August 14, 2019

⚠️ Avaya Desk & Conference Phone Vulnerability ⚠️


Patrick Zanella
Security Practice Lead


At last week’s DefCon event, a presentation was delivered showing how to exploit a couple of 10-year-old vulnerabilities (CVE-2009-0692 CVE-2011-0997). These vulnerabilities impact certain Avaya desk and IP phones. If exploited, attackers could remotely take over the operation of the phone, exfiltrate audio and potentially even “bug” the phone to listen in continuously.

Details on this vulnerability are available via Avaya’s download page by clicking here

 

How does it work?

These vulnerabilities can allow a rogue DHCP server to execute arbitrary commands as root on the affected system through stack return subversion. This attack has little to no risk for a client situated on a network that is well defended whereas clients that are roaming to potentially hostile or ad-hoc networks can see this attack to pose a severe threat. Factors complicating any attack would be: 

  • The attacker would need to generate messages the client views as authentic. 
  • The attacker would then need to develop their attack within a limited packet size.

 

What can I do?

While the recommended approach is to patch affected systems, there are several compensating controls, and other steps that can be taken to lower your risk exposure.

 

Network Connectivity

This type of attack requires network connectivity to vulnerable systems. Consequently, it is imperative that you know all of the devices connected to your network and appropriate controls are in place to monitor activity. 

 

H.323 Signaling

This issue only affects 9608, 9608G, 9611G, 9621G, 9641G, 9641GS, B189, J169, and J179 devices using H.323 signaling. Those same devices using SIP signaling are unaffected.

 

DHCP

With both vulnerabilities, DHCP is a required step in the attack process so ensuring your DHCP Server access is controlled and monitored will lower your risk exposure to this type of activity. DHCP Snooping, a layer 2 security feature designed to prevent malicious or malformed DHCP traffic, or rogue DHCP servers, can be utilized to ensure only authorized DHCP responses can pass to the phone. A local user would not be able to send a DHCP response to a local phone as an attack. This is something that can/should be audited to ensure this protection is in place.

 

Segmentation

Segmenting DHCP and your phones is another way to lower the risk by ensuring DHCP is not on the same VLAN as the phones. This way, the DHCP relay is configured on the routing cores to take the broadcast DHCP request and unicast it to the configured DHCP server(s). The DHCP server would need to be compromised/spoofed, which is a fairly low risk within most infrastructures.


As your trusted partner, Integration Partners will continue to monitor this and furnish updates via this site. Please reach out to your designated Service or Account Manager for any further assistance.