Security Practice Lead
At last week’s DefCon event, a presentation was delivered showing how to exploit a couple of 10-year-old vulnerabilities (CVE-2009-0692 & CVE-2011-0997). These vulnerabilities impact certain Avaya desk and IP phones. If exploited, attackers could remotely take over the operation of the phone, exfiltrate audio and potentially even “bug” the phone to listen in continuously.
How does it work?
These vulnerabilities can allow a rogue DHCP server to execute arbitrary commands as root on the affected system through stack return subversion. This attack has little to no risk for a client situated on a network that is well defended whereas clients that are roaming to potentially hostile or ad-hoc networks can see this attack to pose a severe threat. Factors complicating any attack would be:
- The attacker would need to generate messages the client views as authentic.
- The attacker would then need to develop their attack within a limited packet size.
What can I do?
While the recommended approach is to patch affected systems, there are several compensating controls, and other steps that can be taken to lower your risk exposure.
This type of attack requires network connectivity to vulnerable systems. Consequently, it is imperative that you know all of the devices connected to your network and appropriate controls are in place to monitor activity.
This issue only affects 9608, 9608G, 9611G, 9621G, 9641G, 9641GS, B189, J169, and J179 devices using H.323 signaling. Those same devices using SIP signaling are unaffected.
With both vulnerabilities, DHCP is a required step in the attack process so ensuring your DHCP Server access is controlled and monitored will lower your risk exposure to this type of activity. DHCP Snooping, a layer 2 security feature designed to prevent malicious or malformed DHCP traffic, or rogue DHCP servers, can be utilized to ensure only authorized DHCP responses can pass to the phone. A local user would not be able to send a DHCP response to a local phone as an attack. This is something that can/should be audited to ensure this protection is in place.
Segmenting DHCP and your phones is another way to lower the risk by ensuring DHCP is not on the same VLAN as the phones. This way, the DHCP relay is configured on the routing cores to take the broadcast DHCP request and unicast it to the configured DHCP server(s). The DHCP server would need to be compromised/spoofed, which is a fairly low risk within most infrastructures.
As your trusted partner, Integration Partners will continue to monitor this and furnish updates via this site. Please reach out to your designated Service or Account Manager for any further assistance.