VOIP phone flaw goes unpatched for a decade
There are times when open source vulnerabilities can lurk for years in the most obscure – and mundane – systems as was demonstrated recently by McAfee’s Advanced Threat Research team.
The first surprise was that the threat was uncovered in one of the most ubiquitous pieces of office equipment used in enterprises around the world: a VOIP phone. In this case, it was the popular and widely deployed Avaya 9600 series IP Deskphone, which runs Linux. Avaya is one of the world's largest VoIP solution providers, with an installed base that the company claims includes 90% of the Fortune 100 companies.
Surprise number two was that the vulnerability had first been reported in 2009, and security patches for it had been made available at the time.
And surprise number three was that the bug was found not in a 10-year-old version of the Avaya 9600 series IP phone but in its latest model that is still sold and widely distributed.
Having been alerted to the bug – with some suggested fixes from the McAfee team – Avaya soon issued a Security Advisory and a fix for the vulnerability.
What went wrong? How did this bug manage to escape detection in the VoIP phones for so long?
In a blog describing the investigation, Philippe Laulheret, senior security researcher on the McAfee Advanced Threat Research team who led the investigation into the phones, speculates that Avaya probably copied and modified the open source software that carried the remote code execution (RCE) vulnerability 10 years ago, and then failed to apply the subsequent security patches to it.
As a result, an attacker could “leverage the bug to take over the normal operation of the phone, exfiltrate audio from its speaker phone, and potentially ‘bug’ the phone,” he explained, and added that the attack could potentially take place either through a direct link to the phone – or via a connection to the same network to which the vulnerable phone is connected.
This means that attackers could use the VOIP phone to be able to tap and record calls and other network traffic – or even deploy malware to all the devices on the network. Attackers could also use their access to launch a ransomware attack that could bring down an organisation’s entire phone system.
While many people tend to regard VOIP phones as “just a phone” they are really computers or IOT devices. As Laulheret pointed out, “phone, IOT and embedded devices tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose.”
Although Avaya was quick to fix the problem, ensuring that the risk posed was soon mitigated, he warned that this was not an isolated case:
“Many devices across multiple industries still run legacy code more than a decade old. From a system administration perspective, it is important to consider all these networked devices tiny black-box computers running unmanaged code which should be isolated and monitored accordingly,” he said.
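One concrete way to act on that advice is to treat the phone VLAN as a black box with a small, explicit set of permitted conversations and to flag anything else. The script below is an added illustration, not code from the article, McAfee or Avaya: it assumes a hypothetical phone subnet (10.20.0.0/24), a call manager, a provisioning server and an NTP server at constructed addresses, and a constructed set of flow records in a simple "src dst proto dport" format. It reports flows from a phone that fall outside that isolation policy, such as phone-to-phone SSH or egress to an Internet host.

```python
"""Flag network flows from a VoIP-phone VLAN that violate an isolation policy.

Added example, not taken from the article or from McAfee/Avaya. The subnet,
server addresses and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed policy: phones in 10.20.0.0/24 may only talk to the call
# manager (SIP), the provisioning server and NTP. Anything else is a
# deviation worth investigating.
PHONE_SUBNET = ip_network("10.20.0.0/24")
ALLOWED = {
    # (destination host, protocol, destination port)
    ("10.10.0.5", "udp", 5060),    # SIP signalling to the call manager
    ("10.10.0.5", "tcp", 5061),    # SIP over TLS
    ("10.10.0.7", "tcp", 443),     # provisioning / firmware download
    ("10.10.0.9", "udp", 123),     # NTP
}
# RTP media uses a dynamic port range; allow it only to the media hosts.
RTP_RANGE = range(16384, 32768)
MEDIA_HOSTS = {"10.10.0.5", "10.10.0.6"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches the explicit allowlist or the RTP media rule."""
    if (flow.dst, flow.proto, flow.dport) in ALLOWED:
        return True
    if flow.proto == "udp" and flow.dport in RTP_RANGE and flow.dst in MEDIA_HOSTS:
        return True
    return False


def find_violations(lines: Iterable[str]) -> list[Flow]:
    """Return flows originating from the phone subnet that break the policy."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if ip_address(flow.src) not in PHONE_SUBNET:
            continue  # not a phone; some other policy applies
        if not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
# src            dst           proto dport
10.20.0.15       10.10.0.5     udp   5060
10.20.0.15       10.10.0.6     udp   20000
10.20.0.15       10.10.0.9     udp   123
10.20.0.23       10.20.0.15    tcp   22
10.20.0.23       192.0.2.44    tcp   443
10.30.0.8        192.0.2.44    tcp   443
10.20.0.15       10.10.0.7     tcp   443
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT phone {v.src} -> {v.dst} {v.proto}/{v.dport} outside isolation policy")
```

Run against the constructed records, the script flags two flows: a phone opening SSH to another phone and a phone reaching an external web host. The same allowlist is what a firewall or switch ACL on the phone VLAN should enforce; the script is the monitoring half, useful for checking that the enforcement actually holds and for spotting a device that starts behaving unlike a phone.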