Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware (Aug 8, 2019)
McAfee researchers revealed a security vulnerability in a desk phone developed by Avaya, a VoIP solution provider and vendor of business desk phones. According to Avaya, 90 percent of Fortune 500 companies are signed up to its services. A severe remote code execution (RCE) vulnerability (CVE-2009-0692) was present in an open-source component within the firmware of the Avaya 9600 series IP model device. The open-source module was incorporated into the firmware but never patched, leaving these devices vulnerable ever since the flaw was reported in 2009. McAfee says that threat actors could leverage the RCE to hijack a phone's normal operations, extract and steal audio, and "bug" a device for surveillance purposes. A firmware update and disc image have now been published by Avaya.
Recommendation: Avaya has published a firmware image that resolves the issue, and the company urges administrators with vulnerable hardware to update accordingly. As with all patching, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available. Across all industries, it is important for system administrators to remain vigilant regarding legacy devices that their organization may utilize.