McAfee researchers have uncovered a remote code execution (RCE) vulnerability in open-source software from a popular line of Avaya VoIP phones.

McAfee is warning organizations that use Avaya VoIP phones to check that firmware on the devices have been updated. Avaya’s install base covers 90% of the Fortune 100, with products targeting customers from small business and midmarket, to large corporations.

McAfee’s Philippe Laulheret

The McAfee Advanced Threat Research Team looked at the Avaya 9600 series IP Deskphone and found the RCE in a piece of open-source software that Avaya “likely copied and modified 10 years ago, and then failed to apply subsequent security patches to,” said Philippe Laulheret, a senior security researcher on the team.

“The bug affecting the open-source software was reported in 2009, yet its presence in the phone’s firmware remained unnoticed until now,” he said.

Avaya sent us the following statement: “Avaya has a clear and well-defined policy that requires our products to use the most recent software release to make sure security issues are addressed in a timely manner. With respect to the security issue identified … Avaya issued a security advisory on July 18, 2019, that addresses and resolves the identified risk. Avaya thanked Philippe Laulheret for his responsible disclosure and cooperation with Avaya during the handling of this matter. Customers should always make sure that physical access to communications devices are limited to approved personnel to prevent physical tampering with these devices by unauthorized entities.”

McAfee released a video (below) showing how an attacker can use the bug to take over the normal operation of the phone, exfiltrate audio from its speaker phone, and potentially bug the phone.

“The current attack is conducted with the phone directly connected to an attacker’s laptop, but would also work via a connection to the same network as a vulnerable phone,” Laulheret said.

IoT and embedded devices tend to “blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose,” he said.

“In this case, with a minimal hardware investment and free software, we were able to uncover a critical bug that remained out of sight for more than a decade,” Laulheret said. “Avaya was prompt to fix the problem and the threat this bug poses is now mitigated, but it is important to realize this is not an isolated case and many devices across multiple industries still run legacy code more than a decade old. From a system administration perspective, it is important to consider all these networked devices as tiny black-box computers running unmanaged code which should be isolated and monitored accordingly.”