Critical RCE Bug Found Lurking in Avaya VoIP Phones

hackerone bug bounty $1 million

The vulnerability is a decade old with a public exploit, yet remained unpatched in one of the phone giant’s most popular models.

A decade-old remote code-execution (RCE) bug has been found, unpatched, in an Avaya desk phone that’s used at 90 percent of Fortune 100 companies. If exploited, attackers could remotely take over the operation of the phone, exfiltrate audio and potentially even “bug” the phone to listen in continuously.

Researchers found the Avaya 9600 series IP Deskphone vulnerability in a piece of open source software that Avaya likely copied and modified 10 years ago. The same bug was reported in 2009, according to the analysis from McAfee shared with Threatpost at Black Hat 2019, “yet its presence in the phone’s firmware remained unnoticed until now.”

In analyzing the publicly available firmware for the Avaya VoIP phone, researchers were able to gain access to a root shell and the ability to reverse-engineer the files on the phone. The phone runs Linux, and McAfee analysts were able to find a list of processes running with a network connection.

“While poking around, it becomes clear that one of the utilities, dhclient, is of great interest,” explained Philippe Laulhert, analyst at McAfee, in research released at Black Hat 2019 on Thursday. “It is already running on the system and handles network configuration (the so-called DHCP requests to configure the phone’s IP address). If we invoke it in the command line, [it shows] a detailed help screen describing its expected arguments [with a] 2004-2007 copyright.”

The age of the code is “a big red flag,” he said. He was able to find that the 4.0.0 version that the phone runs is more than 10 years old and, even worse, an exploit targeting it is publicly available. From there, he confirmed the phone’s version of dhclient is also vulnerable to the bug reported in 2009, and that, with some tweaking, the public exploit also works.

“Building a weaponized version able to threaten private networks is more of a software engineering task and a skilled attacker might only need a few weeks, if not days, to put one together,” Laulhert said.

An attack can be carried out remotely as long as the attacker has connected to the same network as a vulnerable phone, according to McAfee.

The bug (CVE-2009-0692) is critical a stack-based buffer overflow flaw that exists in the ISC Dynamic Host Configuration Protocol (DHCP) client, according to Avaya’s advisory. DHCP is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask and a broadcast address.

If the DHCP client were to receive a malicious DHCP response, it could crash or execute arbitrary code with the permissions of the client (root), according to the bulletin. The flaw carries a CVSS severity score of 10 out of 10.

A follow-on issue with a severity rating of 7.5 also exists (CVE-2011-0997): “The DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname,” according to the advisory. “A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option’s value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process.”

Avaya published a firmware image that resolves the issue on June 25 – admins are urged to update their gear, but the researcher noted that it may take a while for protections to roll out across the entire attack surface.

“The fix [has] been out for more than 30 days, leaving IT administrators ample time to deploy the new image,” Laulhert said. “In a large enterprise setting, it is pretty common to first have a testing phase where a new image is being deployed to selected devices to ensure no conflict arises from the deployment. This explains why the timeline from the patch release to deployment to the whole fleet may take longer than what is typical in consumer grade software.”

While Avaya was prompt to fix the problem, the discovery of the unpatched bug points out the fact that embedded devices offer a vast landscape for older flaws to slip through.

“It is important to realize this is not an isolated case and many devices across multiple industries still run legacy code more than a decade old,” Laulhert said. “From a system administration perspective, it is important to consider all these networked devices as tiny black-box computers running unmanaged code which should be isolated and monitored accordingly.”

Only the H.323 software stack is affected (as opposed to the SIP stack that can also be used with these phones), according to the analysis.

Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.

Suggested articles