VoIP phones: Open source vulnerabilities can sometimes persist for years in the most obscure systems, as McAfee's Advanced Threat Research team recently demonstrated.
The first surprise was that the threat was found in one of the most popular pieces of office equipment used in businesses around the world: a VoIP phone. This is the popular and widely deployed Avaya 9600 series IP Deskphone, which runs on Linux. Avaya is one of the world's largest VoIP providers with an established base.
And the third surprise was that the flaw was not found in an earlier version of the Avaya 9600 IP Deskphone but in its latest model, which is still widely sold and distributed.
After being notified of the flaw, along with some suggested fixes from McAfee's team, Avaya published a security advisory and a fix for the vulnerability.
What went wrong? How has this error managed to escape detection in VoIP phones for so long?
Philippe Laulheret, senior security researcher at McAfee Advanced Threat Research, who examined the phone, believes Avaya likely copied and modified the open source software responsible for the remote code execution (RCE) vulnerability, and then failed to apply the subsequent security patches to it.
As a result, an attacker could "exploit the phone's normal operation, remove the sound from its phone and possibly harm it." In addition, the attack can potentially take place through a direct connection to the phone or from the same network to which the vulnerable phone is connected.
This means that attackers could use the VoIP phone to record calls and network traffic, or even deploy malware on all devices on the network. The attackers could also use their access to launch a ransomware attack that could take down an organization's phone system.
While many people tend to regard VoIP phones as "just a phone", they are essentially computers or IoT devices. Although Avaya was quick to fix the problem, ensuring the risk was mitigated, it warned that this was not an isolated case.
"Many devices in many industries are still running over ten years of code. Therefore, it is important to consider all networked devices operating with unmanaged code that should be isolated and monitored accordingly."