Popular Avaya enterprise VoIP phones are vulnerable to hacking
Security researchers have found a critical remote code execution vulnerability in popular models of enterprise VoIP desk phones made by Avaya. The flaw allows hackers to gain full control of the devices, listen in on calls and even turn the phone into a spying device.
The issue was discovered by researchers from security firm McAfee and was disclosed Thursday at the DEF CON security conference in Vegas. However, firmware updates have been available since June 25.
The vulnerability is located in the DHCP service, which allows the devices to automatically obtain IP addresses on the network. Attackers can exploit it by sending maliciously modified DHCP responses to the devices, which do not require authentication and winning a race condition with the network’s legitimate DHCP server.
The flaw is a buffer overflow that can result in code execution with root privileges. This means attackers are in full control of the phone’s operating system and can do anything including spoofing calls, changing the messages users see on the display, exfiltrating audio calls or turning on the internal microphone in order to spy on nearby conversations.
“There are a lot of different attack vectors, but we thought the most interesting would be the snooping microphone-based attack, and that’s what we used to build the demo,” Steve Povolny, the head of Advanced Threat Research at McAfee, tells CSO.
Vulnerable device models
The McAfee team found and confirmed the vulnerability on Avaya 9600 Series IP Deskphones. However, according to Avaya’s advisory, J100 Series IP Phones and B100 Series Conference Phones are also affected.
Only phones running firmware version 6.8.1 and earlier and configured with H.323 signalling, not SIP, are affected. The company advises users to upgrade to firmware version 6.8.2 or later. Fortunately, these devices can be managed from a central server, so deploying updates can be done automatically.
Old unmaintained code was at fault
It turns out that the vulnerability had actually been patched a decade ago in dhclient, the open-source component that Avaya used in its firmware. The problem is that after forking the open-source code over ten years ago, the company did not update it or backport security patches from upstream. As a result, Avaya phones were using a dhclient version from 2007.
This is a common problem with many embedded devices and proprietary software projects, which in general rely heavily on open-source code and libraries. Past studies have shown that many companies and device makers do not keep track of which versions of open-source libraries are used where, which means they also don’t track the security issues that are later found and fixed in those projects.
In a different talk at Black Hat this week on vulnerabilities in enterprise SSL VPNs, researchers found that VPN appliances from top vendors were using highly outdated data parsing libraries and even an Apache webserver version from 2002. The good news is that there are now increased efforts to create standards that would help companies maintain software bills of materials, which could help address some of these issues.
Latest Jobs
-
- Azure Identity Consultant
- Netherlands
- discussed on applications
-
Are you a cybersecurity expert passionate about identity and access management? We are seeking a talented IAM Technical Specialist to join our Sec Ops team. In this role, you will play a pivotal part in developing and maintaining our IAM infrastructure, ensuring the highest levels of security and compliance. What you'll do: Design, implement, and maintain IAM solutions for both on-premise and cloud environments. Collaborate with cross-functional teams to integrate IAM systems into various applications and processes. Conduct security assessments and risk analysis to identify and mitigate vulnerabilities. Stay up-to-date with the latest IAM technologies and industry best practices. What we're looking for: Experience: experience as a technical specialist with expertise in AD management. IGA concepts: Experience with Identity Governance and Administration (IGA) concepts such as RBAC, PAM, SIEM, SSO, segregation of duties (SoD), data classification, and recertification. Azure Identity Management: Minimum 2 years of demonstrable experience with Azure identity management, specifically within complex organizations. IT knowledge: Good general knowledge of IT environments such as Active Directory, Azure Cloud, Office 365, SharePoint Online, etc. Protocol knowledge: Familiar with SAML, OIDC, OAuth, and SCIM. Programming languages: Minimum 3 years of experience with development languages such as PowerShell; knowledge of Java or C# is a plus.
-
- Cloud Architect- German Speaker
- Hungary
- Upto €48000 per year + bonus + benefits
-
As a Senior Pre-Sales Solutions Architect, you will play a pivotal role in driving our sales success by translating complex technical solutions into compelling proposals that resonate with our clients. You will collaborate closely with our sales teams to understand customer needs, design tailored solutions, and negotiate successful deals. Responsibilities: Solution Design: Develop comprehensive technical solutions that align with customer business objectives and industry best practices. Proposal Development: Create compelling proposals, including requirements gathering questionnaires, presentation materials, and Statements of Work (SOWs). Customer Engagement: Build strong relationships with clients, understanding their technical, business, and commercial requirements. Collaboration: Work closely with sales teams, delivery teams, and third-party partners to ensure successful project execution. Pricing Strategy: Define and deliver pricing strategies that align with customer needs and company objectives. Requirements: Experience in technical pre-sales or sales support roles. Proven track record in designing and delivering successful customer solutions. Strong technical foundation in areas such as VMware, Azure, AWS, cloud computing, and data center technologies. Excellent understanding of sales principles, account management, and negotiation techniques. Ability to explain complex technical concepts clearly and concisely. Experience working in international teams and supporting clients across multiple regions. Fluency in German and English is essential. Benefits: Competitive salary and benefits package Opportunity to work on challenging and rewarding projects Collaborative and supportive work environment Potential for career growth and advancement Please note that this role is focused on supporting German clients, but will also involve global client support as needed.
-
- Microsoft Sentinel Architect
- United Kingdom
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design: Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration: Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration: Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization: Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring: Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.
-
- Network & Security Consultant
- Romania
- €54000 plus benefits
-
Senior Network & Security Engineer to join a Managed Network & Security Team in Europe. In this critical role, you will: Play a pivotal role in managing and securing network infrastructure across datacenters, customer connections, and on-premise deployments. Proactively monitor network and security devices, analyse incidents, and implement solutions to ensure optimal performance and security. Collaborate with colleagues and customers to troubleshoot issues, troubleshoot outages, and implement effective resolutions. Lead and participate in network system installations for new facilities and expansions. Develop and maintain network infrastructure procedures, recommend technical strategies, and propose improvements to enhance network capabilities. Stay up-to-date on the latest network and security technologies and trends. Work as part of a collaborative international team, contributing to team presentations and knowledge sharing. To be successful, you'll need: Proven expertise in Cisco network solutions (CCNP R&S/Sec/Wireless preferred) for both BAU and project work. In-depth knowledge of network security principles and experience with Fortinet firewalls. Experience deploying and managing large, complex network infrastructure (routing, switching, wireless, security). Solid understanding of ITIL v3 framework for incident, change, and problem management. Excellent troubleshooting skills with experience using Wireshark or similar protocol analysers. Strong communication and teamwork skills, with the ability to work independently and collaborate effectively.