A bug first reported in 2009 has escaped being patched in a widely deployed product for ten years, McAfee's Advanced Threat Research team has recently revealed.
The vulnerability lurked in Avaya's widely used, Linux-based 9600 series VoIP office phones. According to itweb.co.za, Avaya equipment is used by 90% of the Fortune 100 companies.
Not only did the problem go unnoticed in the phone for so long, but McAfee reports that a patch that would have fixed the bug existed the whole time: it was released upstream when the flaw was first reported in 2009.
More troubling still, the bug was found in the latest version of the phone, a model that is still sold in large numbers around the world, rather than only in an older version.
How the flaw happened
Philippe Laulheret, the senior researcher on the investigation, believes the flaw went unfixed for so long because Avaya had copied and modified the open source software that carried the remote code execution (RCE) vulnerability ten years ago. Once the code was forked, he suggests, the upstream security patches were never applied to Avaya's copy, so the problem persisted.
In practice, the bug gave attackers the potential "to take over the normal operation of the phone, exfiltrate audio from its speaker phone, and potentially 'bug' the phone," which could in turn have opened the door to malware or ransomware attacks.
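The root-cause pattern described above, a vendor forking an open source component and never pulling in the upstream fix, is something a firmware owner can check for mechanically. The following Python script is an added example written for this page, not code from McAfee, Avaya or the article's source: it pulls version banners out of a firmware string table and compares each vendored component against the first upstream release that carried the fix. The component names, the firmware bytes and the fixed-in table are all constructed for the illustration.

```python
"""Flag vendored open-source components in a firmware image that sit below
the version in which the upstream fix shipped.

Added illustration: the component names, version banners and the fixed-in
table are constructed for this example and are not taken from the Avaya
advisory or the McAfee report.
"""
import re
from dataclasses import dataclass

# Version banners like "<name> <major>.<minor>[.<patch>[.<build>]]" as they
# commonly appear among the string constants of a vendored binary.
BANNER_RE = re.compile(
    rb"(?P<name>[a-z][a-z0-9_-]{1,30})[ /-](?P<ver>\d+(?:\.\d+){1,3})\b"
)

# Constructed: stands in for the string table of an extracted firmware blob.
# The same component appears twice at different versions on purpose.
FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" b"Copyright (c) 2009\x00"
    b"netd 1.2.5\x00" b"libcompress 2.11.4\x00"
    b"netd 1.2.0\x00" b"sshd-server 6.5\x00"
)

# Constructed: first upstream release containing the security fix, per component.
FIXED_IN = {"netd": "1.2.3", "libcompress": "2.11.4", "sshd-server": "7.0"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str            # exactly as printed in the binary
    key: tuple              # normalised for ordering


def parse_version(s: str, width: int = 4) -> tuple:
    """Turn '1.2' into (1, 2, 0, 0) so '1.2' == '1.2.0' and '1.2' < '1.2.1'."""
    parts = [int(p) for p in s.split(".")]
    if len(parts) > width:
        raise ValueError(f"too many version components: {s!r}")
    return tuple(parts + [0] * (width - len(parts)))


def extract_components(blob: bytes) -> dict:
    """Return {name: Component} for every version banner found in blob.

    When one name carries several versions (an old copy left next to a newer
    one), keep the lowest: that is the copy an attacker will target."""
    found = {}
    for m in BANNER_RE.finditer(blob):
        name = m.group("name").decode("ascii")
        raw = m.group("ver").decode("ascii")
        comp = Component(name, raw, parse_version(raw))
        if name not in found or comp.key < found[name].key:
            found[name] = comp
    return found


def stale_components(inventory: dict, fixed_in: dict) -> list:
    """(name, shipped, fixed_in) for each component older than its upstream fix.

    A component with no entry in fixed_in is not flagged here; a real
    pipeline would report it separately as 'unknown provenance'."""
    stale = []
    for name, comp in inventory.items():
        if name in fixed_in and comp.key < parse_version(fixed_in[name]):
            stale.append((name, comp.version, fixed_in[name]))
    return sorted(stale)


if __name__ == "__main__":
    inv = extract_components(FIRMWARE_BLOB)
    for name, shipped, fixed in stale_components(inv, FIXED_IN):
        print(f"{name}: ships {shipped}, upstream fix landed in {fixed}")
```

In a real run the blob would come from an unpacked firmware root filesystem and the fixed-in table from the upstream projects' advisories or a software bill of materials. The check is only as strong as the version banners it can find; a forked component that was renamed or had its banner stripped, as happens when code is copied and modified, will not show up, which is exactly why the inventory should be built from the source tree at fork time rather than recovered from binaries afterwards.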
Not just a phone
Laulheret added that users need to be careful with this kind of device, because the network access a phone like this has is often poorly understood. He continued, "phone, IoT and embedded devices tend to blend into our environment, in some cases not warranting a second thought about the security and privacy risks they pose."
The flaw has since been fixed.