IP telephony: Avaya IP Office plugs critical security leaks
Updates for Avaya IP Office seal security leaks in the software. Attackers can infiltrate malicious code as a result.
Attackers can attack telephones.
(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)
There are critical security gaps in Avaya IP Office. Attackers can misuse the vulnerabilities in the IP telephony software, which are classified as critical, to inject malicious code, for example. Updates are available to plug the security leaks.
Carefully prepared web requests to the web control component of Avaya IP Office can lead to the execution of commands or injected code from the network due to inadequate filtering of input, explains Avaya in a security warning (CVE-2024-4196, CVSS 10, risk"critical"). In the One-X component, on the other hand, attackers can exploit a gap that allows unlimited file uploads - this also potentially leads to the execution of commands or malicious code from the network, Avaya explains (CVE-2024-4197, CVSS 9.9, critical).
Avaya: Updates available
Avaya IP Office 11.1.3.0 and older versions are affected. Version 11.1.3.1 is intended to seal the security gaps. In addition to installing the updated software, Avaya also recommends in a security warning that "best practices" guidelines for network security should be implemented using firewalls, access control lists (ACLs), physical security or appropriate access restrictions. These could also mitigate the impact of current security breaches.
IT managers with Avaya IP Office instances should download and apply the updates quickly via the channels known to them.
Vulnerabilities in IP telephony products are found in all manufacturers from time to time. In May, attackers were able to spy on Cisco IP phones due to security vulnerabilities. In April, gaps in HP's Poly CCX IP phones were discovered that allowed unauthorized access.
(dmk)