Buffer overflow vulnerability in Avaya one-X Desktop Edition may allow an attacker to cause denial of service
Overview
A buffer overflow vulnerability in the SIP message parsing module of the Avaya one-X Desktop Edition SIP phone may allow a remote attacker to partially disable the phone.

Impact
Successfully sending a malformed message to the phone prevents it from receiving new calls, causing denial of service to the user. The phone may also repeatedly call the last dialed number a few times.

Description
Avaya one-X™ Desktop Edition, formerly Avaya SIP soft phone, transforms Windows-based PCs into SIP-based collaboration endpoints. A buffer overflow vulnerability exists in the SIP header parsing module of the Avaya one-X phone, which may allow a remote attacker to disable the phone’s call receiving capability. If an attacker can send a malformed SIP message to the phone, the phone may not be able to receive further new calls, causing denial of service to the user. The user may not know this unless explicitly informed by other users. The phone must be restarted to recover from this state.

Solution
The phone's SIP stack implementation should be patched to prevent exploitation of this vulnerability.

Vendor Response:
Avaya: The official response for the one-X Desktop Edition vulnerabilities, ASA-2007-241, is posted at http://support.avaya.com/elmodocs2/security/ASA-2007-241.htm

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com
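One way a SIP stack or an upstream filter can refuse over-long header fields before any of them is parsed, shown as an added example that is not Avaya's or Sipera's code. The limits and the name `sip_check_headers` are assumptions, since the advisory does not say which header or length triggers the overflow.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative limits: assumptions for this example, not values taken
 * from the advisory or from any Avaya product. */
#define MAX_LINE    1024  /* longest start line or header line accepted */
#define MAX_NAME    64    /* longest header field name accepted */
#define MAX_HEADERS 64    /* most header lines accepted per message */

enum sip_check { SIP_OK, SIP_EMPTY, SIP_LINE_TOO_LONG, SIP_NAME_TOO_LONG,
                 SIP_TOO_MANY_HEADERS, SIP_NO_COLON, SIP_UNTERMINATED };

/* Check the start line and header section of a received SIP message of
 * `len` bytes before any field is copied into a fixed-size buffer. All
 * lengths come from `len`, so the input need not be NUL-terminated, and
 * oversized input is rejected rather than truncated. */
enum sip_check sip_check_headers(const char *msg, size_t len)
{
    size_t pos = 0, headers = 0;
    int first = 1;

    while (pos < len) {
        const char *line = msg + pos;
        const char *eol = memchr(line, '\n', len - pos);
        if (eol == NULL) return SIP_UNTERMINATED;    /* line never ends */
        size_t n = (size_t)(eol - line);
        pos += n + 1;
        if (n > 0 && line[n - 1] == '\r') n--;       /* drop CR of CRLF */
        if (n > MAX_LINE) return SIP_LINE_TOO_LONG;
        if (n == 0) return first ? SIP_EMPTY : SIP_OK; /* blank line ends headers */
        if (first) { first = 0; continue; }          /* start line: length only */
        if (++headers > MAX_HEADERS) return SIP_TOO_MANY_HEADERS;
        if (line[0] == ' ' || line[0] == '\t') continue; /* folded continuation */
        const char *colon = memchr(line, ':', n);
        if (colon == NULL) return SIP_NO_COLON;
        if ((size_t)(colon - line) > MAX_NAME) return SIP_NAME_TOO_LONG;
    }
    return SIP_UNTERMINATED;                         /* no blank line seen */
}

int main(void)
{
    /* Constructed sample message, not captured traffic. */
    const char ok[] = "OPTIONS sip:user@example.invalid SIP/2.0\r\n"
                      "Via: SIP/2.0/UDP host.example.invalid\r\n"
                      "Call-ID: constructed-1\r\n\r\n";
    printf("%d\n", (int)sip_check_headers(ok, sizeof ok - 1));
    return 0;
}
```

A message that fails the check would be dropped or answered with an error response before it reaches code that copies header values into fixed-size storage.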