Vulnerabilities in Avaya VoIP products
Several potentially serious vulnerabilities have been discovered in the last few days in a number of products from VoIP specialist Avaya. In its own advisories, the vendor describes the bugs, which may allow attackers to remotely inject arbitrary code into vulnerable systems and obtain local root privileges. Avaya provides a long list of affected products: Converged Communications Server, CVLAN, Integrated Management Suite (IMS), Intuity LX, Modular Messaging, Message Networking and SIP Enablement Services (SES).
The flaws are mainly security holes in components of the underlying Linux platforms, and the developers of those components have already resolved them. Affected modules include the CUPS printing system, the Qt graphics library, the NFS network filing system and the X.org graphics server. No patches appear to be available for the Avaya products so far. In an official statement, the vendor advises users to restrict physical and network access to vulnerable systems as far as possible until security updates have been released.
- Qt security update, advisory by Avaya
- cups security update, advisory by Avaya
- nfs-utils-lib security update, advisory by Avaya
- Xorg-x11 security update, advisory by Avaya