VoIP customers of Avaya, Cisco and Nortel should look Wednesday for patches that correct newly found vulnerabilities that, if exploited, can result in remote code execution; unauthorized access; denial of service; and information harvesting.
The vulnerabilities were found by VoIPshield Laboratories and reported earlier to the three vendors in order to give them time to develop patches for the flaws, says Rick Dalmazzi, president and CEO of VoIPshield. Details of the vulnerabilities and the vendor responses are scheduled to be released Wednesday at noon Eastern time. Dalmazzi would not reveal more details because his company and the affected VoIP vendors agreed to a simultaneous announcement.
He says he believes two of the three vendors will have patches available Wednesday and the third will issue an advisory.
The vulnerabilities found affect voice servers — VoIP PBXes — and softphone software that runs on laptops and desktops, Dalmazzi says.
VoIPshield ranks most of the vulnerabilities found as either critical or high, the two most severe rankings on its four-step scale.
Avaya, Cisco and Nortel were chosen for vulnerability testing because they represent the bulk of IP PBX sales in North America, Dalmazzi says. The company has included Microsoft in its next round of testing, the results of which will come out in about four months.
VoIPshield Systems makes VoIP vulnerability testing software as well as an intrusion-prevention system designed for VoIP.