1. Topic Security issues have been identified that allows an attacker to compromise ip phones. 2. Description We are testing voip solutions and here's what we've found : take a layer 2 switch, here, an avaya cajun switch like P33xT or P334T-ML (layer 2). configure 2 ports like it's recommended in voip, like this : a vlan id x on port 1 and a vlan-static-bindig id y for telephony (x is the pvid is or native vlan or default vlan) a vlan id x on port 2 and a vlan-static-bindig id y for telephony we are in mode access so ports are not 802.1q or in trunk mode ... plug an ip phone on port 1 in plug a PC on port 2 in (the pc doesn't tag his frames) (if you plug the PC behind another ip phone, the result is the same) try to ping the ip phone ... it's ok. You can now easily flood all ip phones on the same switch or the entire stack ! 3. Affected products Avaya Cajun P33xT , P33xT-ML and more ? 4.Solution Actually in the product house for Avaya. With other switch, we know that you can bypass this hole by activate a 'untagpvidonly' command on the ports 1 et 2 or something equivalent according to constructors ... In trunk mode or in full 802.1q mode, we can do the 'same' thing by simply tagging frames from your PC. So, you are in telephony vlan ... We are also interesting in deployment experience and the response about fully tagging ports or not ... thanks, loic