Mitel Product Security Advisory - 15-0004

Weakness in Diffie-Hellman key exchange / Logjam

Advisory ID: 15-0004
Publish Date: 2015-07-31
Updated: 2015-09-29
Revision: v1.4

Summary

Security researchers have uncovered a vulnerability in many implementations of the Diffie-Hellman key exchange protocol, a widely used method for securely negotiating an encrypted communication channel. In some situations, it would be feasible for a motivated attacker to read or modify the contents of an encrypted connection. The vulnerability is commonly known as “Logjam” and has been assigned two CVE identifiers:

  • CVE-2015-1716 to address Microsoft-specific vulnerabilities
  • CVE-2015-4000 to address the flaw in the TLS 1.2 protocol

Mitel has assessed the impact to products in our portfolio. This advisory summarizes the status of the investigation.

Detailed Description

Diffie-Hellman is a commonly used protocol that allows the two sides of a conversation to agree on encryption keys without transmitting those keys across the network. According to the findings published on https://weakdh.org, websites, mail servers, and other TLS-dependent services that use Diffie-Hellman Ephemeral (DHE) and also allow DHE_EXPORT cipher suites, which use 512-bit DH groups, are affected. Elliptic-Curve implementations of Diffie-Hellman (ECDH) are reported as not being vulnerable.

An adversary positioned as a “man-in-the-middle” could use the Logjam vulnerability to read and modify data passed over the connection.
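The following check is an added example and is not part of the Mitel advisory: it parses the ServerDHParams structure that a TLS server sends in its ServerKeyExchange message (RFC 5246, section 7.4.3) and classifies the group size, flagging the 512-bit export-grade groups that Logjam targets and anything below the 2048-bit size that the weakdh.org guidance recommends. The sample messages are constructed for the example; the moduli are not real primes and the thresholds are assumptions chosen from that guidance.

```python
import struct

EXPORT_GRADE_BITS = 512      # DHE_EXPORT group size (the Logjam case)
MIN_ACCEPTABLE_BITS = 2048   # assumed minimum, per weakdh.org sysadmin guidance


def parse_server_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams: dh_p, dh_g, dh_Ys, each a 16-bit length prefix
    followed by a big-endian integer. Only the params are parsed; the
    signature that follows them in ServerKeyExchange is not handled."""
    fields = {}
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        value = body[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"truncated inside {name}")
        fields[name] = int.from_bytes(value, "big")
        offset += length
    return fields


def classify_dh_group(params: dict) -> str:
    """Classify the modulus by bit length: export-grade, weak, or acceptable."""
    bits = params["dh_p"].bit_length()
    if bits <= EXPORT_GRADE_BITS:
        return "export-grade"
    if bits < MIN_ACCEPTABLE_BITS:
        return "weak"
    return "acceptable"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body in the same wire format (used for samples)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: the top bit is set so the modulus has exactly the stated
# bit length. These are NOT real primes or real server values.
SAMPLE_EXPORT = encode_server_dh_params((1 << 511) | 0x1F, 2, (1 << 500) | 7)
SAMPLE_STRONG = encode_server_dh_params((1 << 2047) | 0x1F, 2, (1 << 2000) | 7)

if __name__ == "__main__":
    for label, msg in (("export sample", SAMPLE_EXPORT), ("2048-bit sample", SAMPLE_STRONG)):
        params = parse_server_dh_params(msg)
        print(label, params["dh_p"].bit_length(), "bits ->", classify_dh_group(params))
```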

Affected Products

The following products have been identified as affected:

Product Name                                  | Product Versions              | Security Bulletin | Last Updated
----------------------------------------------|-------------------------------|-------------------|-------------
Mitel 100/OpenComX320                         | 11.x - 12.0                   | 15-0004-001       | 2015-07-31
Mitel 800                                     | 11.x - 12.0                   | 15-0004-002       | 2015-07-31
MiCollab AWV                                  | 6.0.205.0 and earlier         | 15-0004-004       | 2015-09-25
Oria                                          | 3.x                           | 15-0004-005       | 2015-07-31
MiVoice Conference Unit (UC360)               | 1.x, 2.x                      | 15-0004-006       | 2015-07-31
Redirection and Configuration Service (RCS)   | All                           | 15-0004-007       | 2015-07-31
Mitel 700                                     | 5.0 SPX, 6.0 SP2 and earlier  | 15-0004-008       | 2015-07-31

Products Not Affected

The following products have been evaluated as not being affected:

Product Name                                                        | Product Versions
--------------------------------------------------------------------|-----------------
340w / 342w                                                         | All
3250                                                                | All
5000 Call Manager                                                   | All
5000 Compact                                                        | All
5000 Gateway                                                        | All
5300 series digital                                                 | All
5550 IP Console                                                     | All
5603/5604/5607 Programmer (Ascom OEM)                               | All
5603/5604/5607/5624 Rack Charger (Ascom OEM)                        | All
6700i, 6800i (Praxis) Series SIP Phones                             | All
74XXip (H323 terminal family)                                       | All
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones                | All
A1023i                                                              | All
Aastra 1560ip                                                       | All
Aastra 2380ip                                                       | All
Aastra 5300ip                                                       | All
AM7450 Management Center                                            | All
BluStar 8000i                                                       | All
BluStar Android                                                     | All
BluStar Client (PC)                                                 | All
BluStar iOS                                                         | All
BluStar Server                                                      | All
Centergy Virtual Contact Center                                     | All
Clearspan (Acme Packet Core SBC)                                    | All
Clearspan (AudioCodes eSBC / Gateway)                               | All
Clearspan (Broadworks Platform)                                     | All
Clearspan (Edgewater eSBC)                                          | All
CMG                                                                 | All
Comdasys Convergence (4675, 6719)                                   | All
Comdasys MC Client Android                                          | All
Comdasys MC Client iOS                                              | All
Comdasys MC Controller                                              | All
CPDM 3 (DECT)                                                       | All
CPU2 / CPU2-S on Mitel 470 Controller                               | All
CT Gateway                                                          | All
D.N.A. Application Suite                                            | All
DECT handset programming units                                      | All
DECToverIP (Mitel 100 | OpenCom 100)                                | All
DECToverIP (OC1000)                                                 | All
Dialog 5446ip, 4XXXip (H323 terminal family)                        | All
DT390, DT690, DT692, DT292, DT590 (DECT)                            | All
ER Adviser                                                          | All
InAttend                                                            | All
Intelligate Mobile Client Controller v16.X                          | All
IPBS 433/434/430/440                                                | All
MiCollab (MAS) (SAS)                                                | All
MiCollab (vMAS)                                                     | All
MiCollab Client (Desktop/Web/Standalone)                            | All
MiCollab Mobile Client (Android)                                    | All
MiCollab Mobile Client (iOS)                                        | All
MiCollab NuPoint (Speech Auto Attendant, Unified Messaging)         | All
MiContact Center Business                                           | All
MiContact Center Enterprise                                         | All
MiContact Center for Microsoft Lync                                 | All
MiContact Center Live                                               | All
MiContact Center Office                                             | All
MiContact Center Outbound                                           | All
Mitel Alarm Server                                                  | 2.0, 2.1
Mitel MMC Android                                                   | All
Mitel MMC iOS                                                       | All
Mitel Mobile Client Controller                                      | All
MiVoice 5602/5603/5604/5606/5607 IP DECT phones (Ascom OEM)         | All
MiVoice 5610 DECT Handset and IP DECT Stand                         | All
MiVoice 5624 WiFi Phone (Ascom OEM)                                 | All
MiVoice Border Gateway (MBG)                                        | All
MiVoice Business - MCD (PPC)                                        | All
MiVoice Business - MCD for ISS                                      | All
MiVoice Business - MCD on Stratus                                   | All
MiVoice Business - MXe Server                                       | All
MiVoice Business Console                                            | All
MiVoice Business Dashboard (CSM)                                    | All
MiVoice Call Accounting                                             | All
MiVoice Call Recording                                              | All
MiVoice Digital Phones 8528, 8568                                   | All
MiVoice Enterprise Manager                                          | All
MiVoice for Lync                                                    | All
MiVoice IP DECT Base Station (Ascom OEM)                            | All
MiVoice IP Phones 53xx, 5540                                        | All
MiVoice IP Phones 5560, 5550, 5505                                  | All
MiVoice Office 250 (Mitel 5000)                                     | All
MiVoice Office 400                                                  | All
MiXML server                                                        | 3.1
Multi-Instance Communications Director (MiCD)                       | All
MX-ONE Manager (System Performance)                                 | All
MX-ONE Manager Availability                                         | All
MX-ONE Manager (Provisioning)                                       | All
MX-ONE Gateway Unit                                                 | All
MX-ONE Manager Telephony System                                     | All
NuPoint UM (Standalone)                                             | All
Oaisys Talkument                                                    | All
Oaisys Tracer                                                       | All
OIG                                                                 | 2.1
FaxMail                                                             | All
VoiceMail                                                           | All
Open Interfaces Platform (OIP, OIP WebAdmin)                        | All
Open Messaging                                                      | All
OpenCom 1000 family                                                 | All
OpenPhone 7x IP                                                     | All
Oria                                                                | 4.x
PointSpan                                                           | All
Rack Charger for DT390, 69x, 4x3                                    | All
S850i (Revolabs OEM)                                                | All
SAS                                                                 | All
Secure IP Remote Management SRM                                     | All
SIP-DECT                                                            | All
SIP-DECT Open Mobility Manager                                      | All
SIP-DECT with Cloud-ID                                              | All
Solidus eCare 7.0 SP8                                               | All
Solidus eCare 8.3 SP2                                               | All
SX-200IP ICP                                                        | All
TA7102i                                                             | All
TA7104i                                                             | All
Telephony Switch (TSW)                                              | All
Telepo                                                              | All
Virtual MiVoice Communications Director (vMCD)                      | All
Virtualization Framework                                            | All
WSM, WSM-3 (Ascom OEM)                                              | All

If you do not see your product listed above, please contact Mitel Customer Support.

Risk Assessment

CVE-2015-1716 has been assigned a CVSS v2 Base Score of 5.0
CVE-2015-4000 has been assigned a CVSS v2 Base Score of 4.3

Refer to product Security Bulletins for additional statements regarding risk.

Mitigations / Recommended Action

For Mitel products that act as clients of other services (e.g. sending email notifications), the risk is eliminated when they connect to upstream servers that do not offer weak DHE parameters. Customers are advised to ensure that upstream servers are running current versions of software. Guidance for server administrators can be found at https://weakdh.org/sysadmin.html

Operating System patches are provided by the respective vendors. The following recommendations are provided for Mitel applications:

  • For Mitel products provided as applications installed on systems running Microsoft Windows, refer to http://technet.microsoft.com/security/bulletin/MS15-055
  • For Mitel products provided as solutions installed on systems running other operating systems (e.g. Debian, Red Hat, SUSE), please consult the respective vendor of the distribution.

Major web browser developers have also released new versions to address the use of weak Diffie-Hellman. Updating to the latest version of the browser(s) is recommended as a client-side solution.

Product-specific Security Bulletins will be issued for products which have been confirmed to be affected. Refer to the table of Affected Products and the referenced Security Bulletins for more information on additional mitigation and/or solutions available.

External References

https://weakdh.org
http://technet.microsoft.com/security/bulletin/MS15-055
https://bugzilla.redhat.com/show_bug.cgi?id=1223211
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

Related CVEs / Advisories

CVE-2015-1716
CVE-2015-4000