Mitel Product Security Advisory 16-0004

NTPD Vulnerabilities

Advisory ID: 16-0004
Publish Date: 2016-03-07
Revision: 1.1 (updated 2016-05-02)

Summary

Multiple low and medium-risk vulnerabilities were identified in an open source NTP package used by certain Mitel products.  

Detailed Description

It was discovered that in some cases, ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntp client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client, which could result in a denial of service.

Affected Products

The following products have been identified as being affected (updated 2016-05-02): 

Product Name

Product Versions

Security Bulletin

Last Updated

Oria

Oria 4.0, 4.0 SP1
(4.0.39.0, 4.0.112.0)

16-0004-002

2016-05-02

MiVoice5000

5.4, 6.1, 6.2

16-0004-007

2016-03-07

MiVoice5000 Manager

5.4, 6.1, 6.2

16-0004-007

2016-03-07

Mitel5000 Compact

5.4, 6.1, 6.2

16-0004-007

2016-03-07

MiVoice5000 Gateway

2.4, 3.1, 3.2

16-0004-008

2016-03-07

MBG

9.1, 8.1

16-0004-001

2016-03-07

MiCollab AWV

5.0.4.19, 5.0.5.7

16-0004-005

2016-03-07

MiCollab MAS/SAS/vMas

6.0, 7.0

16-0004-006

2016-03-07

MiCollab MCA

5.x, 6.x

16-0004-005

2016-03-07

MiVB-X

7.0

16-0004-004

2016-03-07

MiVoice Business for

-       Industry Standard Server

-       VMware Virtual Appliance

6.0 and earlier

16-0004-003

2016-03-07

MiVoice Business for Stratus

Versions based on RedHat Linux 6.3

16-0004-003

2016-03-07

MiVoice Business for Multi-instance platform - Server Manager

1.2 and earlier

16-0004-003

2016-03-07

NPM

NPM 7 SP1 & SP2 
(17.1.0.11, 17.2.0.3)

16-0004-005

2016-03-07

This list will be updated with additional information as it becomes available.

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02):

Product Name

340w and 342w

6700i, 6800i (Praxis) Series SIP Phones

74XXip (H323 terminal family)

9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones

A1023i

AM7450 Management Center

BluStar 8000i

BluStar Client (PC)

BluStar Server

Centergy Virtual Contact Center

Clearspan (Acme Packet Core SBC)

Clearspan (AudioCodes eSBC / Gateway)

Clearspan (Broadworks Platform)

Clearspan (Edgewater eSBC)

Comdasys Convergence 4675

Comdasys Convergence 6719

Dialog 5446ip, 4XXXip (H323 terminal family)

Enterprise Manager

FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)

FMC Controller for Intelligate

MiCollab NuPoint (Speech Auto Attendant, Unified Messaging)

MiContact Center Live

MiContact Center Office

MiContact Center Outbound

Mitel 700

Mitel Alarm Server

Mitel MMC Android

MiVoice 5602/5603/5604/5606/5607 IP DECT phones (DT390, DT690, DT692, DT292, DT590) (Ascom OEM)

MiVoice 5624 WiFi Phone (Ascom OEM)

MiVoice Conference Unit (UC360)

MiVoice Digital Phones 8528, 8568

MiVoice for Lync

MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)

MiVoice IP Phones 5560, 5505

MiVoice MX-ONE

MiXML server

MX-ONE Manager (Provisioning)

MX-ONE Manager (Telephony System)

MX-ONE Media Gateway Unit

MX-ONE Telephony Server

MiCollab Advanced Messaging

PointSpan

Redirection and Configuration Service (RCS)

S850i (Revolabs OEM)

TA7102i / TA7104i

vMCD

WSM, WSM-3 (CPDM 3) (Ascom OEM)

This list will be updated with additional information as it becomes available.

Products not Affected

The following products have been identified as not being affected as they do not use the affected component (updated 2016-05-02): 

Product Name

Versions

3250

All

5300 series digital

All

5550 IP Console

All

Aastra 1560ip

All

Aastra 2380ip

All

Aastra 5300ip

All

BluStar Android

All

BluStar iOS

All

CMG

All

Comdasys MC Client Android

All

Comdasys MC Client iOS

All

CPU2 / CPU2-S on Mitel 470 Controller

All

CT Gateway

All

D.N.A. Application Suite

All

DECToverIP (Mitel 100 | OpenCom 100))

All

DECToverIP (OC1000)

All

ER Adviser

All

InAttend

All

MiCollab Client (Desktop/Web)

All

MiCollab Mobile Client (Android)

All

MiCollab Mobile Client (iOS)

All

MiContact Center Business

All

MiContact Center Enterprise

All

MiContact Center for Microsoft Lync

All

Mitel 800

All

Mitel MMC iOS

All

Mitel100/OpenComX320

All

MiVoice 5610 DECT Handset and IP DECT Stand

All

MiVoice Business - MCD (PPC)

All

MiVoice Business Console

All

MiVoice Business Dashboard (CSM)

All

MiVoice Call Accounting

All

MiVoice Call Recording

All

MiVoice IP Phones 53xx, 5540

All

MiVoice Office 250 (Mitel 5000)

All

MiVoice Office 400

All

MX-ONE Manager (System Performance)

All

MX-ONE Manager Availability

All

Oaisys Talkument

All

Oaisys Tracer

All

OIG

All

Open Interfaces Platform (OIP, OIP WebAdmin)

All

OpenCom 1000 family

All

OpenPhone 7x IP

All

Secure IP Remote Management SRM

All

SIP-DECT

All

SIP-DECT Open Mobility Manager

All

SIP-DECT with Cloud-ID

All

Solidus eCare

All

SX-200IP ICP

All

Telephony Switch (TSW)

All

Telepo

All

This list will be updated with additional information as it becomes available.

Risk Assessment

The reported vulnerabilities have varied levels of risk.  Mitel considers CVE-2015-8138 to present a moderate risk to environments where NTP time sources are not trusted.

Mitigation / Recommended Action

Please refer to the product-specific Security Bulletins for mitigation and recommendations.  

External References

http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit