Mitel Product Security Advisory 16-0007

glibc: getaddrinfo stack-based buffer overflow (CVE-2015-7547)

Advisory ID: 16-0007
Publish Date: 2016-02-25
Revision: 1.3 (updated 2016-05-02)

Summary

The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.

Detailed Description

A stack-based buffer overflow was found in libresolv in the code which performs dual A/AAAA DNS queries. A remote attacker could create specially crafted DNS responses which could cause libresolv to crash or potentially execute code with the permissions of the user running the library. The buffer overflow occurs in the functions send_dg (for UDP queries) and send_vc (for TCP queries) in libresolv. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw has been assigned CVE-2015-7547.

Affected Products

The following products have been identified as being affected (updated 2016-05-02):

Product Name | Product Versions | Security Bulletin | Last Updated

Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) | 16-0007-009 | 2016-05-02

MiCollab AWV | 6.0.0.61 and earlier; 5.0.5.7 and earlier; 5.0.4.19 and earlier | 16-0007-003 | 2016-03-07

MiCollab Client | 6.0 SP4 and earlier | 16-0007-004 | 2016-03-07

Mitel Standard Linux (MSL) | MSL 10.4.12.0 and earlier; MSL 10.3.37.0 and earlier; MSL 10.1.48 and earlier; MSL 10.0.x | 16-0007-001 | 2016-03-07

Mitel Border Gateway (MBG) | All versions 9.2 and earlier running affected MSL | 16-0007-001 | 2016-03-07

MiVoice Business for Industry Standard Server and VMware Virtual Appliance | 6.0 and earlier | 16-0007-006 | 2016-03-07

MiVoice Business for Stratus | Versions based on RedHat Linux 6.3 | 16-0007-006 | 2016-03-07

MiVoice Business for Multi-instance platform - Server Manager | 1.2 and earlier | 16-0007-006 | 2016-03-07

MiVB-X | 7.0.0.102 and earlier; 6.0.207.0 and earlier | 16-0007-008 | 2016-04-08

MX-ONE, MiVoice MX-ONE, MiVoice MX-ONE Express, Mitel 700 | 6.0 SP2 and 6.1 (SLES 11 SP3/SP4) | 16-0007-002 | 2016-03-07

NPM | NPM 8 (18.0.0.49) and earlier; NPM 7 SP2 (17.2.0.3) and earlier; NPM 7 SP1 (17.1.0.11) and earlier | 16-0007-007 | 2016-03-07

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02):

Product Name

3000 Communications System

340w and 342w

6700i, 6800i (Praxis) Series SIP Phones

74XXip (H323 terminal family)

9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones

A1023i

BluStar 8000i

BluStar Android

BluStar iOS

Clearspan (AudioCodes eSBC / Gateway)

Clearspan (Edgewater eSBC)

Comdasys Convergence 4675

Comdasys Convergence 6719

Comdasys MC Client Android

Comdasys MC Client iOS

Dialog 5446ip, 4XXXip (H323 terminal family)

Enterprise Manager

FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)

FMC Controller for Intelligate

MiCollab (MAS) / (SAS) / vMAs

MiCollab (MCA)

MiCollab Advanced Messaging

MiContact Center Live

MiContact Center Office

MiContact Center Outbound

Mitel Alarm Server

Mitel MMC Android

Mitel MMC iOS

Mitel5000 Compact

Mitel5000 Gateway

MiVoice 5602/5603/5604/5606/5607 IP DECT phones (DT390, DT690, DT692, DT292, DT590) (Ascom OEM)

MiVoice 5624 WiFi Phone (Ascom OEM)

MiVoice Business Dashboard (CSM)

MiVoice Conference Unit (UC360)

MiVoice Digital Phones 8528, 8568

MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)

MiVoice IP Phones 53xx, 5540

MiVoice IP Phones 5560, 5505

MiVoice Office 400 Virtual Appliance

MiVoice5000

MiVoice5000 Manager

MiXML server

Multi-Instance Communications Director (MiCD)

NuPoint UM (Standalone)

OIG

Redirection and Configuration Service (RCS)

S850i (Revolabs OEM)

TA7102i / TA7104i

Virtual MiVoice Communications Director (vMCD)

WSM, WSM-3 (CPDM 3) (Ascom OEM)

This list will be updated with additional information as it becomes available.

Products not Affected

The following products have been identified as not being affected as they do not use the affected component (updated 2016-05-02):

Product Name | Versions

3250 | All

5300 series digital | All

5550 IP Console | All

Aastra 1560ip | All

Aastra 2380ip | All

Aastra 5300ip | All

BluStar Client (PC) | All

BluStar Server | All

Centergy Virtual Contact Center | All

Clearspan (Acme Packet Core SBC) | All

Clearspan (Broadworks Platform) | All

CMG | All

CPU2 / CPU2-S on Mitel 470 Controller | All

CT Gateway | All

D.N.A. Application Suite | All

DECToverIP (Mitel 100 | OpenCom 100) | All

DECToverIP (OC1000) | All

ER Adviser | All

InAttend | All

MiCollab Client (Desktop/Web) | All

MiCollab Mobile Client (Android) | All

MiCollab Mobile Client (iOS) | All

MiContact Center Business | All

MiContact Center Enterprise 9.1 | All

MiContact Center for Microsoft Lync | All

MiContact Center Solidus 9.0 SP1 | All

Mitel 800 | All

Mitel100/OpenComX320 | All

MiVoice 5610 DECT Handset and IP DECT Stand | All

MiVoice Business - MCD (PPC) | All

MiVoice Business - MXe Server | All

MiVoice Business Console | All

MiVoice Call Accounting | All

MiVoice Call Recording | All

MiVoice for Lync | All

MiVoice Office 250 (Mitel 5000) | All

MiVoice Office 400 | All

Oaisys Talkument | All

Oaisys Tracer | All

Open Interfaces Platform (OIP, OIP WebAdmin) | All

OpenCom 1000 family | All

OpenPhone 7x IP | All

PointSpan | All

Secure IP Remote Management SRM | All

SIP-DECT | All

SIP-DECT Open Mobility Manager | All

SIP-DECT with Cloud-ID | All

Solidus eCare 8.3 SP4 | All

SX-200IP ICP | All

Telephony Switch (TSW) | All

Telepo | All

This list will be updated with additional information as it becomes available.

Risk Assessment

CVE-2015-7547 is rated as having moderate risk, in that it can create a complete denial of service on the vulnerable system, or potentially allow for the execution of unauthorized code.

Mitigation / Recommended Action

As per the vendor advisory:

This vulnerability can be “mitigated by using a trusted, protocol-compliant DNS resolver on a trusted network. A compliant resolver will not produce the kind of oversized responses which are necessary to exploit this vulnerability because by default, the glibc resolver does not enable EDNS0 and does not request large responses.

The TCP-based vector could be mitigated by a trusted recursive resolver on a trusted network which limits the size of individual DNS responses to 1023 bytes and below. However, such a capability is not common in DNS resolver implementations because it breaks the DNS protocol. (The buffer size configuration option offered by most resolvers only applies to UDP, not TCP.)

Rejecting AAAA responses, without also limiting the size of A responses, does not mitigate the vulnerability. Disabling IPv6 support on affected systems does not mitigate the vulnerability because the dual A/AAAA lookups are performed even if the system lacks IPv6 support.”
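The mitigation quoted above rests on response size, not record type: a resolver that never produces oversized answers starves the bug of its input, and filtering AAAA alone does nothing if an A-only answer can still be large. The following Python is an added example, not code from Mitel, Red Hat or the glibc project, showing how a network monitor could flag DNS responses larger than an unpatched glibc resolver should ever legitimately receive. It assumes two thresholds: 512 bytes for UDP (the RFC 1035 limit that applies because, as the advisory says, glibc does not enable EDNS0) and the 1023-byte per-response cap the advisory describes for the TCP vector. The host name and the answers are constructed sample data, and the minimal wire-format builder exists only to produce those samples offline.

```python
"""Added example: flag DNS responses that exceed the sizes a non-EDNS0
glibc resolver should receive (thresholds assumed from the advisory text)."""
import struct

UDP_MAX_NO_EDNS0 = 512     # RFC 1035 UDP limit when the query carries no EDNS0 OPT record (assumption)
TCP_MITIGATION_MAX = 1023  # per-response cap the advisory describes for the TCP vector

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Encode a dotted host name in DNS wire (label) format."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return labels + b"\x00"


def build_response(ident, qname, qtype, rdatas):
    """Build a constructed DNS response: one question plus len(rdatas) answers
    of type qtype, each answer naming the question via a compression pointer."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    msg = struct.pack("!6H", ident, flags, 1, len(rdatas), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    for rdata in rdatas:
        msg += b"\xc0\x0c"  # pointer to offset 12, where the question name starts
        msg += struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata  # TYPE, CLASS, TTL, RDLENGTH
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def check_response(transport, msg):
    """Return (oversized, reason) for one DNS message received over 'udp' or 'tcp'.
    The check is deliberately type-agnostic: an A-only answer is judged by the
    same size limit as an AAAA answer."""
    if transport not in ("udp", "tcp"):
        raise ValueError("transport must be 'udp' or 'tcp'")
    hdr = parse_header(msg)
    if not hdr["qr"]:
        return False, "not a response"
    limit = UDP_MAX_NO_EDNS0 if transport == "udp" else TCP_MITIGATION_MAX
    if len(msg) > limit:
        return True, (f"{transport} response of {len(msg)} bytes exceeds the "
                      f"{limit}-byte limit (ancount={hdr['ancount']})")
    return False, f"{transport} response of {len(msg)} bytes is within the {limit}-byte limit"


def demo():
    """Run the check over constructed responses and return the verdicts."""
    qname = "host.example.test"  # constructed name, not a real host
    small_a = build_response(0x1234, qname, TYPE_A,
                             [bytes([192, 0, 2, i]) for i in range(1, 6)])
    big_aaaa = build_response(0x1234, qname, TYPE_AAAA,
                              [struct.pack("!8H", 0x2001, 0xDB8, 0, 0, 0, 0, 0, i)
                               for i in range(1, 41)])
    big_a_only = build_response(0x1234, qname, TYPE_A,
                                [bytes([192, 0, 2, i]) for i in range(1, 41)])
    return {
        "small_a_udp": check_response("udp", small_a),
        "big_aaaa_udp": check_response("udp", big_aaaa),
        "big_a_only_udp": check_response("udp", big_a_only),   # no AAAA records, still oversized
        "big_aaaa_tcp": check_response("tcp", big_aaaa),
        "big_a_only_tcp": check_response("tcp", big_a_only),   # under the 1023-byte TCP cap
    }


if __name__ == "__main__":
    for name, (oversized, reason) in demo().items():
        print(f"{name:16} {'FLAG' if oversized else 'ok  '} {reason}")
```

The A-only sample is the point the advisory makes in its last paragraph: it carries no AAAA record yet still exceeds the UDP limit, so a filter keyed on record type would pass it while a size check catches it. In a real deployment the message bytes would come from a capture or a resolver log rather than from build_response, and a flagged response is a signal to verify that the receiving hosts run a patched glibc.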

External References

https://access.redhat.com/articles/2161461