Mitel Product Security Advisory 16-0013

Multiple Vulnerabilities in OpenSSL

Advisory ID: 16-0013
Publish Date: 2016-07-05
Revision: 1.01

Summary

Multiple vulnerabilities have been identified in specific versions of OpenSSL.

Detailed Description

The following CVEs have been issued against specific versions of the OpenSSL 1.0.1 and 1.0.2 cryptographic libraries:

CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176

Four of these vulnerabilities are rated as moderate or high risk in their CVE entries:

CVE-2016-0799
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

CVE-2016-2108
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

CVE-2016-2109
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

CVE-2016-2842
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
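The four CVE descriptions above each name the first fixed release on the 1.0.1 and 1.0.2 branches. The following Python script is an added example, not part of Mitel's advisory and not OpenSSL's or Mitel's code: it parses an `openssl version` string and reports which of those four CVEs the installed release predates, using only the fixed versions stated in the descriptions above. It assumes the OpenSSL 1.0.x patch-letter scheme (1.0.2c < 1.0.2g < 1.0.2h, with `z` followed by `za`, `zb`, ...), which plain string comparison of the letter suffix preserves; the other CVEs in this advisory are not assessed because the advisory gives no fixed version for them.

```python
"""Report which of the advisory's four detailed CVEs an OpenSSL build predates.

Added example; the fixed versions below are taken from the CVE descriptions
in the advisory, nothing else is assumed about the build.
"""
import re
import subprocess

# First fixed release per branch, as stated in the advisory's CVE descriptions.
# A version strictly below the fixed release on its own branch is unpatched.
FIXED_IN = {
    "CVE-2016-0799": {"1.0.1": "1.0.1s", "1.0.2": "1.0.2g"},
    "CVE-2016-2842": {"1.0.1": "1.0.1s", "1.0.2": "1.0.2g"},
    "CVE-2016-2108": {"1.0.1": "1.0.1o", "1.0.2": "1.0.2c"},
    "CVE-2016-2109": {"1.0.1": "1.0.1t", "1.0.2": "1.0.2h"},
}

# Matches "1.0.2g" inside strings such as "OpenSSL 1.0.2g  1 Mar 2016"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013" (the letters stop at the dash).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letters) so that tuples compare in release order.

    Letter suffixes are compared as strings: "" < "a" < ... < "z" < "za" < "zb",
    which is the order OpenSSL 1.0.x used for patch releases.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def branch_of(version):
    """'1.0.2' for (1, 0, 2, 'g'): the branch the advisory's fixed versions key on."""
    return f"{version[0]}.{version[1]}.{version[2]}"


def assess(version_text):
    """Return {'version', 'branch', 'assessed', 'missing'} for a version string.

    'assessed' is False when the advisory names no fixed release for the
    branch (e.g. 1.1.0), so an empty 'missing' list must not be read as safe.
    """
    v = parse_version(version_text)
    branch = branch_of(v)
    missing = []
    assessed = False
    for cve, fixes in sorted(FIXED_IN.items()):
        fixed = fixes.get(branch)
        if fixed is None:
            continue
        assessed = True
        if v < parse_version(fixed):
            missing.append(cve)
    return {
        "version": f"{branch}{v[3]}",
        "branch": branch,
        "assessed": assessed,
        "missing": missing,
    }


def unpatched_cves(version_text):
    """Convenience wrapper: the list of advisory CVEs the build predates."""
    return assess(version_text)["missing"]


if __name__ == "__main__":
    # Query the local toolkit; the system library an application links may differ.
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    result = assess(out.stdout)
    if not result["assessed"]:
        print(f"{result['version']}: branch not covered by this advisory's fixed versions")
    elif result["missing"]:
        print(f"{result['version']} predates fixes for: {', '.join(result['missing'])}")
    else:
        print(f"{result['version']}: at or above every fixed version named in the advisory")
```

Two caveats when using a check like this on a real host: distribution vendors frequently backport fixes without changing the version letter (a "1.0.1e-fips" reported by an enterprise distribution may already carry these patches), so a version-based result is only a prompt to confirm against the vendor's package changelog; and `openssl version` reports the command-line toolkit, which is not necessarily the library a given product or appliance links against.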

Affected Products

Mitel is not aware of any specific products being vulnerable. However, all Linux and MSL-based products that include the OpenSSL library are potentially affected.

Security Bulletins are being issued for the following products:

Product Name / Product Versions / Security Bulletin / Last Updated

MiCollab AWV
  Product Versions:  AWV 6.1 (6.1.0.28); AWV 6.0 (6.0.0.61); AWV 5.0 (5.0.5.7)
  Security Bulletin: 16-0013-001
  Last Updated:      2016-07-05

MiCollab Client
  Product Versions:  7.1; 7.0; 6.0 and earlier
  Security Bulletin: 16-0013-001
  Last Updated:      2016-07-05

MiCollab NPM
  Product Versions:  NPM 8 SP1 (18.1.0.23); NPM 8 (18.0.0.49); NPM 7 SP2 (17.2.0.3)
  Security Bulletin: 16-0013-001
  Last Updated:      2016-07-05

Mitel Standard Linux
  Product Versions:  10.5.50.0 and earlier; 10.4.15.0 and earlier; 10.3.39.0 and earlier; 10.1.50.0 and earlier
  Security Bulletin: 16-0013-003
  Last Updated:      2016-07-05

MiVoice Business for Industry Standard Server, VMware Virtual Appliance, Multi-instance platform, 3300 Controllers
  Product Versions:  All
  Security Bulletin: 16-0013-002
  Last Updated:      2016-07-05

MiVoice Business for Stratus
  Product Versions:  All
  Security Bulletin: 16-0013-002
  Last Updated:      2016-07-05

Server Manager for MiVoice Business for Industry Standard Server, VMware Virtual Appliance, Multi-instance platform
  Product Versions:  All
  Security Bulletin: 16-0013-002
  Last Updated:      2016-07-05


This list will be updated as additional Security Bulletins are published.

Products Under Investigation

All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.

Products not Affected
OpenSSL is not included in Mitel products for use on Microsoft Windows.

Risk Assessment
The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product-specific Security Bulletins for additional statements of risk.

Mitigation / Recommended Action
Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details. For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.

External References
https://openssl.org/news/secadv/20160503.txt

Related CVEs / Advisories
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
CVE-2016-2842