Mitel Product Security Advisory 16-0014

Multiple Vulnerabilities in ntpd versions < 4.2.8p8 / < 4.3.93

Advisory ID: 16-0014
Publish Date: 2016-08-02
Revision: 1.0

Summary

Multiple vulnerabilities have been identified in the ntpd versions named above (releases earlier than 4.2.8p8 on the 4.2 stable line and earlier than 4.3.93 on the 4.3 development line).

Detailed Description

CVE-2016-1548 was issued in response to the discovery that an ntp client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntp client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client.

CentOS has issued fixes for CVE-2016-1548 and the following related ntpd vulnerabilities.

CVE-2016-7979
CVE-2016-1547
CVE-2016-1548
CVE-2016-2106
CVE-2016-1550
CVE-2016-2518

MSL is based on the CentOS Linux distribution which is a stable, predictable, manageable and reproducible platform derived from the sources of Red Hat Enterprise Linux (RHEL).

Additional CVEs may be applicable to other products - consult the product Security Bulletins and the External References section for more details.
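A practical first step when triaging this advisory is to inventory which hosts still run an ntpd older than the fixed releases. The script below is an added example, not part of Mitel's advisory or any Mitel tooling: it parses the version banner that `ntpd --version` or `ntpq -c rv` prints (the `ntpd 4.2.6p5@...` form), compares it against the two thresholds stated in the advisory (4.2.8p8 and 4.3.93), and classifies the host. The sample banners are constructed for illustration. One caveat the advisory itself implies: CentOS and Red Hat ship fixes as backported patches under the RHSA referenced below, so on those platforms the package version string may stay below 4.2.8p8 even after the fix is applied; for such hosts, confirm against the errata's package list rather than relying on this version check alone.

```python
import re
from typing import NamedTuple, Optional

# Added example: classify an ntpd version banner against the advisory's fixed releases.
# Thresholds come from the advisory title: fixed in 4.2.8p8 (stable) and 4.3.93 (development).


class NtpVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    patch: int  # the "pN" suffix used on the 4.2.8 line; 0 when absent


# First non-vulnerable release on each line named by the advisory.
FIXED = {
    (4, 2): NtpVersion(4, 2, 8, 8),
    (4, 3): NtpVersion(4, 3, 93, 0),
}

# Matches "ntpd 4.2.6p5@1.2349-o ..." as well as the bare "ntpd 4.3.93" form.
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner: str) -> Optional[NtpVersion]:
    """Extract the ntpd version from a banner line; None if no version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, patch = m.groups()
    return NtpVersion(int(major), int(minor), int(micro), int(patch or 0))


def is_affected(v: NtpVersion) -> Optional[bool]:
    """True if v predates the fixed release on its line, False if at or past it,
    None if v is on a line the advisory does not cover."""
    fixed = FIXED.get((v.major, v.minor))
    if fixed is None:
        return None
    # NamedTuple comparison is lexicographic, which is exactly how ntp
    # versions order: 4.2.8p7 < 4.2.8p8, and 4.2.6p5 < 4.2.8p0.
    return v < fixed


def assess(banner: str) -> str:
    """Return one of: 'affected', 'fixed', 'unknown-line', 'unparsed'."""
    v = parse_ntp_version(banner)
    if v is None:
        return "unparsed"
    verdict = is_affected(v)
    if verdict is None:
        return "unknown-line"
    return "affected" if verdict else "fixed"


# Constructed sample banners (not taken from any real host).
SAMPLE_BANNERS = [
    "ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)",   # older stable: affected
    "ntpd 4.2.8p7@1.3265-o Tue Apr 26 06:11:32 UTC 2016 (1)",   # one patch level short: affected
    "ntpd 4.2.8p8@1.3265-o Mon Jun  6 14:10:22 UTC 2016 (1)",   # first fixed stable release
    'version="ntpd 4.3.92@1.2483-o Mon May  2 2016 (1)"',       # ntpq -c rv style, dev line: affected
    "ntpd 4.3.93@1.2490-o Thu Jun  9 2016 (1)",                 # first fixed dev release
    "chronyd version 2.1.1",                                    # not ntpd at all
]


def assess_all(banners=SAMPLE_BANNERS):
    """Assess each banner; returns a list of (banner, verdict) pairs."""
    return [(b, assess(b)) for b in banners]


if __name__ == "__main__":
    for banner, verdict in assess_all():
        print(f"{verdict:13s} {banner}")
```

Feed the script the captured banner from each host (for example the output of `ntpq -c rv` collected by your inventory tooling) and act on every `affected` result; treat `unparsed` as a host that needs manual inspection rather than one that is safe.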

Affected Products

MSL and other products have been confirmed to use affected ntpd versions.

Security Bulletins are being issued for the following products:

Product Name | Product Versions | Security Bulletin | Last Updated
Mitel Standard Linux (affects MiCollab UCA/NPM/SAS/MAS, MBG, MCD/MiVB, MiVB-X, MiVO400 Virtual Appliance, NuPoint, Oria) | 10.5.9.0.0 and earlier; 10.4.15.0 and earlier; 10.3.39.0 and earlier; 10.1.51.0 and earlier | 16-0014-001 | 2016-08-02
MiCollab AWV | AWV 5.0 (5.0.5.7); AWV 6.1 (6.1.0.28) | 16-0014-002 | 2016-08-02
MiCollab NPM | NPM 7 SP2 (17.2.0.3); NPM 8 SP1 (18.1.0.23) | 16-0014-002 | 2016-08-02
MiCollab Client | 6.0 (6.0.509.0); 7.1 (7.1.0.65) | 16-0014-002 | 2016-08-02
MiVoice Business for VMware Virtual Appliance | All | 16-0014-003 | 2016-08-02
MiVoice Business for Stratus | All versions using RedHat Linux 6.3 | 16-0014-003 | 2016-08-02
MiVoice Business for Industry Standard Server | All | 16-0014-003 | 2016-08-02
MiVoice Business for Multi-instance platform - Server Manager | All | 16-0014-003 | 2016-08-02
MiVoice Border Gateway | All | 16-0014-004 | 2016-08-02


This list will be updated as additional Security Bulletins are published.

Products Under Investigation

All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.

Products not Affected

OpenSSL is not included in Mitel products for use on Microsoft Windows.

Risk Assessment

The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product-specific Security Bulletins for additional statements of risk.

Mitigation / Recommended Action

Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details.

For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.

External References

https://rhn.redhat.com/errata/RHSA-2016-1141.html
http://support.ntp.org/bin/view/Main/SecurityNotice

Related CVEs

CVE-2016-7979
CVE-2016-4957
CVE-2016-4956
CVE-2016-4954
CVE-2016-4953
CVE-2016-2518
CVE-2016-2106
CVE-2016-1548
CVE-2016-1547
CVE-2016-1550