Mitel Product Security Advisory 16-0014
Multiple Vulnerabilities in ntpd versions < 4.2.8p8 / < 4.3.93
Advisory ID: 16-0014
Publish Date: 2016-08-02
Multiple vulnerabilities have been identified in specific versions of ntpd identified above.
CVE-2016-1548 was issued in response to the discovery that an ntp client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntp client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client.
CentOS has issued fixes for CVE-2016-1548 and the following related ntpd vulnerabilities.
MSL is based on the CentOS Linux distribution which is a stable, predictable, manageable and reproducible platform derived from the sources of Red Hat Enterprise Linux (RHEL).
Additional CVEs may be applicable to other products - consult the product Security Bulletins and External Links section for more details.
MSL and other products have been confirmed to use affected ntpd versions.
Security Bulletins are being issued for the following products:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|Mitel Standard Linux
(affects MiCollab UCA/NPM/SAS/MAS,
MBG, MCD/MiVB, MiVB-X, MiVO400
Virtual Appliance, NuPoint, Oria)
|10.5.9.0.0 and earlier
10.4.15.0 and earlier
10.3.39.0 and earlier
10.1.51.0 and earlier
|MiCollab AWV||AWV 5.0 (18.104.22.168)
AWV 6.1 (22.214.171.124)
|MiCollab NPM||NPM 7 SP2 (126.96.36.199)
NPM 8 SP1 (188.8.131.52)
|Micollab Client||6.0 (6.0.509.0)
|MiVoice Business for VMware Virtual
|MiVoice Business for Stratus||All versions using
RedHat Linux 6.3
|MiVoice Business for Industry Standard
|MiVoice Business for Multi-instance
platform - Server Manager
|MiVoice Border Gateway||All||16-0014-004||2016-08-02|
This list will be updated as additional Security Bulletins are published.
Products Under Investigation
All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.
Products not Affected
OpenSSL is not included in Mitel products for use on Microsoft Windows.
The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product specific Security Bulletins for additional statements of risk.
Mitigation / Recommended Action
Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details.
For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.