Mitel Product Security Advisory 17-0002
Privilege Escalation / Remote Code Execution Vulnerability in MiVoice Conference/Video Phone (UC360)
Advisory ID: 17-0002
Publish Date: 2017-02-15
The MiVoice Conference/Video Phone is vulnerable to remote code execution and privilege escalation via the installed web browser application. A malicious media file opened in the installed web browser application could compromise the device.
Credit and thanks are extended to Context IS for working with Mitel to find acceptable solutions for the issue identified.
Stagefright is the name given to a collection of vulnerabilities in the Android media processing library (libstagefright), affecting Android version 2.2 and later. They are typically exploited through MMS, because handsets automatically fetch and parse media attachments. While the MiVoice Conference/Video Phone does not support MMS, it has been determined that a similar vulnerability could be exploited by downloading a malicious media file through the installed web browser.
While the likelihood of exploitation in the operating environment of the MiVoice Conference/Video Phone is considered low, the impact of a successful exploit is high.
Mitel has also conducted a review of other vulnerabilities associated with the version of the Android OS in use (v 2.3.4). No other exploitable vulnerabilities have been identified as of this publication.
Mitigation / Recommended Action
To eliminate the identified attack vector, administrators can disable the web browser in the MiVoice Conference/Video Phone.
A fix for firmware version 220.127.116.11 is under investigation. Customers are advised to update to the fixed firmware version once it is available.
For additional information, contact Product Support.
Related CVEs / CWEs / Advisories