Mitel Product Security Advisory 17-0002

Privilege Escalation / Remote Code Execution Vulnerability in MiVoice Conference/Video Phone (UC360)

Advisory ID: 17-0002
Publish Date: 2017-02-15
Revision: 1.0

Summary

The MiVoice Conference/Video Phone is vulnerable to remote code execution and privilege escalation via the installed web browser application. A malicious media file opened in that browser could compromise the device.

Credit and thanks are extended to Context IS for working with Mitel to find acceptable solutions for the issue identified.

Detailed Description

Stagefright is the name given to a collection of vulnerabilities affecting Android version 2.2 and later, typically exploited through MMS messages. While the MiVoice Conference/Video Phone does not support MMS, it has been determined that a similar vulnerability could be exploited by downloading a malicious media file through the installed web browser.

Risk Assessment

While the likelihood of exploiting the operating environment of the MiVoice Conference/Video Phone is considered low, the impact of a successful exploit is high.

Mitel has also conducted a review of other vulnerabilities associated with the version of the Android OS in use (v2.3.4). No other exploitable vulnerabilities have been identified as of this publication.

Mitigation / Recommended Action

To eliminate the identified attack vector, administrators can disable the web browser in the MiVoice Conference/Video Phone.

A fix for firmware version 2.1.3.12 is under investigation. Customers are advised to update to the newer firmware version once available.

For additional information, contact Product Support.

External References

n/a

Related CVEs / CWEs / Advisories

CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
CVE-2015-3864