Mitel Product Security Advisory 17-0003
Multiple Vulnerabilities in MiVoice Conference/Video Phone (UC360)
Advisory ID: 17-0003
Publish Date: 2017-02-15
Revision: 1.1 (updated 2017-04-03)
Multiple vulnerabilities associated with the use of ADB in the MiVoice Conference/Video Phone have been identified. Successful exploitation of these vulnerabilities would allow a malicious actor to gain privileged access and replace system applications.
Credit given to Context IS for working with Mitel to find acceptable solutions for the issues identified.
The MiVoice Conference/Video Phone is a hardware multimedia endpoint running the Android OS and various applications developed for the platform. An Application Debugging Bridge (ADB) is included for debugging purposes.
While the ADB is disabled by default, a malicious actor with influence over the environment could enable the ADB to allow the unauthorized installation or substitution of applications on the device.
Descriptions of the vulnerabilities are provided in Security Bulletin 17-0003-001.
The issues identified carry a risk rating of low to high.
Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
Firmware version 2.1 SP5 (build 22.214.171.124) has been released to remove the ADB from production releases. See the security bulletin for additional information.
For older firmware versions, ADB access is disabled by default. Customer guidance documentation for the current release (UC360_Admin_R2.1_SP5.pdf) states that ADB is reserved for internal use only and therefore should not be enabled unless otherwise instructed by Mitel support.
ADB can only be enabled via two methods:
- Admin access (password protected) with physical access to the set (contravening guidance)
- DHCP configuration that allows its use (one of the noted vulnerabilities)
For the DHCP method, a user would need to be tricked into connecting to a compromised DHCP server, or the trusted DHCP server must be under the control of a malicious actor.
Where the security of the environment is of concern, a user can assign a static IP to remove the DHCP attack vector.
Related CVEs / CWEs / Advisories