Mitel Product Security Advisory 17-0003
Multiple Vulnerabilities in MiVoice Conference/Video Phone (UC360)
Advisory ID: 17-0003
Publish Date: 2017-02-15
Multiple vulnerabilities associated with the use of ADB in the MiVoice Conference/Video Phone have been identified. Successful exploit of these vulnerabilities would allow a malicious actor to gain privileged access and replace system applications.
Credit given to Context IS for working with Mitel to find acceptable solutions for the issues identified.
The MiVoice Conference/Video Phone is a hardware multimedia endpoint running the Android OS and various applications developed for the platform. An Application Debugging Bridge (ADB) is included which is present for debugging purposes.
While the ADB is disabled by default, a malicious actor with influence over the environment could enable the ADB to allow the unauthorized installation or substitution of applications on the device.
Description of the vulnerabilities are provided in Security Bulletin 17-0003-001
The issues identified carry a risk rating of low to high.
Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
ADB access is disabled by default. Customer guidance documentation for the current release (UC360_Admin_R2.1_SP5.pdf) identifies that ADB is reserved for internal use only, and therefore should not be enabled unless otherwise instructed by Mitel support.
ADB can only be enabled via two methods:
- Admin access (password protected) with physical access to the set (contravening guidance)
- DHCP configuration that allows its use (one of the noted vulnerabilities)
A user would need to be tricked into visiting a compromised DHCP server, or the trusted server must be under the control of a malicious actor.
Where the security of the environment is of concern, a user can assign a static IP to remove the DHCP attack vector.
Related CVEs / CWEs / Advisories