Mitel Product Security Advisory 17-0011

Vulnerability in MiCollab Microsoft Outlook Plugin

Advisory ID: 17-0011
Publish Date: 2017-10-30
Revision: 1.0

Summary

A vulnerability has been identified in MiCollab Microsoft Outlook Plugin used to share AWV conference invites with Microsoft Outlook meetings. This vulnerability could compromise the security of the user’s account configured for the MiCollab Microsoft Outlook Plugin. Additional risk may arise where the MiCollab deployment uses directory authentication. In all cases, the vulnerability relates exclusively to MiCollab releases 7.3.x and 8.0.x systems, and using the optional MiCollab Microsoft Outlook Plugin to share conference invites. We believe the risk is limited to actions by colleagues working on the same email system as the MiCollab user.

Mitel is recommending customers with affected product versions update to a later release and take additional precautions.

Affected Products

Security Bulletins are being issued for the following products:

Product Name Product Versions Security Bulletin Last Updated
MiCollab 8.0 thru 8.0 FP1
7.3 thru 7.3 PR3
17-0011-001 2017-10-30
MiCollab AWV 8.0 thru 8.0 FP1
6.3 thru 6.3 PR1
   
MiVoice Business Express 8.0 thru 8.0 FP1
7.3 thru 7.3 PR2
   

Risk Assessment

The risk of this vulnerability is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions and follow the additional procedures described in the upgrade technical bulletin.

For MiCollab users that are concerned, the risk is immediately mitigated by simply not using the MiCollab Microsoft Outlook Plugin and changing the password used for the MiCollab Microsoft Outlook Plugin setup. This password should also be changed in any other systems where the user has re-used the same password. As an alternate to the MiCollab Microsoft Outlook Plugin, your organizations’ MiCollab End User Portal may be used for scheduling or updating conferences and meeting web links may be used to join conferences.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.


External References

n/a

Related CVEs / CWEs / Advisories

n/a