Mitel Product Security Advisory 17-0012

SSRF/XSPA Vulnerability in MiContact Center Business

Advisory ID: 17-0012
Publish Date: 2017-12-08
Revision: 1.0

Summary

A security vulnerability has been identified in MiContact Center Business that permits Server Side Request Forgery (SSRF) and Cross Site Persistent Access (XSPA). It could permit an attacker to supply or modify a URL that code running on the server will then read from or submit data to. This may allow an attacker to read server configuration metadata, or to connect to internal services and internal databases that are not otherwise reachable.

Credit is given to Jamieson O’Reilly of Content Protection (Australia) for identifying this vulnerability and bringing this to our attention.

Affected Products

Security Bulletins are being issued for the following product:

Product Name: MiContact Center Business
Product Versions: 8.0.0.0 thru 8.1.3.0; 7.3 thru 7.3 PR3
Security Bulletin: 17-0012-001
Last Updated: 2017-12-08

Risk Assessment

The risk of this vulnerability is rated as high. Refer to the related product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued an updated release of the affected software. Customers are advised to update their software to the latest version.

An immediate mitigation strategy is to block external access to the web portal, or to disable the chat functionality. However, this will impact chat services provided by this unit.
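The permanent fix for an SSRF of the kind described in the Summary is a server-side check on any user-supplied URL before the server fetches it. The following is an added illustration of such a check and is not Mitel's code: it refuses non-HTTP schemes, embedded credentials, and any host that resolves to a loopback, private, link-local (including the 169.254.169.254 metadata range) or otherwise internal address. Function names and the sample hosts are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname or IP literal to the set of addresses it maps to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def static_resolver(table):
    """Build a resolver from a host -> [ip strings] dict (offline/test use)."""
    return lambda host: {ipaddress.ip_address(a) for a in table.get(host, [])}


def is_internal_address(ip):
    """True for any address a server-side fetch must never be pointed at."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 checks apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a URL the server has been asked to fetch.

    Every address the host resolves to is checked, so a name with one public
    and one internal record is refused. The caller must then connect to one
    of the checked addresses rather than re-resolving the name, otherwise a
    DNS change between check and fetch (rebinding) defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve"
    for ip in sorted(addresses, key=str):
        if is_internal_address(ip):
            return False, "host resolves to internal address %s" % ip
    return True, "ok"
```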

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.


External References

Server side request forgery

Related CVEs / CWEs / Advisories

CWE-918