Mitel MiVoice 6800 and 6900 SIP series phones weak authentication vulnerability
Advisory ID: 19-0001
Publish Date: 2019-03-19
Last Updated: 2019-03-19
A vulnerability in the validation functionality for server certificates has been identified in Mitel MiVoice 6800 and 6900 SIP series phones, which could allow an attacker with a man-in-the-middle position to access sensitive information. Successful exploitation requires a primary compromise of the gateway or internal corporate networking and a man-in-the-middle position.
This vulnerability was privately reported to Mitel. At the time of publishing, Mitel is not aware of customers that have been impacted by this vulnerability.
Mitel is recommending customers with affected product versions update to the latest release.
Credit is given to Alexander Traud, an independent security researcher, for highlighting this issue and bringing it to our attention.
The following products have been identified as affected:
| Product Name | Product Versions | Security Bulletin | Last Updated |
|---|---|---|---|
| Mitel MiVoice SIP 6863i, 6865i, 6867i, 6869i, 6873i, 6920, 6930, 6940 | 22.214.171.1249 SP1 HF2 and earlier | 19-0001-001 | 2019-03-19 |
The overall risk of this vulnerability is considered moderate to low for secure corporate networks.
Refer to the product Security Bulletin(s) for additional statements regarding risk.
Mitigation / Recommended Action
Customers are recommended to deploy appropriate network security controls.
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
N/A
Related CVEs / CWEs / Advisories