MiVoice 5300 IP Series Phone Denial of Service Vulnerability
Advisory ID: 18-0009
First Issue Date: 2018-09-25
Last Updated: 2018-09-25
A denial of service vulnerability has been identified in the MiVoice 5300 IP Series phones. If exploited, this can lead to memory corruption and resulting loss of availability for the phone while the attack is sustained. Mitigating factors are that the attacker must be able to send specially crafted SIP/SDP messages to the phone, typically requiring access to the internal corporate voice traffic vLAN.
The vulnerability was reported directly to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.
Credit is given to Mattia Reggiani of the NCC Group for highlighting this issue and bringing it to our attention.
A Security Bulletin is being issued for the following product:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|MiVoice 5300 IP Series||126.96.36.199 and earlier||18-0009-001||2018-09-25|
The risk of this vulnerability is rated as low to moderate.
Successfully exploiting this vulnerability will allow an attacker to perform a denial of service for the phone while the attack is sustained. When the attack ceases, the phone will re-boot and the user can log in and resume service. The confidentiality and integrity of the phone is not impacted.
Mitigation / Recommended Action
For customers operating the MiVoice 5300 IP Series phones in MiNet, Mitel recommends updating to the latest release. Customers using the legacy application Unified Communicator Express must also upgrade to MiCollab to resolve this issue.
For customers choosing to use SIP mode, Mitel recommends enabling TLS. Mitel also recommends that customers operating in SIP mode, consider upgrading to the MiVoice 6800 SIP Series phones.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
Related CVEs / CWEs / Advisories