Mitel Product Security Advisory-18-0006
Side-Channel Analysis, Spectre Variant 4 and 3a
Advisory ID: 18-0006
First Issue Date: 2018-05-23
Last Updated: 2018-06-26
Revision: 2.0
Summary
On May 21, 2018, researchers disclosed two vulnerabilities that leverage speculative execution capabilities available with many modern processors. These vulnerabilities may allow an unprivileged local attacker to read memory belonging to other processes.
The vulnerabilities are referred to as Spectre Variant 4, (CVE-2018-3639, Speculative Store Bypass) and Spectre Variant 3a (CVE-2018-3640, Rogue System Register Read). Both are variants of the side-channel disclosure attacks disclosed earlier in January 2018.
To successfully exploit these vulnerabilities, the attack vector requires specially crafted malicious code executing on the same processor. Many Mitel products do not support installing custom software and are not directly vulnerable when running on dedicated systems. When running in a shared hosting environment, Mitel products may be impacted by malicious code on the host.
Security updates are being released by processor, operating system and virtualization providers. Early information indicates that security updates to mitigate these vulnerabilities may have negative performance penalties, the extent depending on the specific processor, operating system and application workload. Customers concerned about performance impacts are encouraged to review the available guidance as performance data becomes available. Mitel is investigating performance impacts and will provide further information as available.
Mitel recommends customers apply all available security updates after testing for potential performance impacts. For Mitel products which include the underlying operating system and/or processor, Mitel will be providing product updates.
Mitel is not aware of any active exploits of these vulnerabilities.
Mitel continues to investigate these vulnerabilities and information may change as the investigation continues. This advisory will be updated as information is available.
Affected Products
The following products have been identified as affected
| Product Name | Security Bulletin | Last Updated |
| MiCloud Management Portal | Updates pending | 2018-06-26 |
| MiCollab | Updates pending | 2018-06-26 |
| MiCollab Client | Updates pending | 2018-06-26 |
| Mitel Mass Notification | Updates pending | 2018-06-26 |
| Mitel Open Integration Gateway | Updates pending | 2018-06-26 |
| MiVoice 5000 ISS and Virtual | Updates pending | 2018-06-26 |
| MiVoice Border Gateway | Updates pending | 2018-06-26 |
| MiVoice Business (server, virtual) | Updates pending | 2018-06-26 |
| MiVoice Business Express | Updates pending | 2018-06-26 |
| MiVoice Business Multi-instance | Updates pending | 2018-06-26 |
| MiVoice Connect Virtual, SA100/400 | Updates pending | 2018-06-26 |
| MiVoice Connect Virtual Mobility Router | Updates pending | 2018-06-26 |
| MiVoice MX-ONE (server, virtual) | Updates pending | 2018-06-26 |
| MiVoice MX-ONE Provisioning Manager | Updates pending | 2018-06-26 |
| MiVoice MX-ONE ASU-ll, ASU, ASU Lite | Updates pending | 2018-06-26 |
| MiVoice MX-ONE Express | Updates pending | 2018-06-26 |
Products Not Affected
The following products have been evaluated as not being affected:
| Product Name | Product Versions |
| MiVoice 6900 Series | All |
| MiVoice 6800 SIP Series | All |
| MiVoice 6700 SIP Series | All |
| MiVoice 5300 IP Series | All |
| Mitel 5000 XS, XL, XD Gateways | All |
| MiVoice Business ICP 3300 MX, LX, AX, CX, Mxe | All |
| MiVoice MX-ONE MGU2 | All |
| MiVoice Office 250 HPM | All |
| MiVoice Office 250 PCBA DUAL T1/E1/PRI | All |
| MiVoice Office 415, 430, 470 Controller | All |
| ST, SG24A Voice Switches | All |
| SIP-DECT Basestation RFP 43 WLAN | All |
| SG Half-width Voice Switch | All |
Products Under Investigation
The following Mitel application software products are not directly affected. Mitel continues to investigate these products and recommends customers review the related vendor guidance and apply security updates provided by their operating system, hypervisor and hardware suppliers. Customers are encouraged to review supplier guidance and consider possible negative performance impacts as performance data becomes available.
| Product Name | Product Versions |
| CMG Software Suite | All |
| D.N.A. Application Suite | All |
| ER Adviser | All |
| Mitel InAttend | All |
| MiContact Center Business | All |
| MiContact Center Enterprise | All |
| MiContact Center Office | All |
| MiVoice Call Accounting | All |
| Mitel Management Portal | All |
| MiVoice Call Recording | All |
| MiVoice Connect Headquarters, Windows DVS | All |
| MiVoice 6800 SIP Series | All |
| MiVoice 6700 SIP Series | All |
| MiVoice 5300 IP Series | All |
| MiVoice 5000 ISS and Virtual | All |
| Mitel 5000 XS, XL, XD Gateways | All |
| MiVoice Border Gateway | All |
| MiVoice Business ICP 3300 MX, LX, AX, CX, Mxe | All |
| MiVoice Business (server, virtual) | All |
| MiVoice Business Express | All |
| MiVoice Business Multi-instance | All |
| MiVoice Call Accounting | All |
| MiVoice Call Recording | All |
| MiVoice Connect Headquarters, Windows DVS | All |
| MiVoice Connect Contact Center | All |
| MiVoice Office 470 CPU2-S | All |
| Open Interfaces Platform | All |
| ST 14.2 Headquarters, Windows DVS | All |
| Telepo | All |
Risk Assessment
The risk of these vulnerabilities is deemed to be moderate to low for Mitel products.
Successful exploit requires a local attacker to execute malicious code, requiring an account with privileges to install code or a separate system compromise. Exploit of these vulnerabilities may expose confidential information but is not expected to directly impact the integrity or availability of the system..
Mitigation / Recommended Action
For software not provided by Mitel, Mitel recommends customers apply available security updates as they become available. Customers concerned about performance impacts are encouraged to review the vendor guidance as performance data is available.
For all Mitel desktop and mobile client applications, Mitel recommends customers apply security updates as available for Windows, Mac, iOS and Android hosts and devices running Mitel software.
For Mitel products which include the underlying operating system and/or processor, Mitel will be providing product updates. This advisory will be updated when Mitel product security updates are released.
External References
https://www.us-cert.gov/ncas/alerts/TA18-141A
Related CVEs / CWEs / Advisories
CVE-2018-3640 (Speculative Store Bypass)
CVE-2018-3640 (Rogue System Register Read)
Revision History
| Version | Date | Description |
| 2.0 | 2018-06-26 | Added products impacted and not impacted |
| 1.0 | 2018-05-23 | Initial version |