Advisory ID: 19-0009
First Issue Date: 2019-12-27
Last Updated: 2019-12-27
An encryption key vulnerability in Mitel SIP-DECT phones could allow an attacker to launch a man-in-the-middle attack. A successful exploit may allow the attacker to intercept sensitive information. A successful exploit requires a primary compromise of the internal wired corporate network and a man-in-the-middle position (CVE-2019-19891).
Credit is given to Bianco Veigel, Chaos Computer Club/Event Phone, for highlighting this issue and bringing it to our attention.
Mitel is recommending customers with affected product versions update to the latest release.
Security Bulletins are being issued for the following products:
| Product Name | Product Versions | Security Bulletin | Last Updated |
|---|---|---|---|
| Mitel SIP-DECT | Firmware 8.1 and 8.0 | 19-0009-001 | 2019-12-27 |
The risk for this vulnerability is rated as High to Moderate. Refer to Mitigation actions and Security Bulletin for additional statements regarding risk.
Mitel advises customers that the risk may be further reduced by following best practices to secure their internal wired networks, including the use of appropriate firewalls and network segmentation, controls to detect rogue devices on the internal network, and enabling 802.1x to prevent the connection of rogue devices.
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.