NTPD Vulnerabilities

Advisory ID: 16-0004
Publish Date: 2016-03-07
Revision: 1.1 (updated 2016-05-02)


Multiple low and medium-risk vulnerabilities were identified in an open source NTP package used by certain Mitel products.

Detailed Description

It was discovered that in some cases, ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntp client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client, which could result in a denial of service.
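The origin-timestamp check described above, as an added example that is not code from ntpd or from Mitel: a client accepts a server reply only when its originate timestamp equals the transmit timestamp of the request still outstanding. The struct, function names and sample timestamp are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_LEN     48  /* fixed header, no extension fields or MAC */
#define OFF_ORIGIN  24  /* originate timestamp: bytes 24..31 */
#define MODE_SERVER 4

enum verdict { PKT_OK, PKT_SHORT, PKT_BAD_MODE, PKT_NO_REQUEST, PKT_BOGUS_ORIGIN };
/* Hypothetical client state: transmit timestamp of the single outstanding
 * request, all zeros when nothing is pending. */
struct assoc { uint8_t sent_xmt[8]; };

static int is_zero8(const uint8_t *p) {
    static const uint8_t zero[8];
    return memcmp(p, zero, 8) == 0;
}

void note_request(struct assoc *a, const uint8_t xmt[8]) { memcpy(a->sent_xmt, xmt, 8); }

enum verdict check_reply(struct assoc *a, const uint8_t *pkt, size_t len) {
    if (len < NTP_LEN) return PKT_SHORT;
    if ((pkt[0] & 0x07) != MODE_SERVER) return PKT_BAD_MODE;
    /* Nothing pending: reject, so an all-zero origin cannot match the cleared state. */
    if (is_zero8(a->sent_xmt)) return PKT_NO_REQUEST;
    /* Mismatch: drop the packet but keep the state so the genuine reply still passes. */
    if (memcmp(pkt + OFF_ORIGIN, a->sent_xmt, 8) != 0) return PKT_BOGUS_ORIGIN;
    memset(a->sent_xmt, 0, 8);  /* accept once; duplicates and replays now fail */
    return PKT_OK;
}

/* Build a constructed mode-4 reply carrying the given origin timestamp. */
void make_reply(uint8_t pkt[NTP_LEN], const uint8_t origin[8]) {
    memset(pkt, 0, NTP_LEN);
    pkt[0] = (4 << 3) | MODE_SERVER;  /* LI=0, VN=4, Mode=4 */
    memcpy(pkt + OFF_ORIGIN, origin, 8);
}

int main(void) {
    const uint8_t xmt[8] = {0xDA,0x87,0x65,0x43,0x12,0x34,0x56,0x78};  /* constructed */
    const uint8_t zero[8] = {0};
    struct assoc a = {{0}};
    uint8_t pkt[NTP_LEN];
    note_request(&a, xmt);
    make_reply(pkt, zero); printf("zero origin: %d\n", check_reply(&a, pkt, sizeof pkt));
    make_reply(pkt, xmt);  printf("genuine:     %d\n", check_reply(&a, pkt, sizeof pkt));
    make_reply(pkt, zero); printf("zero, idle:  %d\n", check_reply(&a, pkt, sizeof pkt));
    return 0;
}
```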

Affected Products

The following products have been identified as being affected (updated 2016-05-02):

Product Name  Product Versions  Security Bulletin  Last Updated
Oria  Oria 4.0, 4.0 SP1  16-0004-002  2016-05-02
5.4, 6.1, 6.2  16-0004-007  2016-03-07
MiVoice5000 Manager  5.4, 6.1, 6.2
Mitel5000 Compact  5.4, 6.1, 6.2  16-0004-007  2016-03-07
MiVoice5000 Gateway  2.4, 3.1, 3.2
9.1, 8.1  16-0004-001  2016-03-07
MiCollab AWV, MiCollab MAS/SAS/vMas  6.0, 7.0
MiCollab MCA  5.x, 6.x
MiVoice Business for Industry Standard Server and VMware Virtual Appliance  6.0 and earlier
MiVoice Business for Stratus  Versions based on RedHat Linux 6.3  16-0004-003
MiVoice Business for Multi-instance platform - Server Manager  1.2 and earlier
NPM 7 SP1 & SP2


This list will be updated with additional information as it becomes available.

Products Under Investigation

The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02):

Product Name
340w and 342w

6700i, 6800i (Praxis) Series SIP Phones

74XXip (H323 terminal family)

9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones


AM7450 Management Center

BluStar 8000i

BluStar Client (PC)

BluStar Server

Centergy Virtual Contact Center

Clearspan (Acme Packet Core SBC)

Clearspan (AudioCodes eSBC / Gateway)

Clearspan (Broadworks Platform)

Clearspan (Edgewater eSBC)

Comdasys Convergence 4675

Comdasys Convergence 6719

Dialog 5446ip, 4XXXip (H323 terminal family)

Enterprise Manager

FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)

FMC Controller for Intelligate

MiCollab NuPoint (Speech Auto Attendant, Unified Messaging)

MiContact Center Live

MiContact Center Office

MiContact Center Outbound

Mitel 700

Mitel Alarm Server

Mitel MMC Android

MiVoice 5602/5603/5604/5606/5607 IP DECT phones (DT390, DT690, DT692, DT292, DT590) (Ascom OEM)

MiVoice 5624 WiFi Phone (Ascom OEM)

MiVoice Conference Unit (UC360)

MiVoice Digital Phones 8528, 8568

MiVoice for Lync

MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)

MiVoice IP Phones 5560, 5505

MiVoice MX-ONE

MiXML server

MX-ONE Manager (Provisioning)

MX-ONE Manager (Telephony System)

MX-ONE Media Gateway Unit

MX-ONE Telephony Server

MiCollab Advanced Messaging


Redirection and Configuration Service (RCS)

S850i (Revolabs OEM)

TA7102i / TA7104i


WSM, WSM-3 (CPDM 3) (Ascom OEM)

This list will be updated with additional information as it becomes available.

Products not Affected

The following products have been identified as not being affected as they do not use the affected component (updated 2016-05-02):

Product Name


5300 series digital

5550 IP Console

Aastra 1560ip

Aastra 2380ip

Aastra 5300ip

BluStar Android

BluStar iOS


Comdasys MC Client Android

Comdasys MC Client iOS

CT Gateway

D.N.A. Application Suite

DECToverIP (Mitel 100 | OpenCom 100)

DECToverIP (OC1000)

ER Adviser


MiCollab Client (Desktop/Web)

MiCollab Mobile Client (Android)

MiCollab Mobile Client (iOS)

MiContact Center Business

MiContact Center Enterprise

MiContact Center for Microsoft Lync

Mitel 800

Mitel MMC iOS

MiVoice Business - MCD (PPC)

MiVoice 5610 DECT Handset and IP DECT Stand

MiVoice Business Console

MiVoice Business Dashboard (CSM)

MiVoice Call Accounting

MiVoice Call Recording

MiVoice IP Phones 53xx, 5540

MiVoice Office 250 (Mitel 5000)

MiVoice Office 400

MX-ONE Manager (System Performance)

MX-ONE Manager Availability

Oaisys Talkument

Oaisys Tracer


Open Interfaces Platform (OIP, OIP WebAdmin)

OpenCom 1000 family

OpenPhone 7x IP

Secure IP Remote Management SRM


SIP-DECT Open Mobility Manager

SIP-DECT with Cloud-ID

Solidus eCare


Telephony Switch (TSW)


This list will be updated with additional information as it becomes available.

Risk Assessment

The reported vulnerabilities have varied levels of risk.  Mitel considers CVE-2015-8138 to present a moderate risk to environments where NTP time sources are not trusted.

Mitigation / Recommended Action

Please refer to the product-specific Security Bulletins for mitigation and recommendations.  

External References


