Advisory ID: 19-0006
First Issue Date: 2019-11-22
Last Updated: 2019-11-22
A key length vulnerability in the implementation of the SRTP 128-bit key in Mitel MiVoice 6800 and 6900 SIP series phones, could allow an attacker with a man-in-the-middle position to access sensitive information, when SRTP is used in a call. Successful exploit requires a primary compromise of the gateway or internal corporate networking and a man-in-the-middle position.
This vulnerability was privately reported to Mitel. At time of publishing, Mitel is not aware of customers that have been impacted by this vulnerability.
Mitel is recommending customers with affected product versions update to the latest release.
Credit is given to Alexander Traud, an independent Security Researcher for highlighting this issue and bringing this to our attention.
Security Bulletins are being issued for the following products:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|Mitel MiVoice SIP 6863i, 6865i, 6867i, 6869i, 6873i, 6920, 6930, 6940||Firmware 126.96.36.1991 SP2 HF2 and earlier||19-0006-001||2019-11-22|
The overall risk of this vulnerability is considered moderate to low for secure corporate networks. Refer to the product Security Bulletins for additional statements regarding risk.
Customers are recommended to deploy appropriate network security controls.
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.