Mitel Product Security Advisory 20-0014

Mitel MiVoice SIP and MiNet Phones Bluetooth Auto Pair Vulnerability

Advisory ID: 20-0014

Publish Date: 2020-11-02

Last Updated: 2020-11-02

Revision: 1.0

 

Summary

Bluetooth enabled handsets of Mitel MiVoice 6940, 6930 and 6873i SIP and MiNet phones could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when the phone handset loses connection. This is possible due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.

Mitel is recommending customers with affected product versions to update to the latest release.

 

 

Affected Products

 

 

 

Risk Assessment

The risk for this vulnerability is rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

 

To successfully exploit this vulnerability the attacker’s device must be in proximity (within Bluetooth range) of two vulnerable Bluetooth devices. In addition, the attacker must successfully execute a Man-in-the-Middle attack within a narrow time window while both vulnerable devices are initiating Bluetooth pairing.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

External References

CVE-2020-27639

CVE-2020-27640

 

Related CVEs / CWEs / Advisories

CVE-2020-27639 CVE-2020-27640

 

Revision History

Stay One Step Ahead

Ready to talk to sales? Contact us.
Find a Partner +44 1291 430 000 Email Us