Advisory ID: 17-0011
Publish Date: 2017-10-30
A vulnerability has been identified in the MiCollab Microsoft Outlook Plugin, which is used to share AWV conference invites with Microsoft Outlook meetings. This vulnerability could compromise the security of the user’s account configured for the MiCollab Microsoft Outlook Plugin. Additional risk may arise where the MiCollab deployment uses directory authentication. In all cases, the vulnerability relates exclusively to MiCollab release 7.3.x and 8.0.x systems that use the optional MiCollab Microsoft Outlook Plugin to share conference invites. We believe the risk is limited to actions by colleagues working on the same email system as the MiCollab user.
Mitel is recommending customers with affected product versions update to a later release and take additional precautions.
Products Under Investigation
All products are being evaluated for the impact of these vulnerabilities and the impact of released mitigations. This advisory will be updated with additional information as it becomes available.
Although Mitel application software is not directly affected, the underlying CPU vulnerability has the potential to increase the impact of other successful exploits that allow code execution. As such, as operating system providers release security updates, the relevant Mitel products will also be updated.
Security Bulletins are being issued for the following products:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|MiCollab||8.0 thru 8.0 FP1, 7.3 thru 7.3 PR3|
|MiCollab AWV||8.0 thru 8.0 FP1, 6.3 thru 6.3 PR1|
|MiVoice Business Express||8.0 thru 8.0 FP1, 7.3 thru 7.3 PR2|
The risk of this vulnerability is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions and follow the additional procedures described in the upgrade technical bulletin.
For MiCollab users who are concerned, the risk is immediately mitigated by not using the MiCollab Microsoft Outlook Plugin and changing the password used for the MiCollab Microsoft Outlook Plugin setup. This password should also be changed in any other systems where the user has re-used the same password. As an alternative to the MiCollab Microsoft Outlook Plugin, your organization’s MiCollab End User Portal may be used for scheduling or updating conferences, and meeting web links may be used to join conferences.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
Related CVEs / CWEs / Advisories