Mitel Product Security Advisory 18-0009

MiVoice 5300 IP Series Phone Denial of Service Vulnerability

Advisory ID: 18-0009

First Issue Date: 2018-09-25

Last Updated: 2018-09-25

Revision: 1.0

Summary

A denial of service vulnerability has been identified in the MiVoice 5300 IP Series phones. If exploited, this can lead to memory corruption and resulting loss of availability for the phone while the attack is sustained. Mitigating factors are that the attacker must be able to send specially crafted SIP/SDP messages to the phone, typically requiring access to the internal corporate voice traffic vLAN.

The vulnerability was reported directly to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Credit is given to Mattia Reggiani of the NCC Group for highlighting this issue and bringing it to our attention.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name  Product Versions  Security Bulletin  Last Updated 
MiVoice 5300 IP Series  6.5.0.16 and earlier  18-0009-001  2018-09-25 

 

Risk Assessment

The risk of this vulnerability is rated as low to moderate.

Successfully exploiting this vulnerability will allow an attacker to perform a denial of service for the phone while the attack is sustained. When the attack ceases, the phone will re-boot and the user can log in and resume service. The confidentiality and integrity of the phone is not impacted.

Mitigation / Recommended Action

For customers operating the MiVoice 5300 IP Series phones in MiNet, Mitel recommends updating to the latest release. Customers using the legacy application Unified Communicator Express must also upgrade to MiCollab to resolve this issue.

For customers choosing to use SIP mode, Mitel recommends enabling TLS. Mitel also recommends that customers operating in SIP mode, consider upgrading to the MiVoice 6800 SIP Series phones.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

https://www.nccgroup.trust/uk/our-research/technical-advisory-mitel-mivoice-5330e-memory-corruption-flaw/

Related CVEs / CWEs / Advisories

CVE-2018-15497

Revision History

Version  Date  Description 
1.0  2018-09-25  Initial version 

 

Attachment(s)

Security Bulletin 18-0009-001

Prêt à discuter ? Contactez-nous.