Support
+32 2727 1811
Search
Mitel.com
Document Center
Search Mitel
Search Documentation
+32 2727 1811
Uw zakelijke behoefte
Uw branche
Organisatiegrootte
Onze diensten
Onze producten
Support voor klanten
Trainingen voor klanten
Partner support
Contact
Vragen of opmerkingen?
+32 2727 1811
Blog
Over Mitel
Vacatures
Case studies
Resource center
Advisory ID: 17-0002
Publish Date: 2017-02-15
Revision: 1.0
Summary
The MiVoice Conference/Video Phone is vulnerable to remote code execution and privilege escalation via the installed web browser application. A malicious media file opened in the installed web browser application could compromise the device.
Credit and thanks are extended to Context IS for working with Mitel to find acceptable solutions for the issue identified.
Detailed Description
Stagefright is the name given to a collection of vulnerabilities affecting Android version 2.2 and later, typically targeting MMS services. While MiVoice Conference/Video Phone does not support MMS, it has been determined that a similar vulnerability could be exploited by downloading a malicious media file through the installed web browser.
While the likelihood of exploiting the operating environment of the MiVoice Conference/Video Phone is considered low, the impact of successful exploit is high.
Mitel has also conducted a review of other vulnerabilities associated with the version of the Android OS in use (v 2.3.4). No other exploitable vulnerabilities have been identified as of this publication.
Mitigation / Recommended Action
To eliminate the identified attack vector, administrators can disable the web browser in the MiVoice Conference/Video Phone.
A fix for firmware version 2.1.3.12 is under investigation. Customers are advised to update to the newer firmware version once available.
For additional information, contact Product Support.
External References
n/a
Related CVEs / CWEs / Advisories
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
CVE-2015-3864