Misuse / Potential Compromise of Certain Mitel Product Certificates

Advisory ID: 17-0001
Publish Date: 2017-02-09
Revision: 1.1 (updated 2017-04-03)

Summary

Certain Mitel server products ship with Mitel-issued intermediate certificates which are used to dynamically generate server certificates for the server interfaces. Extraction of the private key would allow the creation of illegitimate certificates for arbitrary domains, which could be used in a potential man-in-the middle or spoofing attack.

Mitel is not aware of any confirmed cases where Mitel products have been compromised. Furthermore, there is no compromise of the root certificates.
As a precautionary measure, in alignment with best practice, Mitel is discontinuing the use of these intermediate certificates and updating products where Mitel certificates are used to provide security for web browser interfaces.

Credit is given to BAE Systems for the discovery and working with Mitel to find acceptable solutions for the issues identified.

Detailed Description

MiVB and MiVoice 5000 ship with intermediate certificates for which, when used in conjunction with the corresponding Root Certificate, a chain of trust is created for the Mitel equipment deployed within the organization.
In the hands of an attacker, these intermediate certificates could be used to generate false certificates for other hosts, domains or email accounts. These certificates could then be installed on systems under the control of an attacker to masquerade as a different server, or position themselves as a man-in-the-middle for communications. Under these circumstances, an attacker would have access to all data passed between the client and server.

Affected Products

The following products have been identified as directly impacted:

Product Name  Affected Versions   Remediated Versions  Release Date 
MiVB  7.2 and earlier  MiVB 8.0   November 2, 2016
MiVB  7.2 and earlier  MiVB 7.2 SP1   December 2, 2016
MiVB-X   7.2.1 and earlier  MiVB-X 7.2.2  January 6, 2017 
MiVoice 5000   6.2 and earlier  MiVoice 5000 v6.3   January 31, 2017 

Product bulletins are not being issued for these products. Depending on interoperability requirements, other products might also require updates. Consult the online product compatibility matrix on https://connect.mitel.com for compatible product releases.

Risk Assessment

A risk of compromise of confidentiality and integrity is present for system environments where the corresponding Mitel Root Certificate is trusted, under the following circumstances:

Mitigation / Recommended Action
Customers should take the following steps:

As instructions vary from product to product, refer to browser and operating system documentation to learn more about certificate management for the client application or operating system in question.

Contact Product Support for additional information.

External References

n/a

Related CVEs / CWEs / Advisories
https://cwe.mitre.org/data/definitions/321.html 

Neem contact op met Mitel
+31 (0)88 235 6483 Contact