Mitel Product Security Advisory 16-0011
Multiple Vulnerabilities in ImageMagick
Advisory ID: 16-0011
Publish Date: 2016-05-09
Revision: 1.2 (updated 2016-06-03)
Summary
Multiple vulnerabilities have been discovered in ImageMagick, an image framework used in some Mitel products. These vulnerabilities are collectively known as ImageTragick.
The following CVE IDs are associated with this vulnerability:
CVE-2016-3714
CVE-2016-3715
CVE-2016-3716
CVE-2016-3717
CVE-2016-3718
Detailed Description
According to the Vulnerability Summaries for the aforementioned CVEs, the identified vulnerabilities potentially allow for the execution of arbitrary code or shell commands, server-side forgery (SSRF) attacks, or unauthorized access and manipulation of image files.
As per the ImageTragick page,
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.
A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick.
ImageMagick is included in Mitel Standard Linux (MSL) and may be included in other Mitel products. Only those products using the ImageMagic package are potentially vulnerable.
These vulnerabilities have varied levels of risk. CVE-2016-3714 has a CVSS v2 score of 10.0 (high).
Affected Products
The following products have been identified as being affected and vulnerable (updated 2016-06-03):
| Product Name | Product Versions | Security Bulletin | Last Updated |
| MiCollab NPM | MiCollab 6.0.205.0 MiCollab 7.1.0.55 | 16-0011-003 | 2016-06-02 |
| MiVoice5000 | 5.4, 6.1, 6.2 | 16-0011-001 | 2016-06-02 |
| MiVoice5000 Compact | 5.4, 6.1, 6.2 | 16-0011-001 | 2016-06-02 |
| MiVoice5000 Manager | 2.4, 3.1, 3.2 | 16-0011-001 | 2016-06-02 |
| NuPoint | NPM 7 SP2 (17.2.0.3) NPM 8 SP1 (18.1.0.23) | 16-0011-002 | 2016-06-02 |
Products not Affected
The following products are not vulnerable as they do not include ImageMagick (updated 2016-05-12):
| Product Name | Versions |
| 3250 | All |
| 5300 series digital | All |
| 5550 IP Console | All |
| 6700i, 6800i (Praxis) Series SIP Phones | All |
| 9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones | All |
| Aastra 1560ip | All |
| Aastra 2380ip | All |
| Aastra 5300ip | All |
| BluStar 8000i | All |
| BluStar Client (PC) | All |
| BluStar Server | All |
| Centergy Virtual Contact Center | All |
| Clearspan (Acme Packet Core SBC) | All |
| Clearspan (AudioCodes eSBC / Gateway) | All |
| Clearspan (Broadworks Platform) | All |
| Clearspan (Edgewater eSBC) | All |
| CMG | All |
| CPU2 / CPU2-S on Mitel 470 Controller | All |
| CT Gateway | All |
| D.N.A. Application Suite | All |
| DECToverIP (Mitel 100 | OpenCom 100) | All |
| DECToverIP (OC1000) | All |
| ER Adviser | All |
| InAttend | All |
| MiCollab Client (Desktop/Web) | All |
| MiContact Center Business | All |
| MiContact Center Enterprise 9.1 | All |
| MiContact Center for Microsoft Lync | All |
| MiContact Center Solidus 9.0 SP1 | All |
| Mitel 700 (5.x SPX) | All |
| Mitel 800 | All |
| Mitel Alarm Server | All |
| Mitel100/OpenComX320 | All |
| Mitel5000 Gateway | All |
| MiVoice Business - MCD (PPC) | All |
| MiVoice Business Console | All |
| MiVoice Call Accounting | All |
| MiVoice IP Phones 53xx, 5540 | All |
| MiVoice IP Phones 5560, 5505 | All |
| MiVoice Office 250 (Mitel 5000) | All |
| MiVoice Office 400 | All |
| MiVoice MX-ONE Provisioning Manager (6.x SPX) | All |
| MiVoice MX-ONE SaaS Express or Express (6.x SPX) | All |
| MX-ONE Manager Provisioning 5.0 SPX | All |
| MX-ONE Manager Telephony Server 5.0 SPX | All |
| MX-ONE Telephony Server 5.0 SPX | All |
| Open Interfaces Platform (OIP, OIP WebAdmin) | All |
| OpenCom 1000 family | All |
| OpenPhone 7x IP | All |
| PointSpan | All |
| Redirection and Configuration Service (RCS) | All |
| S850i (Revolabs OEM) | All |
| Secure IP Remote Management SRM | All |
| SIP-DECT | All |
| SIP-DECT Open Mobility Manager | All |
| SIP-DECT with Cloud-ID | All |
| Solidus eCare 8.3 SP4 | All |
| Telephony Switch (TSW) | All |
| Telepo | All |
The following products are not vulnerable as they do not use ImageMagick (updated 2016-05-13):
| Product Name | Versions |
| MiCollab (MAS) / (SAS) / vMAs | All |
| MiCollab (MCA) | All |
| MiCollab Client Server | All |
| Mitel 700 | All |
| Mitel Standard Linux (MSL) | All |
| MiVoice Border Gateway(MBG) | All |
| MiVoice Business - MCD for ISS | All |
| MiVoice Business - MXe Server | All |
| MiVoice Business Express | All |
| MiVoice Office 400 Virtual Appliance | All |
| MiMXL | All |
| Multi-Instance Communications Director (MiCD) | All |
| MiVoice MX-ONE Provisioning Manager | 6.x SPX |
| MiVoice MX-ONE SaaS Express or Express | 6.x SPX |
| MX-ONE Service Node | 6.x SPX |
| MX-ONE Service Node Manager | 6.x SPX |
| MX-ONE Media Server | 6.x SPX |
| OIG | All |
| Oria | All |
| Virtual MiVoice Communications Director (vMCD) | All |
Products Under Investigation
Mitel continues to investigate these vulnerabilities to determine affected products and risk. This security advisory will be updated during the course of the investigation as details become available.
External References
Related CVEs / Advisories
CVE-2016-3714
CVE-2016-3715
CVE-2016-3716
CVE-2016-3717
CVE-2016-3718