Mitel Product Security Advisory 17-0001

Misuse / Potential Compromise of Certain Mitel Product Certificates

Advisory ID: 17-0001
Publish Date: 2017-02-09
Revision: 1.1 (updated 2017-04-03)

Summary

Certain Mitel server products ship with Mitel-issued intermediate certificates which are used to dynamically generate server certificates for the server interfaces. Extraction of the private key would allow the creation of illegitimate certificates for arbitrary domains, which could be used in a potential man-in-the middle or spoofing attack.

Mitel is not aware of any confirmed cases where Mitel products have been compromised. Furthermore, there is no compromise of the root certificates.
As a precautionary measure, in alignment with best practice, Mitel is discontinuing the use of these intermediate certificates and updating products where Mitel certificates are used to provide security for web browser interfaces.

Credit is given to BAE Systems for the discovery and working with Mitel to find acceptable solutions for the issues identified.

Detailed Description

MiVB and MiVoice 5000 ship with intermediate certificates for which, when used in conjunction with the corresponding Root Certificate, a chain of trust is created for the Mitel equipment deployed within the organization.
In the hands of an attacker, these intermediate certificates could be used to generate false certificates for other hosts, domains or email accounts. These certificates could then be installed on systems under the control of an attacker to masquerade as a different server, or position themselves as a man-in-the-middle for communications. Under these circumstances, an attacker would have access to all data passed between the client and server.

Affected Products

The following products have been identified as directly impacted:

Product Name Affected Versions  Remediated Versions Release Date 
MiVB 7.2 and earlier MiVB 8.0  November 2, 2016
MiVB 7.2 and earlier MiVB 7.2 SP1  December 2, 2016
MiVB-X  7.2.1 and earlier MiVB-X 7.2.2 January 6, 2017 
MiVoice 5000  6.2 and earlier MiVoice 5000 v6.3  January 31, 2017 

Product bulletins are not being issued for these products. Depending on interoperability requirements, other products might also require updates. Consult the online product compatibility matrix on https://connect.mitel.com for compatible product releases.

Risk Assessment

A risk of compromise of confidentiality and integrity is present for system environments where the corresponding Mitel Root Certificate is trusted, under the following circumstances:

  • The attacker must possess the Mitel private key or have control over a Mitel system;
  • The attacker must generate and install a fraudulent certificate on a compromised or untrusted intermediate system to which a victim is able to connect;
  • The victim must be tricked (e.g. a crafted URL) or forced (e.g. redirected, hijacked connection) to connect to the compromised host; and
  • The victim’s client system must already have the Mitel Root CA certificate stored in its trusted certificate store, or run other software to forcibly install the certificate.

Mitigation / Recommended Action
Customers should take the following steps:

  • Update their affected Mitel products to newer releases to allow for the use of 3rd party certificates.
  • Edit the trust or uninstall the Mitel Root CA on workstations and servers, where possible, to mitigate the risk of connecting to a system compromised with a fraudulent certificate.

As instructions vary from product to product, refer to browser and operating system documentation to learn more about certificate management for the client application or operating system in question.

Contact Product Support for additional information.

External References

n/a

Related CVEs / CWEs / Advisories
https://cwe.mitre.org/data/definitions/321.html 

Stay One Step Ahead Get notifications of the latest security advisories sent right to your inbox every week!