Mitel Product Security Advisory 18-0001
Side-Channel Analysis Vulnerabilities
Advisory ID: 18-0001
Publish Date: 2018-01-08
Last Updated: 2018-07-17
Revision: 3.0
Summary
On January 3rd, 2018, researchers disclosed three vulnerabilities that leverage speculative execution capabilities of many modern processors. These vulnerabilities may allow unauthorized disclosure of information between different user processors and between user and kernel processes.
The vulnerabilities are referred to as Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754), that differ in the specific type of speculative execution exploited.
To successfully exploit these vulnerabilities, the attack vector requires malicious code executing on the same processor. Many Mitel products do not support installing custom software and are not directly vulnerable when running on dedicated systems. When running as a virtual machine in a shared hosting environment, Mitel products may be impacted by malicious code on the host.
Speculative execution is a capability to improve the performance of processors. As such, security updates to mitigate these vulnerabilities are expected to have performance penalties, the extent depending on the specific processor, operating system and application workload. Early results indicate performance benchmark testing, designed to stress specific processor components, may see negative performance impacts of 10 - 30%. These results are generally not representative of typical application workloads where various system bottlenecks constrain performance. The performance penalty is not expected to have a significant impact for most Mitel systems which operate well within their performance limits. Mitel is continuing to investigate performance impacts and will provide further information as available.
Security updates are being released by processor, operating system and virtualization providers. Early guidance indicates that server updates support tuneable configuration to allow a trade-off between security and performance. Customers concerned about performance impacts are encouraged to review the available guidance and to assess the trade off between security exposure and performance impacts as applied to their own deployment environment.
Mitel recommends customers apply all available security updates as they become available. For Mitel products which include the underlying operating system, Mitel will be providing product updates.
Mitel is not aware of any active exploits of these vulnerabilities.
Mitel continues to investigate these vulnerabilities and information may change as the investigation continues. This advisory will be updated as information is available.
Affected Products
The following products have been identified as affected:
| Product Name | Product Versions | Security Bulletin | Last Updated |
| MiCloud Management Portal | 6.0 SP1 (6.0.135.0) and earlier | 18-0001-004 | 2018-07-17 |
| MiCollab | 8.0 SP2 (8.0.2.10) and earlier 7.3 PR5 (7.3.0.501) and earlier | 18-0001-001 | 2018-05-08 |
| MiCollab Client | 8.0 SP2 (8.0.2.10) and earlier 7.3.0.401 and earlier | 18-0001-001 | 2018-05-08 |
| Mitel Mass Notification | MMN 6.4 and earlier | Updates pending | |
| Mitel Open Integration Gateway | 4.0 and earlier | 18-0001-005 | 2018-07-17 |
| MiVoice 5000 Server, Virtual, Mitel5000 Compact | 7.0 and earlier | Updates pending | |
| MiVoice 5000 Manager | 7.0 and earlier | Updates pending | |
| MiVoice Border Gateway | 10.0 SP2 and earlier | 18-0001-006 | 2018-07-17 |
| MiVoice Business (server, virtual) | 8.0 SP3 (8.0.3.17) and earlier | 18-0001-002 | 2018-05-08 |
| MiVoice Business Express | 8.0 SP1 (8.0.1.10) and earlier 7.3 PR4 (7.3.1.302) and earlier | 18-0001-001 | 2018-05-08 |
| MiVoice Business Multi-instance | 2.0 SP1 (2.0.1.8) and earlier | 18-0001-007 | 2018-07-17 |
| MiVoice Connect Virtual, SA100/400 | R1801 and earlier | Updates pending | |
| MiVoice Connect Virtual Mobility Router | R1801 and earlier | Updates pending | |
| MiVoice MX-ONE (server, virtual) | 6.1 thru 6.3 all SPs and HFs | 18-0001-003 | 2018-05-08 |
| MiVoice MX-ONE Provisioning Manager | 6.1 thru 6.3 all SPs and HFs | 18-0001-003 | 2018-05-08 |
| MiVoice MX-ONE ASU-ll, ASU Lite, ASU | 6.1 thru 6.3 all SPs and HFs | 18-0001-003 | 2018-05-08 |
| MiVoice MX-ONE Express | 6.1 thru 6.3 all SPs and HFs | 18-0001-003 | 2018-05-08 |
| MiVoice Office 400 Virtual | 5.0 HF3 and earlier | 18-0001-008 | 2018-07-17 |
| MiVoice Office 470 CPU2-S | 5.0.5.1 and earlier | 18-0001-008 | 2018-07-17 |
| SG Half-width Voice Switch | GA29 (19.49.8600.0) and earlier | Pending supplier updates | |
| ST 14.2 Virtual | GA29 (19.49.8600.0) and earlier | Pending supplier updates |
Products Not Affected - Supplier Updates Recommended
The following Mitel application software products are not directly affected. Mitel recommends customers review the related vendor guidance and apply security updates provided by their operating system, hypervisor and hardware suppliers.
| Product Name | Product Versions |
| CMG Software Suite | All |
| D.N.A. Application Suite | All |
| ER Adviser | All |
| Mitel InAttend | All |
| MiContact Center Business | All |
| MiContact Center Enterprise | All |
| MiContact Center Office | All |
| MiVoice Call Accounting | All |
| MiVoice Call Recording | All |
| MiVoice Connect Headquarters, Windows DVS | All |
| MiVoice Connect Contact Center | All |
| Open Interfaces Platform | All |
| ST 14.2 Headquarters, Windows DVS | All |
| Telepo | All |
For all Mitel desktop and mobile client applications, Mitel recommends customers apply available security updates provided by Windows, Mac, iOS and Android to hosts and devices running Mitel software.
Products Not Affected
The following products have been evaluated as not being affected:
| Product Name | Product Versions |
| MiVoice 6900 Series | All |
| MiVoice 6800 SIP Series | All |
| MiVoice 6700 SIP Series | All |
| MiVoice 5300 IP Series | All |
| Mitel 5000 XS, XL, XD Gateways | All |
| MiVoice Business ICP 3300 MX, LX, AX, CX, Mxe | All |
| MiVoice MX-ONE MGU2 | All |
| MiVoice Office 250 HPM | All |
| MiVoice Office 250 PCBA DUAL T1/E1/PRI | All |
| MiVoice Office 415, 430 Controller | All |
| ST, SG24A Voice Switches | All |
| SIP-DECT Basestation RFP 43 WLAN | All |
Products Under Investigation
All products are being evaluated for the impact of these vulnerabilities and the impact of released mitigations. This advisory will be updated with additional information as it becomes available.
If you do not see your product listed above, please contact Mitel Product Support.
Risk Assessment
The risk of this vulnerability is rated as moderate to low for Mitel products.
Successful exploit requires an attacker to execute malicious code with user privileges, requiring an account with privileges to install code or a separate system compromise. Exploit of these vulnerabilities may expose confidential information but is not expected to directly impact the integrity or availability of the system.
Web browsers provide a vector for local code execution, such as JavaScript embedded in web pages. Such execution is normally contained by the browser but these vulnerabilities can potentially be exploited by this vector. Browser security updates have been or will soon be released for most common browsers.
Proof of concept code is publicly available. Mitel is not aware of active exploits.
Mitigation / Recommended Action
Customers are advised to follow good security practices including using caution when browsing to unknown and potentially malicious web sites. Specifically, customers are advised to avoid browsing to unknown sites on servers hosting Mitel products.
For software not provided by Mitel, Mitel recommends customers apply available security updates as they become available. Customers are advised to ensure operating system updates, including Windows, MacOS, iOS and Android, are applied to hosts and devices running Mitel software. Several vendors are providing guidance on potential performance impacts related to their security updates. Customers concerned about performance impacts are encouraged to review this vendor guidance.
Mitel continues to monitor for component updates and will be providing product updates. This advisory will be updated when Mitel product security updates are released.
External References
https://meltdownattack.com
https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
Related CVEs / CWEs / Advisories
CVE-2017-5715 (Branch target injection)
CVE-2017-5753 (Bounds check bypass)
CVE-2017-5754 (Rogue data cache load)
Revision History
| Version | Date | Description |
| 3.0 | 2018-07-17 | Added product updates for MMP, OIG, MiVBG, MiVB-MI, MiVO400 |
| 2.0 | 2018-05-08 | Added product updates and products not affected |
| 1.0 | 2018-01-08 | Initial version |
Security-Bulletin-18-0001-003.pdf
Security-Bulletin-18-0001-002.pdf
Security-Bulletin-18-0001-001.pdf