Advisory ID: 16-0002
Publish Date: 2016-02-01
Two vulnerabilities have been discovered in Mitel 6700 and 6800-series SIP phones. Successful exploitation could lead to denial of service or unauthorized access to phone functions or data.
The following security vulnerabilities have been identified:
Remote denial of service vulnerability
A Proof of Concept exists whereby a well-crafted HTTP POST command could be sent to the phone to initiate a soft-reset without checking any credentials.
Code injection vulnerability
The following products have been identified as affected:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|Mitel 6700-series SIP phones||3.3.1 sp4, and earlier||16-0002-001||2016-02-01|
|Mitel 6800-series SIP phones||3.3.1, 4.0.0 SP2 and earlier||16-0002-002||2016-02-01|
Risk is considered low. Refer to the product Security Bulletins for additional statements and details regarding risk.
Mitigation / Recommended Action
Customers are advised to upgrade to the latest firmware release. Refer to the product Security Bulletins for details on firmware releases
Credit is given to John de Kroon for reporting these vulnerabilities and to Voiceworks B.V. for their assistance in resolving these issues.
Related CVEs / Advisories