Mitel Product Security Advisory 19-0009

Mitel SIP-DECT – Encryption key vulnerability

Advisory ID: 19-0009

First Issue Date: 2019-12-27

Last Updated: 2019-12-27

Revision: 1.0

 

Summary

An encryption key vulnerability in Mitel SIP-DECT phone could allow an attacker to launch a man-in-the-middle attack. A successful exploit may allow the attacker to intercept sensitive information. Successful exploit requires a primary compromise of the internal wired corporate network and a man-in-the-middle position. (CVE-2019-19891).

Credit is given to Bianco Veigel, Chaos Computer Club/Event Phone for highlighting this issue and bringing this to our attention.

Mitel is recommending customers with affected product versions update to the latest release.

 

Affected Products

Security Bulletins are being issued for the following products:

Product Name Product Versions Security Bulletin Last Updated
Mitel SIP-DECT Firmware 8.1 and 8.0 19-0009-001 2019-12-27
 

Risk Assessment

The risk for this vulnerability is rated as High to Moderate. Refer to Mitigation actions and Security Bulletin for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel advises customers that the risk may be further reduced by following best practices to secure their internal wired networks, including, use of appropriate firewalls and network segmentation, controls to detect rogue devices on the internal network and enabling 802.1x to prevent the connection of rogue devices.

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

External References

N/A

 

Related CVEs / CWEs / Advisories

CVE-2019-19891

 

Revision History

Version Date Description
1.0  2019-12-27 Initial version 
Möchten Sie mit unserem Sales Team sprechen?