Advisory ID: 20-0004
First Issue Date: 2020-03-31
Last Updated: 2020-03-31
Revision: 1.0
Multiple vulnerabilities have been identified in Mitel MiVoice Connect.
A remote code execution vulnerability in the UCB component of MiVoice Connect could allow an unauthenticated remote attacker to execute arbitrary code due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information. (CVE-2020-10211)
A weak encryption vulnerability in MiVoice Connect Client could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials. (CVE-2020-10377)
Credit is given to Daniel Wetherill of Secureworks for highlighting this issue and bringing this to our attention.
Mitel recommends that customers with affected product versions update to the latest release.
Security Bulletins are being issued for the following products:
Product Name | Product Versions | Fixed Product Version | Last Updated |
MiVoice Connect | MiVoice Connect 19.1 and earlier | 20-0004-01 | 2020-03-31 |
MiVoice Connect Client | MiVoice Connect Client 214.100.1213.0 and earlier | 20-0004-02 | 2020-03-31 |
The risk from this vulnerability is constrained to systems configured for site-based security and is rated as Low. Refer to the product Security Bulletins for additional statements regarding risk.
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
N/A
CVE-2020-10211
CVE-2020-10377
Version | Date | Description |
1.0 | 2020-03-31 | Initial version |