Mitel Product Security Advisory 18-0009

MiVoice 5300 IP Series Phone Denial of Service Vulnerability

Advisory ID: 18-0009

First Issue Date: 2018-09-25

Last Updated: 2018-09-25

Revision: 1.0

Summary

A denial of service vulnerability has been identified in the MiVoice 5300 IP Series phones. If exploited, this can lead to memory corruption and resulting loss of availability for the phone while the attack is sustained. Mitigating factors are that the attacker must be able to send specially crafted SIP/SDP messages to the phone, typically requiring access to the internal corporate voice traffic vLAN.

The vulnerability was reported directly to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Credit is given to Mattia Reggiani of the NCC Group for highlighting this issue and bringing it to our attention.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name	Product Versions	Security Bulletin	Last Updated
MiVoice 5300 IP Series	6.5.0.16 and earlier	18-0009-001	2018-09-25

Risk Assessment

The risk of this vulnerability is rated as low to moderate.

Successfully exploiting this vulnerability will allow an attacker to perform a denial of service for the phone while the attack is sustained. When the attack ceases, the phone will re-boot and the user can log in and resume service. The confidentiality and integrity of the phone is not impacted.

Mitigation / Recommended Action

For customers operating the MiVoice 5300 IP Series phones in MiNet, Mitel recommends updating to the latest release. Customers using the legacy application Unified Communicator Express must also upgrade to MiCollab to resolve this issue.

For customers choosing to use SIP mode, Mitel recommends enabling TLS. Mitel also recommends that customers operating in SIP mode, consider upgrading to the MiVoice 6800 SIP Series phones.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

https://www.nccgroup.trust/uk/our-research/technical-advisory-mitel-mivoice-5330e-memory-corruption-flaw/

Related CVEs / CWEs / Advisories

CVE-2018-15497

Revision History

Version	Date	Description
1.0	2018-09-25	Initial version

Attachment(s)

Security Bulletin 18-0009-001

Pourquoi choisir Mitel

Produits et Services

Partenaires

Clients

Ressources

Nos secteurs d'expertise

Taille d’Entreprise

Les besoins de votre entreprise

Produits

Services

Partenaire avec Mitel

Aide aux partenaires

Formations pour les partenaires

Mitel Solutions Alliance

Développeurs CloudLink

CLIMB

Ressources pour les clients

Développer les capacités

Carrières

Communiqués de presse

Centre de documentation technique

Avis de sécurité

Blog

Centre de ressources

Santé

Finance

Administrations Publiques

Hôtellerie

Education

Systèmes et solutions téléphoniques d'entreprise

Collaboration

Contact Center

Téléphones et accessoires

Mission critique et solutions verticales

Phases du cycle de vie

À la une

Mitel Product Security Advisory 18-0009

Prêt à parler aux ventes ? Contactez-nous.