Mitel Product Security Advisory 19-0006

Mitel MiVoice 6800/6900 SIP series phones key length vulnerability

Advisory ID: 19-0006

First Issue Date: 2019-11-22

Last Updated: 2019-11-22

Revision: 1.0

Summary

A key length vulnerability in the implementation of the SRTP 128-bit key in Mitel MiVoice 6800 and 6900 SIP series phones, could allow an attacker with a man-in-the-middle position to access sensitive information, when SRTP is used in a call. Successful exploit requires a primary compromise of the gateway or internal corporate networking and a man-in-the-middle position.

This vulnerability was privately reported to Mitel. At time of publishing, Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Alexander Traud, an independent Security Researcher for highlighting this issue and bringing this to our attention.

Affected Products

Security Bulletins are being issued for the following products:

Product Name	Product Versions	Security Bulletin	Last Updated
Mitel MiVoice SIP 6863i, 6865i, 6867i, 6869i, 6873i, 6920, 6930, 6940	Firmware 5.1.0.2051 SP2 HF2 and earlier	19-0006-001	2019-11-22

Risk Assessment

The overall risk of this vulnerability is considered moderate to low for secure corporate networks. Refer to the product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

Customers are recommended to deploy appropriate network security controls.

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

N/A

Related CVEs / CWEs / Advisories

CVE-2019-18863

Revision History

Version	Date	Description
1.0	2019-11-22	Initial version