Mitel Product Security Advisory 20-0004

MiVoice Connect - Remote Code Execution and Weak Encryption Vulnerabilities

Advisory ID: 20-0004

First Issue Date: 2020-03-31

Last Updated: 2020-03-31

Revision: 1.0

 

Summary

Multiple vulnerabilities have been identified in Mitel MiVoice Connect.

A remote code execution vulnerability in the UCB component of MiVoice Connect could allow an unauthenticated remote attacker to execute arbitrary code due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information. (CVE-2020-10211)

A weak encryption vulnerability in MiVoice Connect Client could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials. (CVE-2020-10377)

Credit is given to Daniel Wetherill of Secureworks for highlighting this issue and bringing this to our attention.

Mitel is recommending customers with affected product versions, update to the latest release.

 

Affected Products

Security Bulletins are being issued for the following products:

Product Name Product Versions Fixed Product Version Last Updated
MiVoice Connect MiVoice Connect 19.1 and earlier 20-0004-01 2020-03-31
MiVoice Connect Client MiVoice Connect Client 214.100.1213.0 and earlier 20-0004-02 2020-03-31
 

Risk Assessment

The risk from this vulnerability is constrained to systems configured for site-based security and is rated as Low. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

External References

N/A

 

Related CVEs / CWEs / Advisories

CVE-202-10211

CVE-202-10311

 

Revision History

Version Date Description
1.0  2020-03-31 Initial version 
Prêt à discuter ? Contactez-nous.