Mitel Product Security Advisory MISA-2024-0027

MiCollab Authentication Bypass Vulnerability

Advisory ID: MISA-2024-0027

Publish Date: 2024-10-09

Last Updated: 2024-10-09

Revision: 1.0

Summary

An authentication bypass vulnerability in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab could allow an unauthenticated attacker to conduct an unauthorized data access attack due to missing authentication mechanisms.

A successful exploit could enable an attacker to access and delete sensitive information, with potential impacts to the confidentiality and integrity of the system.

This vulnerability is exploitable without authentication. If successfully exploited, the impact is constrained to the ability to listen to or delete web conference recording files.

The vulnerability severity is rated as high.

Mitel is recommending customers with affected product versions update to the latest release.

Affected Products

This security advisory provides information on the following products:

Product Name

Version(s) Affected

Solution(s) Available

MiCollab

9.8 SP1 FP2 (9.8.1.201) and earlier

Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later.
Alternative Solution: Mitel has provided a patch that is available for releases 9.7 and above. See KMS article for instructions.

Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.

Vulnerability Severity

The following products have been identified as affected:

Product Name

CVE ID

Severity

CVSS 3.1 Base Score

MiCollab

CVE-2024-47912

High / 8.2

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

The vulnerability severity is rated as high.

Mitigations / Workarounds

Customers with affected product versions should upgrade to the highlighted solution versions or later.
The risk may be mitigated by following the instructions found in the KMS article.

Solution/ Recommended Action

This issue is corrected in MiCollab 9.8 SP2 (9.8.2.12). Customers are advised to upgrade to this or subsequent releases.

Please see Mitel Knowledge Base article SO8218, “MiCollab Security Update CVE-2024-47912 - Authentication Bypass Vulnerability” https://mitel.custhelp.com/app/answers/answer_view/a_id/1020999

If you do not have access to this link, please contact your Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.

Related CVEs / CWEs / Advisories

CVE-2024-47912

Revision History

Version	Date	Description
1.0	2024-10-09	Initial release

The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.

First Name

Last Name

Email Address

Relationship to Mitel

By providing the above information, you agree that we may process your personal data in accordance with our Privacy Policy.

Do you agree to the terms and conditions of using our services?