A Vulnerability in Mitel MiCollab and MiVoice Business Express Could Allow for Unauthorized Disclosure of Data

ITS ADVISORY NUMBER: 

2022-027

DATE(S) ISSUED: 

Wednesday, March 2, 2022

SUBJECT: 

A Vulnerability in Mitel MiCollab and MiVoice Business Express Could Allow for Unauthorized Disclosure of Data

OVERVIEW: 

A vulnerability has been discovered in Mitel MiCollab and MiVoice Business Express, which could allow for the unauthorized disclosure of data as well as result in denial of service.

  • Mitel MiCollab is an enterprise collaboration software and tools platform solution that securely provides communications.
  • MiVoice Business Express provides a complete communications solution for small to mid-range businesses.

Successful exploitation of this vulnerability could allow for unauthorized disclosure of data as well as result in denial of service. Depending on the goal of the attacker, they could view sensitive information that should not be accessible, or create denial of service conditions within the impacted system.

THREAT INTELLIGENCE:
The MS-ISAC has been made aware that this vulnerability has been exploited in the wild.

SYSTEMS AFFECTED: 

  • Mitel MiCollab R9.4SP1 and earlier versions
  • MiVoice Business Express R8.1 and earlier versions

RISK:

Government:

Large and medium government entities: High

Small government entities: Medium

Business:

Large and medium business entities: High

Small business entities: Medium

Home Users: Low

DESCRIPTION: 

A vulnerability has been discovered in Mitel MiCollab and MiVoice Business Express, which could allow for the unauthorized disclosure of data as well as result in denial of service.

Mitel states that a security access control vulnerability in these services may allow a remote unauthenticated attacker to gain access to sensitive information and services, and may lead to potential code execution in the context of the conference component as well as denial of service of the affected system. In the case of a denial of service attack, a series of malformed messages is handled improperly, causing the services to create significant outbound traffic.

ACTIONS: 

We recommend the following actions be taken:

  • Install the updates and/or mitigations mentioned by Mitel immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES: 

https://learn.cisecurity.org/e/799323/duct-security-advisory-22-0001/qvh...
https://learn.cisecurity.org/e/799323/etin-22-0001-02-v1---mivbx-pdf/qvh...
https://learn.cisecurity.org/e/799323/n-22-0001-01-v1---micollab-pdf/qvh...