Security Bulletin for Comdasys Convergence, Comdasys Mobile Client Controller, AMCC for Intelligate and Mitel Mobile Client Controller

SECURITY BULLETIN ID: 15-0009-001
RELEASE VERSION: 1.0
DATE: 2015-09-04

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0009. Visit http://www.mitel.com/security-advisories for more details.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

| PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE |
|---|---|---|
| FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller) | 10684.21.7 and earlier | 10684.21.8 |
| FMC Controller for Intelligate | 10684.16.12 and earlier | 10684.16.13 |
| Convergence 4675 | 4675.42.11 and earlier | 4675.42.12 |
| Convergence 6719 | 6719.34.11 and earlier | 6719.34.10 |

RISK / EXPOSURE

The vulnerability, CVE-2015-5600, is rated as follows.

CVSS V2.0 OVERALL SCORE: 8.5
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:P/I:N/A:C
CVSS BASE SCORE: 8.5
CVSS TEMPORAL SCORE: N/A
CVSS ENVIRONMENTAL SCORE: N/A
OVERALL RISK LEVEL: High

However, the affected products implement additional measures to limit authentication attempts as follows:

- Mobile Client Controller 10684.21: LoginGracePeriod is set to 30s, allowing 10 possible login attempts before closing the connection.
- Mobile Client Controller for Intelligate, Convergence 4675, Convergence 6719: LoginGracePeriod is set to 120s, allowing 40 possible login attempts before closing the connection.

These thresholds, combined with deployments in controlled environments and the use of a strong password policy, are considered to reduce the exposure to a low level of risk.

© Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks.

MITIGATION / WORKAROUNDS

No mitigation / workarounds are available.

PATCH INFORMATION

Customers can contact their authorized support provider to obtain the latest versions of the affected products. Visit www.mitel.com for additional contact information.