Security Bulletin for MiVoice5000

SECURITY BULLETIN ID: 16-0004-007
RELEASE VERSION: 1.0
DATE: 2016-03-07

SECURITY BULLETIN 16-0004-007 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0004. Visit http://www.mitel.com/security-advisories for more details.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME          VERSION(S) AFFECTED   SOLUTION(S) AVAILABLE
MiVoice5000           5.4, 6.1, 6.2         Security patch package QW467AAXXX6.x.23
Mitel5000 Compact     5.4, 6.1, 6.2         Security patch package QW467AAXXX6.x.23
MiVoice5000 Manager   2.4, 3.1, 3.2         Security patch package QW467AAXXX6.x.23

RISK / EXPOSURE

Due to a flaw in an open-source third party library, a remote attacker could disable network timestamp synchronization on the MiVoice5000, MiVoice5000 Manager and Mitel5000 Compact systems or push arbitrary time measurements to modify the timestamp on these products.

CVSS V2.0 OVERALL SCORE: 6.4
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE: 6.4
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: Moderate

MITIGATION / WORKAROUNDS

Customers using Network Time Protocol (NTP) on MiVoice5000, MiVoice5000 Manager or Mitel5000 Compact products should ensure that they have configured multiple sources of NTP Servers by specifying a verified NTP server pool as the time source. Additionally the timestamp on these products may be monitored for any discrepancy.

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks.

SOLUTION INFORMATION

The fix will be included in the new release of security patch package QW467AAXXX6.x.23 available by the end of March.
In the meantime, the RedHat patch ntp-4.2.6p5-5.el6_7.4.x86_64.rpm can be loaded on our MiVoice5000, MiVoice5000 Manager and Mitel5000 Compact systems. Contact product support for additional information.
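
The two points under MITIGATION / WORKAROUNDS (multiple NTP sources, monitoring the timestamp for discrepancy) can both be checked from the peer table that "ntpq -pn" prints. The Python below is an added example, not part of the Mitel bulletin or of any Mitel tooling; it assumes that output can be collected from the system, and the sample table and both thresholds are constructed for illustration.

```python
# Added example: audit `ntpq -pn` peer output for the two mitigation points.
# SAMPLE is constructed; MIN_SOURCES and MAX_OFFSET_MS are assumed thresholds.
MIN_SOURCES = 3
MAX_OFFSET_MS = 100.0

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    1.234    0.512   0.101
+192.0.2.11      192.0.2.1        2 u   40   64  377    2.100   -0.800   0.200
x192.0.2.12      192.0.2.1        2 u   12   64  377    1.900  950.000   0.300
 192.0.2.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

def parse_peers(text):
    """Return one dict per peer row of ntpq -p output."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.lstrip().startswith("remote"):
            continue  # blank line, separator or column header
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer row
        peers.append({"tally": tally, "remote": fields[0],
                      "reach": int(fields[6], 8),  # octal register, 0 = no replies
                      "offset_ms": float(fields[8])})
    return peers

def audit(text, min_sources=MIN_SOURCES, max_offset_ms=MAX_OFFSET_MS):
    """Return a list of findings; an empty list means both checks pass."""
    peers = parse_peers(text)
    reachable = [p for p in peers if p["reach"] != 0]
    findings = []
    if len(reachable) < min_sources:
        findings.append(f"only {len(reachable)} reachable source(s), want >= {min_sources}")
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no source selected as system peer")
    for p in reachable:
        if p["tally"] == "x":  # ntpd's selection algorithm marked it a falseticker
            findings.append(f"{p['remote']} rejected as falseticker")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']} offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

With several independent sources configured, a single source pushing a wrong time shows up as a falseticker or a large offset, as in the constructed third row, instead of silently setting the clock.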