16-0004-005

Security Bulletin for MiCollab and NPM
SECURITY BULLETIN ID: 16-0004-005
RELEASE VERSION: 1.0
DATE: 2016-03-07
SECURITY BULLETIN 16-0004-005 V1.0
OVERVIEW
This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0013.
Visit http://www.mitel.com/security-advisories for more details.
APPLICABLE PRODUCTS
This security bulletin provides information on the following products:
PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE
MiCollab Client Server | 5.x, 6.x | MSL update to 10.1.48.0, Product upgrade to MiCollab Client Server 7.0.0.74 (MiCollab 7.0)
NPM | NPM 7 SP1 & SP2 (17.1.0.11, 17.2.0.3) | MSL update to 10.1.48.0, Product upgrade to version NPM 18.0.0.46
MiCollab AWV | 5.0.4.19, 5.0.5.7 | MSL update to 10.1.48.0, product upgrade to version 6.0.0.61
RISK / EXPOSURE
It was discovered that ntpd, when acting as a client, did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.
CVE-2015-8138 is potentially applicable to the MiCollab Client Server, NuPoint Messaging (NPM) and MiCollab AWV products running on MSL version 10.1.39.0 or below, because all three products use the underlying MSL for all time-related functions.
CVSS V2.0 OVERALL SCORE: 6.4
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE: 6.4
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: Moderate
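The originate-timestamp check referred to under RISK / EXPOSURE, shown as an added Python illustration of what a correct client-side check looks like; it is not Mitel's or ntpd's code. The class name, verdict strings and SAMPLE_XMT are assumptions made for the example, and the reply packets are constructed, not captured.

```python
import struct

NTP_LEN = 48          # fixed NTP header, no extension fields
MODE_SERVER = 4
SAMPLE_XMT = (3_666_000_000 << 32) | 0x1234   # constructed 64-bit NTP timestamp

def build_reply(origin, receive, transmit, mode=MODE_SERVER):
    """Constructed 48-byte NTPv4 reply for the demo (not captured traffic)."""
    first = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4, mode
    head = struct.pack("!BBbbII4s", first, 2, 6, -20, 0, 0, b"DEMO")
    # reference, originate, receive and transmit timestamps follow the header
    return head + struct.pack("!QQQQ", 0, origin, receive, transmit)

class ClientAssociation:
    """Tracks the single outstanding request a client has with one server."""

    def __init__(self):
        self.pending_xmt = None                 # transmit timestamp of our last request

    def sent_request(self, xmt):
        self.pending_xmt = xmt

    def check_reply(self, packet):
        if len(packet) < NTP_LEN:
            return "reject: short packet"
        first, = struct.unpack_from("!B", packet, 0)
        origin, _receive, _transmit = struct.unpack_from("!QQQ", packet, 24)
        if (first & 0x07) != MODE_SERVER:
            return "reject: not a server reply"
        if self.pending_xmt is None:
            return "reject: no request outstanding"
        # Unconditional comparison: no value of the originate field, including
        # all zeros, is exempt from matching the timestamp we actually sent.
        if origin != self.pending_xmt:
            return "reject: origin mismatch"
        self.pending_xmt = None                 # one reply per request; blocks replays
        return "accept"

if __name__ == "__main__":
    assoc = ClientAssociation()
    assoc.sent_request(SAMPLE_XMT)
    for label, origin in [("zero origin", 0),
                          ("off-by-one origin", SAMPLE_XMT ^ 1),
                          ("matching origin", SAMPLE_XMT),
                          ("replayed reply", SAMPLE_XMT)]:
        print(f"{label:18} -> {assoc.check_reply(build_reply(origin, 1, 2))}")
```

A rejected reply leaves the pending request in place, so a forged packet cannot by itself cause the genuine reply to be discarded.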
MITIGATION / WORKAROUNDS
No workarounds are available.
Mitigation is available through MSL updates and upgrades to newer versions of applications.
© Copyright 2016, Mitel Networks Corporation. All Rights Reserved.
The Mitel word and logo are trademarks of Mitel Networks Corporation.
Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of
these marks.
SOLUTION INFORMATION
MSL has been updated to provide an updated NTP library. Customers are advised to update to MSL 10.1.48.0 or higher. Alternatively, customers can update the respective application to an unaffected version. Customers are advised to contact Product Support for more information.