Security Bulletin for MiCollab and NPM

SECURITY BULLETIN ID: 16-0004-005
RELEASE VERSION: 1.0
DATE: 2016-03-07

SECURITY BULLETIN 16-0004-005 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0013. Visit http://www.mitel.com/security-advisories for more details.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME: MiCollab Client Server
VERSION(S) AFFECTED: 5.x, 6.x
SOLUTION(S) AVAILABLE: MSL update to 10.1.48.0, Product upgrade to MiCollab Client Server 7.0.0.74 (Micollab 7.0)

PRODUCT NAME: NPM
VERSION(S) AFFECTED: NPM 7 SP1 & SP2 (17.1.0.11, 17.2.0.3)
SOLUTION(S) AVAILABLE: MSL update to 10.1.48.0, Product upgrade to version NPM 18.0.0.46

PRODUCT NAME: MiCollab AWV
VERSION(S) AFFECTED: 5.0.4.19, 5.0.5.7
SOLUTION(S) AVAILABLE: MSL update to 10.1.48.0, product upgrade to version 6.0.0.61

RISK / EXPOSURE

It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.

CVE-2015-8138 is potentially applicable to the MiCollab Client Server, NuPoint Messaging (NPM) and MiCollab AWV products when they are running on MSL version 10.1.39.0 or below. All three products use the underlying MSL for all time-related functions and may therefore be vulnerable.

CVSS V2.0 OVERALL SCORE: 6.4
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE: 6.4
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: Moderate

MITIGATION / WORKAROUNDS

No workarounds are available. Mitigation is available through MSL updates and upgrades to newer versions of applications.

SOLUTION INFORMATION

MSL has been updated to provide an updated NTP library. Customers are advised to update to MSL 10.1.48.0 or higher. Alternatively, customers can update the respective application to an unaffected version.

Customers are advised to contact Product Support for more information.

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks is for reference only and Mitel makes no representation of the ownership of these marks.
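
The client-side check described under RISK / EXPOSURE, shown as an added example that is not Mitel's or ntpd's code: a reply is accepted only if its originate timestamp equals the transmit timestamp of the client's outstanding request. The class and function names are hypothetical, and the sample packets are constructed with only the fields the check reads filled in.

```python
import struct

NTP_PACKET_LEN = 48   # fixed NTP header, no extension fields
MODE_CLIENT, MODE_SERVER = 3, 4

class ClientAssociation:
    """Hypothetical client-side state: one outstanding request per server."""

    def __init__(self):
        self.pending_xmt = None  # transmit timestamp of the unanswered request

    def build_request(self, xmt: bytes) -> bytes:
        """Build a client-mode packet and remember its 8-byte transmit timestamp."""
        if len(xmt) != 8 or xmt == bytes(8):
            raise ValueError("transmit timestamp must be 8 non-zero bytes")
        self.pending_xmt = xmt
        first = (4 << 3) | MODE_CLIENT            # LI=0, VN=4, Mode=3
        return struct.pack("!B39x8s", first, xmt)  # transmit timestamp at offset 40

    def accept_reply(self, packet: bytes) -> bool:
        """Return True only for a reply that answers the outstanding request."""
        if len(packet) < NTP_PACKET_LEN or packet[0] & 0x07 != MODE_SERVER:
            return False
        origin = packet[24:32]                     # originate timestamp field
        # No special cases: an all-zero or stale origin is a mismatch like any
        # other, and a rejected packet leaves the pending request untouched.
        if self.pending_xmt is None or origin != self.pending_xmt:
            return False
        self.pending_xmt = None                    # single use: replays are rejected
        return True

def make_reply(origin: bytes, mode: int = MODE_SERVER) -> bytes:
    """Constructed sample reply; only the fields the check reads are filled in."""
    return struct.pack("!B23x8s16x", (4 << 3) | mode, origin)

def demo() -> dict:
    assoc = ClientAssociation()
    xmt = bytes.fromhex("dc0a1b2c3d4e5f60")        # constructed sample value
    assoc.build_request(xmt)
    return {
        "zero origin": assoc.accept_reply(make_reply(bytes(8))),
        "wrong origin": assoc.accept_reply(make_reply(bytes.fromhex("0102030405060708"))),
        "matching origin": assoc.accept_reply(make_reply(xmt)),
        "replayed reply": assoc.accept_reply(make_reply(xmt)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```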