Security Bulletin for MiVoice Business

SECURITY BULLETIN ID: 16-0004-003
RELEASE VERSION: 1.0
DATE: 2016-03-07

SECURITY BULLETIN 16-0004-003 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0004. Visit http://www.mitel.com/security-advisories for more details.

MiVoice Business is affected by an “ntpd” vulnerability in the software provided by Mitel Standard Linux (MSL) and distributed by RedHat Linux 6.3 (CVE-2015-8138). It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME                                         VERSION(S) AFFECTED                     SOLUTION(S) AVAILABLE
MiVoice Business for: Industry Standard Server,      6.0 and later                           MSL Update
  VMware Virtual Appliance
MiVoice Business for Stratus                         All versions using RedHat Linux 6.3 *   Vendor update (See Solution Information)
MiVoice Business for Multi-instance platform -       1.2 and later                           MSL Update
  Server Manager

* MiVB on Stratus supports RedHat Linux versions 5.4 and 6.3. Version 5.4 is not affected by this vulnerability.

RISK / EXPOSURE

The vulnerability is rated as having moderate risk.

CVSS V2.0 OVERALL SCORE: 6.4
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS BASE SCORE: 6.4
CVSS TEMPORAL SCORE: n/a
CVSS ENVIRONMENTAL SCORE: n/a
OVERALL RISK LEVEL: Moderate

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third-party trademarks is for reference only and Mitel makes no representation of the ownership of these marks.
MITIGATION / WORKAROUNDS

Please refer to Mitel Standard Linux’s advisory or the RedHat web site.

SOLUTION INFORMATION

New releases of MSL (10.1.48.0 and 10.3.38.0) are available providing fixes for the reported vulnerability. Customers should upgrade to MSL 10.1.48.0 and 10.3.38.0 as applicable. Please contact Product Support for more information.

For systems allowing the ability to update RedHat packages directly, please refer to the solution provided by RedHat (https://access.redhat.com/security/cve/cve-2015-8138) for RedHat 6.3. Please contact Product Support for more information.
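The bulletin describes the defect as ntpd, acting as a client, not correctly checking the originate timestamp in received packets. The following Python is an added illustration, not code from Mitel, MSL, RedHat or ntpd, of the client-side check that closes that gap: a reply is accepted only when its origin timestamp equals the transmit timestamp (T1) of the request the client actually sent, and an all-zero origin timestamp is never treated as a match. Packet layouts follow the 48-byte NTPv4 header; every packet and timestamp in it is a constructed sample value and every function name is this example's own.

```python
"""Origin timestamp check for NTP client replies.

Added illustration; this is not Mitel, MSL, RedHat or ntpd code. It shows
the validation a correct NTP client performs before a reply is allowed to
influence the clock, and why a reply that fails it (including one with a
zero origin) must be discarded rather than used for offset/delay.
"""
import struct

# NTPv4 header (48 bytes): LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then four 64-bit timestamps
# (reference, origin, receive, transmit).
NTP_FMT = "!BBBbIIIQQQQ"
NTP_LEN = struct.calcsize(NTP_FMT)          # 48
MODE_CLIENT, MODE_SERVER = 3, 4
ORIGIN_IDX, RECV_IDX, XMT_IDX = 8, 9, 10     # positions in the unpacked tuple


def ntp_ts(seconds: float) -> int:
    """Encode seconds since the NTP epoch as a 64-bit 32.32 fixed-point timestamp."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * (1 << 32)))
    return (whole << 32) | frac


def build_client_request(t1: int, version: int = 4) -> bytes:
    """Mode-3 client packet; the only timestamp a client fills in is its transmit time T1."""
    li_vn_mode = (version << 3) | MODE_CLIENT
    return struct.pack(NTP_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, t1)


def build_server_reply(origin: int, t2: int, t3: int, version: int = 4) -> bytes:
    """Constructed mode-4 reply used only as a local test fixture (no real server)."""
    li_vn_mode = (version << 3) | MODE_SERVER
    return struct.pack(NTP_FMT, li_vn_mode, 2, 6, -20, 0, 0, 0, 0, origin, t2, t3)


def validate_server_reply(reply: bytes, expected_origin: int) -> tuple:
    """Return (accepted, reason). Only an accepted reply may feed the clock discipline."""
    if len(reply) != NTP_LEN:
        return False, "bad length"
    fields = struct.unpack(NTP_FMT, reply)
    mode = fields[0] & 0x07
    origin = fields[ORIGIN_IDX]
    if mode != MODE_SERVER:
        return False, "unexpected mode %d" % mode
    if origin == 0:
        # A zero origin can never correspond to a request we sent, so an
        # unsolicited packet must not be accepted on that basis.
        return False, "zero origin timestamp"
    if origin != expected_origin:
        # Not the echo of our outstanding request (stale, replayed or forged).
        return False, "origin timestamp does not match our request"
    return True, "ok"


def clock_offset_seconds(reply: bytes, t1: int, t4: int) -> float:
    """Standard NTP offset ((T2 - T1) + (T3 - T4)) / 2, in seconds, for an accepted reply."""
    fields = struct.unpack(NTP_FMT, reply)
    t2, t3 = fields[RECV_IDX], fields[XMT_IDX]
    return ((t2 - t1) + (t3 - t4)) / 2 / (1 << 32)


if __name__ == "__main__":
    t1 = ntp_ts(3_700_000_000.25)            # constructed client transmit time
    request = build_client_request(t1)
    t4 = t1 + ntp_ts(0.5)                    # reply observed half a second later
    t2 = t3 = t1 + ntp_ts(1.25)              # constructed server timestamps
    samples = {
        "genuine reply": build_server_reply(t1, t2, t3),
        "zero-origin packet": build_server_reply(0, t2, t3),
        "mismatched origin": build_server_reply(t1 + 1, t2, t3),
        "our own request echoed": request,
    }
    for label, packet in samples.items():
        ok, reason = validate_server_reply(packet, t1)
        line = "%-24s accepted=%-5s (%s)" % (label, ok, reason)
        if ok:
            line += "  offset=%+.3fs" % clock_offset_seconds(packet, t1, t4)
        print(line)
```

Run stand-alone, only the genuine reply is accepted and yields an offset; the zero-origin and mismatched packets are rejected before any offset or delay is derived from them, which is the behaviour that prevents the unsynchronization and time-shifting outcomes the Overview describes.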