Security Bulletin for NuPoint

SECURITY BULLETIN ID: 16-0011-002
RELEASE VERSION: 1.0
DATE: 2016-06-03

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 16-0011. Visit http://www.mitel.com/security-advisories for more details.

Multiple ImageMagick vulnerabilities have been identified. NuPoint uses ImageMagick for the conversion of images in the fax module, and thus is vulnerable. This security bulletin provides details and recommended solutions to address

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME   VERSION(S) AFFECTED         SOLUTION(S) AVAILABLE
NPM            NPM 7 SP2 (126.96.36.199)   Upgrade to MSL 10.1.50.0 or higher
NPM            NPM 8 SP1 (188.8.131.52)    Upgrade to MSL 10.4.15.0 or higher

RISK / EXPOSURE

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) through the processing of user-submitted images.

The risk associated with these vulnerabilities varies from low to high, with CVSS scores ranging from 4.3 to 10. Below is the CVSS risk assessment for CVE-2016-3714, the highest risk of these vulnerabilities.

CVSS V2.0 OVERALL SCORE: 9
CVSS V2.0 VECTOR: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS BASE SCORE: 9
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: High

MITIGATION / WORKAROUNDS

No workarounds to mitigate these vulnerabilities are available for NuPoint.

SOLUTION INFORMATION

New releases of MSL (10.1.50.0, 10.4.15.0) are available with the fixes for all the vulnerabilities identified in the security advisory. Customers should upgrade to the appropriate MSL version based on the NuPoint version in use.

© Copyright 2016, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third-party trademarks is for reference only and Mitel makes no representation of the ownership of these marks.