Security Bulletin for MiVoice MX-ONE Products

SECURITY BULLETIN ID: 15-0009-002
RELEASE VERSION: 1.0
DATE: 2015-09-04

SECURITY BULLETIN 15-0009-002 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0009. Visit http://www.mitel.com/security-advisories for more details.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME                         VERSION(S) AFFECTED    SOLUTION(S) AVAILABLE
Mitel 700                            5.0, 6.0               Yes
MiVoice MX-ONE                       5.0, 6.0               Yes
MX-ONE Manager (Provisioning)        5.0, 6.0               Yes
MX-ONE Manager (Telephony System)    5.0, 6.0               Yes

RISK / EXPOSURE

The vulnerability, CVE-2015-5600, is rated as follows.

CVSS V2.0 OVERALL SCORE: 8.5
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:P/I:N/A:C
CVSS BASE SCORE: 8.5
CVSS TEMPORAL SCORE: N/A
CVSS ENVIRONMENTAL SCORE: N/A
OVERALL RISK LEVEL: High

However, as the Mitel 700 and MX-ONE systems should be deployed in controlled environments, the environment is considered to mitigate the risk of attack to an acceptable level. Such controls include restricting access to administrative interfaces to trusted networks and implementing strong password schemes. Such measures will reduce the exposure to brute force attacks.

MITIGATION / WORKAROUNDS

The following steps are provided for customers who want to implement immediate measures to address the vulnerability:

1) As user root, make sure the following is configured in /etc/ssh/sshd_config:

   PasswordAuthentication yes
   ChallengeResponseAuthentication no

2) As user root, restart sshd:

   > rcsshd restart

© Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third party trademarks are for reference only and Mitel makes no representation of the ownership of these marks.
PATCH INFORMATION

Future versions of the affected products will be released to permanently address the vulnerability. Additional information related to fixes from the Operating System maintainer can be found at https://www.suse.com/security/cve/CVE-2015-5600.html.
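The check below is an added example, not part of Mitel's bulletin: it audits an sshd_config for the two directives named in step 1 of MITIGATION / WORKAROUNDS. The function names and the sample config are constructed for illustration, and it assumes OpenSSH's rule that the first value found for a keyword is the one used.

```shell
#!/bin/sh
# Added example, not Mitel tooling; function names are illustrative.

# Print the value sshd takes for a keyword from the global section of a
# config file: keywords are case-insensitive, the first occurrence wins,
# and lines after the first "Match" are conditional, so parsing stops there.
sshd_global_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            sub(/[ \t]*[ \t=][ \t]*/, " ", line)     # "Key=val" or "Key val"
            n = index(line, " ")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1); gsub(/"/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$2"
}

# Return 0 only when both directives are set explicitly as the bulletin
# asks; an absent directive fails rather than relying on a build default.
check_bulletin_workaround() {
    rc=0
    for pair in PasswordAuthentication:yes ChallengeResponseAuthentication:no; do
        key=${pair%%:*}; expected=${pair##*:}
        actual=$(sshd_global_value "$key" "$1")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key is '${actual:-unset}', bulletin requires '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
challengeresponseauthentication yes
ChallengeResponseAuthentication no
EOF
check_bulletin_workaround "$sample" || echo "workaround not in effect"
rm -f "$sample"
```

On a live system, run `check_bulletin_workaround /etc/ssh/sshd_config` as root before the restart in step 2.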