Security Bulletin for MiCC

SECURITY BULLETIN ID: 15-0007-001
RELEASE VERSION: 1.0
DATE: 2015-11-04

SECURITY BULLETIN 15-0007-001 V1.0

OVERVIEW

This security bulletin provides product-specific details on the vulnerability described in Mitel Security Advisory 15-0007. Visit http://www.mitel.com/security-advisories for more details.

MiCC versions 7.x and earlier rely on security controls provided by Microsoft IIS. If an administrator opts for a default installation (e.g. using default paths) and does not take further steps to harden the web server, two security vulnerabilities are present in CcmWeb. If successfully exploited, these vulnerabilities would allow an attacker to read files or perform HTTP redirects.

APPLICABLE PRODUCTS

This security bulletin provides information on the following products:

PRODUCT NAME   VERSION(S) AFFECTED   SOLUTION(S) AVAILABLE
MiCC           7.x and earlier       Yes – see Mitigation/Workarounds

RISK / EXPOSURE

CcmWeb Unauthenticated Local File Inclusion
CVSS V2.0 OVERALL SCORE: 5
CVSS V2.0 VECTOR: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS BASE SCORE: 5
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: Low

CcmWeb Open Redirect
CVSS V2.0 OVERALL SCORE: 3.5
CVSS V2.0 VECTOR: AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS BASE SCORE: 3.5
CVSS TEMPORAL SCORE: Not defined
CVSS ENVIRONMENTAL SCORE: Not defined
OVERALL RISK LEVEL: Low

MITIGATION / WORKAROUNDS

A permanent solution that does not rely on Microsoft IIS security controls will be implemented in MiCC version 8.0. The following steps are provided for MiCC versions 7.x and earlier. Server administrators are advised to review the procedures and apply them as required.

NOTE: Both procedures require that the IIS URL Rewrite module is installed. For more information, visit http://www.iis.net/downloads/microsoft/url-rewrite

How to block relative paths

The following procedure sets up an IIS request-blocking rule that rejects relative paths in query strings sent to CcmWeb:

IIS config -> Default Web Site -> CcmWeb -> URL Rewrite
Add rule -> Request blocking
Block based on query string
Pattern = *..*

How to prevent redirect query strings

The following procedure configures IIS to block redirecturl query strings sent to CcmWeb:

IIS config -> Default Web Site -> CcmWeb -> URL Rewrite
Add rule -> Request blocking
Block based on query string
Pattern = *redirecturl*

Customers are advised to update their MiCC installation to version 8.0 when released.

PATCH INFORMATION

No patch is planned in response to these issues.
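The two request-blocking rules above match the query string against the wildcard patterns *..* and *redirecturl*. The following script, an added example that is not part of the bulletin or of any Mitel or Microsoft code, reproduces that matching offline so an administrator can run it over existing IIS W3C logs to see which past requests the rules would have rejected, and to gauge how many legitimate requests would be caught as well. The log lines, the client addresses, the CcmWeb page names and the "file" parameter are all constructed for the example; only the "redirecturl" parameter name comes from the bulletin. The decode option is an addition beyond the bulletin's rules: it percent-decodes the query string before matching, which shows which encoded variants the literal wildcard pattern does not catch.

```python
"""Offline check of which IIS log entries the bulletin's two URL Rewrite
request-blocking rules would match.  Added example; not Mitel's code."""
import re
from typing import Dict, List, Pattern
from urllib.parse import unquote

# The two wildcard patterns from the bulletin, applied to the query string.
BLOCK_PATTERNS: Dict[str, str] = {
    "block-relative-paths": "*..*",
    "block-redirecturl": "*redirecturl*",
}


def wildcard_to_regex(pattern: str) -> Pattern[str]:
    """Translate URL Rewrite wildcard syntax ('*' = any run of characters,
    '?' = one character) into an anchored, case-insensitive regex.  URL
    Rewrite conditions ignore case by default, so we do the same."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.IGNORECASE)


COMPILED: Dict[str, Pattern[str]] = {
    name: wildcard_to_regex(pat) for name, pat in BLOCK_PATTERNS.items()
}

# Constructed sample log in IIS W3C format (a '-' query means none was sent).
# Page names, the 'file' parameter and the client IPs are invented for the
# example; 'RedirectUrl' is the parameter name the bulletin's rule targets.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-11-04 10:00:01 GET /CcmWeb/default.aspx - 192.0.2.10 200
2015-11-04 10:00:05 GET /CcmWeb/download.aspx file=../../web.config 192.0.2.10 200
2015-11-04 10:00:09 GET /CcmWeb/login.aspx RedirectUrl=http://example.net/ 192.0.2.11 302
2015-11-04 10:00:12 GET /CcmWeb/download.aspx file=%2e%2e/%2e%2e/web.config 192.0.2.10 200
2015-11-04 10:00:15 GET /CcmWeb/report.aspx id=42 192.0.2.12 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def matching_rules(query: str, decode: bool = False) -> List[str]:
    """Names of the bulletin's rules whose pattern matches this query string.
    decode=True is an added, stricter check: match the percent-decoded form."""
    q = "" if query == "-" else query
    if decode:
        q = unquote(q)
    return [name for name, pat in COMPILED.items() if pat.match(q)]


def scan(text: str, decode: bool = False) -> List[Dict[str, object]]:
    """Return the log entries the rules would block, with the rule names."""
    hits: List[Dict[str, object]] = []
    for row in parse_w3c(text):
        rules = matching_rules(row["cs-uri-query"], decode)
        if rules:
            hits.append({
                "time": row["time"],
                "client": row["c-ip"],
                "uri": row["cs-uri-stem"],
                "query": row["cs-uri-query"],
                "rules": rules,
            })
    return hits


if __name__ == "__main__":
    for label, dec in (("literal match (as the IIS rules)", False),
                       ("after percent-decoding", True)):
        print(f"== {label} ==")
        for hit in scan(SAMPLE_LOG, decode=dec):
            print(hit["time"], hit["client"], hit["uri"], hit["query"], hit["rules"])
```

Two things the run makes visible. First, *..* is coarse: any query string containing two consecutive dots is rejected, so a legitimate parameter value such as a range written "1.0..2.0" would be blocked too, and the rule should be tested against real traffic before it is left in place. Second, the literal pattern does not match the percent-encoded form %2e%2e; whether the rewrite module sees the raw or the decoded query string at the point the condition is evaluated should be confirmed on the server itself, and a follow-up test request with an encoded variant is a cheap way to verify the rule behaves as intended.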