Mitel MiVoice Security Service Bulletin 

Mitel MiVoice Connect Vulnerability Found

As a Mitel platinum partner, we want to ensure all our clients are aware of any vulnerabilities as soon as they are made known. According to Mitel, if you are using the MiVoice Connect product, including earlier versions of 14.2, and have an SA or virtual SA appliance, you may be at risk. If you have or think you might have a MiVoice Connect Service Appliance, SA100, SA400, and/or virtual SA, we ask that you reach out to us for help at mitelalerts@cnp.net.

Product Name

MiVoice Connect (including earlier versions of 14.2)

Version(s) Affected

R19.2 SP3 (22.20.2300.0) and earlier;
R14.x and earlier

Solution(s) Available

Mitel-provided script available for releases 19.2 SP3 and earlier, and R14.x and earlier
Remediation will be included in MiVoice Connect R19.3, forecast for June 2022

About the Vulnerability:

This is a data validation vulnerability in the Service Appliance component of MiVoice Connect. Because of insufficient data validation for a diagnostic script, an unauthenticated attacker could inject commands using specially crafted requests. A successful exploit could allow remote code execution within the context of the Service Appliance, with potential impacts to the confidentiality, integrity, and availability of the system.

The vulnerability relates exclusively to deployments that include a MiVoice Connect Service Appliance, SA100, SA400, and/or virtual SA.

The Security Solution:

To address a critical security exposure, it is recommended that certain files be permanently removed from all Service Appliances (SA100/400/vSA). Please reach out to us directly at mitelalerts@cnp.net and we will help you with removal to best secure your MiVoice Connect system. To learn more, you may also visit Mitel Product Security Advisory 22-0002.