Mitel warns of some critical security gaps in MiVoice Connect and Connect Mobility Router. This allows attackers from the local network to execute arbitrary code. The manufacturer provides updates that are intended to close the gaps.
MiVoice Connect: Critical vulnerability
In the server components Headquarters, Windows DVS and Linux DVS there is only insufficient access control, explains Mitel in a security advisory. Unauthenticated attackers from the local network can abuse this to run arbitrary scripts (CVE-2023-31457, CVE-2023-32748; no CVSS value yet, risk “critical“). In the MiVoice Connect edge gateway, malicious actors can gain admin privileges based on default passwords (CVE-2023-31458, no CVSS, risk “hoch“).
Cross-site scripting vulnerabilities in the index.php and test_presenter.php pages of the MiVoice Connect conference component allow attackers to execute arbitrary script code (CVE-2023-25598, CVE-2023-25599; no CVSS value, risk”middle“). Are affected MiVoice-Connect-Version up to and including 19.3 SP2 (22.24.1500.0). Updated software is available that fixes the vulnerabilities. Mitel recommends that customers also ensure that complex passwords are assigned to all Edge Gateway accounts.
In the Connect Mobility Router, Mitel has also opted for standard passwords, allowing malicious actors access with administrator rights (CVE-2023-31459, no CVSS value, risk “hoch“). Authenticated attackers can use another vulnerability to inject commands that Connect Mobility Router executes in the system context. Mitel does not provide any information on what the vulnerability looks like (CVE-2023-31460, no CVSS value, risk “hoch“).
The security-critical errors can be found in the Connect Mobility Router Version 9.6.2208.101 and previous. Newer software versions iron them out. In addition, Mitel recommends that customers ensure that the accounts on the Connect Mobility Router are provided with complex passwords.
Security gaps in Mitel’s MiVoice products have often been exploited by attackers in the past. IT managers should therefore download and install the available software updates as soon as possible.
To home page