CPNI - Centre for the Protection of National Infrastructure

February 2005

NISCC Vulnerability Advisory 723548/NISCC/CORSAIRE/MITEL

ID: 00177
Ref: 160/2005
Date: 28 February 2005:14:58:17
Version: 1

Title: NISCC Vulnerability Advisory 723548/NISCC/CORSAIRE/MITEL
Abstract:
Vendors affected: Mitel
Operating systems affected: Mitel


Title
=====

NISCC Vulnerability Advisory 723548/NISCC/CORSAIRE/MITEL

Detail
======

The impact includes possible session hijacking and denial of service (DoS) attacks against the web management interface.


NISCC Vulnerability Advisory 723548/NISCC/CORSAIRE/MITEL

Vulnerability Issues with Mitel 3300 ICP Product

Version Information
-------------------
Advisory Reference 723548/NISCC/CORSAIRE/MITEL
Release Date 28 Feb 2005
Last Revision 21 Feb 2005
Version Number 1.0

What is affected?
-----------------
3300 Integrated Communication Platform release 5.1 and earlier

Impact
------
The impact includes possible session hijacking and denial of service (DoS) attacks against the web management interface.

Severity
--------
This is rated as low.

Summary
-------
Several vulnerabilities concerning the Mitel 3300 ICP product were discovered by Corsaire
Ltd, a privately owned UK company; the vulnerabilities are as follows:

1. By predicting the session IDs, it will be possible for a local attacker to hijack
legitimate users' web management sessions.

2. By exhausting all available session IDs, it will be possible for an authenticated user
to deny service to other users of the web management interface.

Mitel have solutions available that can rectify these issues; please refer to the
'Solution' section for further information.

[Please note that revisions to this advisory will not be notified by email. All
subscribers are advised to regularly check the UNIRAS website for updates to this notice.]

Details
-------
Several vulnerabilities have been discovered within the Mitel 3300 ICP Product.

723548/NISCC/CORSAIRE/MITEL/1
CVE ID: CAN-2004-0944

The 3300 ICP provides enterprise IP-PBX capabilities and makes use of a Web Interface
to manage the device. In order to maintain a user session, the Web Interface generates a
unique session ID for each user after they have successfully authenticated. Once the
client has authenticated, this session ID is used as a shared secret to authenticate the
client to the server for all subsequent requests. However, this session ID was found to be
predictable and can allow attackers to hijack legitimate users' sessions.

The impact is, however, minimised because a 3300 ICP is normally installed on an internal
LAN with a firewall between it and the Internet. As such, there would be no way for a remote
attacker to access the 3300 ICP management interface from outside the internal LAN.

723548/NISCC/CORSAIRE/MITEL/2
CVE ID: CAN-2004-0945

The Web Interface utilised by the 3300 ICP has a small upper limit for active session
IDs. Hence a malicious user could authenticate over and over again, until all session IDs
are assigned and thereby deny access to the Web Interface for other users.

However, the impact is minimised as this attack is limited to users with access to
valid authentication credentials.
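
An added example, not taken from the advisory or from Mitel's code: a minimal session store showing the two properties whose absence issues 1 and 2 describe, namely IDs drawn from a CSPRNG instead of a guessable sequence, and a per-user cap with idle expiry so that one authenticated account cannot consume the whole session pool. The class name, limits and timeouts are assumptions chosen for illustration.

```python
import secrets
import time


class SessionStore:
    """Hypothetical web-management session store (names and limits are assumptions)."""

    def __init__(self, max_total=64, max_per_user=2, idle_timeout=900,
                 clock=time.monotonic):
        self.max_total = max_total          # size of the whole session table
        self.max_per_user = max_per_user    # cap for any single account
        self.idle_timeout = idle_timeout    # seconds before an idle session is freed
        self.clock = clock
        self._sessions = {}                 # session_id -> [user, last_seen]

    def _expire(self):
        # Free slots held by idle sessions so abandoned logins do not pin the table.
        now = self.clock()
        stale = [sid for sid, (_, seen) in self._sessions.items()
                 if now - seen > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]

    def create(self, user):
        """Call only after the user has authenticated; returns a new session ID."""
        self._expire()
        mine = sorted((seen, sid) for sid, (u, seen) in self._sessions.items()
                      if u == user)
        # Issue 2: repeated logins recycle this user's own oldest session
        # instead of taking slots that other users need.
        while len(mine) >= self.max_per_user:
            del self._sessions[mine.pop(0)[1]]
        if len(self._sessions) >= self.max_total:
            raise RuntimeError("session table full")
        # Issue 1: 256 bits from the OS CSPRNG; not derived from a counter,
        # timestamp or user name, so earlier IDs reveal nothing about later ones.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [user, self.clock()]
        return sid

    def validate(self, sid):
        """Return the owning user for a live session ID, or None."""
        self._expire()
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        entry[1] = self.clock()             # activity refreshes the idle timer
        return entry[0]
```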

Mitigation
----------
Restrict access to the Web Interface so that:

1. Unauthorised users cannot access the Web Interface to hijack legitimate users' sessions
2. Malicious users cannot deny access of the Web Interface to other users

Solution
--------
Mitel recommends that customers upgrade their 3300 ICP systems to Release 5.2.

Vendor Information
------------------
Mitel Networks Corporation is headquartered in Ottawa, Canada; they provide advanced
voice, video and data communications platforms, desktop phones and Internet appliances,
intuitive applications for customer relationship management and mobility, messaging and
multimedia collaboration. For more information, please visit http://www.mitel.com/.

Credits
-------
This issue was discovered by Corsaire Ltd, who reported the issue to NISCC. The
NISCC Vulnerability Team would also like to thank Mitel for their co-operation in
handling this vulnerability.

Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line

Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax +44 (0)870 487 0749

Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG

We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be sent to the email
address above.

If you wish to be added to our email distribution list please email your request to
uniras@niscc.gov.uk.

What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security Co-ordination Centre,
please visit http://www.niscc.gov.uk/.

Reference to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by NISCC. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions contained within this
advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.

© 2005 Crown Copyright

----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via
EMail to: uniras@niscc.gov.uk

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of NISCC for the information
contained in this Briefing.
----------------------------------------------------------------------------------