CVE-2023-31457 & CVE-2023-32748: Critical Mitel MiVoice Connect Security Vulnerabilities

Mitel’s MiVoice Connect is renowned for bringing together all communications and collaboration tools into a user-friendly interface. Its popularity lies in its ability to allow users to quickly find contacts, check their availability, and connect via various communication channels like phone, IM, video, desktop sharing, or conference calling – all without the need for opening a separate window or logging into new applications. However, like many software solutions, Mitel’s MiVoice Connect is not immune to vulnerabilities, and two critical ones have been recently identified in its architecture.

Unveiling the Vulnerabilities

Two critical Improper Access Control vulnerabilities (CVE-2023-31457 and CVE-2023-32748) have been identified in the Headquarters (HQ), Windows DVS, and Linux DVS Server components of MiVoice Connect. Both vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 9.6, highlighting the gravity of the situation.

The primary concern here is that these vulnerabilities allow an unauthenticated attacker with internal network access to execute arbitrary scripts, potentially leading to arbitrary code execution within the context of the system.

Let’s dive a little deeper into each of these vulnerabilities:

1. CVE-2023-31457: This vulnerability resides in the HQ and Windows DVS server components. It could potentially allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. The aftermath of a successful exploit could lead to arbitrary code execution.
2. CVE-2023-32748: Similarly, this vulnerability is found in the Linux DVS server components. An attacker, once again, could execute arbitrary scripts and potentially execute arbitrary code within the system context.

As both vulnerabilities can lead to unauthorized code execution, they have been rated as ‘Critical’ in terms of risk.

Mitigation and Workarounds

While these vulnerabilities present a significant risk, Mitel has been proactive in providing a host of mitigation strategies.

Mitigation for MiVoice Connect release 19.3 or later is available via configuration options, details of which can be found in the linked Knowledge Base articles:

• For Partners: https://mitel.my.site.com/partner/s/article/Connect-Security-Update-CVE-2023- 31457-CVE-2023-32748-Improper-Access-Control
• For Enterprise Customers: https://mitel.my.site.com/customer/s/article/Connect-Security-UpdateCVE-2023-31457-CVE-2023-32748-Improper-Access-Control

As a standard security practice, Mitel recommends that the MiVoice Connect Headquarters, Windows, and Linux DVS servers be deployed on protected internal networks. Access should be minimal and network access limited using network tools. It is strongly advised that customers with affected product versions upgrade to the highlighted solution versions or apply available mitigation.

Solution Information

Mitel has responded promptly to these vulnerabilities and has issued corrective measures. The issue is rectified in MiVoice Connect Release 19.3 SP3 (22.24.5800.0). As a precaution, customers are advised to upgrade to this or a subsequent release.

Furthermore, Mitel has made available a script that addresses these vulnerabilities for MiVoice Connect Release 19.3 SP2 and earlier.