CVE-2023-39292 & CVE-2023-39293: Mitel MiVoice Office 400 SMB Controller Security Vulnerabilities
Two critical security vulnerabilities have recently been disclosed in the MiVoice Office 400 SMB Controller. Tracked as CVE-2023-39292 and CVE-2023-39293, both are rated high severity and put data confidentiality, system integrity, and availability at risk.
CVE-2023-39293, with a CVSS score of 8.2, is a command injection vulnerability in the Controller Manager component of the MiVoice Office 400 SMB Controller. It stems from insufficient parameter sanitization and allows an authenticated attacker to perform a command injection attack. On successful exploitation, the attacker can execute arbitrary commands within the system's context, with adverse impact on the system's confidentiality, integrity, and availability.
The same Controller Manager component is also affected by CVE-2023-39292, which carries a higher CVSS score of 8.8. This SQL injection vulnerability, caused by insufficient input validation, allows an unauthenticated attacker to execute arbitrary commands. Successful exploitation could let an attacker extract sensitive data from the database and perform arbitrary database and management operations, again affecting the system's confidentiality, integrity, and availability.
Both vulnerabilities affect MiVoice Office 400 SMB Controller versions 1.2.5.23 and earlier. Mitel recommends deploying the MiVoice Office 400 SMB Controller inside a protected internal network and restricting access to the controller interface with robust network protections. Customers running affected versions are strongly advised to upgrade to MiVoice Office 400 SMB Controller Release 1.2.5.24 or later, where both issues are fixed.
Mitel has released security advisories for both vulnerabilities in the MiVoice Office 400 SMB Controller. They have a high impact and could be exploited by attackers to gain unauthorized access to the system or extract sensitive information. Customers are advised to take the necessary steps to mitigate their impact.
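As an added example (not part of the advisory or Mitel's own tooling), the following script checks an inventory of controller versions against the affected range stated above (1.2.5.23 and earlier, fixed in 1.2.5.24 or later), comparing version components numerically so that a build such as 1.2.5.9 is not mistaken for a newer release than 1.2.5.23. The hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Flag MiVoice Office 400 SMB Controller builds exposed to
CVE-2023-39292 / CVE-2023-39293 (affected: 1.2.5.23 and earlier;
fixed: 1.2.5.24 and later), per the advisory summary above."""
from __future__ import annotations

import re

AFFECTED_MAX = "1.2.5.23"   # last affected release per the advisory
FIXED_MIN = "1.2.5.24"      # first fixed release per the advisory
CVES = ("CVE-2023-39292", "CVE-2023-39293")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.5.23' into (1, 2, 5, 23). Numeric tuples avoid the
    string-comparison bug where '1.2.5.9' > '1.2.5.23'."""
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '1.2.4' compares as 1.2.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(version: str) -> bool:
    """True when the build is 1.2.5.23 or earlier."""
    cur, ceiling = _pad(parse_version(version), parse_version(AFFECTED_MAX))
    return cur <= ceiling


def assess(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each host ({hostname: version}) to the CVEs it is exposed to."""
    return {host: (list(CVES) if is_affected(ver) else []) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "pbx-hq-01": "1.2.5.23",
    "pbx-branch-02": "1.2.5.24",
    "pbx-lab-03": "1.2.4",
}

if __name__ == "__main__":
    for host, cves in assess(SAMPLE_INVENTORY).items():
        status = f"UPGRADE to {FIXED_MIN}+" if cves else "not affected"
        print(f"{host:14} {SAMPLE_INVENTORY[host]:10} {status} {' '.join(cves)}")
```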