PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files
(2024/12/06)
- Reference: 1733464871
- News link: https://www.theregister.co.uk/2024/12/06/mitel_micollab_0day/
- Source link:
A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances.
A proof-of-concept (PoC) exploit that strings together the two flaws, both spotted and disclosed to Mitel by watchTowr, which on Thursday [1]published the PoC after waiting 100-plus days for the vendor to issue a fix.
The Register has reached out to Mitel for comment and did not immediately receive a response to our questions including when the zero-day will be patched. We will update this story if and when we hear back.
[2]
Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It's widely used, boasting more than 16,000 instances across the Internet. And, as such, it's a very attractive target for [3]ransomware gangs and other cybercriminals.
[4]
[5]
Back in May, watchTowr's bug hunters discovered and disclosed to Mitel a [6]now-fixed critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as [7]CVE-2024-35286 , and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. The vendor closed the hole in May.
[8]Patch your Mitel VoIP systems, Lorenz ransomware gang is back on the prowl
[9]HTTP your way into Citrix's Virtual Apps and Desktops with fresh exploit code
[10]How $20 and a lapsed domain allowed security pros to undermine internet integrity
[11]T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'
Additionally, the watchTowr team found and reported an authentication bypass vulnerability ( [12]CVE-2024-41713 ) that also affects the NPM component of Mitel MiCollab.
This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users' data and system configurations. Mitel [13]fixed this one in October.
While investigating these two security holes, watchTowr found a third flaw that hasn't been assigned a CVE and doesn't yet have a patch. It's an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as "/etc/passwd" that contain account information.
[14]
The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.
"Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page," according to a watchTowr [15]report about the three bugs published on Thursday. "Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post - but as of writing, it remains unpatched (albeit post-auth)." ®
Get our [16]Tech Resources
[1] https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-35286
[8] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/
[9] https://www.theregister.com/2024/11/12/http_citrix_vuln/
[10] https://www.theregister.com/2024/09/11/watchtowr_black_hat_whois/
[11] https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/
[12] https://nvd.nist.gov/vuln/detail/CVE-2024-41713
[13] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[15] https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
[16] https://whitepapers.theregister.com/
A proof-of-concept (PoC) exploit that strings together the two flaws, both spotted and disclosed to Mitel by watchTowr, which on Thursday [1]published the PoC after waiting 100-plus days for the vendor to issue a fix.
The Register has reached out to Mitel for comment and did not immediately receive a response to our questions including when the zero-day will be patched. We will update this story if and when we hear back.
[2]
Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It's widely used, boasting more than 16,000 instances across the Internet. And, as such, it's a very attractive target for [3]ransomware gangs and other cybercriminals.
[4]
[5]
Back in May, watchTowr's bug hunters discovered and disclosed to Mitel a [6]now-fixed critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as [7]CVE-2024-35286 , and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. The vendor closed the hole in May.
[8]Patch your Mitel VoIP systems, Lorenz ransomware gang is back on the prowl
[9]HTTP your way into Citrix's Virtual Apps and Desktops with fresh exploit code
[10]How $20 and a lapsed domain allowed security pros to undermine internet integrity
[11]T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'
Additionally, the watchTowr team found and reported an authentication bypass vulnerability ( [12]CVE-2024-41713 ) that also affects the NPM component of Mitel MiCollab.
This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users' data and system configurations. Mitel [13]fixed this one in October.
While investigating these two security holes, watchTowr found a third flaw that hasn't been assigned a CVE and doesn't yet have a patch. It's an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as "/etc/passwd" that contain account information.
[14]
The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.
"Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page," according to a watchTowr [15]report about the three bugs published on Thursday. "Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post - but as of writing, it remains unpatched (albeit post-auth)." ®
Get our [16]Tech Resources
[1] https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-35286
[8] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/
[9] https://www.theregister.com/2024/11/12/http_citrix_vuln/
[10] https://www.theregister.com/2024/09/11/watchtowr_black_hat_whois/
[11] https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/
[12] https://nvd.nist.gov/vuln/detail/CVE-2024-41713
[13] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[15] https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
[16] https://whitepapers.theregister.com/
Yet again (and again and again and ...)
Mike 137
SQL injection, authentication bypass and arbitrary file read. Out of the Ark all three. When will someone [a] ideally stop making these idiotic mistakes or [b] possibly less unrealistically, do some darned code review and testing?
Slow disappearing
We do a lot of work with Mitel systems and slowly teams is replacing them. Will they be the next chapter 11. The bottom line is for the solution they are very expensive.