News: 1733464871

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files

(2024/12/06)


A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances.

A proof-of-concept (PoC) exploit that strings together the two flaws, both spotted and disclosed to Mitel by watchTowr, which on Thursday [1]published the PoC after waiting 100-plus days for the vendor to issue a fix.

The Register has reached out to Mitel for comment and did not immediately receive a response to our questions including when the zero-day will be patched. We will update this story if and when we hear back.

[2]

Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It's widely used, boasting more than 16,000 instances across the Internet. And, as such, it's a very attractive target for [3]ransomware gangs and other cybercriminals.

[4]

[5]

Back in May, watchTowr's bug hunters discovered and disclosed to Mitel a [6]now-fixed critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as [7]CVE-2024-35286 , and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. The vendor closed the hole in May.

[8]Patch your Mitel VoIP systems, Lorenz ransomware gang is back on the prowl

[9]HTTP your way into Citrix's Virtual Apps and Desktops with fresh exploit code

[10]How $20 and a lapsed domain allowed security pros to undermine internet integrity

[11]T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

Additionally, the watchTowr team found and reported an authentication bypass vulnerability ( [12]CVE-2024-41713 ) that also affects the NPM component of Mitel MiCollab.

This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users' data and system configurations. Mitel [13]fixed this one in October.

While investigating these two security holes, watchTowr found a third flaw that hasn't been assigned a CVE and doesn't yet have a patch. It's an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as "/etc/passwd" that contain account information.

[14]

The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.

"Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page," according to a watchTowr [15]report about the three bugs published on Thursday. "Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post - but as of writing, it remains unpatched (albeit post-auth)." ®

Get our [16]Tech Resources



[1] https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014

[7] https://nvd.nist.gov/vuln/detail/CVE-2024-35286

[8] https://www.theregister.com/2022/09/13/lorenz_ransomware_mitel_voip/

[9] https://www.theregister.com/2024/11/12/http_citrix_vuln/

[10] https://www.theregister.com/2024/09/11/watchtowr_black_hat_whois/

[11] https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/

[12] https://nvd.nist.gov/vuln/detail/CVE-2024-41713

[13] https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029

[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1LZV-8-7pcEO11KTVVyqQAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[15] https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/

[16] https://whitepapers.theregister.com/



Slow disappearing

Vader

We do a lot of work with Mitel systems and slowly teams is replacing them. Will they be the next chapter 11. The bottom line is for the solution they are very expensive.

Yet again (and again and again and ...)

Mike 137

SQL injection, authentication bypass and arbitrary file read. Out of the Ark all three. When will someone [a] ideally stop making these idiotic mistakes or [b] possibly less unrealistically, do some darned code review and testing?

James McNeill Whistler's (painter of "Whistler's Mother")
failure in his West Point chemistry examination once provoked him to
remark in later life, "If silicon had been a gas, I should have been a
major general."