
Critical Mitel MiCollab bug exposes systems to unauthorized file and administrator access

December 5, 2024 | Ravi Lakshmanan | IoT Vulnerability / Security

Cybersecurity researchers have released a proof-of-concept (PoC) exploit that chains a now-patched critical security flaw affecting Mitel MiCollab with an arbitrary file read zero-day, allowing an attacker to read files from vulnerable instances.

The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which stems from insufficient input validation in Mitel MiCollab’s NuPoint Unified Messaging (NPM) component and leads to a path traversal attack.

MiCollab is a software and hardware solution that integrates chat, voice, video and SMS messaging with Microsoft Teams and other applications. NPM is a voicemail server system that allows users to access their voice messages in a variety of ways, including remotely or through the Microsoft Outlook client.

WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 as part of its efforts to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical flaw in the NPM component that could allow an attacker to gain access to sensitive information and perform arbitrary database and management operations.


The SQL injection bug was fixed by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).

What makes the new vulnerability notable is that it involves passing the input “..;/” in an HTTP request to the ReconcileWizard component in order to traverse to the root of the application server, thus allowing access to sensitive information (such as /etc/passwd) without authentication.

WatchTowr Labs’ analysis also found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read bug to extract sensitive information.
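As an added example (not code from Mitel, watchTowr Labs, or the article), the following Python shows why a front-end check that only scans for the literal `../` misses the `..;/` sequence described above, and how normalising request paths the way a servlet container does flags such requests before they reach the application. The `/app` prefix and the sample request lines are constructed, not the real component path.

```python
# Added example (not Mitel's or watchTowr's code): why a literal "../" filter
# misses "..;/" and how container-style normalisation catches it. Servlet
# containers strip ";param" from each path segment, so "..;" resolves to "..";
# a front-end check that only scans for the literal "../" sees no traversal.
from urllib.parse import unquote

def naive_filter_blocks(raw_path: str) -> bool:
    """The kind of check "..;/" evades: a literal scan for "../" after decoding."""
    return "../" in unquote(raw_path)

def container_normalize(raw_path: str) -> tuple[str, bool]:
    """Resolve a path roughly as a servlet container would.

    Decode, drop the query string, strip ";param" from every segment, then
    resolve "." and "..". Returns (normalized_path, escaped_root), where
    escaped_root is True when a ".." would climb above the web root.
    """
    path = unquote(raw_path.split("?", 1)[0])
    segments: list[str] = []
    escaped = False
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # "..;" -> ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True              # traversal past the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments), escaped

def flag_traversals(request_lines: list[str]) -> list[str]:
    """Return request paths from access-log style lines that escape the web root."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2 and container_normalize(parts[1])[1]:
            flagged.append(parts[1])
    return flagged

# Constructed sample request lines; "/app" is a placeholder, not the real path.
SAMPLE_REQUESTS = [
    "GET /app/..;/..;/..;/etc/passwd HTTP/1.1",   # evades the naive filter
    "GET /app/../../../etc/passwd HTTP/1.1",      # caught by both checks
    "GET /app/wizard/index.jsp HTTP/1.1",         # benign
]
```

Running `flag_traversals(SAMPLE_REQUESTS)` returns the first two paths, while `naive_filter_blocks` returns False for the `..;/` variant.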

“Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access with potential impact to system confidentiality, integrity, and availability,” Mitel said in an advisory for CVE-2024-41713.

“If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to initialization information, including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab server.”

Following responsible disclosure, CVE-2024-41713 was patched in MiCollab version 9.8 SP2 (9.8.2.12) and later, released on October 9, 2024.

“On a more technical level, this investigation has demonstrated several valuable lessons,” said security researcher Sonny Macdonald.

“First, it was a real-life example that full access to the source code is not always necessary – even in vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good web searching skills can be the foundation for successful vulnerability hunting.”

It is worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web, and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) that can have serious consequences, ranging from information disclosure to the execution of arbitrary database queries that can cause system failure.


The disclosure comes after Rapid7 detailed several security flaws in the Lorex 2K Indoor Wi-Fi Security Camera (CVE-2024-52544 through CVE-2024-52548) that can be combined to achieve remote code execution (RCE).

In a hypothetical attack scenario, the first three vulnerabilities could be used to reset the target device’s administrator password to one of the attacker’s choosing, leveraging that access to view real-time video and audio from the device, or the remaining two flaws could be used to achieve elevated RCE.

“The exploit chain consists of five separate vulnerabilities that work together in two phases to achieve an unauthenticated RCE,” security researcher Stephen Fewer noted.

“Phase 1 bypasses authentication, allowing a remote, unauthenticated attacker to reset the device’s administrator password to a password of the attacker’s choice. Phase 2 enables remote code execution by using the authentication bypass in Phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges.”
