Cybersecurity researchers have released a proof-of-concept (PoC) exploit that chains together a now-patched critical security flaw affecting Mitel MiCollab with an arbitrary file read zero-day, giving an attacker the ability to read files from vulnerable instances.
The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), an insufficient input validation bug in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab that results in a path traversal attack.
MiCollab is a software and hardware solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams and other applications. NPM is a server-based voicemail system that lets users access their voice messages in various ways, including remotely or through the Microsoft Outlook client.
WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 while trying to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical bug in the NPM component that could let an attacker access sensitive information and execute arbitrary database and management operations.
That SQL injection flaw was patched by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).
What makes the new vulnerability notable is that it involves passing the input "..;/" in an HTTP request to the ReconcileWizard component to land the attacker in the root of the application server, making it possible to read sensitive files (e.g., /etc/passwd) without authentication.
WatchTowr Labs' analysis further found that this authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.
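The following is an added illustration of why a "..;/" segment can slip past a front-end path check yet still climb to the parent directory inside the application server; it is not watchTowr's PoC and not Mitel code. It assumes (the article does not say so) that the front-end allow-list normalizes the URL with plain dot-segment removal, while the servlet container strips ";param" path parameters from each segment before removing dot segments, the behaviour Tomcat-style containers are known for. The context names /publicapp and /adminapp are hypothetical.

```python
"""Added example: ";" path-parameter traversal, vulnerable check vs. hardened check.

Assumption (not from the article): the front-end filter applies generic
dot-segment removal, whereas the container strips ";..." from every segment
first. So "..;" is an opaque directory name to the filter but ".." to the
container. /publicapp and /adminapp are hypothetical context paths.
"""
from urllib.parse import unquote

PUBLIC_PREFIX = "/publicapp/"  # hypothetical context reachable without auth


def remove_dot_segments(path: str) -> str:
    """Generic dot-segment removal. Note that '..;' is NOT treated as '..'."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def front_end_normalize(path: str) -> str:
    """The URL as a naive reverse proxy or auth filter sees it."""
    return remove_dot_segments(unquote(path))


def container_resolve(path: str) -> str:
    """Servlet-container style resolution: drop ';...' path parameters from
    each segment, then remove dot segments."""
    stripped = [seg.split(";", 1)[0] for seg in unquote(path).split("/")]
    return remove_dot_segments("/".join(stripped))


def naive_is_public(path: str) -> bool:
    """Vulnerable allow-list check: trusts only the front-end view."""
    return front_end_normalize(path).startswith(PUBLIC_PREFIX)


def hardened_is_public(path: str) -> bool:
    """Fixed check: reject path parameters outright (after percent-decoding,
    so '%3b' is caught too) and decide on the container's resolved path."""
    if ";" in unquote(path):
        return False
    return container_resolve(path).startswith(PUBLIC_PREFIX)


def analyse(path: str) -> dict:
    """Summarise both views so the divergence is visible side by side."""
    return {
        "front_end": front_end_normalize(path),
        "container": container_resolve(path),
        "naive_allows": naive_is_public(path),
        "hardened_allows": hardened_is_public(path),
    }


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, the raw bypass, and a
    # percent-encoded variant of the same bypass.
    for p in ["/publicapp/help",
              "/publicapp/..;/adminapp/config",
              "/publicapp/%2e%2e;/adminapp/config"]:
        print(p, analyse(p))
```

The key line is the container's view of "/publicapp/..;/": it resolves to "/", the server root, which is exactly the foothold the article describes. Blocking every ";" in the decoded path is a blunt but dependable rule at the edge, because legitimate URLs in such applications almost never carry path parameters.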
“A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system,” Mitel said in an advisory for CVE-2024-41713.
“If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server.”
The company also noted that the local file read flaw (CVE reserved, CVSS score: 2.7) within the system is the result of insufficient input sanitization, and that the disclosure is limited to non-sensitive system information. It emphasized that the vulnerability does not allow file modification or privilege escalation.
Following responsible disclosure, CVE-2024-41713 has been fixed in MiCollab versions 9.8 SP2 (9.8.2.12) and later, released on October 9, 2024.
“On a more technical level, this investigation has demonstrated some valuable lessons,” security researcher Sonny Macdonald said.
“Firstly, it has acted as a real-world example that full access to the source code is not always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities.”
It is worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web, and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) whose impact could range from information disclosure to execution of arbitrary database queries that could render the system inoperable.
The disclosure comes as Rapid7 detailed multiple security flaws in the Lorex 2K Indoor Wi-Fi Security Camera (CVE-2024-52544 through CVE-2024-52548) that could be combined to achieve remote code execution (RCE).
In a hypothetical attack scenario, the first three vulnerabilities could be used to reset a target device's admin password to one of the adversary's choosing; that access could then be used either to view live video and audio feeds from the device or, via the remaining two flaws, to achieve RCE with elevated privileges.
“The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE,” security researcher Stephen Fewer noted.
“Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device’s admin password to a password of the attacker’s choosing. Phase 2 achieves remote code execution by leveraging the auth bypass in phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges.”