Cybersecurity researchers have launched a proof-of-concept (PoC) exploit that strings collectively a now-patched important safety flaw impacting Mitel MiCollab with an arbitrary file learn zero-day, granting an attacker the power to entry information from inclined situations.
The important vulnerability in query is CVE-2024-41713 (CVSS rating: 9.8), which pertains to a case of inadequate enter validation within the NuPoint Unified Messaging (NPM) part of Mitel MiCollab that leads to a path traversal assault.
MiCollab is a software program and {hardware} resolution that integrates chat, voice, video, and SMS messaging with Microsoft Groups and different functions. NPM is a server-based voicemail system, which allows customers to entry their voice messages by way of numerous strategies, together with remotely or by way of the Microsoft Outlook consumer.
WatchTowr Labs, in a report shared with The Hacker Information, stated it found CVE-2024-41713 as a part of its efforts to breed CVE-2024-35286 (CVSS rating: 9.8), one other important bug within the NPM part that might allow an attacker to entry delicate info and execute arbitrary database and administration operations.
The SQL injection flaw was patched by Mitel in late Could 2024 with the discharge of MiCollab model 9.8 SP1 (9.8.1.5).
What makes the brand new vulnerability notable is that it includes passing the enter “..;/” within the HTTP request to the ReconcileWizard part to land the attacker within the root of the appliance server, thus making it potential to entry delicate info (e.g., /and so forth/passwd) sans authentication.
WatchTowr Labs’ evaluation additional discovered that the authentication bypass could possibly be chained with an as-yet-unpatched post-authentication arbitrary file learn flaw to extract delicate info.
“A profitable exploit of this vulnerability may permit an attacker to realize unauthorized entry, with potential impacts to the confidentiality, integrity, and availability of the system,” Mitel stated in an advisory for CVE-2024-41713.
“If the vulnerability is efficiently exploited, an attacker may acquire unauthenticated entry to provisioning info together with non-sensitive person and community info, and carry out unauthorized administrative actions on the MiCollab Server.”
The corporate additionally famous that the native file learn flaw (CVE reserved, CVSS rating: 2.7) throughout the system is the results of inadequate enter sanitization, and that the disclosure is proscribed to non-sensitive system info. It emphasised that the vulnerability doesn’t permit file modification or privilege escalation.
Following accountable disclosure, CVE-2024-41713 has been plugged in MiCollab variations 9.8 SP2 (9.8.2.12) or later as of October 9, 2024.
“On a extra technical degree, this investigation has demonstrated some priceless classes,” safety researcher Sonny Macdonald stated.
“Firstly, it has acted as a real-world instance that full entry to the supply code shouldn’t be at all times wanted – even when diving into vulnerability analysis to breed a identified weak spot in a COTS resolution. Relying on the depth of the CVE description, some good Web search abilities could be the premise for a profitable hunt for vulnerabilities.”
It is value noting that MiCollab 9.8 SP2 (9.8.2.12) additionally addresses a separate SQL injection vulnerability within the Audio, Net, and Video Conferencing (AWV) part (CVE-2024-47223, CVSS rating: 9.4) that might have extreme impacts, starting from info disclosure to execution of arbitrary database queries that might render the system inoperable.
The disclosure comes as Rapid7 detailed a number of safety defects within the Lorex 2K Indoor Wi-Fi Safety Digital camera (from CVE-2024-52544 by way of CVE-2024-52548) that could possibly be mixed to realize distant code execution (RCE).
In a hypothetical assault situation, the primary three vulnerabilities could possibly be utilized to reset a goal gadget’s admin password to one of many adversary’s selecting, leveraging the entry to view dwell video and audio feeds from the gadget, or leverage the remaining two flaws to realize RCE with elevated privileges.
“The exploit chain consists of 5 distinct vulnerabilities, which function collectively in two phases to realize unauthenticated RCE,” safety researcher Stephen Fewer famous.
“Section 1 performs an authentication bypass, permitting a distant unauthenticated attacker to reset the gadget’s admin password to a password of the attacker’s selecting. Section 2 achieves distant code execution by leveraging the auth bypass in section 1 to carry out an authenticated stack-based buffer overflow and execute an working system (OS) command with root privileges.”