
Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access


Dec 05, 2024 | Ravie Lakshmanan | Vulnerability / IoT Security

Cybersecurity researchers have released a proof-of-concept (PoC) exploit that chains together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances.

The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which relates to a case of insufficient input validation in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab that results in a path traversal attack.

MiCollab is a software and hardware solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams and other applications. NPM is a server-based voicemail system that allows users to access their voice messages through various methods, including remotely or via the Microsoft Outlook client.

WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 as part of its efforts to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical bug in the NPM component that could allow an attacker to access sensitive information and execute arbitrary database and management operations.

The SQL injection flaw was patched by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).

What makes the new vulnerability notable is that it involves passing the input "..;/" in the HTTP request to the ReconcileWizard component to land the attacker in the root of the application server, thus making it possible to access sensitive information (e.g., /etc/passwd) without authentication.
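The "..;/" trick works because some Java servlet containers treat ";" as a path-parameter delimiter: a front-end filter sees a harmless-looking segment "..;", while the container resolves it to ".." and walks up the tree. A defender can spot this in access logs by resolving request targets the same way the container does before looking for a ".." segment. The following detector is an added example written for this article, not code from Mitel or watchTowr; the log lines are constructed in Apache combined format, and the paths in them are placeholders, not real MiCollab routes.

```python
"""Detect ';'-smuggled path traversal ("..;/") in web access logs.

Added example, not from the article or from Mitel/watchTowr. Assumptions:
log lines are in Apache/Nginx combined format, and the backend servlet
container strips ';param' suffixes from each path segment before resolving
'..', so a '..;' segment traverses even when a front-end check passed it.
"""
import re
from urllib.parse import unquote

# Matches the request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def canonical_segments(target: str) -> list[str]:
    """Return the path segments a servlet container would actually resolve.

    Steps: drop the query string, percent-decode twice (catches %2e%2e as
    well as double-encoded %252e%252e), then strip any ';param' suffix from
    every segment so '..;' becomes '..'.
    """
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return [seg.split(";", 1)[0] for seg in path.split("/") if seg]


def is_traversal(target: str) -> bool:
    """True if the resolved path contains a '..' segment anywhere."""
    return any(seg == ".." for seg in canonical_segments(target))


def scan_access_log(lines):
    """Return (line_number, method, target) for every traversing request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append((n, m.group("method"), m.group("target")))
    return hits


# Constructed sample log lines (placeholder paths, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Dec/2024:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Dec/2024:10:00:02 +0000] "GET /app/..;/other/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Dec/2024:10:00:03 +0000] "GET /app/%2e%2e%3b/admin HTTP/1.1" 200 99',
    '198.51.100.7 - - [05/Dec/2024:10:00:04 +0000] "GET /static/css;v=2/site.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, method, target in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {method} {target} -> '..' after ';' stripping")
```

The fourth sample line shows why a naive substring match on ";" is too noisy: legitimate path parameters such as `;v=2` are stripped without producing a `..` segment, so only the two smuggled requests are flagged. The same normalisation (decode, strip parameters, then reject `..`) is also what a reverse proxy or WAF rule should apply before forwarding a request to the application server.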

WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.

"A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system," Mitel said in an advisory for CVE-2024-41713.

"If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server."

Following responsible disclosure, CVE-2024-41713 has been plugged in MiCollab versions 9.8 SP2 (9.8.2.12) or later as of October 9, 2024.

"On a more technical level, this investigation has demonstrated some valuable lessons," security researcher Sonny Macdonald said.

"Firstly, it has acted as a real-world example that full access to the source code is not always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills could be the basis for a successful hunt for vulnerabilities."

It's worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) that could have severe impacts, ranging from information disclosure to execution of arbitrary database queries that could render the system inoperable.

The disclosure comes as Rapid7 detailed multiple security defects in the Lorex 2K Indoor Wi-Fi Security Camera (from CVE-2024-52544 through CVE-2024-52548) that could be combined to achieve remote code execution (RCE).

In a hypothetical attack scenario, the first three vulnerabilities could be used to reset a target device's admin password to one of the adversary's choosing, leveraging that access to view live video and audio feeds from the device, or to leverage the remaining two flaws to achieve RCE with elevated privileges.

"The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE," security researcher Stephen Fewer noted.

"Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device's admin password to a password of the attacker's choosing. Phase 2 achieves remote code execution by leveraging the auth bypass in phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges."
