
Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access

Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances.

The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which relates to a case of insufficient input validation in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab that results in a path traversal attack.

MiCollab is a software and hardware solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams and other applications. NPM is a server-based voicemail system, which allows users to access their voice messages through various methods, including remotely or through the Microsoft Outlook client.

WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 as part of its efforts to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical bug in the NPM component that could allow an attacker to access sensitive information and execute arbitrary database and management operations.


The SQL injection flaw was patched by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).


What makes the new vulnerability notable is that it involves passing the input "..;/" in the HTTP request to the ReconcileWizard component to land the attacker in the root of the application server, thus making it possible to access sensitive information (e.g., /etc/passwd) without authentication.

WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.
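For defenders reviewing web-server logs on a MiCollab host, here is an added example (not code from the WatchTowr report or from Mitel) of flagging the "..;/" traversal pattern described above, including percent-encoded forms of it. The access-log lines, request paths and the `scan_log`/`normalize_path` helpers are constructed for this example and are not the real exploit URLs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The request
# paths are illustrative placeholders, not the real MiCollab exploit URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2024:10:01:12 +0000] "GET /ReconcileWizard/..;/etc/passwd HTTP/1.1" 200 1831 "-" "curl/8.4.0"
203.0.113.7 - - [09/Oct/2024:10:01:20 +0000] "GET /ReconcileWizard/%2e%2e%3b/etc/passwd HTTP/1.1" 200 1831 "-" "curl/8.4.0"
198.51.100.4 - - [09/Oct/2024:10:02:05 +0000] "GET /ReconcileWizard/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Oct/2024:10:03:44 +0000] "POST /npm/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Percent-decode until stable (catches double encoding), then drop the
    ';...' path-parameter suffix from every segment so that a Java-style
    '..;' segment collapses to a plain '..' segment."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return '/'.join(seg.split(';', 1)[0] for seg in path.split('/'))


def is_traversal(path: str) -> bool:
    """True if any normalized segment is '..', i.e. the request tries to
    climb out of the component's directory."""
    return any(seg == '..' for seg in normalize_path(path).split('/'))


def scan_log(text: str) -> list:
    """Return one record per request whose path is a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m['path']):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'path': m['path'], 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {hit['ip']} at {hit['ts']}: {hit['path']} -> {hit['status']}")
```

A 200 status on a flagged request is the line worth escalating, since it suggests the server actually served the traversed path rather than rejecting it.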

“A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system,” Mitel said in an advisory for CVE-2024-41713.

“If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server.”

Following responsible disclosure, CVE-2024-41713 has been plugged in MiCollab versions 9.8 SP2 (9.8.2.12) or later as of October 9, 2024.


“On a more technical level, this investigation has demonstrated some valuable lessons,” security researcher Sonny Macdonald said.

“Firstly, it has acted as a real-world example that full access to the source code isn't always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities.”

It's worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) that could have severe impacts, ranging from information disclosure to execution of arbitrary database queries that could render the system inoperable.


The disclosure comes as Rapid7 detailed multiple security defects in the Lorex 2K Indoor Wi-Fi Security Camera (from CVE-2024-52544 through CVE-2024-52548) that could be combined to achieve remote code execution (RCE).


In a hypothetical attack scenario, the first three vulnerabilities could be used to reset a target device's admin password to one of the adversary's choosing, leveraging that access to view live video and audio feeds from the device, or the remaining two flaws could be leveraged to achieve RCE with elevated privileges.

“The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE,” security researcher Stephen Fewer noted.

“Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device's admin password to a password of the attacker's choosing. Phase 2 achieves remote code execution by leveraging the auth bypass in phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges.”
