Cybersecurity researchers have released a proof-of-concept (PoC) exploit that chains a now-patched critical security flaw affecting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from vulnerable instances.
The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which stems from insufficient input validation in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab and results in a path traversal attack.
MiCollab is a software and hardware solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams and other applications. NPM is a server-based voicemail system that allows users to access their voice messages through various methods, including remotely or through the Microsoft Outlook client.
WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 as part of its efforts to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical bug in the NPM component that could allow an attacker to access sensitive information and execute arbitrary database and management operations.
The SQL injection flaw was patched by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).
What makes the new vulnerability notable is that it involves passing the input “..;/” in the HTTP request to the ReconcileWizard component to land the attacker in the root of the application server, thus making it possible to access sensitive information (e.g., /etc/passwd) without authentication.
WatchTowr Labs’ analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.
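The “..;/” sequence above is a well-known way of slipping a “..” segment past front-end filters that look for a literal “../”, because servlet containers treat the part after “;” as a path parameter and strip it before resolving the path. The following added example (not Mitel’s code and not WatchTowr’s PoC) shows how a defender can reproduce that normalization and scan access-log request lines for traversal attempts, including the “..;/” and percent-encoded variants. The context root “/example-app” and the log lines are constructed for the example; the real MiCollab URL paths are not given on this page.

```python
"""
Detect path-traversal attempts, including the ';' path-parameter variant
("..;/"), in web server request lines.  Added illustration; the context
root "/example-app" and the log lines below are constructed, not taken
from any product.
"""
import re
from urllib.parse import unquote

# Raw-text indicators that survive in access logs even when the server
# normalized the path before routing the request.
RAW_TRAVERSAL = re.compile(r"(\.\.;?/|\.\.%2f|%2e%2e)", re.IGNORECASE)


def normalize_path(raw_path: str) -> str:
    """Approximate what a servlet container does before routing: drop the
    query string, percent-decode (twice, to catch %25-style double
    encoding), strip ';param' path parameters from each segment, then
    resolve '.' and '..'.  Returns the resolved absolute path."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    resolved = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]  # "..;foo" becomes ".."
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def escapes_context(raw_path: str, context_root: str) -> bool:
    """True if the request, once normalized, no longer sits under the
    application context it was addressed to."""
    normalized = normalize_path(raw_path)
    root = context_root.rstrip("/")
    return not (normalized == root or normalized.startswith(root + "/"))


def scan_log(lines, context_root):
    """Return (line_no, reason, normalized_path) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|PUT|HEAD)\s+(\S+)', line)
        if not m:
            continue
        raw = m.group(1)
        if RAW_TRAVERSAL.search(raw):
            findings.append((n, "traversal sequence in request", normalize_path(raw)))
        elif escapes_context(raw, context_root):
            findings.append((n, "normalized path leaves context", normalize_path(raw)))
    return findings


# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Oct/2024:10:00:01 +0000] "GET /example-app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Oct/2024:10:00:02 +0000] "GET /example-app/..;/..;/etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [09/Oct/2024:10:00:03 +0000] "GET /example-app/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [09/Oct/2024:10:00:04 +0000] "POST /example-app/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, reason, resolved in scan_log(SAMPLE_LOG, "/example-app"):
        print(f"line {line_no}: {reason} -> {resolved}")
```

Two independent checks are used on purpose: the raw-text regex catches the sequence even when the server’s own normalization would have hidden it (a 404 in the log does not mean the probe was harmless), while the normalized-path check catches encodings the regex does not list by asking the only question that matters, namely whether the resolved path left the application’s context root.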
“A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system,” Mitel said in an advisory for CVE-2024-41713.
“If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server.”
The company also noted that the local file read flaw (CVE reserved, CVSS score: 2.7) within the system is the result of insufficient input sanitization, and that the disclosure is limited to non-sensitive system information. It emphasized that the vulnerability does not allow file modification or privilege escalation.
Following responsible disclosure, CVE-2024-41713 has been fixed in MiCollab versions 9.8 SP2 (9.8.2.12) and later as of October 9, 2024.
“On a more technical level, this investigation has demonstrated some valuable lessons,” security researcher Sonny Macdonald said.
“Firstly, it has acted as a real-world example that full access to the source code isn’t always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities.”
It is worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web, and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) that could have severe impacts, ranging from information disclosure to execution of arbitrary database queries that could render the system inoperable.
The disclosure comes as Rapid7 detailed several security defects in the Lorex 2K Indoor Wi-Fi Security Camera (CVE-2024-52544 through CVE-2024-52548) that could be combined to achieve remote code execution (RCE).
In a hypothetical attack scenario, the first three vulnerabilities could be used to reset a target device’s admin password to one of the adversary’s choosing; that access could then be leveraged to view live video and audio feeds from the device, or the remaining two flaws could be leveraged to achieve RCE with elevated privileges.
“The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE,” security researcher Stephen Fewer noted.
“Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device’s admin password to a password of the attacker’s choosing. Phase 2 achieves remote code execution by leveraging the auth bypass in phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges.”