Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access


Dec 05, 2024 | Ravie Lakshmanan | Vulnerability / IoT Security

Cybersecurity researchers have released a proof-of-concept (PoC) exploit that chains together a now-patched critical security flaw affecting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from vulnerable instances.

The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which relates to a case of insufficient input validation in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab that results in a path traversal attack.

MiCollab is a software and hardware solution that integrates chat, voice, video, and SMS messaging with Microsoft Teams and other applications. NPM is a server-based voicemail system that allows users to access their voice messages through various methods, including remotely or via the Microsoft Outlook client.

WatchTowr Labs, in a report shared with The Hacker News, said it discovered CVE-2024-41713 as part of its efforts to reproduce CVE-2024-35286 (CVSS score: 9.8), another critical bug in the NPM component that could allow an attacker to access sensitive information and execute arbitrary database and management operations.

The SQL injection flaw was patched by Mitel in late May 2024 with the release of MiCollab version 9.8 SP1 (9.8.1.5).

What makes the new vulnerability notable is that it involves passing the input "..;/" in the HTTP request to the ReconcileWizard component to land the attacker in the root of the application server, thus making it possible to access sensitive information (e.g., /etc/passwd) without authentication.
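The defensive point behind that "..;/" detail is that the ';' turns '..' into a segment carrying a path parameter, so filters that only look for "../" miss it. The following scanner, an added example that is not code from the article, WatchTowr or Mitel, flags such segments in web-server access logs after percent-decoding and records whether the server actually served the request; the log lines and the /npm-pwg/ prefix are constructed, not documented MiCollab paths.

```python
"""Flag Tomcat-style '..;/' path-traversal attempts in access logs (added example)."""
import re
from urllib.parse import unquote

# A '..' segment carrying a ';' path parameter, e.g. '..;/' or '..;x/'.
# Plain '../' is left alone: that is ordinary URL navigation, not this bug class.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|/)\.\.;[^/]*(?:/|$)")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def normalize(path: str) -> str:
    """Percent-decode up to twice (catches %2e%2e%3b and double encoding), drop the query."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0]

def is_traversal(path: str) -> bool:
    return TRAVERSAL_SEGMENT.search(normalize(path)) is not None

def scan(lines):
    """Return one finding per matching request; 'served' is True when the status is 2xx."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "served": m["status"].startswith("2")})
    return hits

# Constructed sample log; the /npm-pwg/ prefix is an assumption, not a documented MiCollab path.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2024:10:15:01 +0000] "GET /npm-pwg/index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Dec/2024:10:15:02 +0000] "GET /npm-pwg/static/../app.js HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Dec/2024:10:15:03 +0000] "GET /npm-pwg/..;/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Dec/2024:10:15:04 +0000] "GET /npm-pwg/%2e%2e%3b/?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 2xx hit against a host still on a version before 9.8 SP2 is the one to escalate; a 4xx hit shows the probe was blocked upstream.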

WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.

"A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system," Mitel said in an advisory for CVE-2024-41713.

"If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab Server."

Following responsible disclosure, CVE-2024-41713 has been plugged in MiCollab versions 9.8 SP2 (9.8.2.12) or later as of October 9, 2024.

"On a more technical level, this investigation has demonstrated some valuable lessons," security researcher Sonny Macdonald said.

"Firstly, it has acted as a real-world example that full access to the source code is not always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities."

It's worth noting that MiCollab 9.8 SP2 (9.8.2.12) also addresses a separate SQL injection vulnerability in the Audio, Web and Video Conferencing (AWV) component (CVE-2024-47223, CVSS score: 9.4) that could have severe impacts, ranging from information disclosure to execution of arbitrary database queries that could render the system inoperable.

The disclosure comes as Rapid7 detailed several security defects in the Lorex 2K Indoor Wi-Fi Security Camera (from CVE-2024-52544 through CVE-2024-52548) that could be combined to achieve remote code execution (RCE).

In a hypothetical attack scenario, the first three vulnerabilities could be used to reset a target device's admin password to one of the adversary's choosing, leveraging the access to view live video and audio feeds from the device, or leverage the remaining two flaws to achieve RCE with elevated privileges.

"The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE," security researcher Stephen Fewer noted.

"Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device's admin password to a password of the attacker's choosing. Phase 2 achieves remote code execution by leveraging the auth bypass in phase 1 to perform an authenticated stack-based buffer overflow and execute an operating system (OS) command with root privileges."
