PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files

Still unpatched 100+ days later, watchTowr says

Updated: A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances.

A proof-of-concept (PoC) exploit strings together the two flaws, both spotted and disclosed to Mitel by watchTowr, which on Thursday published the PoC after waiting 100-plus days for the vendor to issue a fix.

The Register has reached out to Mitel for comment and did not immediately receive a response to our questions, including when the zero-day will be patched. We will update this story if and when we hear back.

Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It's widely used, boasting more than 16,000 instances across the Internet. And, as such, it's a very attractive target for ransomware gangs and other cybercriminals.

Back in May, watchTowr's bug hunters discovered and disclosed to Mitel a now-fixed critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as CVE-2024-35286, and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. The vendor closed the hole in May.

Additionally, the watchTowr team found and reported an authentication bypass vulnerability (CVE-2024-41713) that also affects the NPM component of Mitel MiCollab. 

This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users' data and system configurations. Mitel fixed this one in October.

While investigating these two security holes, watchTowr found a third flaw that hasn't been assigned a CVE and doesn't yet have a patch. It's an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as "/etc/passwd" that contain account information.

The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.

"Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page," according to a watchTowr report about the three bugs published on Thursday. "Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post - but as of writing, it remains unpatched (albeit post-auth)." ®

Updated to add at 1640 UTC on December 6, 2024

After watchTowr published its report, Mitel issued a security advisory about the arbitrary file read vulnerability, which it rated as a low-severity risk, and said it will be fixed in future product updates.

According to the advisory: "The low severity local file read exposure is substantially mitigated by MiCollab 9.8 SP2 (9.8.2.12)." This is the software update that closes the critical auth-bypass hole, CVE-2024-41713.

Mitel didn't say when it plans to patch the zero-day, which still doesn't have a CVE assigned.
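As an added, defender-side example that is not from the article, watchTowr's PoC or Mitel's code: a small Python triage script that checks whether a MiCollab build string is at or above the 9.8.2.12 release the advisory names, and flags access-log requests that carry decoded path-traversal sequences or reference /etc/passwd, the file the article says the chain reads. The log format, the /portal/ path and the IP addresses are constructed sample data, not the product's real endpoints.

```python
import re
from urllib.parse import unquote

# Build that Mitel's advisory says closes CVE-2024-41713 and substantially
# mitigates the file read: MiCollab 9.8 SP2, i.e. 9.8.2.12 (from the article).
FIXED_VERSION = (9, 8, 2, 12)

# Coarse traversal markers, applied after URL decoding; "/a/../b" style
# paths also trip this, which is acceptable for a triage pass.
TRAVERSAL_RE = re.compile(r"\.\./")
SENSITIVE_FILE_RE = re.compile(r"/etc/(passwd|shadow)\b")

# Combined-log-style line; the format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def parse_version(text):
    """Turn a dotted build string such as '9.8.2.12' into a 4-tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def is_mitigated(version_text):
    """True if the build is at or above the 9.8.2.12 mitigation release."""
    return parse_version(version_text) >= FIXED_VERSION

def normalize(path):
    # Decode twice so double-encoded traversals (%252e%252e%252f) surface,
    # and fold backslashes so "..\" variants are caught by the same regex.
    return unquote(unquote(path)).replace("\\", "/")

def triage(log_line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    path = normalize(m.group("path"))
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("path-traversal")
    if SENSITIVE_FILE_RE.search(path):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": path, "reasons": reasons}

# Constructed sample access-log lines (documentation IP range, fake paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Dec/2024:10:00:01 +0000] "GET /portal/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1987',
    '203.0.113.9 - - [06/Dec/2024:10:00:02 +0000] "GET /portal/%252e%252e%252f%252e%252e%252fsecret HTTP/1.1" 403 0',
]

def scan(lines):
    """Run triage over many lines; a 200 on a flagged request deserves priority."""
    return [f for f in (triage(l) for l in lines) if f]
```

A flagged request that returned 200 is the signal to prioritise, since it suggests the traversal was not rejected by the server.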

A spokesperson sent The Register the following statement:

"Our top priority is to ensure the reliability and security of the solutions we offer our customers. We recently became aware of vulnerabilities relating to MiCollab and have published recommended actions, including software updates, to mitigate risks. We strongly encourage customers to apply all available security updates as they become available."
