Mitel MiCollab VoIP authentication bypass opens new attack paths

Security researchers have discovered a new issue in the Mitel MiCollab enterprise VoIP platform that allows attackers to reach administrative features without authentication. The discovery was made by researchers from security firm watchTowr back in May while trying to replicate a different vulnerability that Mitel patched at the time (CVE-2024-35286). The new issue is a path traversal that leads to authentication bypass and affects MiCollab 9.8 SP1 FP2 (9.8.1.201) and earlier.

The path traversal was patched in October with version 9.8.2.12, but the researchers have now released technical details and a proof-of-concept exploit that chains it with a yet-unpatched arbitrary file read issue to retrieve sensitive files from the underlying OS.

“VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT,” the researchers wrote. “Imagine being able to listen in on the phone calls of your target, as they’re happening, or even to interfere with them and block them at will. It’s a very powerful thing to be able to do, and a godsend for an outcome-motivated attacker.”

The Mitel MiCollab enterprise collaboration and VoIP suite includes voice, video, chat messaging, SMS, web conferencing, desktop sharing, file sharing, and other tools. According to watchTowr, more than 16,000 MiCollab instances are exposed on the internet.

The researchers started looking at MiCollab when analyzing an older SQL injection flaw, rated critical, that was patched in the suite in May. That vulnerability, tracked as CVE-2024-35286, was located in the NuPoint Unified Messaging (NPM) component, which lives under the /npm-admin/ path on the server. That path cannot be requested directly, however: the web server answers with a 401 Unauthorized error, so the researchers could not reach the vulnerable Java web application to test the flaw.
This made them wonder how the proxy and URL rewrite rules are handled by the Apache web server running on MiCollab, and soon enough they found an old configuration that someone had posted on a tech support forum. From there they saw proxy rules for another URL path, /npm-pwg/, but when they tried to access that path they were redirected to the default /portal path, the main page of the MiCollab portal. A path traversal trick documented by another researcher, Orange Tsai, gave them an idea.

“To briefly explain Orange Tsai’s amazing research in the context of a Java application residing on Apache/Tomcat, it was discovered that the special syntax ..;/ can be used to truncate paths/traverse out of contexts,” the watchTowr researchers wrote.

In other words, when the Apache front end forwards a URL prefix to a specific servlet (Java web application) on an internal application server such as Tomcat, appending ..;/ to the path allows traversing back and reaching other servlets deployed on the same application server. The trick works because the two parsers disagree about the request path: Apache matches its proxy and access rules against the path as the client wrote it, where "..;" is just another directory name, whereas Tomcat treats everything after a ";" in a segment as a path parameter, discards it, and then collapses the remaining ".." during normalization. So, while a direct request to /npm-admin/ is rejected, and a request to /npm-pwg/ is redirected, a request to /npm-pwg/..;/npm-admin/ satisfies Apache's rules for /npm-pwg/, bypasses the redirect, and is resolved by Tomcat to the web interface of the NuPoint Unified Messaging server.

From there the researchers were able to scan the web application and find the SQL injection flaw that corresponded to CVE-2024-35286. They then wondered what other web applications (.war files) might reside in the root of the server besides npm-admin. It turns out there are a lot of them: awcPortlet, awv, axis2-AWC, Bulkuserprovisioning, ChangePasscodePortlet, ChangePasswordPortlet, ChangeSettingsPortlet, LoginPortlet, massat, MiCollabMetting, portal, ReconcileWizard, SdsccDistributionErrors, UCAProvisioningWizard, and usp.
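To make the parser disagreement concrete, here is a small Python model of the two sides of the proxy. This is an added illustration, not code from watchTowr or Mitel: the routing rules are a hypothetical stand-in for MiCollab's Apache configuration (the article only establishes that /npm-admin/ is answered with 401 and /npm-pwg/ is redirected to /portal; the example assumes the redirect applies to the bare /npm-pwg/ path while deeper paths are proxied), and tomcat_normalize models Tomcat's path-parameter stripping and dot-segment removal rather than calling Tomcat itself. The hardened router at the end shows the fix an engineer would want at the proxy layer: canonicalise the path the way the backend will before applying access rules, and refuse anything the backend would interpret differently.

```python
"""
Model of the Apache -> Tomcat parser differential behind the ..;/ trick.

Added example, not watchTowr's PoC and not Mitel's configuration.  The
front-end rules below are a hypothetical stand-in for MiCollab's Apache rules.
"""
from typing import List, Optional, Tuple


def frontend_route(raw_path: str) -> Tuple[str, Optional[str]]:
    """Apache-style decision made on the path exactly as the client sent it.

    Apache sees '..;' as an ordinary directory name: it neither strips the
    ';' path parameter nor collapses the segment, so a rule written for
    /npm-pwg/ still matches once a traversal segment follows that prefix.
    """
    if raw_path.startswith("/npm-admin/"):
        return ("deny", None)            # article: direct access -> 401
    if raw_path == "/npm-pwg/":          # assumption: redirect only the bare path
        return ("redirect", "/portal")
    return ("proxy", raw_path)           # everything else is forwarded to Tomcat


def tomcat_normalize(raw_path: str) -> str:
    """Tomcat-style mapping of a request path onto a context.

    Each segment may carry a path parameter after ';' (e.g. ';jsessionid=...').
    Tomcat discards the parameter before resolving the path, so the segment
    '..;' becomes '..' and is then removed together with its parent segment,
    stepping out of the context the front end believed it had proxied to.
    """
    segments: List[str] = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]       # drop ';param' from the segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    out = "/" + "/".join(segments)
    if raw_path.endswith("/") and out != "/":
        out += "/"
    return out


def handle(raw_path: str) -> str:
    """Outcome of a request through the unpatched proxy model."""
    action, target = frontend_route(raw_path)
    if action == "deny":
        return "401"
    if action == "redirect":
        return f"302 {target}"
    return f"proxied to {tomcat_normalize(raw_path)}"


def handle_hardened(raw_path: str) -> str:
    """Same rules, applied the way the backend will interpret the path.

    Canonicalise first and refuse any request whose canonical form differs
    from what the client sent (path parameters, dot segments, empty segments):
    the backend would otherwise route it somewhere the front end never checked.
    """
    canonical = tomcat_normalize(raw_path)
    if canonical != raw_path:
        return "400"
    action, target = frontend_route(canonical)
    if action == "deny":
        return "401"
    if action == "redirect":
        return f"302 {target}"
    return f"proxied to {canonical}"


if __name__ == "__main__":
    for path in ("/npm-admin/", "/npm-pwg/", "/npm-pwg/..;/npm-admin/", "/portal/"):
        print(f"{path:28} unpatched: {handle(path):26} hardened: {handle_hardened(path)}")
```

Running the script shows the differential on one line: the traversal request is "proxied to /npm-admin/" by the unpatched model and answered with 400 by the hardened one, while the plain /npm-admin/ and /npm-pwg/ requests behave identically in both. Rejecting on any mismatch between raw and canonical path is deliberately strict; a front end that instead rewrote the path would have to be certain its normalisation matched every backend behind it.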

A larger attack surface means more flaws to find

The path traversal issue opened a much larger attack surface: any of those servlets, now reachable without authentication, could contain vulnerabilities or sensitive functionality that could be abused. The researchers reported the issue to Mitel in May; Mitel assigned it CVE-2024-41713 and patched it in October, closing the attack vector.

But the researchers probed further, and it didn't take them long to find a .war file that could be abused. The ReconcileWizard servlet appears to be a web application used for saving or viewing system reports. The researchers found that the file access functionality it provides is itself vulnerable to path traversal, allowing a user to request arbitrary files from the system rather than only reports from a specific directory, which leads to sensitive information disclosure.

In their newly released proof-of-concept exploit, watchTowr's researchers chained the authentication bypass with the ReconcileWizard arbitrary file read to retrieve the contents of /etc/passwd. That file is world-readable on Linux, so it is not the prize in itself; it is the conventional proof that a primitive reads arbitrary paths, and the same request can target files that are genuinely sensitive.

“In an effort to dampen the flames, we contacted Mitel again on August 26th to disclose this Arbitrary File Read vulnerability,” the researchers wrote. “They informed us on October 12th of their plans to patch, which they scheduled for the first week of December 2024. Unfortunately, we’re past this period and have not seen any updates on Mitel’s Security Advisory page.”
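The ReconcileWizard bug is the second, independent traversal in the chain: a file-serving handler that trusts a user-supplied name. The following Python is an added illustration of that bug class and its fix, not watchTowr's PoC and not Mitel's ReconcileWizard code (the article does not show the servlet's parameters or paths). It builds a throwaway directory tree with a constructed secret.conf outside the reports directory, shows how a naive base-plus-name join serves it through both a relative "../" name and an absolute path, and then applies the containment check a hardened handler needs: resolve symlinks with realpath and require the result to stay under the base.

```python
"""
Arbitrary file read via path traversal in a 'view report' handler, and its fix.

Added example, not Mitel's ReconcileWizard code and not watchTowr's PoC.
The directory layout and file contents are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def build_fixture():
    """Constructed tree: reports/ holds the only files the handler should serve;
    secret.conf one level up stands in for a sensitive file outside that scope."""
    root = Path(tempfile.mkdtemp(prefix="reconcile-demo-"))
    reports = root / "reports"
    reports.mkdir()
    (reports / "sync-2024-10-01.log").write_text("reconcile ok\n")
    (root / "secret.conf").write_text("db_password=hunter2\n")
    return reports, root / "secret.conf"


def read_report_vulnerable(reports_dir, name: str) -> str:
    """Traversal-prone handler: joins the caller's name onto the base directory
    and opens whatever that resolves to.  '../' walks out of the base, and
    os.path.join silently discards the base altogether when name is absolute."""
    with open(os.path.join(str(reports_dir), name), encoding="utf-8") as fh:
        return fh.read()


def read_report_safe(reports_dir, name: str) -> str:
    """Hardened handler: canonicalise and enforce containment before opening.

    realpath (not normpath) is used so that a symlink inside reports/ pointing
    elsewhere is also caught; commonpath compares whole path components, so a
    sibling directory such as reports-old/ does not pass as a string prefix."""
    base = os.path.realpath(str(reports_dir))
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing {name!r}: resolves outside {base}")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Run both handlers against a legitimate name, a '../' name and an
    absolute path; return the observed outcome for each case."""
    reports, secret = build_fixture()
    cases = {
        "legit": "sync-2024-10-01.log",
        "traversal": "../secret.conf",
        "absolute": str(secret),
    }
    results = {}
    for label, name in cases.items():
        results[f"{label}_vuln"] = read_report_vulnerable(reports, name)
        try:
            results[f"{label}_safe"] = read_report_safe(reports, name)
        except PermissionError:
            results[f"{label}_safe"] = "blocked"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome!r}")
```

The vulnerable handler returns the secret for both the "../" name and the absolute path, the second because os.path.join drops the base when its second argument is absolute, a detail that also defeats naive "does the name contain .."-style filters. The safe handler serves the legitimate report and blocks both hostile names; on the real appliance the same containment rule would have kept ReconcileWizard confined to its reports directory.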

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3618212/mitel-micollab-voip-authentication-bypass-opens-new-attack-paths.html
