
PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files

A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances. 

The proof-of-concept (PoC) exploit strings together the two flaws, both of which were spotted and disclosed to Mitel by watchTowr; the firm published the PoC on Thursday after waiting 100-plus days for the vendor to issue a fix.

The Register has reached out to Mitel for comment and did not immediately receive a response to our questions including when the zero-day will be patched. We will update this story if and when we hear back.

Mitel MiCollab, as the name suggests, is an enterprise collaboration tool that allows users to communicate and connect with employees and customers via a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. It’s widely used, boasting more than 16,000 instances across the Internet. And, as such, it’s a very attractive target for ransomware gangs and other cybercriminals.

Back in May, watchTowr’s bug hunters discovered and disclosed to Mitel a now-fixed critical SQL injection vulnerability in the NuPoint Unified Messaging (NPM) component of the MiCollab product. This 9.8-rated flaw is tracked as CVE-2024-35286, and could allow an unauthenticated attacker to access sensitive information and execute arbitrary database and management operations. The vendor closed the hole in May.

Additionally, the watchTowr team found and reported an authentication bypass vulnerability (CVE-2024-41713) that also affects the NPM component of Mitel MiCollab. 

This one is due to insufficient input validation, and it could be abused to allow an unauthenticated attacker to conduct a path traversal attack, and thus view, corrupt, or delete users’ data and system configurations. Mitel fixed this one in October.

While investigating these two security holes, watchTowr found a third flaw that hasn’t been assigned a CVE and doesn’t yet have a patch. It’s an arbitrary file read flaw that requires authentication to exploit — and this is why the PoC chains it with CVE-2024-41713, thus allowing an attacker to bypass authentication and then access files such as “/etc/passwd” that contain account information.

The researchers say they contacted Mitel about the arbitrary file read bug on August 26 and the vendor, in October, promised a patch the first week in December.

“Unfortunately, we’re past this period and have not seen any updates on Mitel’s Security Advisory page,” according to a watchTowr report about the three bugs published on Thursday. “Since our disclosure email was sent over 100 days ago, we’ve decided to proceed and include this vulnerability within our blog post – but as of writing, it remains unpatched (albeit post-auth).” ®
