
Mitel MiCollab zero-day and PoC exploit unveiled

A zero-day vulnerability in the Mitel MiCollab enterprise collaboration suite can be exploited to read files containing sensitive data, watchTowr researcher Sonny Macdonald has disclosed, and followed up by releasing a proof-of-concept (PoC) exploit that chains together this zero-day file read vulnerability with CVE-2024-41713, which allows attackers to bypass authentication.

A zero-day and PoC to grab sensitive info of MiCollab users

In a blog post published on Thursday, Macdonald tells of watchTowr’s quest to reproduce CVE-2024-35286, a MiCollab SQL injection vulnerability fixed earlier this year, and their discovery of:

  • CVE-2024-41713, an additional authentication bypass vulnerability (which Mitel subsequently patched in October), and
  • An arbitrary file read zero-day still without a CVE number (Mitel said a patch for it would be released in the first week of December 2024)

The zero-day can only be exploited by authenticated attackers, which is why the PoC chains it with CVE-2024-41713. Once that requirement is met, attackers can navigate to and read sensitive files such as /etc/passwd.

The researchers went public with the flaw because they had reported it more than three months ago. Mitel will hopefully release a fix in the coming days.

Risk mitigation

Upgrading MiCollab to version 9.8 SP2 (9.8.2.12) or later, or implementing the patch for releases 9.7 and above, fixes CVE-2024-41713 and thus breaks watchTowr’s PoC chain. But until Mitel fixes the CVE-less zero-day, authenticated attackers can still abuse it.

Organizations should implement the latest available patches and repeat the process when Mitel patches the zero-day. Allowing access to vulnerable servers only from trusted IP ranges and internal networks is also a good idea to minimize the risk of exploitation of these (and other) flaws.
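The two mitigations above translate into a simple triage over a MiCollab inventory: flag every instance below 9.8.2.12 as still missing the CVE-2024-41713 fix, and flag every instance reachable from outside the trusted networks as still exposed to the unpatched file read even once it is patched. The script below is an added illustration, not code from the article, Mitel or watchTowr; the hostnames, version strings and networks are constructed, and the version strings are assumed to be in the dotted numeric form the article quotes (9.8.2.12).

```python
"""
Added example (not from the article, Mitel or watchTowr): inventory triage
for the two MiCollab mitigations the article describes.

All hostnames, versions and networks below are constructed sample data.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Minimum release the article states fixes CVE-2024-41713 (9.8 SP2 == 9.8.2.12).
FIXED_VERSION = (9, 8, 2, 12)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted MiCollab version string into a 4-tuple for comparison.

    Short strings such as "9.7" are zero-padded to four components so that
    tuple comparison behaves like a normal numeric version compare.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched_for_cve_2024_41713(version: str) -> bool:
    """True when the instance runs 9.8 SP2 (9.8.2.12) or later."""
    return parse_version(version) >= FIXED_VERSION


def reachable_only_from_trusted(permitted: Iterable[str], trusted: Iterable[str]) -> bool:
    """True when every network permitted to reach the host sits inside a trusted range."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    for p in permitted:
        net = ipaddress.ip_network(p, strict=False)
        if not any(net.subnet_of(t) for t in trusted_nets):
            return False
    return True


def triage(inventory: List[Tuple[str, str, List[str]]], trusted: List[str]) -> dict:
    """Map each host to an action, given (host, version, permitted source networks).

    Actions:
      patch_and_restrict - below 9.8.2.12 and reachable from untrusted ranges
      patch              - below 9.8.2.12 but already restricted
      restrict           - patched for CVE-2024-41713 but still exposed to the
                           unpatched authenticated file read from untrusted ranges
      ok_pending_zero_day_fix - patched and restricted; re-check when Mitel ships the fix
    """
    result = {}
    for host, version, permitted in inventory:
        patched = is_patched_for_cve_2024_41713(version)
        restricted = reachable_only_from_trusted(permitted, trusted)
        if not patched and not restricted:
            result[host] = "patch_and_restrict"
        elif not patched:
            result[host] = "patch"
        elif not restricted:
            result[host] = "restrict"
        else:
            result[host] = "ok_pending_zero_day_fix"
    return result


# Constructed sample inventory: (hostname, reported version, firewall-permitted sources).
SAMPLE_INVENTORY = [
    ("micollab-hq.example.internal", "9.8.2.12", ["10.0.0.0/8"]),
    ("micollab-branch.example.internal", "9.7.1.5", ["0.0.0.0/0"]),
    ("micollab-dr.example.internal", "9.8.1.3", ["10.20.0.0/16"]),
    ("micollab-lab.example.internal", "9.8.2.12", ["203.0.113.0/24"]),
]
TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY, TRUSTED_NETWORKS).items():
        print(f"{host}: {action}")
```

The "restrict" outcome is the one worth noticing: an instance on 9.8.2.12 is no longer vulnerable to the PoC chain, but it is still subject to the authenticated file read until Mitel's separate fix ships, so network restriction stays relevant after patching.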

According to Macdonald, there are over 16,000 MiCollab instances across the Internet.

“MiCollab comprises a softphone application deployed to endpoints and a central server component capable of coordinating telephone calls between endpoints and also to the outside world. It’s like a mini telephone exchange, and it boasts the features you’d expect – voicemail, file sharing, and even desktop sharing so that users can show each other what they’re doing. While it’s obvious how dangerous compromise of features such as ‘desktop sharing’ are, there are usually larger dangers exposed by the telephone function itself,” he added.