Ransomware Exploiting Mitel VOIP Zero-Day

On June 23rd 2022, CrowdStrike released a report describing a zero-day exploit tracked as CVE-2022-29499 (CVSS v3 score: 9.8, critical). The vulnerability allows remote code execution (RCE) in the Mitel Service Appliance component of MiVoice Connect, used in the SA 100, SA 400 and Virtual SA, and was used to gain initial access to the network.

“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance, this vulnerability was privately reported to Mitel. Mitel is recommending customers with affected product versions apply the available remediation. Credit is given to Patrick Bennett of CrowdStrike for highlighting the issue and bringing to our attention.” Mitel said in the security advisory released in April 2022.

The issue is caused by insufficient data validation in a diagnostic script, allowing remote unauthenticated attackers to inject commands using specially crafted requests. The exploit consisted of two GET requests: the first targeted the “get_url” parameter of a PHP file, and the second was generated on the device itself, the injected command performing HTTP GET requests to the attacker’s infrastructure.
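As an added example (not code from the original post, CrowdStrike or Mitel), the following scans web-server access logs for requests whose “get_url” parameter carries shell syntax instead of a plain URL, the pattern described above. The PHP script path and the log lines are constructed placeholders; the page does not name the real file.

```python
# Added example: heuristic detection of command-injection attempts through a
# "get_url" query parameter in access logs (CVE-2022-29499 pattern).
# The script path "/placeholder/diag.php" and the log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that never belong in a legitimate URL value.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Apache/nginx combined-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_get_url(path: str):
    """Return the decoded get_url value if it looks like injection, else None."""
    query = urlsplit(path).query
    for value in parse_qs(query, keep_blank_values=True).get("get_url", []):
        # A benign value is a plain http(s) URL with no shell syntax in it.
        if SHELL_META.search(value) or not value.lower().startswith(("http://", "https://")):
            return value
    return None

def scan_log(lines):
    """Return (ip, timestamp, decoded get_url) for each suspicious GET request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        hit = suspicious_get_url(m["path"])
        if hit is not None:
            hits.append((m["ip"], m["ts"], hit))
    return hits

# Constructed sample log lines; the second one carries a ';' inside get_url.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2022:10:00:01 +0000] "GET /placeholder/diag.php?get_url=http%3A%2F%2Fintranet.example%2Fstatus HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2022:10:00:07 +0000] "GET /placeholder/diag.php?get_url=http%3A%2F%2F198.51.100.7%2F%3Bid HTTP/1.1" 200 77',
    '203.0.113.9 - - [23/Jun/2022:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    # The second signal from the post, outbound HTTP from the appliance to
    # unknown hosts, needs egress/proxy logs and is not covered here.
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious get_url={value!r}")
```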

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. Having an up-to-date and accurate asset inventory is also critically important, as you can’t protect something if you don’t know it exists. In addition, it’s important to ensure all service accounts are managed and accounted for, and that the capability exists to detect abnormal account usage,” Patrick Bennett wrote in the report released by CrowdStrike.

Sources

https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/

https://www.bleepingcomputer.com/news/security/mitel-zero-day-used-by-hackers-in-suspected-ransomware-attack/

https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html