Exploited! NuPoint Unified Messaging (NPM) Component of Mitel MiCollab
IONIX is tracking CVE-2024-41713 and related vulnerabilities in Mitel MiCollab NPM. This post is based on ongoing security research and will continue to be updated as we get additional information.
What is CVE-2024-41713 Mitel MiCollab NPM?
The NuPoint Unified Messaging (NPM) module in Mitel MiCollab versions up to 9.8 SP1 FP2 (9.8.1.201) is vulnerable to a path traversal attack caused by insufficient input validation. This vulnerability could be exploited by an unauthenticated attacker to gain unauthorized access to sensitive files, potentially allowing them to read, alter, or delete user data and critical system settings.
The Mitel MiCollab Arbitrary File Read Vulnerability combines CVE-2024-41713 with a second issue that has not yet been assigned a CVE.
This flaw stems from improper input validation and directory traversal weaknesses. It enables attackers to bypass access controls by sending specially crafted HTTP requests. Exploiting this vulnerability allows attackers to retrieve sensitive files stored on the affected server, potentially exposing critical information.
According to HelpNetSecurity: watchTowr researcher Sonny Macdonald has disclosed the flaw, and followed up by releasing a proof-of-concept (PoC) exploit that chains together this zero-day file read vulnerability with CVE-2024-41713, which allows attackers to bypass authentication.
“In a blog post published on Thursday, Macdonald tells of watchTowr’s quest to reproduce CVE-2024-35286, a MiCollab SQL injection vulnerability fixed earlier this year, and their discovery of:
- CVE-2024-41713, an additional authentication bypass vulnerability (which Mitel subsequently patched in October), and
- An arbitrary file read zero-day still without a CVE number (a patch for which Mitel said would release in the first week of December 2024)
The zero-day can only be exploited by authenticated attackers, hence it getting chained with CVE-2024-41713 in the PoC. But if that requirement is achieved, attackers can navigate to and access sensitive files such as /etc/passwd.”
Recommended Mitigation steps:
To address this issue, we recommend the following immediate steps:
- Apply Vendor Patches: Follow the guidance in the Mitel Security Advisory to patch CVE-2024-41713 and related vulnerabilities.
- Restrict Access: Limit access to the affected server to trusted IPs only and restrict public exposure of the asset.
- Sanitize Input: Ensure the application properly validates and sanitizes all user inputs to prevent directory traversal attacks.
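As an added illustration of the input-validation step above (example code, not code from Mitel, watchTowr or IONIX), here is a naive "serve a file by name" path join beside a hardened resolver that confines the result to an assumed base directory `/srv/npm-data`; the base directory and the file names are constructed for the example.

```python
import os
import urllib.parse
from typing import Optional

# Hypothetical base directory for user-accessible files (constructed example).
BASE_DIR = "/srv/npm-data"


def naive_resolve(user_path: str) -> str:
    """Naive join: '../' sequences in the client-supplied name escape BASE_DIR."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path if it stays inside base_dir, otherwise None.

    Decodes percent-encoding repeatedly (double-encoded '../' is a common way
    to slip past a single decode), rejects NUL bytes and absolute paths, treats
    backslashes as separators, then canonicalises with realpath so symlinks and
    '..' components are resolved before the containment check.
    """
    decoded = user_path
    for _ in range(3):  # bounded: stop once decoding no longer changes the input
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None  # a client must never supply an absolute path
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath avoids the "/srv/npm-data-other" prefix trap that a plain
    # startswith(base) check would fall into
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

Rejecting rather than "cleaning" a bad path is deliberate: stripping `../` and retrying leaves room for sequences such as `....//` that collapse back into a traversal after one pass.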
Am I impacted by CVE-2024-41713 and related vulnerabilities?
IONIX has tracked the issue since it was published, and on Dec 5 our security research team added a full exploit simulation model based on the exploits used in the wild. This lets us see which customers have impacted assets. The payload we created successfully retrieves file contents, confirming the exploitability of this vulnerability.
IONIX customers will see updated information on their specific assets in the threat center of the IONIX portal.