Researchers from CrowdStrike have uncovered an attack on the Mitel MiVoice VoIP appliance. In the process, they found a zero-day vulnerability. Mitel is now protecting its customers from attacks with a remediation script.
The security provider CrowdStrike has discovered a zero-day vulnerability in Mitel products. The vulnerability, tracked as CVE-2022-29499, was apparently used to gain initial access to a network. Although the attack was stopped, the researchers assume that the cybercriminals intended to deploy ransomware.
The vulnerability lies in the Mitel Service Appliance component of MiVoice Connect, affecting the SA 100, SA 400 and Virtual SA products. An attacker may be able to inject and execute malicious code remotely in the context of the service appliance. The root cause is insufficient validation of data passed to a diagnostic script, as BleepingComputer reports. This allows an attacker to inject commands via specially crafted requests without prior authentication.
The vulnerability ultimately allows a reverse shell, and subsequently a web shell, to be set up. On top of this, the attackers downloaded a tunnelling proxy tool called Chisel. It is intended to make the attack harder to detect while the cybercriminals move laterally across the network.
According to CrowdStrike, the attackers also tried to cover their tracks by deleting all data stored on the compromised devices. However, the researchers managed to recover evidence from the TMP partition as well as from the HTTP access logs.
An official patch is not yet available. However, since 19 April, Mitel has been distributing a script for MiVoice Connect version 19.2 SP3 and earlier, as well as R14.x and earlier, that is intended to protect against the attack.