Brisbane web hosting specialist Global Secure Layer has found a zero-day exploit affecting Mitel MiCollab SIP appliances.
The vulnerability, called TP240PhoneHome, would allow potential attackers to gain complete control over the system, allowing them to remotely brick the system, create outgoing calls, dump confidential data and potentially use the exploit to pivot further into the network.
Global Secure Layer said its team first became aware of TP240PhoneHome in mid-February, although it was only able to release technical details on Wednesday, 9 March. The company also expects the impact to get worse over the next few days as it continues to monitor the situation.
In the company’s advisory, a reflective amplification attack like TP240PhoneHome would reflect traffic from a source that is then amplified via servers and targeted towards a victim’s IP. It also has an amplification factor of over 220 billion percent.
“Our security team independently identified the vector and have spent the last few weeks silently working with various organisations to ensure this exploit was patched and the right parties informed,” Global Secure Layer’s advisory read.
Mitel published its own advisory on 22 February, saying the vulnerability was found in its MiCollab and MiVoice Business Express products, and that a denial of service attack would cause “significant outbound traffic impacting availability of other services”.
The TP240PhoneHome vulnerability has multiple levels but has primarily been used to perform reflected amplification DDoS attacks. The chart from Global Secure Layer below illustrates the locations of potential attackers probing to looking to exploit the vulnerability:
Global Secure Layer said those affected should patch their devices with their latest firmware while ensuring port 10074 has its access control list (ACL) turned off at the customer’s end.
“While we are primarily concerned with this being a vector used to launch DDoS attacks, this exploit is far more severe,” the advisory said.
“It allows an attacker complete control over the system, for example being able to remotely brick it, create outgoing calls, dump confidential data and potentially use it to pivot further into the network. So we fully anticipate the impact to be worse over the next few days.”
The company has also deployed a patch on its global network to address the exploit and recommends customers that are multi-homed to reach out to their other providers to do the same.