A critical new vulnerability affecting VoIP appliances from Mitel is being used in the wild to deploy ransomware -- and an initial patch from the vendor has been bypassed, security vendors say.
Exploitation requires no privileges and no user interaction.
The Mitel zero day was first reported in April 2022. CrowdStrike reported on 23 June the bug was being actively exploited in the wild and gives full remote code execution (RCE).
CrowdStrike mitigated an attempted ransomware attack that saw malicious activity traced to a "Linux-based Mitel VOIP appliance sitting on the network perimeter" with the company noting "the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited."
In an advisory on 27 June security firm Avertium claimed Mitel's initial fix had not resolved the vulnerability; the vendor updated its security advisory on the Mitel zero-day vulnerability today.
The Mitel zero day includes two HTTP GET requests that are used to trigger RCE by fetching rogue commands from attacker-controlled infrastructure. CrowdStrike has observed an attacker using the exploit to create a reverse shell and using it to launch a web shell (“pdf_import.php”) on the VoIP appliance.
"The attacker attempted to go undetected by performing anti-forensic techniques on the VoIP appliance - renaming the binary to “memdump”. The device that was observed by Crowdstrike was a Linux-based Mitel VoIP appliance sitting on the network perimeter, where EDR software for the device was highly limited."
CrowdStrike's technically detailed writeup is here.
Mitel said that the "vulnerability relates exclusively to deployments that include a MiVoice Connect Service Appliance, SA100, SA400, and/or virtual SA" -- affecting MiVoice Connect (including earlier versions 14.2) R19.2 SP3 (22.20.2300.0) and earlier, R14.x and earlier.
The vulnerability was added this week to CISA's list of known exploited bugs.
| CVE | Product | CVSS Score | Type | Date reported |
|---|---|---|---|---|
| CVE-2022-29499 | Mitel MiVoice Connect | 9.8 | RCE | 25 Apr 2022 |
| CVE-2021-30533 | Google Chrome | 6.5 | Security Bypass | 7 Jun 2021 |
| CVE-2021-4034 | Red Hat Polkit | 7.8 | Privilege escalation with admin rights (undergoing reanalysis) | 28 Jan 2022 |
| CVE-2021-30983 | Apple iOS and iPadOS | 7.8 | Buffer overflow | 24 Aug 2021 |
| CVE-2020-3837 | Apple iOS & more | 7.8 | Memory corruption | 27 Feb 2020 |
| CVE-2020-9907 | Apple iOS & more | 7.8 | Memory corruption | 16 Oct 2020 |
| CVE-2019-8605 | Apple iOS & more | 7.8 | Use-After-Free | 18 Dec 2019 |
| CVE-2018-4344 | Apple iOS & more | 7.8 | Memory Corruption | 3 Apr 2019 |
The Known Exploited Vulnerabilities added to CISA's catalogue on 27 June 2022.
The Google Chrome exploit meanwhile among this week's fresh addition to the list, CVE-2021-30533, is the least serious, but can bypass Chrome's redirect protection, and is being used to drive traffic to malware, according to Google. The vendor issued a fix in May 2021, in Chrome 91 (the current version is 102).
CVE-2021-4034 is within Red Hat polkit's pkexec utility. "The [then] current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands," said the NIST entry - attackers can use this to craft variables which can allow them to gain admin rights on the target machine.
Red Hat Enterprise Linux versions 6, 7 and 8 all had the affected version of polkit, along with Red Had Virtualization 4. Red Hat released mitigation instructions in February 2022.
Wrinkled Apple vulnerabilities being pwned
The remainder of the new entries are Apple vulnerabilities affecting pretty much all its various iDevices - with all of them impacting the iPhone's iOS. All of these are rated 7.8, and all bar one are more than two years old.
The latest of the Apple vulnerabilities, CVE-2021-30983, was uncovered by Pangu Labs during the Tianfu Cup. A buffer overflow issue within the IOMobileFrameBuffer can allow apps to execute arbitrary code with kernel privileges. The issue was fixed in iOS and iPadOS 15.2, released in December 2021.
See also: Critical VMware vulns showcased at China’s Tianfu Cup finally get a patch
Apple's four remaining Apple vulnerabilities which are now being actively exploited include issues within macOS, iOS, iPadOS, tvOS and watchOS. All of them allow execution of arbitrary code with kernel privileges, either via memory corruption or use-after-free exploitation.
As these four vulnerabilities are all more than two years old, updating iDevices to current versions - or at least ones released from December 2021 onwards - will resolve all of them.
