Full Report
Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which relates to a case of insufficient input
Analysis Summary
# Vulnerability: Mitel MiCollab Unauthenticated Path Traversal Leading to File Read
## CVE Details
- CVE ID: CVE-2024-41713
- CVSS Score: 9.8 (Critical)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
## Affected Systems
- Products: Mitel MiCollab (specifically the NuPoint Unified Messaging (NPM) component)
- Versions: Prior to MiCollab 9.8 SP2 (9.8.2.12)
- Configurations: Applicable to instances running vulnerable MiCollab/NPM components.
## Vulnerability Description
CVE-2024-41713 is a critical path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab. The flaw stems from insufficient input validation in the `ReconcileWizard` component. An attacker can send a specially crafted HTTP request containing the input `..;/`, which the path normalization logic resolves incorrectly, placing the request at the root of the application server. This allows unauthenticated access to sensitive files (e.g., `/etc/passwd`). Researchers also noted that this bypass could be chained with a separate, post-authentication arbitrary file read flaw for enhanced data exfiltration.
## Exploitation
- Status: PoC available (Chained with a separate flaw)
- Complexity: Low (Unauthenticated path traversal)
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential access to sensitive system and provisioning information)
- Integrity: Medium (Potential to perform unauthorized administrative actions)
- Availability: Medium (Potential for system disruption if chained with other exploits)
## Remediation
### Patches
- Mitel has patched CVE-2024-41713 in **Mitel MiCollab version 9.8 SP2 (9.8.2.12) or later.**
- *Note: Version 9.8 SP1 (9.8.1.5) addressed a related SQL injection vulnerability (CVE-2024-35286).*
### Workarounds
No specific workarounds were detailed, but blocking unusual path traversal sequences (like `../` or `..;/`) at the network edge where possible may offer temporary relief until patching is complete.
## Detection
- Indicators of compromise include unusual access patterns or file read attempts targeting system files (like `/etc/passwd`) originating from the MiCollab application interface.
- Detection should focus on monitoring web application traffic directed at the MiCollab server for payloads containing path traversal sequences in HTTP requests targeting the `ReconcileWizard` component.
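An added example (not from the vendor advisory or the researchers' report) of the detection approach described above: it percent-decodes request URIs from access-log lines and flags traversal sequences, rating hits on `ReconcileWizard` higher. The log lines, paths and addresses are constructed placeholders, and matching optional text after `;` goes slightly beyond the two sequences this page names.

```python
import re
from urllib.parse import unquote

# "../" and "..;/" are the sequences named on this page; allowing text between
# ';' and the slash is a generalisation added for this example.
TRAVERSAL = re.compile(r"\.\.(?:;[^/\\]*)?[/\\]")
COMPONENT = "reconcilewizard"
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed access-log lines (combined log format); paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Dec/2024:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Dec/2024:10:00:05 +0000] "GET /app/..;/ReconcileWizard/page HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Dec/2024:10:00:06 +0000] "POST /app/%2e%2e%3b/reconcilewizard/page HTTP/1.1" 200 1024',
    '203.0.113.4 - - [05/Dec/2024:10:00:09 +0000] "GET /static/../img/logo.png HTTP/1.1" 404 0',
    '192.0.2.10 - - [05/Dec/2024:10:00:12 +0000] "GET /ReconcileWizard/page HTTP/1.1" 401 0',
]

def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded sequences are seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(uri):
    """Return 'high' for traversal aimed at ReconcileWizard, 'medium' for other traversal."""
    decoded = decode_fully(uri)
    if not TRAVERSAL.search(decoded):
        return None
    return "high" if COMPONENT in decoded.lower() else "medium"

def scan(lines):
    """Return (source, severity, status, decoded_uri) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        severity = classify(m["uri"])
        if severity:
            findings.append((m["src"], severity, int(m["status"]), decode_fully(m["uri"])))
    return findings

if __name__ == "__main__":
    for src, severity, status, uri in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:15} {status} {uri}")
```

A `high` finding with a 2xx status is the case to triage first, since the server answered the traversal request instead of rejecting it.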
## References
- Vendor Advisory (MISA-2024-0029): `mitel[.]com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029`
- PoC Disclosure: `github[.]com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713`
- WatchTowr Labs Report: `labs[.]watchtowr[.]com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day`