Urgent Vulnerability Notice: Critical Zero-Day Vulnerability Found in Mitel VoIP Appliance ERS

What You Need to Know:

A ransomware attack was deployed against an unnamed target, using Mitel’s VoIP appliance an entry point. CVE-2022-29499 is actively being used by attackers to achieve remote code execution and to gain initial access to their victim’s environment. The vulnerability is rated 9.8 in severity on the CVSS vulnerability scoring system.

In April 2022, Mitel fixed CVE-2022-29499 which affects the Mitel Service Appliance component of MiVoice Connect, but the fix did not work. According to Mitel, the bug allows attackers to perform remote code execution within the context of the Service Appliance. The following products are affected:

• MiVoice Connect Service Appliances – R19.2 SP3 (22.20.2300.0) and earlier R14.x and earlier
• SA 100
• SA400
• Virtual SA

Discovered by CrowdStrike, CVE-2022-29499 includes two HTTP GET requests that are used to trigger remote code execution via fetching rogue commands from an attacker-controlled infrastructure. During CrowdStrike’s investigation, they observed an attacker using the exploit to create a reverse shell and using it to launch a web shell (“pdf_import.php”) on the VoIP appliance.

The attacker attempted to go undetected by performing anti-forensic techniques on the VoIP appliance – renaming the binary to “memdump”. The device that was observed by Crowdstrike was a Linux-based Mitel VoIP appliance sitting on the network perimeter, where EDR software for the device was highly limited.

Mitel is recommending that customers with affected product versions apply their suggested remediation immediately, as well as review the product Security Bulletin ID: 22-0002-001. If you have further questions regarding the vulnerability, you should contact Mitel’s Product Support.

How Towerwall Is Helping To Protect Our Customers:

• vCISO – Towerwall offers vCISO to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
• Zero Trust Architecture – Towerwall offers Zero Trust Architecture, like CrowdStrike, NetScope, Fortinet (etc.), to stop malware lateral movement.
• MDR Solution – Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. An MDR Solution like Alert Logic which includes Security Information and Event Management (SIEM) system can help an organization to accomplish this. Alert Logic offers a comprehensive MDR-based approach that increases the potential for detecting a ransomware infection before it deploys. MDR provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

Towerwall Recommendations:

Towerwall recommends that you follow Mitel’s instructions for remediation of CVE-2022-29499. Mitel has provided a script for remediation. Customers are advised to apply the available remediation.

• Mitel provided script available for releases 19.2 SP3 and earlier, and R14.x and earlier
• Remediation will be included in MiVoice Connect R19.3, forecast for June 2022

Indicators of Compromise (IoCs):

• 6da346eecac1a1bb11f834be0ef0b08539fb0f9ec7d8cc415ae9e301f53a536echisel_1.7.3_linux_amd64.gz

Supporting Documentation:

• Novel Exploit in Mitel VOIP Appliance | CrowdStrike
• security-bulletin_22-0002-001-v2.pdf (mitel.com)
• Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack (thehackernews.com)
• Mitel Product Security Advisory 22-0002

If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.