External risk intelligence

Mitel MiCollab and MiVoice Business Express Information Disclosure and Denial of Service Vulnerability.

CVE advisory | Known Exploit

CVE-2022-26143

A vulnerability in Mitel MiCollab and MiVoice Business Express affects the TP-240 component. This flaw allows unauthorized access to sensitive information and can cause denial of service. The risk to organizations includes data exposure and service disruption.

Halo Surface Signal: 5

Missing Authentication

Mitel MiCollab

before 9.49.48.1 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2022-26143

The vulnerable component functions as a network-accessible service that facilitates communication. Its design allows it to be reached and interacted with over the public internet, as evidenced by its use in reflection and amplification activities that require external network exposure to operate effectively.

Horizon Alert

Summary of the vulnerability and why it matters

The TP-240 component in Mitel MiCollab and MiVoice Business Express software is susceptible to a flaw that can be exploited remotely. This weakness allows unauthorized access to sensitive information and can lead to denial-of-service conditions through performance degradation and excessive outbound traffic. Exploitation of this vulnerability has been observed in the wild, contributing to significant distributed denial-of-service attacks.

  • TP-240 component
  • Remote information disclosure and denial of service
  • Significant traffic amplification and degradation

Attack Path

How an attacker could exploit the issue

This vulnerability allows attackers to access sensitive information and disrupt services by degrading system performance and generating excessive outbound traffic. The TP-240 component within Mitel MiCollab and MiVoice Business Express is susceptible to this attack. Exploitation in early 2022 resulted in a significant distributed denial of service (DDoS) attack known as TP240PhoneHome.

  • Exposed network service accessible externally.
  • Attacker sends specific requests to the service.
  • Service responds excessively, causing denial of service.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its exploitability over the network and potential for severe impact. Attackers can exploit this without needing any prior access or authentication, leading to data disclosure and denial-of-service conditions. Organizations have been affected by this in the wild, highlighting the urgency of remediation.

  • Likely attacker skill level: Basic
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts organizations using specific Mitel products, potentially exposing them to sensitive data leakage and denial-of-service attacks. The vulnerability was actively exploited in the wild, indicating a significant risk to affected systems. Organizations should prioritize identifying and mitigating this risk to protect their business operations and data.

  • Find exposed Mitel systems.
  • Reduce access to affected systems.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is the TP-240 component in Mitel MiCollab and MiVoice Business?

The TP-240 (also known as tp240dvr) is a component within Mitel MiCollab and MiVoice Business software. It's designed to facilitate system performance testing by simulating a "blast" of calls, but it was found to have a vulnerability when exposed to the internet, allowing it to be misused for other purposes [9, 10].

What type of weakness does CVE-2022-26143 represent?

CVE-2022-26143 is categorized as CWE-306, which signifies a "Missing Authentication for Critical Function." This means the TP-240 component accepts commands without verifying the sender's identity, allowing unauthorized individuals to exploit its traffic generation capabilities [2, 9].

What are the preconditions for exploiting CVE-2022-26143?

The primary precondition for exploiting this vulnerability is that the affected Mitel system must be exposed to the internet. Attackers can then send specially crafted UDP packets to the TP-240 component's UDP port (10074) without needing any prior authentication or access [9, 10].

Who should be concerned about this Mitel vulnerability?

Organizations using Mitel MiCollab or MiVoice Business Express are at risk. This vulnerability is considered external-facing because it can be exploited over the internet, as demonstrated by its use in large-scale DDoS attacks [3, 13].

What are the first steps for responding to this CVE?

The immediate first step is to apply software updates provided by Mitel to patch the vulnerability. Additionally, organizations should identify any exposed Mitel systems and consider reducing external access to affected components until updates are verified [16, 13].
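As an added illustration of two of the priority actions above (find exposed Mitel systems, monitor for related activity) and of the UDP port 10074 named in the preconditions answer, the following Python script triages flow-log records for an externally reachable TP-240 service and for the lopsided outbound traffic the page describes. It is not Mitel's code and not part of the original page; the key=value log format, the use of RFC 1918 ranges as "internal", and the byte-ratio threshold are assumptions, and the sample records are constructed, with documentation address ranges standing in for public addresses.

```python
"""Triage constructed flow-log lines for an exposed TP-240 (tp240dvr) service
and for reflection-style outbound traffic from it.

Added illustration, not Mitel's or the page's own code.  The log format,
the threshold and the definition of "internal" are assumptions."""
import ipaddress
from collections import defaultdict

TP240_UDP_PORT = 10074       # UDP port of the TP-240 service (from the page)
AMPLIFICATION_RATIO = 10.0   # assumed threshold: bytes out / bytes in per peer

# Assumed: only RFC 1918 space counts as internal.  (ipaddress.is_global is
# avoided on purpose: it also reports the documentation ranges used in the
# sample below as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records, one key=value record per line.
# "bytes" counts payload carried from src to dst for that record.
SAMPLE_FLOWS = """\
ts=2022-03-01T10:00:01Z proto=udp src=203.0.113.7 sport=40001 dst=198.51.100.20 dport=10074 bytes=60
ts=2022-03-01T10:00:01Z proto=udp src=198.51.100.20 sport=10074 dst=203.0.113.7 dport=40001 bytes=4194304
ts=2022-03-01T10:00:05Z proto=udp src=10.20.0.9 sport=51000 dst=198.51.100.20 dport=10074 bytes=80
ts=2022-03-01T10:00:05Z proto=udp src=198.51.100.20 sport=10074 dst=10.20.0.9 dport=51000 bytes=120
ts=2022-03-01T10:00:09Z proto=tcp src=203.0.113.9 sport=40100 dst=198.51.100.20 dport=443 bytes=500
"""


def parse_flow(line):
    """Parse one key=value flow line into a dict; port and byte fields become ints."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    """True when addr falls inside one of the assumed internal (RFC 1918) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Return (exposed_hosts, amplification_findings).

    exposed_hosts: sorted list of hosts that received UDP/10074 traffic from a
                   non-internal source, i.e. the service is reachable externally.
    amplification_findings: list of (host, peer, ratio) where bytes sent from
                   host:10074 to peer exceed bytes received from that peer by
                   AMPLIFICATION_RATIO or more.
    """
    bytes_in = defaultdict(int)    # (host, peer) -> bytes peer -> host:10074
    bytes_out = defaultdict(int)   # (host, peer) -> bytes host:10074 -> peer
    exposed = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] != "udp":
            continue
        if rec["dport"] == TP240_UDP_PORT:
            bytes_in[(rec["dst"], rec["src"])] += rec["bytes"]
            if not is_internal(rec["src"]):
                exposed.add(rec["dst"])
        elif rec["sport"] == TP240_UDP_PORT:
            bytes_out[(rec["src"], rec["dst"])] += rec["bytes"]

    findings = []
    for (host, peer), out in bytes_out.items():
        inbound = bytes_in.get((host, peer), 0)
        ratio = out / inbound if inbound else float("inf")
        if ratio >= AMPLIFICATION_RATIO:
            findings.append((host, peer, ratio))
    return sorted(exposed), findings


if __name__ == "__main__":
    exposed_hosts, amplification = analyse(SAMPLE_FLOWS)
    for host in exposed_hosts:
        print(f"EXPOSED: {host} accepted UDP/{TP240_UDP_PORT} from a non-internal source")
    for host, peer, ratio in amplification:
        print(f"AMPLIFICATION: {host}:{TP240_UDP_PORT} -> {peer} ratio {ratio:.0f}x")
```

In the constructed sample the internal test client at 10.20.0.9 produces a near 1:1 exchange and is not flagged, while the non-internal peer both proves the service is reachable from outside and triggers the ratio check; in a real deployment the same two signals, fed from firewall or NetFlow exports, give a concrete answer to "find exposed Mitel systems" and "monitor for related activity".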

References