Mitel 0-day, 5-year-old Oracle RCE bug under active exploit

3 CVEs added to CISA's catalog


Cybercriminals are actively exploiting two vulnerabilities in Mitel MiCollab, including a zero-day flaw – and a critical remote code execution vulnerability in Oracle WebLogic Server that has been abused for at least five years.

Here are the three, all of which the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation:

CVE-2024-41713 – Mitel MiCollab, path traversal, critical (CVSS 9.8)
CVE-2024-55550 – Mitel MiCollab, path traversal, low severity (CVSS 2.7)
CVE-2020-2883 – Oracle WebLogic Server, remote code execution, critical (CVSS 9.8)

Two of the three – Mitel's CVE-2024-41713, and Oracle's CVE-2020-2883 – have been fixed by the respective vendors, while CVE-2024-55550 remains in flux; security researchers have sounded warnings for months about these Mitel bugs and for years about Oracle's.

It goes without saying, but if you haven't already: Get patching ASAP, if you can. Miscreants have a head start in this race.

The two Mitel flaws affect the vendor's MiCollab product in versions 9.8 SP1 FP2 (9.8.1.201) and earlier. Both are path traversal vulnerabilities, with one (CVE-2024-41713) receiving a critical 9.8 CVSS rating and the other (CVE-2024-55550) a low-severity 2.7 score.

MiCollab is a widely used enterprise collaboration tool with a range of features including voice, video, chat messaging, SMS, web conferencing and file sharing. 

The critical CVE affects the NuPoint Unified Messaging (NPM) component of MiCollab due to insufficient input validation. An unauthenticated attacker can abuse this hole to conduct a path traversal attack and view, corrupt, or delete users' data and system configurations. Mitel fixed this one in October.
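The bug class described above, path traversal caused by insufficient validation of a user-supplied file path, is what a file-serving component must guard against before it opens anything. The following is an added example written for this page, not Mitel's code and not a description of how NuPoint Unified Messaging handles paths: it shows a containment check that decodes the request once, canonicalises the joined path, and refuses anything that resolves outside the base directory. The directory layout, file names and sample requests are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

# Added example, not Mitel's code: a path-containment check of the kind that a
# file-serving component must perform on every user-supplied path. The names
# and the sample requests below are constructed for illustration.


def resolve_within(base_dir: str, user_path: str):
    """Return the canonical absolute path that user_path names inside base_dir,
    or None when the request would resolve to a location outside base_dir."""
    base = os.path.realpath(base_dir)
    # Decode exactly once, at the trust boundary, so the check sees the same
    # characters the filesystem call would see ("%2F" must not slip past as text).
    decoded = unquote(user_path)
    # Joining and then canonicalising collapses "..", repeated separators and
    # symlinks; the containment test is made on the path the OS would open.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return None
    return candidate


def classify_requests(base_dir: str, requests):
    """Label each request 'inside' (safe to open under base_dir) or 'escapes'."""
    return {
        req: ("inside" if resolve_within(base_dir, req) is not None else "escapes")
        for req in requests
    }


# Constructed sample requests; the greeting-file layout is hypothetical.
SAMPLE_REQUESTS = [
    "greetings/welcome.wav",                  # ordinary file under the base
    "greetings/../greetings/welcome.wav",     # contains ".." but never leaves base
    "../../etc/passwd",                       # classic traversal
    "greetings/..%2F..%2F..%2Fetc%2Fshadow",  # the same traversal, URL-encoded
]


def demo():
    """Build a throwaway base directory and classify the sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "mailboxes")
        os.makedirs(os.path.join(base, "greetings"))
        with open(os.path.join(base, "greetings", "welcome.wav"), "wb") as fh:
            fh.write(b"RIFF")  # placeholder bytes, not a real audio file
        return classify_requests(base, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8s} {req}")
```

The point of the design is that the decision is made on the resolved path rather than on the presence of ".." in the input: a request that contains ".." but stays under the base is accepted, while one that leaves the base, whether written plainly, percent-encoded, or via a symlink, is rejected.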

Just last month, Mitel added the second, low-severity vulnerability to the same security advisory after bug hunters at watchTowr published a proof-of-concept (PoC) demonstrating how the two flaws could be chained together, potentially for a more significant impact.

At the time, CVE-2024-55550 did not have a fix or a CVE assigned to it. It now has a CVE but still no fix: "CVE-2024-55550, is substantially mitigated by MiCollab 9.8 SP2 (9.8.2.12)," according to Mitel's December 12 security advisory update. "This low severity issue will be addressed in future product updates."

Mitel credited watchTowr's Sonny Macdonald with spotting and reporting both vulnerabilities, and the watchTowr team said they waited more than 100 days for the enterprise software vendor to issue a fix before going public with the PoC.

While we don't know who is abusing these flaws, and to what purposes — CISA says it's "unknown" if either has been used in ransomware campaigns — watchTowr CEO Benjamin Harris told The Register that this type of software is especially attractive to government-backed snoops.

"VoIP platforms are juicy targets for an APT, creating the opportunity to listen in on calls, interfere with them or even block them at will," Harris said. "We're glad we were able to alert industry to these vulnerabilities and their impact well ahead of CISA marking them as KEV, given our evaluation that they would likely receive real-world threat actor attention."

A Mitel spokesperson declined to answer The Register’s specific questions, and told us the company doesn’t comment on instances of abuse.

“Our top priority is to ensure the reliability and security of the solutions we offer our customers,” the spokesperson said. “We recently became aware of vulnerabilities relating to MiCollab and have published recommended actions, including software updates, to mitigate risks. We strongly encourage customers to apply all available security updates as they become available.”

Oracle RCE under exploit … five years later

The five-year-old Oracle flaw, CVE-2020-2883, also received a critical 9.8 CVSS score.

According to CISA: "Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3."

The database giant fixed this vulnerability in April 2020. Viettel Cyber Security researcher Bui Duong, via Trend Micro's Zero Day Initiative, reported the vulnerability, which allowed attackers to bypass the patch for an earlier bug (CVE-2020-2555).

Also back in 2020, Oracle and CISA warned that CVE-2020-2883 was being exploited in the wild. 

Oracle did not immediately respond to The Register's questions about this flaw, including the scope of the current exploits. ®

Editor's note: This story was amended post-publication with comment from Mitel.
