Critical security vulnerabilities affecting Mitel MiCollab version 9.8 SP1 FP2 (9.8.1.201) and earlier

Release date
09 December 2024
Alert rating
Critical

Description

ASD’s ACSC is aware of multiple critical vulnerabilities impacting Mitel MiCollab collaboration applications.

Audience

Small & medium businesses
Organisations & Critical Infrastructure
Government

Current update

This alert is intended for the technical staff and systems administrators within affected organisations.

Background / What has happened?

The ASD’s ACSC is tracking multiple vulnerabilities in Mitel MiCollab collaboration software. The vulnerabilities identified are SQL injection and Authentication Bypass/Path Traversal, which may allow access to sensitive content.

We have assessed that there is significant exposure to the Mitel MiCollab vulnerabilities in Australia and that any exploitation would have a significant impact on Australian systems and networks.

CVE-2024-35286

A security flaw in NuPoint Messenger within Mitel MiCollab versions up to 9.8.0.33 permits an unauthenticated attacker to launch a SQL injection attack due to improper sanitization of user input. Exploiting this vulnerability could enable the attacker to retrieve sensitive information and execute unauthorised database and management commands.

CVE-2024-41713

A vulnerability in the NuPoint Unified Messaging component of Mitel MiCollab, up to version 9.8 SP1 FP2 (9.8.1.201), allows an unauthenticated attacker to execute a path traversal attack due to insufficient input validation. Successful exploitation could provide unauthorised access, enabling the attacker to view, alter, or delete user data and system configurations.

Mitigation / How do I stay secure?

  • Investigate systems to determine whether they are at risk.
  • Upgrade to the latest version if possible.
  • While assessing and determining your ability to apply patches, you may consider the following:
    • Implement ACLs or firewall policies to limit access to the MiCollab server to trusted IP ranges or internal networks only.
    • Monitor logs for suspicious activity targeting the ReconcileWizard servlet or path traversal patterns.
    • Monitor for unexpected access to sensitive files or configuration data.
    • If feasible, disable or restrict access to the ReconcileWizard servlet.
  • Monitor vendor advisories for further patch releases and information.
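The log-monitoring steps above (watching for requests to the ReconcileWizard servlet and for path traversal patterns) can be turned into a small triage script. The following is an added example written for this advisory, not code from ASD's ACSC or Mitel. It assumes a standard combined access-log format; the `/servlet/ReconcileWizard` path and all log lines are constructed placeholders, and the traversal patterns it matches (`../`, `..\`, `..;`, and percent-encoded or double-encoded forms) are generic web-server indicators rather than anything specific to MiCollab.

```python
"""Triage helper for the advisory's log-monitoring mitigation step.

Flags access-log requests that touch the ReconcileWizard servlet or that
carry path-traversal sequences. The log format, servlet path and sample
lines are assumptions/constructed data for this example, not Mitel's.
"""
import re
from urllib.parse import unquote

# Combined log format: ip - user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)

# Servlet name the advisory says to watch (matched case-insensitively).
WATCHED_SERVLET = "reconcilewizard"

# Generic traversal indicators; checked after percent-decoding so that
# encoded, double-encoded, backslash and "..;" variants are all caught.
TRAVERSAL_RE = re.compile(r'(\.\.[/\\])|(\.\.;)|(%2e%2e)', re.IGNORECASE)


def normalise_path(path: str) -> str:
    """Percent-decode until the value stops changing (max 3 rounds), then lowercase."""
    prev = None
    for _ in range(3):
        if prev == path:
            break
        prev, path = path, unquote(path)
    return path.lower()


def classify(line: str):
    """Return a dict describing a suspicious request, or None if benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, raw_path, status = m.groups()
    path = normalise_path(raw_path)
    reasons = []
    if WATCHED_SERVLET in path:
        reasons.append("reconcilewizard-servlet")
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(raw_path):
        reasons.append("path-traversal")
    if not reasons:
        return None
    return {"ip": ip, "time": ts, "method": method, "path": raw_path,
            "status": int(status), "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def hits_by_source(hits):
    """Count flagged requests per source IP, useful for deciding what to block first."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Dec/2024:10:14:58 +1100] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [09/Dec/2024:10:15:01 +1100] "POST /servlet/ReconcileWizard HTTP/1.1" 200 512',
    '203.0.113.5 - - [09/Dec/2024:10:15:03 +1100] "GET /static/..%2f..%2fconf/app.xml HTTP/1.1" 404 310',
    '203.0.113.9 - - [09/Dec/2024:10:15:07 +1100] "GET /static/%252e%252e;/conf HTTP/1.1" 403 0',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(hits_by_source(scan(SAMPLE_LOG)))
```

Point the script at the real access log (`scan(open(path))`) and review every hit; a 404 or 403 on a traversal request still shows that someone probed the server, so the source should be correlated with the ACL changes recommended above rather than dismissed because the request failed.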

Mitel Security Advisories:

If suspicious activity is detected, notify ASD’s ACSC via cyber.gov.au or 1300 CYBER1 (1300 292 371).

Assistance / Where can I go for help?

The ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
