CVE-2022-26143
Published 2022-03-10
Priority P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 87.56% (99.7th percentile)
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitel | micollab | < 9.4 | 9.4 |
| mitel | micollab | — | — |
| mitel | mivoice_business_express | <= 8.1 | — |
Detection & IOCs (extracted from sources)
- url: GET /ucs/micollab/version.json HTTP/1.1
- path: /ucs/micollab/version.json
- other: html:"MiCollab End User Portal"
- Probe for exposed MiCollab version endpoint at /ucs/micollab/version.json; a 200 response containing a '"version":' key with a version below 9.4.0 indicates a vulnerable instance.
- Use Shodan query html:"MiCollab End User Portal" to identify internet-exposed Mitel MiCollab instances potentially vulnerable to CVE-2022-26143.
- This CVE was actively exploited in the wild in February and March 2022 as part of the TP240PhoneHome DDoS amplification campaign; monitor for excessive outbound UDP traffic originating from the TP-240 (tp240dvr) component.
- Exploitation requires remote network access to the TP-240 component; the vulnerability is unauthenticated (CWE-306: Missing Authentication for Critical Function), meaning no credentials are needed to trigger information disclosure or DoS.
- The vulnerability affects MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1; both product lines must be assessed separately.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:N/C:P/I:P/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-xh7f-2c8g-37p4 · ghsa_unreviewed · 2022-03-11 · CVE-2022-26143 [CRITICAL] CWE-306
Description: identical to the CVE description above.
VulnCheck
MiCollab, MiVoice Business Express Access Control Vulnerability
vulncheck · 2022 · CVSS 9.8 · CVE-2022-26143 [CRITICAL] CWE-306
A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradation or a denial of service condition on the affected system.
Affected: Mitel MiCollab, MiVoice Business Express
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://blog.cloudflare.com/cve-2022-26143-amplification-attack/
- https://www.cve.org/CVERecord?id=CVE-2022-26143
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.cloudflare.com/ddos-threat-report-2023-q2/
Remediation Due: 2022-04-15
CISA
MiCollab, MiVoice Business Express Access Control Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CVE-2022-26143 [CRITICAL] CWE-306
Affected: Mitel MiCollab, MiVoice Business Express
A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradation or a denial of service condition on the affected system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-26143
Remediation Due Date: 2022-04-15
No detection rules found.
Nuclei
Mitel MiCollab - Information Disclosure & Denial of Service
nuclei · CVSS 9.8 · CVE-2022-26143 [CRITICAL]
Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contain a vulnerability in the TP-240 component caused by improper handling, letting remote attackers obtain sensitive information and cause denial of service; exploitation requires remote access.
Template (as indexed; the template text is cut off after the `impact` field):
```yaml
id: CVE-2022-26143

info:
  name: Mitel MiCollab - Information Disclosure & Denial of Service
  author: theamanrawat
  severity: critical
  description: |
    Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contain a vulnerability in the TP-240 component caused by improper handling, letting remote attackers obtain sensitive information and cause denial of service, exploit requires remote access.
  impact: |
    Attackers can retrieve sensitive inf
```
No writeups or analysis indexed.
References
- https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion/
- https://blog.cloudflare.com/cve-2022-26143/
- https://news.ycombinator.com/item?id=30614073
- https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143/
- https://www.akamai.com/blog/security/phone-home-ddos-attack-vector
- https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001
- https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26143
Timeline
- 2022-03-10: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild