Cybersecurity researchers have discovered a highly potent flaw in Mitel MiCollab and MiVoice Business Express systems which could enable Distributed Denial of Service (DDoS) attacks, amplified by a factor of 4,294,967,296:1.
Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscour, Team Cymru, Telus, and The Shadowserver Foundation found the CVE-2022-26143 flaw in some 2,600 incorrectly provisioned systems. These act as PBX-to-internet gateways, and come with a test mode that shouldn’t have access to the internet.
When it does have access to the internet, then trouble starts.
"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," Shadowserver explained in a blog post.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
Rendering the system useless
"It should be noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic. This helps mask the attack traffic generation infrastructure, making it less likely that the attack origin can be traced compared with other UDP reflection/amplification DDoS attack vectors."
In other words, a threat actor can abuse a driver in the Mitel system, making it perform a stress test of status update packets. As the Mitel system can produce up to 4,294,967,294 packets across 14 hours at a maximum possible size of 1,184 bytes, that makes for a hell of a potent DDoS machine against any web hosting provider.
"This would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length," the company explains. "This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 -- a multiplier of 220 billion percent, triggered by a single packet."
The silver lining here is the fact that a Mitel system can only work on a single command at a time, so using it to DDoS a web hosting provider would render it useless for anything else, and someone’s bound to spot it sooner, rather than later.
The patch is already available, so all Mitel systems users are advised to apply them immediately. Those that are unable to act quickly, can also move to block any bad traffic coming on UDP port 10074, with the tools at their disposal.
The flaw has already been used in the wild, targeting financial institutions and logistics firms.
- Here are the best CDN providers right now