Cybersecurity researchers have discovered a highly potent flaw in Mitel MiCollab and MiVoice Business Express systems which could enable Distributed Denial of Service (DDoS (opens in new tab)) attacks, amplified by a factor of 4,294,967,296:1.
Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscour, Team Cymru, Telus, and The Shadowserver Foundation found the CVE-2022-26143 flaw in some 2,600 incorrectly provisioned systems. These act as PBX-to-internet gateways, and come with a test mode that shouldn’t have access to the internet.
When it does have access to the internet, then trouble starts.
"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," Shadowserver explained in a blog post.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
Rendering the system useless
"It should be noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic. This helps mask the attack traffic generation infrastructure, making it less likely that the attack origin can be traced compared with other UDP reflection/amplification DDoS attack vectors."
In other words, a threat actor can abuse a driver in the Mitel system, making it perform a stress test of status update packets. As the Mitel system can produce up to 4,294,967,294 packets across 14 hours at a maximum possible size of 1,184 bytes, that makes for a hell of a potent DDoS machine against any web hosting provider (opens in new tab).
"This would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length," the company explains. "This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 -- a multiplier of 220 billion percent, triggered by a single packet."
> DDoS attacks could soon be bigger and more dangerous than ever (opens in new tab)
> DDoS attacks soared to new highs in 2021 (opens in new tab)
> DDOS attacks: how to prevent and protect your business against them (opens in new tab)
The silver lining here is the fact that a Mitel system can only work on a single command at a time, so using it to DDoS a web hosting provider (opens in new tab) would render it useless for anything else, and someone’s bound to spot it sooner, rather than later.
The patch is already available, so all Mitel systems users are advised to apply them immediately. Those that are unable to act quickly, can also move to block any bad traffic coming on UDP port 10074, with the tools at their disposal.
The flaw has already been used in the wild, targeting financial institutions and logistics firms.
- Here are the best CDN providers (opens in new tab) right now
Via: ZDNet (opens in new tab)