Security Advisory: Unauthenticated Command Injection in Mitel IP Phones
Summary
The Mitel Series SIP Phones web administration interface executes an unauthenticated OS command constructed with unsanitized user input.
Affected Manufacturer: Mitel
Model: Mitel-6800/6900/6900w/6970
Versions: R6.4.0.HF1 (R6.4.0.136) and earlier
CVEs: CVE-2024-41711
Impact (CVSS): 8.8 (high) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
- Mitel 6800 Series SIP Phones R6.4.0.HF1 (R6.4.0.136) and earlier
- Mitel 6900 Series SIP Phones R6.4.0.HF1 (R6.4.0.136) and earlier
- Mitel 6900w Series SIP Phone R6.4.0.HF1 (R6.4.0.136) and earlier
- Mitel 6970 Conference Unit R6.4.0.HF1 (R6.4.0.136) and earlier
Impact
By successfully exploiting this flaw, a remote unauthenticated attacker can execute arbitrary commands on the device with elevated privileges.
Description
The "webconfig" CGI binary manages the web administration interface and relies on an outdated method of input parsing. It is executed as a CGI binary of the HTTPD web server with the command:
/usr/sbin/httpd -h /webroot
This interface, which includes the “Ethernet Settings” page, processes user data without validation, allowing users to enter any input (strings, numbers, or special characters), which is then copied directly to configuration files. When users click “Save,” all entered data is written to the config file /nvdata/etc/enet.cfg and applied within the operating system as environment settings with the highest priority via the if_setup.sh up script. Additionally, attackers can exploit a concatenation bug that appends strings to the config file, enabling them to bypass string length restrictions (further details below).
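The control missing from the flow described above is allowlist validation of each setting before it reaches the config file. The following C code is an added example, not Mitel's code or the vendor's fix: it validates the “Router IP Address” and “Domain Name” values and rebuilds the record from the validated fields instead of appending raw input. The function names, config key names and length limits are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers: names, config keys and limits are assumptions. */

/* Accept only a canonical dotted-quad IPv4 address and nothing after it. */
int valid_ipv4(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];
    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN) return 0;
    if (inet_pton(AF_INET, s, &addr) != 1) return 0;
    /* Round-trip so any non-canonical spelling is rejected as well. */
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL) return 0;
    return strcmp(s, canon) == 0;
}

/* Accept only RFC 1123 host names: letters, digits, '-' and '.' separators. */
int valid_domain(const char *s)
{
    size_t i, len, label = 0;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (alnum || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else {
            return 0; /* whitespace, quotes, shell metacharacters, ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Build the whole record from validated fields; never append raw input. */
int format_enet_settings(const char *router_ip, const char *domain,
                         char *out, size_t outlen)
{
    int n;
    if (!valid_ipv4(router_ip) || !valid_domain(domain)) return -1;
    n = snprintf(out, outlen, "router_ip=%s\ndomain=%s\n", router_ip, domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Because each field is checked on its own and the output length is bounded, a value split across two fields cannot reassemble into anything outside the allowlist.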
Proof-Of-Concept
For this proof of concept, we'll craft an exploit that allows an attacker to read the root hash from the shadow file. To demonstrate both command injection and a string length bypass, we'll use the parameters "Router IP Address" and "Domain Name" for the attack, though an attacker could leverage any suitable parameter for their payload. Here, we input the command injection payload via the web interface, splitting it into two parts.
After pressing “Save”, you can see the following request being sent:
An attacker listening on port "4444" will receive the root hash string.
The config file “/nvdata/etc/enet.cfg” will then look like this:
Use the following curl command for testing, updating the IP address and Host address as needed—from “127.0.0.1” to the router’s IP address and the attacker's machine wher.
Takeaways
These vulnerabilities highlight significant security risks in web administration interfaces that use outdated input parsing methods. The high CVSS score (8.8) underlines the critical nature of these flaws, which allow unauthenticated remote attackers to execute arbitrary commands with elevated privileges.
If you manage or use Mitel SIP phones—or any networked devices with embedded web interfaces—it's essential to assess and test your firmware for similar issues. This includes scanning for unvalidated user input and command injection points. Organizations should regularly review and update device firmware and implement strong input sanitization to prevent unauthorized system access and data breaches.
Timeline
- 2024-02-27: Vulnerability identified
- 2024-03-28: Sent coordinated disclosure request to PSIRT@mitel.com
- 2024-03-28: Received guidance on the secure communication channel from vendor
- 2024-04-09: Sent vulnerability disclosure report to the vendor through secure communication channel
- 2024-04-09: Vendor responded and started analysis
- 2024-05-01: Vendor responded that we were using an old version and needed to test on version 6.4 to prove the findings
- 2024-05-14: We received the latest version 6.4 and found that the findings still exist
- 2024-05-21: We shared an update for the new version with proofs of concept for the findings
- 2024-05-21: Vendor responded and started analysis
- 2024-06-21: Vendor confirmed the “Unauthenticated Command Injection” findings and started working on the new release; we agreed to wait for the vendor's release and advisory
- 2024-07-17: Vendor published Security Advisory 24-0020 for the issue found
- 2024-07-30: Vendor provided CVE number - CVE-2024-41711
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.