Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Bug. Show all posts
Vulnerabilities and Exploits
Cyber Bug Cyber Exploits Cyberattacks CyberCrime Cybersecurity MySQL database zero day vulnerability Vulnerabilities and Exploits

Exploit PoC Validates MiCollab Zero-Day Flaw Risks

 


A zero-day arbitrary file read vulnerability found in Mitel MiCollab has raised significant concerns about data security. Attackers can exploit this flaw and chain it with a critical bug (CVE-2024-35286) to access sensitive data stored on vulnerable instances of the platform. Mitel MiCollab is a cross-platform collaboration tool offering services such as instant messaging, SMS, voice and video calls, file sharing, and remote desktop sharing, designed to enhance workplace collaboration without verbal communication.

The Risks of Collaboration Platform Vulnerabilities

Data storage and handling of sensitive information are integral to modern organizations' operations. According to WatchTower researchers, the Mitel MiCollab platform has a zero-day vulnerability that allows attackers to perform arbitrary file reads. However, to exploit this issue, attackers require access to the server's filesystem. The vulnerability impacts a range of businesses, from large corporations to SMEs and remote or hybrid workforce setups, all relying on MiCollab for unified communication.

WatchTower reported the issue to Mitel on August 26, 2024, but after 90 days without a fix, the vulnerability remains unresolved. A report by WatchTower revealed that more than 16,000 MiCollab instances accessible via the internet are affected. Despite the lack of a CVE number assigned to the flaw, attackers can inject path traversals via the 'ReconcileWizard' servlet, exploiting the 'reportName' parameter in API requests. This facilitates unauthorized access to restricted files, posing a critical security threat.

Combining Vulnerabilities for Exploitation

The vulnerability gains heightened severity when paired with CVE-2024-35286 (CVSS score 9.8), a critical path traversal flaw that enables authentication bypass. Additionally, CVE-2024-41713, another zero-day issue identified by researchers, allows arbitrary file reading. Together, these flaws enable attackers to gain system visibility, perform malicious operations, and propagate file access across systems. Proof-of-concept (PoC) exploit code for this chain has been published by WatchTower on GitHub.

While the newer vulnerability is technically less critical than the others, it still poses a significant threat by granting unauthorized access to sensitive files. Recent incidents show that threat actors have targeted MiCollab, underlining the urgent need for mitigation measures. Organizations using MiCollab must act promptly to address this risk.

Mitigating the Threat

Until Mitel releases a patch for this zero-day flaw, organizations are advised to:

  1. Update MiCollab to the Latest Version
    Install version 9.8 service pack 2 (9.8.2.12) or later, which addresses other known vulnerabilities such as CVE-2024-41713.
  2. Restrict Server Access
    Limit access to trusted IP ranges and internal networks, and implement firewall rules to block unauthorized access.
  3. Monitor Log Files
    Check for path traversal patterns that might indicate exploitation attempts.
  4. Disable the Vulnerable Servlet
    If feasible, disable the 'ReconcileWizard' servlet to prevent exploitation of the flaw.

The Broader Impact

As security risks related to MiCollab persist, reports indicate that the collaboration platform has been targeted by a group of threat actors, allegedly linked to "Salt Typhoon," a Chinese intelligence operation. These attacks have affected US telecommunications firms, including Verizon, AT&T, and T-Mobile, exposing sensitive customer data.

Organizations must adopt robust security practices to mitigate risks while waiting for Mitel to address these vulnerabilities. Proactively safeguarding sensitive systems and implementing strict access controls are essential for minimizing exposure. By combining organizational vigilance with updated software practices, businesses can navigate these challenges and protect critical infrastructure from exploitation.

Read more »
VPN
Android Flaw Block Chain Cyber Bug Cyber Data Cyberattacks Cybersecurity Data Leaks DNS Mullvad Privacy VPN

Android Flaw Exposes DNS Queries Despite VPN Kill Switch

 


Several months ago, a Mullvad VPN user discovered that Android users have a serious privacy concern when using Mullvad VPN. Even with the Always-On VPN feature activated, which ensures that the VPN connection is always active, and with the "Block connections without VPN" setting active, which acts as a kill switch that ensures that only the VPN is the one that passes network traffic, it has been found that when switching between VPN servers, Android devices leak DNS queries. 

It is important to understand that enabling the "Block Connections Without VPN" option (also known as the kill switch) ensures that all network traffic and connections pass through an always-connected VPN tunnel, preventing prying eyes from tracking all Internet activity by users. During the investigation, Mullvad discovered that even with these features enabled in the latest version of Android (Android 14), a bug still leaks some DNS information. 

As a result, this bug may occur when you use apps that make direct calls to the getaddrinfo C function. The function provides protocol-independent translation from a text hostname to an IP address through the getaddrinfo function. When the VPN is active (and the DNS server is not configured) or when the VPN app re-configures the tunnel, crashes or is forced to stop, Android leaks DNS traffic. 

This leakage behaviour is not observed by apps that are solely based on Android's API, such as DNSResolver, Mullvad clarified. As a result, apps such as Flash Player and Chrome that currently have support for getting address information directly from the OS are susceptible to this issue since they can access the address information directly. This is rather concerning since it goes against what you would expect from the OS, even if security features are enabled. 

Users may want to use caution when using Android devices for sensitive tasks, and may even want to employ additional protective measures until Google addresses this bug and issues a patch that is compatible with both original Android and older versions of Android, in light of the severity of this privacy issue. 

The first DNS leak scenario, which occurs when the user changes the DNS server or switches to a different server, is easily mitigated if the VPN app is set to use a bogus DNS server at the same time. It has also failed to resolve the VPN tunnel reconnect DNS query leak, which is a significant issue for all other Android VPN apps because this issue is likely to affect all other VPN apps as well. 

Mullvad also discovered in October 2022 that, every time an Android device connected to a WiFi network, the device leaked DNS queries (such as IP addresses and DNS lookups), since the device was performing connectivity checks. Even when the "Always-on VPN" feature was enabled with the "Block connections without VPN" option enabled, Android devices still leaked DNS queries.

The leak of DNS traffic can potentially expose users' approximate locations and the online platforms they use as well as their precise locations, posing a serious threat to user privacy. Since this is a serious issue, it may be best to stop using Android devices for sensitive activities or to adapt additional safeguards to mitigate the risk of such leaks until Google fixes the bug and backports the patch to older versions of Android to mitigate the risk.
Read more »
Subscribe to: Posts (Atom)