Two medium-security flaws tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8) detected in Mitel 6800/6900 desk phones, if exploited, could enable...

Continue reading
Security researchers have discovered two medium-security holes in Mitel 6800/6900 desk phones that, if exploited effectively, might allow attackers to acquire root access to the devices.
The access control vulnerabilities, tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8), were discovered by the German penetration testing firm SySS in May 2022, after which patches were distributed.
_"Due to this undocumented backdoor, an attacker with physical access to a vulnerable desk phone can get root access by pressing specified keys during system boot, and then connect to a given Telnet service as the root user,"_ explained SySS researcher Matthias Deeg.
Specifically, the issue relates to a previously unknown functionality available in a shell script ("check mft.sh") intended to be executed at system boot and present in the firmware of the affected phones.
_"The shell script 'check mft.sh', stored in the directory '/etc' on the phone, examines if the keys '*' and '#' are simultaneously pushed at system startup,"_ the researchers explained. _"The telephone then assigns the IP address '10.30.102[.]102' and launches a Telnet server. Then, a Telnet login with a static root password is possible."_
The vulnerabilities affect the 6800 and 6900 Series SIP phones, excluding the 6970 model. A successful exploitation could grant access to sensitive information and allow code execution.
Users of the vulnerable models must update to the most recent firmware version to mitigate the risk posed by the privilege escalation attack.
This is not the first time such backdoors have been discovered in firmware related to telecoms. RedTeam Pentesting discovered two such vulnerabilities in Auerswald's VoIP appliances in December 2021, which could be exploited to acquire complete administrative access to the devices.

Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.