December 5, 2024 at 10:27AM
Cybersecurity researchers revealed a proof-of-concept exploit for a critical vulnerability (CVE-2024-41713) in Mitel MiCollab, enabling unauthorized file access via a path traversal attack. The flaw has been patched in versions 9.8 SP2 and later. Additionally, several vulnerabilities were found in Lorex security cameras, allowing remote code execution.
### Meeting Takeaways – Dec 05, 2024
**Subject: Vulnerability / IoT Security Overview**
1. **Newly Discovered Vulnerability in Mitel MiCollab:**
– A proof-of-concept (PoC) exploit has been released targeting a critical vulnerability (CVE-2024-41713) in Mitel MiCollab, allowing unauthorized access to sensitive files.
– **CVE Details:**
– CVSS Score: **9.8** (Critical)
– Issue: Insufficient input validation leading to path traversal attacks.
– Affected Component: NuPoint Unified Messaging (NPM).
2. **Exploit Mechanics:**
– Attackers can manipulate HTTP requests using the input “..;/” to access the application server’s root, exposing sensitive information without authentication.
– The attack can potentially be chained with an unpatched post-authentication arbitrary file read flaw.
3. **Mitigation:**
– Mitel has patched CVE-2024-41713 in **MiCollab versions 9.8 SP2 (9.8.2.12)** or later as of October 9, 2024.
– An earlier SQL injection vulnerability (CVE-2024-47223) in the Audio, Web, and Video Conferencing (AWV) component was also addressed in the same update.
4. **Additional Security Concerns:**
– Rapid7 has reported multiple vulnerabilities in Lorex 2K Indoor Wi-Fi Security Camera (CVE-2024-52544 to CVE-2024-52548) that can be combined to achieve remote code execution (RCE).
– The exploit consists of two phases, with Phase 1 focusing on authentication bypass and Phase 2 executing remote code with elevated privileges.
5. **Industry Insights:**
– Security researcher Sonny Macdonald emphasized that full access to source code is not always necessary for vulnerability hunting, suggesting that strong internet research skills can lead to successful discoveries.
**Next Steps:**
– Ensure all relevant systems are updated to the latest versions of MiCollab to mitigate newly discovered vulnerabilities.
– Monitor for patches and updates regarding Lorex security camera vulnerabilities and consider possible implications for device security.
**Follow-up:**
Stay informed on cybersecurity developments by following updates on Twitter and LinkedIn.