Number: AL22-003
Date: 8 March 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 22 February 2022, Mitel published a security advisory addressing a security access vulnerability in their MiCollab and MiVoice Business Express products that may allow a remote unauthenticated actor to gain unauthorized access, potentially execute code or cause these systems to generate a denial of service (DoS) attack.

Details

On 22 February 2022 Mitel published a security advisory Footnote 1 addressing vulnerabilities in their MiCollab and MiVoice Business Express products. Exploitation of these vulnerabilities may result in unauthorized access to sensitive information and services or arbitrary code execution. By submitting specially-crafted messages, a remote actor can also abuse these systems to generate large volumes of network traffic that can be used in a denial of service (DoS) attack.

On 8 March 2022, the Cyber Centre released a security advisory covering these Mitel products, and multiple sources published articles with details regarding this vulnerability and associated observed exploitation activity Footnote 3 Footnote 4 Footnote 5 Footnote 6.

Multiple sources Footnote 4 Footnote 5 Footnote 6 have reported that this vulnerability has been exploited to achieve significant reflection/amplification of traffic that has been abused to launch impactful DDoS activity. Reports indicate that exploitation of this vulnerability has resulted in amplification of 53 million packets per second, and that this activity can be sustained over several hours.

Mitigation

For organizations who have deployed these products, Mitel has recommended the following mitigations to protect these systems from external abuse:

  • Configure the systems behind a firewall or border gateway device to ensure MiCollab/MiVoice are not exposed directly to the internet
  • Apply appropriate firewall rules to block external access to specific ports (UDP 10074)
  • Mitel has made a script available Footnote 2 to provide mitigation for this vulnerability

Defenders of network perimeters should use a layered approach to security, implementing multiple controls and techniques, and should ensure that a plan is in place to mitigate and respond to DDoS attacks.

  • Review and implement guidance from the Cyber Centre publication Footnote 7 on protecting your organization against denial of service attacks
  • Monitor for inbound UDP traffic with source port 10074 and consider applying mitigations such as firewall rules if the activity described in this Alert is observed
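As an added illustration of the monitoring step above (example code, not part of this Alert and not Mitel's mitigation script), the following Python check scans flow records for the reflection pattern the Alert describes: UDP traffic whose source port is 10074. It flags internal destinations receiving bursts of such traffic (a DDoS victim) and internal hosts answering from that port to many external addresses (a system being abused as a reflector). The record format, the RFC 5737 sample addresses, the prefix-based "internal" test and the thresholds are assumptions for the example.

```python
from collections import defaultdict

MITEL_UDP_PORT = 10074   # UDP port named in the Alert's mitigation advice
PPS_THRESHOLD = 5_000     # assumed alerting threshold (packets per window); tune to baseline
FANOUT_THRESHOLD = 3      # assumed: distinct external targets before an internal host is flagged

def parse_flow(line):
    """Parse one constructed record: ts,src_ip,src_port,dst_ip,dst_port,proto,packets."""
    ts, sip, sp, dip, dp, proto, pk = line.split(",")
    return {"ts": float(ts), "src_ip": sip, "src_port": int(sp), "dst_ip": dip,
            "dst_port": int(dp), "proto": proto.lower(), "packets": int(pk)}

def analyse(lines, internal_prefix, window=1.0):
    """Return (victims, reflectors) for flows whose UDP *source* port is 10074.
    victims:    dst_ip -> peak packets per window arriving from external UDP/10074 sources
    reflectors: internal src_ip -> external destinations it answered from UDP/10074"""
    inbound = defaultdict(lambda: defaultdict(int))   # dst_ip -> time bucket -> packets
    fanout = defaultdict(set)                          # internal src_ip -> {external dst_ip}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] != "udp" or f["src_port"] != MITEL_UDP_PORT:
            continue
        if f["src_ip"].startswith(internal_prefix):   # simplistic "internal" test (assumption)
            # our own host replying from 10074 to the outside: possible reflector abuse
            if not f["dst_ip"].startswith(internal_prefix):
                fanout[f["src_ip"]].add(f["dst_ip"])
        else:
            # reflected traffic aimed at us: bucket by time so a burst stands out
            inbound[f["dst_ip"]][int(f["ts"] // window)] += f["packets"]
    victims = {ip: max(b.values()) for ip, b in inbound.items() if max(b.values()) >= PPS_THRESHOLD}
    reflectors = {ip: sorted(d) for ip, d in fanout.items() if len(d) >= FANOUT_THRESHOLD}
    return victims, reflectors

# constructed flow records (RFC 5737 documentation addresses), not real telemetry
SAMPLE_FLOWS = """\
1000.1,203.0.113.10,10074,198.51.100.5,443,udp,4200
1000.4,203.0.113.11,10074,198.51.100.5,443,udp,3900
1001.2,203.0.113.10,10074,198.51.100.5,443,udp,800
1000.2,203.0.113.20,10074,198.51.100.9,53,udp,40
1000.5,10.0.0.7,10074,192.0.2.1,80,udp,3000
1000.6,10.0.0.7,10074,192.0.2.2,80,udp,3000
1000.7,10.0.0.7,10074,192.0.2.3,80,udp,3000
1000.8,203.0.113.30,10074,198.51.100.5,443,tcp,9000
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS, internal_prefix="10."))
```

On the sample, 198.51.100.5 is reported as receiving 8,100 packets in one window from external UDP/10074 sources, and 10.0.0.7 is reported as answering three external addresses from that port; the low-volume flow to 198.51.100.9 and the TCP record are ignored.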