Overview of CVE-2022-29499

A ransomware attack was deployed against an unnamed target, using Mitel’s VoIP appliance as the entry point. CVE-2022-29499 is being actively exploited by attackers to achieve remote code execution and gain initial access to the victim’s environment. The vulnerability is rated 9.8 in severity on the CVSS vulnerability scoring system.

In April 2022, Mitel released a fix for CVE-2022-29499, which affects the Mitel Service Appliance component of MiVoice Connect, but the fix did not work. According to Mitel, the bug allows attackers to perform remote code execution within the context of the Service Appliance. The following products are affected:

  • MiVoice Connect Service Appliances - R19.2 SP3 (22.20.2300.0) and earlier, R14.x and earlier
  • SA 100 
  • SA400 
  • Virtual SA  

Discovered by CrowdStrike, exploitation of CVE-2022-29499 involves two HTTP GET requests that trigger remote code execution by fetching rogue commands from attacker-controlled infrastructure. During CrowdStrike’s investigation, they observed an attacker using the exploit to create a reverse shell and then using that shell to launch a web shell (“pdf_import.php”) on the VoIP appliance.

The attacker attempted to evade detection by applying anti-forensic techniques on the VoIP appliance, including renaming the binary to “memdump”. The device observed by CrowdStrike was a Linux-based Mitel VoIP appliance sitting on the network perimeter, where EDR coverage for the device was highly limited.

Mitel is recommending that customers with affected product versions apply their suggested remediation immediately, as well as review the product Security Bulletin ID: 22-0002-001. If you have further questions regarding the vulnerability, you should contact Mitel’s Product Support. 


How Avertium is Protecting Our Customers:

  • Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement. 
  • Avertium uses whitelisting tools like AppLocker to audit or block command-line interpreters. 
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 

Avertium's recommendations

Avertium recommends that you follow Mitel’s instructions for remediation of CVE-2022-29499. Mitel has provided a remediation script, and customers are advised to apply it.

  • Mitel’s remediation script is available for releases R19.2 SP3 and earlier, and R14.x and earlier
  • Remediation will be included in MiVoice Connect R19.3, forecast for June 2022 

INDICATORS OF COMPROMISE (IOCS):

  • chisel_1.7.3_linux_amd64.gz (SHA256: 6da346eecac1a1bb11f834be0ef0b08539fb0f9ec7d8cc415ae9e301f53a536e)
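The artifacts named in this notice (the “pdf_import.php” web shell, the binary renamed to “memdump”, and the SHA256 of the chisel archive above) are enough to build a simple offline hunt over a file system image or mounted backup of the appliance. The script below is an added example written for this page, not Avertium’s or Mitel’s tooling: it walks a directory tree, hashes every regular file with SHA256, and reports any file whose hash is in the IOC set or whose name matches one of the artifacts. The `run_demo()` function plants constructed placeholder files in a temporary directory (no real malware, and the placeholder archive’s hash is added to the IOC set only so the hash path is exercised) and returns the reasons for each finding.

```python
"""Offline IOC hunt for the CVE-2022-29499 artifacts named in this notice.

Added example (not project code). Assumes you point `hunt()` at a mounted
image or backup of the appliance's file system rather than a live box.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SHA256 IOC from the notice: the chisel tunnelling archive dropped by the attacker.
IOC_SHA256 = {
    "6da346eecac1a1bb11f834be0ef0b08539fb0f9ec7d8cc415ae9e301f53a536e":
        "chisel_1.7.3_linux_amd64.gz",
}

# File names called out in the notice: the web shell and the renamed binary.
SUSPICIOUS_NAMES = {"pdf_import.php", "memdump"}


@dataclass
class Finding:
    path: str
    reason: str
    sha256: str


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA256 so large archives don't get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, ioc_hashes=IOC_SHA256, names=SUSPICIOUS_NAMES):
    """Walk `root`; flag files by IOC hash and by artifact name. One file may hit both."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks and special files; hunt regular files only.
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable file: move on rather than abort the hunt
            if digest in ioc_hashes:
                findings.append(Finding(str(p), f"hash matches IOC {ioc_hashes[digest]}", digest))
            if name in names:
                findings.append(Finding(str(p), f"file name matches artifact '{name}'", digest))
    return findings


def run_demo():
    """Plant constructed placeholder files and return the sorted finding reasons."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "www").mkdir()
        (root / "tmp").mkdir()
        # Constructed placeholders: names from the notice, harmless contents.
        (root / "www" / "pdf_import.php").write_bytes(b"<?php /* constructed placeholder */ ?>")
        (root / "tmp" / "memdump").write_bytes(b"constructed placeholder binary")
        (root / "www" / "index.php").write_bytes(b"<?php echo 'benign'; ?>")
        tool = root / "tmp" / "tool.gz"
        tool.write_bytes(b"constructed sample standing in for a downloaded archive")
        # Extend the notice's IOC set with the placeholder's hash so the hash path runs.
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(tool)] = "constructed-sample.gz"
        return sorted(f.reason for f in hunt(root, iocs))


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

Run `hunt("/mnt/appliance_image")` (path is an assumption) against a mounted image; on a live system the renamed binary may no longer exist on disk, so a name match here is a starting point for triage, not proof of compromise on its own.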

Supporting documentation

Novel Exploit in Mitel VOIP Appliance | CrowdStrike 

security-bulletin_22-0002-001-v2.pdf (mitel.com) 

Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack (thehackernews.com) 

Mitel Product Security Advisory 22-0002 


Contact us for more information about Avertium’s managed security service capabilities. 