A vulnerability in the Mitel 680 and 690 Series SIP phones excluding 697 could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. The affected versions include 5.1 SP8 (5.1..8016) and earlier, and 6. (6...368) through 6.1 HF4 (6.1..165).

Details

The vulnerability is caused by "undocumented functionality" in Mitel 680 and 690 Series SIP phones. This functionality is reachable during system startup, when the phone's access controls are not sufficiently enforced. An attacker with physical access to the phone could use it to gain root access to the device, and from there access sensitive information and execute code.

Exploit

The specific exploit details are not publicly disclosed, but it is clear that physical access to the phone is required for a successful exploit. Here's a general outline of the steps involved in exploiting this vulnerability:

- The attacker triggers the "undocumented functionality" during system startup.
- The exploit results in the attacker gaining root access to the phone, allowing them to access sensitive information and execute code.

Mitigation

Mitel has released a software update that addresses this vulnerability. Users are advised to upgrade their SIP phones to the following firmware versions:

- For 6. and 6.1, upgrade to a version later than 6.1 HF4 (6.1..165).

In addition to updating the firmware, users should physically secure their devices to minimize the risk of an attacker accessing the phone.

References

- CVE-2022-29855
- Mitel Product Security Advisory 21-0001
- NIST National Vulnerability Database (NVD) - CVE-2022-29855

Disclaimer: The information in this post is provided for educational purposes only. Unauthorized access to any device is illegal, and users should always ensure that their devices are properly secured.

Timeline

Published on: 05/11/2022 20:15:00 UTC
Last modified on: 06/20/2022 19:15:00 UTC