09 March 2022 | Security Team Global Secure Layer
CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks discovered.
Today, technical details have been released for an exploit affecting Mitel MiCollab SIP appliances. Our security team became aware of the vulnerability called TP240PhoneHome in early-mid February. This type of attack reflects traffic from a source that is then amplified via servers and targeted towards a victim’s IP. This type of reflective amplification attack has a substantial amplification factor of over 220 billion percent.
Our security team independently identified the vector and have spent the last few weeks silently working with various organisations to ensure this exploit was patched and the right parties informed. Mitel was informed about the vulnerability and have since released an advisory on 22nd of February that can be read here.
This exploit in particular has multiple levels to it but has primarily been used to perform reflected amplification DDoS attacks to date. The below image is an illustration of people probing or trying to exploit this particular TP240PhoneHome vulnerability against our global network.
Global Secure Layer recommends patching the particular devices to the latest firmware and ensuring port 10074 is ACL’d off at the customer’s end. Devices as indicated by Mitel are MiCollab and MiVoice Business Express, more information can be found here.
While we are primarily concerned with this being a vector used to launch DDoS attacks, this exploit is far more severe. It allows an attacker complete control over the system, for example being able to remotely brick it, create outgoing calls, dump confidential data and potentially use it to pivot further into the network. So we fully anticipate the impact to be worse over the next few days.
What have we done to mitigate this?
We have already deployed a patch on our global network for this exploit. However, if you are multi-homed, you may need to contact your other providers to do the same. Please get in contact with our security team if you have any concerns or questions.
Our global DDoS mitigation systems automatically analyse and learn from new attack vectors detected and deploys global rules. With advanced attack detection and rule sets with real-time packet inspection, we ensure your network is protected inline. Our security team is constantly reviewing attacks 24/7 in real-time.