CVSS2: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.4 High
Confidence: Low

EPSS: 0.059 Low
Percentile: 93.5%
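
According to its version number, the Mitel MiVoice software is R8.1 or prior. It is, therefore, affected by the following vulnerability:

- A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system. If exploited with a denial of service attack, the impacted system may cause significant outbound traffic impacting availability of other services. This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. (CVE-2022-26143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
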
```
#%NASL_MIN_LEVEL 80900
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Inc.
#

include('compat.inc');

# Plugin metadata: identifiers, references, scoring and dependencies.
if (description)
{
  script_id(200312);
  script_version("1.3");

  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/12");

  script_cve_id("CVE-2022-26143");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Mitel MiVoice <= 8.1 SP1 Information Disclosure and DoS (22-0001)");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by an
information disclosure and denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version number, the Mitel MiVoice software is R8.1 or prior.
It is, therefore, affected by the following vulnerability:
- A vulnerability has been identified in MiCollab and MiVoice Business Express that
may allow a malicious actor to gain unauthorized access to sensitive information and
services, cause performance degradations or a denial of service condition on the affected
system. If exploited with a denial of service attack, the impacted system may cause
significant outbound traffic impacting availability of other services.
This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS
attack. (CVE-2022-26143)
Note that Nessus has not tested for these issues but has instead relied only on the
application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://blog.cloudflare.com/cve-2022-26143");
  # https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f392cc29");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mitel MiVoice version 8.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-26143");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mitel:mivoice_connect");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mitel_mivoice_connect_win_installed.nbin");
  script_require_keys("installed_sw/Mitel MiVoice Connect Server");

  exit(0);
}

include('vcf.inc');

# Version-only check: compares the detected install's self-reported version
# against the constraint below; no active test of the vulnerability is made.
var app_info = vcf::get_app_info(app:'Mitel MiVoice Connect Server');

var constraints = [
  { 'max_version' : '8.1', 'fixed_display' : 'See vendor advisory' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);
```

Vendor | Product | Version | CPE |
---|---|---|---|
mitel | mivoice_connect | | cpe:/a:mitel:mivoice_connect |