CVE-2024-47912

Missing Authentication for Critical Function (CWE-306)

Published: Oct 21, 2024 / Updated: 29d ago

CVSS 8.2 / EPSS 0.04% / High

Summary

A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through version 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. This vulnerability is classified as CWE-306: Missing Authentication for Critical Function.

Impact

A successful exploit could allow an attacker to access and delete sensitive information. The vulnerability has a high impact on confidentiality and a low impact on integrity, with no impact on availability. The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity. Given the CVSS base score of 8.2, this vulnerability is considered high severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch. The vulnerability affects Mitel MiCollab versions up to and including 9.8 SP1 FP2 (9.8.1.201).

Mitigation

While no specific mitigation steps are provided, given the nature of the vulnerability, the following recommendations can be made:

1. Prioritize patching this vulnerability due to its high severity (CVSS score 8.2) and the potential for unauthorized access to sensitive data.
2. Monitor for any patches or updates released by Mitel for MiCollab, particularly versions up to 9.8 SP1 FP2 (9.8.1.201).
3. Implement network segmentation to limit access to the AWV Conferencing component.
4. Enhance monitoring and logging for any suspicious activities related to data access or deletion in the affected systems.
5. Consider implementing additional authentication mechanisms or access controls as a temporary measure until a patch is available.
6. Regularly audit and review authentication mechanisms for critical functions in the MiCollab system.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-47912

Oct 21, 2024 at 8:15 PM
First Article

Feedly found the first article mentioning CVE-2024-47912.

Oct 21, 2024 at 8:24 PM / National Vulnerability Database
CVSS

A CVSS base score of 8.2 has been assigned.

Oct 22, 2024 at 6:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 22, 2024 at 6:40 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 22, 2024 at 6:48 PM
Threat Intelligence Report

CVE-2024-47912 is an authentication bypass vulnerability in Mitel's MiCollab unified communications platform, which has been addressed in a recent update. While the criticality and CVSS score are not specified, the vulnerability poses a significant risk of unauthorized access and potential data exfiltration. Mitel recommends that users update their systems to mitigate this issue, as no information is provided regarding exploitation in the wild or proof-of-concept exploits.

Oct 25, 2024 at 12:45 PM
Static CVE Timeline Graph

Affected Systems

Mitel/micollab

Attack Patterns

CAPEC-12: Choosing Message Identifier

References

[RTCSec news] October 2024 - WebRTC app vulnerabilities at DEF CON 32, SIP URI security, VoIP product fixes
3 years of newsletter, a new white paper about a WebRTC implementation vulnerability, DEF CON 32 talks that mention WebRTC, a fake FBI-run phone company and SIP URI parsing vulnerabilities, various vulnerabilities fixed in Cisco ATA devices, Mitel, VICIDial, and more.

News

CVE-2024-47912 - Mitel MiCollab AWV Conferencing Unauthenticated Data-Access Vulnerability
CVE ID: CVE-2024-47912. Published: Oct. 21, 2024, 8:15 p.m. Description: A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. A successful exploit could allow an attacker to access and delete sensitive information. Severity: 8.2
CVE-2024-47912 | Mitel MiCollab up to 9.8.1.201 Conferencing Component access control (misa-2024-0027)
A vulnerability was found in Mitel MiCollab up to 9.8.1.201. It has been declared as critical. This vulnerability affects unknown code of the Conferencing Component. The manipulation leads to improper access controls. This vulnerability was named CVE-2024-47912. The attack can be initiated remotely. There is no exploit available.
CVE-2024-47912
A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. A successful exploit could allow an attacker to access and delete sensitive information.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: Low
Availability Impact: None
