
Researchers Disclose Rooting Backdoor in Mitel IP Phones for Businesses


Cybersecurity researchers have disclosed details of two
medium-severity flaws in Mitel 6800/6900 desk phones that, if
successfully exploited, could allow an attacker to gain root
privileges on the devices.

Tracked as CVE-2022-29854[1] and CVE-2022-29855[2] (CVSS score: 6.8),
the access control issues were discovered by German penetration
testing firm SySS, following which patches were shipped in May 2022.


“Due to this undocumented backdoor, an attacker with physical
access to a vulnerable desk phone can gain root access by pressing
specific keys on system boot, and then connect to a provided Telnet
service as root user,” SySS researcher Matthias Deeg said in a
statement shared with The Hacker News.

Specifically, the issue relates to previously unknown
functionality in a shell script (“check_mft.sh”) in the
phones’ firmware that is designed to be executed at system boot.

“The shell script “check_mft.sh”, which is located in the
directory ‘/etc’ on the phone, checks whether the keys “*” and “#”
are pressed simultaneously during system startup,” the researchers
said[3]. “The phone then sets
its IP address to ‘10.30.102[.]102’ and starts a Telnet server. A
Telnet login can then be performed with a static root
password.”

Successful exploitation of the flaws could allow access to
sensitive information and code execution. The vulnerabilities
impact 6800 and 6900 Series SIP phones, excluding the 6970
model.
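
The boot-script behaviour described above (a script that assigns a fixed IP address and starts a Telnet server) is something a firmware audit can look for in an unpacked root filesystem. The following is an added example, not code from this article, SySS or Mitel; the sample file names, the `keys_held` helper and the 192.0.2.10 address are constructed, and the patterns are heuristics.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: an interface command followed by a literal IPv4 address.
IFACE_IP = re.compile(
    r"\b(?:ifconfig|ip\s+addr(?:ess)?\s+add)\b.*?\b((?:\d{1,3}\.){3}\d{1,3})\b")

# Constructed sample files; not taken from any real firmware image.
SAMPLE = {
    "etc/demo_boot.sh": "#!/bin/sh\nif keys_held; then\n"
                        "  ifconfig eth0 192.0.2.10 up\n  telnetd &\nfi\n",
    "etc/init.d/net.sh": "#!/bin/sh\n# telnetd is disabled\nudhcpc -i eth0\n",
    "etc/motd": "welcome\n",
}

def scan_script(text):
    """Return (line number, finding) pairs for one script's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments (rough, but enough here)
        for ip in IFACE_IP.findall(code):
            findings.append((lineno, "hard-coded address " + ip))
        if re.search(r"\btelnetd\b", code):
            findings.append((lineno, "starts telnetd"))
    return findings

def audit_rootfs(root):
    """Map each flagged script (path relative to root) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links and directories
        text = path.read_text(errors="replace")
        hits = scan_script(text) if text.startswith("#!") else []
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample(root):
    for rel, body in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_rootfs(tmp))
```

Pointing `audit_rootfs` at a real unpacked image gives a short list of scripts to review by hand; a hit is a lead to read, not proof of a backdoor.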


Users of the affected models are advised to update to the
latest[4] firmware[5] version to mitigate any potential risk
arising from exploitation of the privilege escalation flaws.

This is not the first time such backdoor features have been
discovered in telecommunications-related firmware. In December
2021, RedTeam Pentesting revealed[6]
two such bugs in Auerswald’s VoIP appliances that could be abused
to gain full administrative access to the devices.

References

  1. CVE-2022-29854 (nvd.nist.gov)
  2. CVE-2022-29855 (nvd.nist.gov)
  3. said (blog.syss.com)
  4. latest (www.mitel.com)
  5. firmware (www.mitel.com)
  6. revealed (thehackernews.com)
