Kyle Burns

**Name of the Vulnerable Software and Affected Versions** Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, versions through R6.4.0.HF1 (R6.4.0.136) **Description** A vulnerability in the Mitel SIP phones could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system. The vulnerability is being exploited by the Aquabot botnet, a Mirai-based malware, to launch DDoS attacks. The botnet is targeting Mitel SIP phones, including the 6800, 6900, and 6900w series, as well as the 6970 Conference Unit. **Recommendations** Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, versions through R6.4.0.HF1 (R6.4.0.136): Update to a newer version that contains a fix for this issue, as the current version is vulnerable to argument injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mitel 6869i versions 4.5.0.41 and earlier Mitel 6869i versions 5.x through 5.0.0.1018 Description: A command injection issue exists in the `hostname` parameter taken in by the "provis.html" endpoint. The "provis.html" endpoint performs no sanitization on the `hostname` parameter, which is subsequently written to disk. During boot, the `hostname` parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the `hostname` parameter. Recommendations: For Mitel 6869i versions 4.5.0.41 and earlier, consider disabling access to the "provis.html" endpoint until a patch is available. For Mitel 6869i versions 5.x through 5.0.0.1018, restrict the use of the `hostname` parameter in the "provis.html" endpoint to minimize the risk of exploitation. As a temporary workaround, consider implementing input validation and sanitization for the `hostname` parameter to prevent command injection attacks.

Name of the Vulnerable Software and Affected Versions: Mitel 6869i version 4.5.0.41 Description: The issue is related to the Manual Firmware Update (upgrade.html) page, which does not perform sanitization on the `username` and `path` parameters sent by an authenticated user. This lack of sanitization leads to $() command execution, allowing a remote attacker to execute arbitrary commands by sending specially crafted POST requests. Recommendations: For Mitel 6869i version 4.5.0.41, as a temporary workaround, consider disabling access to the Manual Firmware Update (upgrade.html) page until a patch is available. Restrict access to the `upgrade.html` page to minimize the risk of exploitation. Avoid using the `username` and `path` parameters in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.