Cybersecurity researchers have disclosed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices.
Tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8), the access control issues were discovered by German penetration testing firm SySS, following which patches were shipped in May 2022.
“Due to this undocumented backdoor, an attacker with physical access to a vulnerable desk phone can gain root access by pressing specific keys on system boot, and then connect to a provided Telnet service as root user,” SySS researcher Matthias Deeg said in a statement shared with The Hacker News.
Specifically, the issue relates to a previously unknown functionality present in a shell script (“check_mft.sh”) in the phones’ firmware that’s designed to be executed at system boot.
“The shell script ‘check_mft.sh,’ which is located in the directory ‘/etc’ on the phone, checks whether the keys ‘*’ and ‘#’ are pressed simultaneously during system startup,” the researchers said. “The phone then sets its IP address to ‘10.30.102[.]102’ and starts a Telnet server. A Telnet login can then be performed with a static root password.”
Successful exploitation of the flaws could allow access to sensitive information and code execution. The vulnerabilities impact 6800 and 6900 Series SIP phones, excluding the 6970 model.
Users of the affected models are recommended to update to the latest firmware version to mitigate any potential risk arising out of exploiting the privilege escalation attack.
This is not the first time such backdoor features have been discovered in telecommunications-related firmware. In December 2021, RedTeam Pentesting revealed two such bugs in Auerswald’s VoIP appliances that could be abused to gain full administrative access to the devices.