CVE-2022-26143: Critical vulnerability in Mitel MiCollab and MiVoice Business Express systems enables a new level of DDoS attacks

A team of researchers from multiple cybersecurity firms published a report on the detection of denial of service (DoS) attacks with an amplification ratio of more than 4 billion to one that can be launched with a single packet. The report was prepared by researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus and the Shadowserver Foundation.

Apparently, these attacks exploit a flaw tracked as CVE-2022-26143, which resides in some 2,600 Mitel MiCollab and MiVoice Business Express systems, both of which contain a test mode that should not be exposed to the Internet: “Threat actors can abuse the test facility of the exposed system to launch a DoS attack for up to 14 hours using a single counterfeit attack-initiation packet, resulting in an unprecedented packet amplification ratio,” the report states.

The first attacks were detected on February 18 and were mainly seen on ports 80 and 443 at Internet service providers, financial institutions and logistics companies.

A driver on Mitel systems contains a command that performs a stress test using state update packets; it can produce up to 4,294,967,294 packets in 14 hours with a maximum possible size of 1,184 bytes, more than enough to sustain traffic of at least 393 Mbps from a single amplifier.

According to the researchers, this yields an enormous amplification ratio of up to 2,200,288,816:1, a 220 billion percent multiplier triggered by a single packet.

The good news is that Mitel systems can only process a single command at a time, so if a system is being used to launch DoS attacks, legitimate users will notice that normal services are unavailable and the outbound connection is saturated, and the cause is usually found almost immediately.

As a mitigation, Mitel users are advised to update their systems and to deploy network defense tools that detect and block inappropriate incoming traffic on UDP port 10074.
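The detection side of that recommendation can be expressed as two simple checks over flow records: inbound UDP to port 10074 on a Mitel appliance from anywhere other than the internal management range (the exposed test facility being reached), and outbound UDP from the appliance to external addresses with an abnormally high packet count (the appliance acting as a reflector). The following is an added illustration written for this article, not code from the report, from Mitel, or from any of the named firms; the flow-record format, the management range 10.0.0.0/8, the appliance address 10.20.0.5 and all sample records are constructed assumptions.

```python
"""Flag flow records matching the CVE-2022-26143 traffic patterns.

Added example, not code from the report or from Mitel. Flow records use a
constructed "timestamp src dst proto dport packets bytes" line format; the
management range and appliance address are assumptions for the demo.
"""
import ipaddress

MITEL_TEST_PORT = 10074                                  # UDP port named in the advisory
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
MITEL_HOSTS = {ipaddress.ip_address("10.20.0.5")}        # assumed appliance address

# Constructed sample flows (not real telemetry):
#   timestamp src dst proto dport packets bytes
SAMPLE_FLOWS = """\
2022-02-18T09:58:01Z 10.20.0.99 10.20.0.5 udp 10074 1 64
2022-02-18T10:00:00Z 203.0.113.7 10.20.0.5 udp 10074 1 64
2022-02-18T10:00:00Z 10.20.0.5 198.51.100.20 udp 443 85000 100640000
2022-02-18T10:00:03Z 198.51.100.9 10.20.0.5 tcp 443 12 9000
2022-02-18T10:00:05Z 10.20.0.5 10.20.0.30 udp 5060 30 6000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts, nbytes = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "packets": int(pkts),
            "bytes": int(nbytes),
        })
    return flows


def exposed_test_port_hits(flows):
    """Inbound UDP/10074 to an appliance from outside the management range.

    Any such flow means the test facility is reachable from the Internet,
    which is exactly the exposure the advisory says must not exist.
    """
    return [
        f for f in flows
        if f["proto"] == "udp"
        and f["dport"] == MITEL_TEST_PORT
        and f["dst"] in MITEL_HOSTS
        and f["src"] not in MANAGEMENT_NET
    ]


def reflector_candidates(flows, min_packets=10_000):
    """Outbound UDP from an appliance to an external host with a large packet count.

    A healthy voice appliance has no reason to push tens of thousands of UDP
    packets at a single external address; this is the reflector signature.
    """
    return [
        f for f in flows
        if f["proto"] == "udp"
        and f["src"] in MITEL_HOSTS
        and f["dst"] not in MANAGEMENT_NET
        and f["packets"] >= min_packets
    ]


def summarize(flows):
    """Return counts of both indicator types for a dashboard or alert body."""
    return {
        "exposed_test_port_hits": len(exposed_test_port_hits(flows)),
        "reflector_candidates": len(reflector_candidates(flows)),
    }


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for f in exposed_test_port_hits(parsed):
        print(f"EXPOSED  {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/udp")
    for f in reflector_candidates(parsed):
        print(f"REFLECT  {f['ts']} {f['src']} -> {f['dst']} packets={f['packets']}")
    print(summarize(parsed))
```

The first sample line (UDP/10074 from an address inside the management range) is deliberately left unflagged, since administrative use of the port from inside the network is expected; the edge rule that accompanies this detection is simply to drop UDP/10074 from any source outside that range.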

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.