Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Mitel MiCollab and MiVoice Business Express TP-240 Reflection/Amplification DDoS Vulnerability

Vulnerability

A vulnerability in Mitel MiCollab versions prior to 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to abuse an exposed system test facility for reflection and amplification, leading to a distributed denial-of-service (DDoS) attack. This vulnerability has been exploited in the wild, causing performance degradation and excessive outbound traffic. The TP-240 driver interface, exposed to the public internet on approximately 2,600 misconfigured systems, can be used to launch sustained DDoS attacks of up to 14 hours by amplifying traffic by a factor of 4 billion.

Impact

Exploitation of this vulnerability allows for reflection and amplification DDoS attacks, with the potential to overwhelm targeted networks and disrupt normal operations. The abused systems can generate massive amounts of traffic, causing collateral damage to voice communications and other services.

Reproduction

The vulnerability can be reproduced by sending a single spoofed packet to UDP port 10074 on an affected Mitel system. The packet triggers the TP-240 driver to respond with an amplified volume of attack traffic directed towards the victim's network. The attack can be sustained for up to 14 hours, depending on the configuration of the abused system.

Remediation

Mitel has released patched software that disables the abusable test facility and prevents exposure to the internet. Users should contact Mitel for specific update instructions.
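To check whether a system is exposed or already being abused, flow logs can be searched for the pattern described above. The following is an added example, not code from Mitel or from this page; the flow record format, the internal address range, the ratio threshold and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

TP240_PORT = 10074  # UDP port named in the advisory

# Constructed flow records: proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,40311,10.20.0.15,10074,60
udp,10.20.0.15,10074,198.51.100.7,40311,96000000
udp,10.20.0.15,5060,192.0.2.10,5060,4200
udp,10.20.0.22,10074,10.20.0.30,51000,800
udp,10.20.0.30,51000,10.20.0.22,10074,750
tcp,10.20.0.15,443,203.0.113.9,52000,12000
"""

def analyze(flow_text, internal_cidrs=("10.0.0.0/8",), ratio_threshold=100):
    """Flag internal hosts whose UDP/10074 service is reached from outside
    and/or sends far more bytes out than it receives."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]

    def internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes = line.strip().split(",")
        if proto.lower() != "udp":
            continue
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        if dport == TP240_PORT and internal(dst) and not internal(src):
            # Exposure. The source here may be spoofed, so treat it as the
            # likely victim rather than the sender.
            stats[dst]["in"] += nbytes
        elif sport == TP240_PORT and internal(src) and not internal(dst):
            stats[src]["out"] += nbytes  # possible reflected traffic

    findings = {}
    for host, s in stats.items():
        ratio = s["out"] / max(s["in"], 1)
        findings[host] = {"exposed": s["in"] > 0,
                          "amplifying": ratio >= ratio_threshold,
                          "ratio": ratio}
    return findings

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_FLOWS).items():
        print(host, f)
```

Any host reported as exposed should have UDP port 10074 blocked at the network edge, whether or not amplification has been observed yet.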

Added: May 15, 2026, 12:01 PM
Updated: May 15, 2026, 12:01 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 9.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.