Two medium-severity vulnerabilities in Mitel 6800/6900 desk phones allow an attacker to gain superuser privileges on the devices. The access control vulnerabilities, CVE-2022-29854 and CVE-2022-29855, with a CVSS score of 6.8, were discovered by the German firm SySS, and patches were released in May 2022.
“Thanks to this undocumented backdoor, an attacker with physical access to the phone can gain root access with a certain key combination at system boot, and then connect to the Telnet service as root,” said SySS researcher Matthias Deeg.
The problem is related to a previously unknown function in the “check_mft.sh” shell script in the phones' firmware, which is launched at system boot. “The program check_mft.sh checks if the keys ‘*’ and ‘#’ are pressed at the same time at system startup. After that, a static IP address 10.30.102[.]102 and a static root password are set, and the telnet service is started,” the researchers said.
Successful exploitation of the vulnerabilities can give an attacker access to sensitive information and allow code execution. The vulnerabilities affect the 6800 and 6900 series SIP phones, with the exception of the 6970 model. Users of affected models are advised to update the firmware to the latest version to mitigate any potential risk.
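A detection check for the network footprint described above, as an added example that is not code from SySS or Mitel: it scans flow records for a known desk phone appearing on the static address 10.30.102.102, or for Telnet connections to that address. The record format, the MAC inventory and the sample lines are constructed assumptions.

```python
import csv
import io
import ipaddress

# Static address set by the check_mft.sh backdoor path, per the SySS description.
BACKDOOR_IP = ipaddress.ip_address("10.30.102.102")
TELNET_PORT = 23

# Constructed inventory: MAC addresses of deployed desk phones (hypothetical values).
PHONE_MACS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}

# Constructed flow records (hypothetical format): time,src_mac,src_ip,dst_ip,dst_port
SAMPLE_LOG = """\
2022-06-01T08:00:01,02:00:00:aa:bb:01,192.168.10.21,192.168.10.5,5060
2022-06-01T08:14:40,02:00:00:aa:bb:02,10.30.102.102,10.30.102.1,0
2022-06-01T08:15:02,02:00:00:cc:dd:09,10.30.102.50,10.30.102.102,23
2022-06-01T08:20:11,02:00:00:cc:dd:10,192.168.10.77,192.168.10.9,23
"""

def find_backdoor_activity(log_text, phone_macs=PHONE_MACS):
    """Return (time, reason, src_mac) tuples for records matching the backdoor footprint."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the scan
        ts, mac, src, dst, port = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            continue  # unparsable address or port
        mac = mac.lower()
        # A known phone sourcing traffic from the static address is consistent
        # with the boot-time key combination having been used on that device.
        if src_ip == BACKDOOR_IP and mac in phone_macs:
            findings.append((ts, "phone-on-backdoor-ip", mac))
        # Telnet to the static address is consistent with a follow-up root login.
        if dst_ip == BACKDOOR_IP and dport == TELNET_PORT:
            findings.append((ts, "telnet-to-backdoor-ip", mac))
    return findings

if __name__ == "__main__":
    for finding in find_backdoor_activity(SAMPLE_LOG):
        print(*finding)
```

Telnet traffic to other hosts is deliberately not flagged here; the check keys only on the static address named in the advisory.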