CVE-2022-26143
Mitel MiCollab vulnerability analysis and mitigation

Overview

The TP240PhoneHome vulnerability (CVE-2022-26143) was discovered in Mitel MiCollab (before 9.4 SP1 FP1) and MiVoice Business Express (through 8.1) systems in early 2022. The vulnerability allows remote attackers to exploit an unauthenticated system test facility that was inadvertently exposed to the public Internet through UDP port 10074. First observed attacks leveraging this vulnerability began on February 18, 2022, with approximately 2,600 affected systems identified (Cloudflare Blog, Hacker News).

Technical details

The vulnerability exists in the tp240dvr (TP-240 driver) component that runs as a software bridge for TDM/VoIP PCI interface cards. The service exposes a stress-test command designed for debugging and performance testing that can be abused to generate massive amplification attacks. When exploited, a single malicious packet can trigger the service to emit up to 2,147,483,647 responses, with each response generating two packets, resulting in an unprecedented amplification ratio of 4,294,967,296:1. The attack packets range from 36 to 45 bytes for counter packets and up to 1,184 bytes for diagnostic output packets (Cloudflare Blog).

Impact

The vulnerability enables attackers to launch sustained DDoS attacks lasting up to 14 hours from a single spoofed packet. A single compromised system can generate approximately 95.5GB of amplified attack traffic from counter packets and an additional 2.5TB from diagnostic output packets, resulting in a sustained flood of nearly 393 Mb/s. The largest observed attack reached approximately 53 million packets per second and 23Gbps (Cloudflare Blog, Hacker News).

Mitigation and workarounds

Mitel has released patched software versions that disable public access to the test feature. Organizations can prevent abuse by blocking incoming Internet traffic destined for UDP port 10074 via ACLs, firewall rules, and other network access control mechanisms. Network operators should implement ingress and egress source address validation to prevent reflection/amplification attacks. The attacks can be detected and mitigated using standard DDoS defense tools and techniques, including network ACLs, flowspec, and intelligent DDoS mitigation systems (Mitel Advisory, Cloudflare Blog).
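As an added illustration of the detection and blocking described above (example code, not from Mitel, Cloudflare or Wiz), this script classifies constructed NetFlow-style records by the response profile the page gives (UDP source port 10074, 36 to 45 byte counter packets, diagnostic packets up to 1,184 bytes), totals the reflected traffic per victim, notes which hosts received a packet on UDP/10074, and emits the UDP/10074 ingress block; the CSV columns and the iptables rule form are assumptions.

```python
# Added example (not Mitel/Cloudflare/Wiz code): flag suspected TP-240
# (CVE-2022-26143) reflection in NetFlow-style CSV; column names are assumed.
import csv
from collections import defaultdict
from io import StringIO

TP240_PORT = 10074      # UDP port of the exposed tp240dvr test facility
DIAG_PKT_MAX = 1184     # largest diagnostic-output response packet
UDP = 17
# Constructed sample flows: a victim, an exposed MiCollab host, DNS and TCP negatives.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,packets,bytes
1645200000,17,198.51.100.7,10074,203.0.113.9,53000,120000,4800000
1645200000,17,198.51.100.7,10074,203.0.113.9,53001,50,59200
1645200001,17,192.0.2.5,53,203.0.113.9,41000,500,60000
1645200002,17,203.0.113.9,51515,198.51.100.7,10074,1,44
1645200003,6,198.51.100.20,443,203.0.113.9,52000,100,140000
"""

def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields."""
    ints = ("proto", "sport", "dport", "packets", "bytes")
    return [{k: int(v) if k in ints else v for k, v in row.items()}
            for row in csv.DictReader(StringIO(text))]

def classify(flow):
    """'counter' (36-45 B) or 'diagnostic' (<=1184 B) UDP/10074 reply stream, else None."""
    if flow["proto"] != UDP or flow["sport"] != TP240_PORT or flow["packets"] == 0:
        return None
    mean = flow["bytes"] / flow["packets"]
    if 36 <= mean <= 45:
        return "counter"
    return "diagnostic" if mean <= DIAG_PKT_MAX else None

def summarize(flows):
    """Total suspected reflected traffic per victim; record (src, dst) of UDP/10074 inbound packets."""
    victims = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    triggers = []
    for f in flows:
        if classify(f):
            v = victims[f["dst"]]
            v["packets"] += f["packets"]
            v["bytes"] += f["bytes"]
            v["reflectors"].add(f["src"])
        elif f["proto"] == UDP and f["dport"] == TP240_PORT:
            triggers.append((f["src"], f["dst"]))
    return dict(victims), triggers

def acl_rules(hosts):
    """Ingress block from the advisory: drop Internet UDP/10074 toward each exposed host."""
    return [f"iptables -A INPUT -p udp -d {h} --dport {TP240_PORT} -j DROP" for h in sorted(hosts)]
```

Running `summarize(parse_flows(SAMPLE_FLOWS))` on the constructed data attributes the reflected flood on 203.0.113.9 to 198.51.100.7 and shows that host receiving a packet on UDP/10074, so `acl_rules` can be fed the reflector addresses.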
