Cybersecurity researchers have shared details of two medium-severity vulnerabilities in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices.
“Due to this undocumented backdoor, an attacker with physical access to a vulnerable desk phone can gain root access by pressing specific keys on system boot, and then connect to a provided Telnet service as the root user,” SySS researcher Matthias Deeg said in a statement shared with The Hacker News.
Specifically, the issue relates to a previously unknown functionality present in a shell script (“check_mft.sh”) in the phones’ firmware that’s designed to be executed at system boot.
“The shell script “check_mft.sh”, which is located in the directory ‘/etc’ on the phone, checks whether the keys “*” and “#” are pressed simultaneously during system startup,” the researchers said. “The phone then sets its IP address to ‘10.30.102[.]102’ and starts a Telnet server. A Telnet login can then be performed with a static root password.”
If the flaws are successfully exploited, attackers could gain access to sensitive information and achieve code execution. The flaws affect 6800 and 6900 Series SIP phones, but not the 6970 model.
Users of the affected models should update to the latest firmware version to reduce the risk stemming from the privilege escalation attack.
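For teams that review device firmware before deployment, the behaviour described above (a boot-time script that assigns a fixed IP address and starts a Telnet server) can be flagged in an extracted root filesystem. The following audit sketch is an added example, not code from SySS or Mitel; the regex heuristics, the sample script and the `/tmp/maint_flag` path are constructed assumptions.

```python
import os
import re
import tempfile

# Assumed heuristics for a boot-time maintenance backdoor; tune per firmware.
PATTERNS = {
    "starts_telnet": re.compile(r"\b(?:in\.)?telnetd\b"),
    "hardcoded_ip": re.compile(r"\b(?:ifconfig|ip\s+addr)\b.*?\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}

# Constructed sample boot script (hypothetical, not the vendor's check_mft.sh).
SAMPLE = """#!/bin/sh
# constructed sample for the audit below
if [ -f /tmp/maint_flag ]; then
    ifconfig eth0 192.0.2.10 netmask 255.255.255.0
    /usr/sbin/telnetd &
fi
"""

def scan_script(text):
    """Return (line_no, tag) findings; text after '#' is treated as a comment (crude)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]
        findings += [(no, tag) for tag, rx in PATTERNS.items() if rx.search(code)]
    return findings

def scan_tree(root):
    """Report scripts under an extracted firmware root that start a Telnet daemon."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip dangling/absolute symlinks and device nodes
            with open(path, "rb") as fh:
                data = fh.read()
            # Only interpreted scripts (shebang) are inspected; binaries are skipped.
            text = data.decode("utf-8", "replace") if data.startswith(b"#!") else ""
            hits = scan_script(text)
            if any(tag == "starts_telnet" for _, tag in hits):
                report[os.path.relpath(path, root)] = hits
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "check_boot.sh"), "w") as fh:
            fh.write(SAMPLE)
        print(scan_tree(root))
```

A script that is reported with both tags deserves manual review of the condition that triggers it and of any credentials it relies on.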
This is not the first time such backdoor features have been discovered in telecommunications-related firmware. In December 2021, RedTeam Pentesting revealed two such bugs in Auerswald’s VoIP appliances that could be abused to gain full administrative access to the devices.