The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
| Link | Tags |
|---|---|
| https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001 | vendor advisory |
| https://www.akamai.com/blog/security/phone-home-ddos-attack-vector | mitigation, third party advisory |
| https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/ | mitigation, third party advisory |
| https://news.ycombinator.com/item?id=30614073 | third party advisory, issue tracking |
| https://blog.cloudflare.com/cve-2022-26143/ | mitigation, third party advisory |
| https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143/ | broken link, mitigation, third party advisory |
| https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion/ | press/media coverage, third party advisory, exploit |