Author Topic: Poor security design? (Read 1439 times)

jdfoxmicro · « **on:** January 13, 2018, 11:19:15 PM »

Hello,

If you have a user in MCD/MiVoice that's not the root but is assigned "system" permissions, you can do almost anything in the system. But, if you try to edit the properties or change the password for the root user, the interface won't allow it. Also, the root user is the only account that can do certain things, such as customizing what forms other users are able to access. A user with "system" permissions can't.

Anyway, I found out that a user with system permissions can reset the root user's password, simply with a command entered in the Maintenance Commands. And I can confirm it works, even in the latest version of MiVoice software.

Of course, Mitel doesn't publicize this method. But, it's not something you can be sure no one knows. In other words, even though it seems a user with system permissions, per the documentation and interface messages, is not supposed to be able to do certain things the root user can, if that user knows the command to reset the root user's password, then the elevated privileges of the root account are not secured from users with only system permissions.

Thoughts, anyone?

sarond · « **Reply #1 on:** January 14, 2018, 02:10:45 AM »

You will probably find any user with access to the maintenance commands might be able to do this. Not just system user profiles.

Agree this is something that Mitel may need to address.

sunspark · « **Reply #2 on:** January 14, 2018, 04:33:33 AM »

And what is rhe collnd to try it please.

Reset....?

sunspark · « **Reply #3 on:** January 14, 2018, 04:25:25 PM »

Quote from: sunspark on January 14, 2018, 04:33:33 AM

And what is the command to try it please.

Reset....?

acejavelin · « **Reply #4 on:** January 14, 2018, 08:19:24 PM »

Quote from: sunspark on January 14, 2018, 04:33:33 AM

And what is the command to try it please.

Reset....?

It is clearly in the help, and will autocomplete...

RESET_ALL_LOGIN_PASSWORDS

or

RESET_LOGIN_PASSWORD <username>

This can also be done from the RTC shell with: ResetAllLoginPasswords or ResetLoginPassword "username"

And yes, you can clear user "system" from another account.

And this is both a blessing and a curse, but it is clearly a security hole.

sarond · « **Reply #5 on:** January 14, 2018, 10:45:26 PM »

I think it should always be allowed when on site using the RS232 port.

I know other systems like this where you can't reset the password remotely but you can when on site.
This would stop most malicious incidents.

sunspark · « **Reply #6 on:** January 15, 2018, 06:16:16 AM »

Quote from: acejavelin on January 14, 2018, 08:19:24 PM

Quote from: sunspark on January 14, 2018, 04:33:33 AM
And what is the command to try it please.

Reset....?
It is clearly in the help, and will autocomplete...

RESET_ALL_LOGIN_PASSWORDS

or

RESET_LOGIN_PASSWORD <username>

This can also be done from the RTC shell with: ResetAllLoginPasswords or ResetLoginPassword "username"

And yes, you can clear user "system" from another account.

And this is both a blessing and a curse, but it is clearly a security hole.

Ok , we talk about the same command.

Mitel Forums - The Unofficial Source

News:

Author Topic: Poor security design? (Read 1439 times)

jdfoxmicro

Poor security design?

sarond

Re: Poor security design?

sunspark

Re: Poor security design?

sunspark

Re: Poor security design?

acejavelin

Re: Poor security design?

sarond

Re: Poor security design?

sunspark

Re: Poor security design?