CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz
Introduction
On August 5, 2024, SonicWall researchers disclosed a zero-day flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, rated CVSS 9.8, allows an unauthenticated attacker to achieve remote code execution (RCE). SonicWall found it while testing the patch for CVE-2024-36104: unauthenticated access to the ProgramExport endpoint was still possible, which is enough to execute arbitrary code. Both issues stem from a flaw in the controller's override-view handling, which an unauthenticated attacker can trigger with a crafted request.
Recommendations
Zscaler ThreatLabz strongly advises users of Apache OFBiz to upgrade promptly to version 18.12.15, which contains the fixes for both CVE-2024-38856 and CVE-2024-36104.
Affected Versions
The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately:
All versions 18.12.13 and below are impacted by CVE-2024-36104
All versions 18.12.14 and below are impacted by CVE-2024-38856
Background
Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries, including tools for customer relationship management, order processing, human resources, warehouse management, and more.
During the analysis of CVE-2024-36104, disclosed on June 3, 2024, SonicWall researchers found that ControlServlet and RequestHandler derived different endpoint names from the same request. Both should resolve the same endpoint; because they did not, the authentication decision could be made for one endpoint while a different one was executed. CVE-2024-38856 is the consequence: unauthenticated access to the ProgramExport endpoint, which should have been restricted.
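The mismatch described above, as an added illustration that is not Apache OFBiz code: a toy controller in which the login check and the dispatch are keyed on different segments of the same path (first vs. last), beside a version that keys both on the same name. The request names and which of them require login are taken from this advisory; the "first segment vs. last segment" split, the stripping of ';' path parameters and dot segments, and all function names are modelling assumptions, not a description of OFBiz internals.

```python
"""Toy model of the routing mismatch behind CVE-2024-38856.

Added illustration, not Apache OFBiz code. It assumes a simplified
controller in which two decisions are made about the same URL: whether
the caller must be logged in, and which request handler runs. The defect
modelled is the one the advisory describes: the two decisions are keyed
on different parts of the path, so one request name is checked for
authentication and a different one is executed.
"""
from urllib.parse import unquote

CONTROL = "/webtools/control/"

# Controller requests named in the advisory. True = login required.
# (ProgramExport evaluates a Groovy script supplied in the request body.)
REQUESTS = {
    "forgotPassword": False,
    "showDateTime": False,
    "TestService": False,
    "view": False,
    "main": False,
    "ProgramExport": True,
}


def request_names(path):
    """Split the part of the path after /webtools/control/ into request names.

    Assumption: the container percent-decodes the path and drops ';' path
    parameters and dot segments, so forgotPassword/;%2e%2e/ProgramExport
    and forgotPassword/ProgramExport both arrive as
    ['forgotPassword', 'ProgramExport'].
    """
    path = unquote(path.split("?", 1)[0])
    if not path.startswith(CONTROL):
        raise ValueError("not a controller URL: " + path)
    names = []
    for seg in path[len(CONTROL):].split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", ".", ".."):
            continue
        names.append(seg)
    return names


def route_vulnerable(path, logged_in):
    """Auth is decided on the FIRST name, dispatch on the LAST: the bug."""
    names = request_names(path)
    if not names:
        return "not found"
    checked, executed = names[0], names[-1]
    # Unknown names are treated as requiring login (fail closed).
    if REQUESTS.get(checked, True) and not logged_in:
        return "denied"
    if executed not in REQUESTS:
        return "not found"
    return "ran " + executed


def route_fixed(path, logged_in):
    """Both decisions keyed on the same request name.

    Any further path segment is never promoted to a request of its own,
    so a restricted handler cannot be reached through an open one.
    """
    names = request_names(path)
    if not names:
        return "not found"
    name = names[0]
    if name not in REQUESTS:
        return "not found"
    if REQUESTS[name] and not logged_in:
        return "denied"
    return "ran " + name


if __name__ == "__main__":
    for url in ("/webtools/control/ProgramExport",
                "/webtools/control/forgotPassword/ProgramExport",
                "/webtools/control/forgotPassword/;%2e%2e/ProgramExport"):
        print(url, "| vulnerable:", route_vulnerable(url, False),
              "| fixed:", route_fixed(url, False))
```

With the vulnerable router an anonymous caller is denied on the direct ProgramExport URL but gets ProgramExport executed once any open request name is placed in front of it; the fixed router runs only the request it actually authorised.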
How It Works
In the earlier vulnerability, CVE-2024-36104, Apache OFBiz did not adequately validate the request path, so a remote attacker could use a path traversal vector to reach endpoints that should have been restricted. Exploitation involved sending a URL containing '..' sequences, which could result in the execution of arbitrary code on the system.
An example of such a malformed POST request and its request body is shown below.
POST /webtools/control/forgotPassword/;%2e%2e/ProgramExport
POST-Body: groovyProgram=throw new Exception('whoami'.execute().text);
The figure below shows the example malformed request. The request body runs the command 'whoami' and throws an exception carrying its output, so the result of the command is reflected in the error message returned to the attacker. The output of the command is highlighted in the green box.
Figure 1: An example of a POST request related to CVE-2024-36104. The request includes an encoded request body, along with its corresponding output.
The more recent vulnerability, CVE-2024-38856, permits unauthorized access to the ProgramExport endpoint without any path traversal vector at all: the request is accepted even though the endpoint should have been restricted.
The figure below shows an attack chain exploiting CVE-2024-38856.
Figure 2: The attack chain depicting an attacker exploiting CVE-2024-38856.
The figure below shows a request without a path traversal vector being executed; the output of the command is again reflected in the error message.
Figure 3: An example of a POST request related to CVE-2024-38856. The request includes an encoded request body, and the output associated with it.
Further investigation revealed that unauthenticated access to the ProgramExport endpoint was possible by chaining it after any other endpoint that does not require authentication. Examples of such endpoints include:
forgotPassword
showDateTime
TestService
view
main
URLs that could be used to exploit this vulnerability are:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport
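A detection sweep over access-log lines for the two request shapes shown in this article (the traversal form of CVE-2024-36104 and the chained form of CVE-2024-38856), as an added example that is not Zscaler's, SonicWall's or Apache OFBiz's code. It assumes a reverse proxy or servlet container writing Combined/Common-format access logs, in which only the request line is available (POST bodies such as groovyProgram=... are not logged there), and it goes slightly beyond the article by decoding the path repeatedly so that double-encoded variants are not missed. The log lines, IP addresses and the RESTRICTED set are constructed for the example.

```python
"""Access-log sweep for the CVE-2024-38856 / CVE-2024-36104 request shapes.

Added example, not code from the advisory or from Apache OFBiz. It assumes
Combined/Common-format access logs and therefore only sees the request
line; the Groovy payload in the POST body is not visible at this layer.
"""
import re
from urllib.parse import unquote

CONTROL = "/webtools/control/"
# Handlers that must never be reachable by an unauthenticated caller.
# ProgramExport is the one named in the advisory; extend as needed (assumption).
RESTRICTED = {"ProgramExport"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise_path(target, max_rounds=3):
    """Drop the query string and percent-decode until the path stops changing.

    Repeated decoding catches double-encoded forms such as %252e%252e.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_target(target):
    """Return the reasons a request target looks like a controller bypass, or []."""
    path = normalise_path(target)
    if not path.startswith(CONTROL):
        return []
    raw = path[len(CONTROL):].split("/")
    reasons = []
    # CVE-2024-36104 shape: a '..' or ';' path-parameter segment between the
    # controller prefix and the real target, e.g. forgotPassword/;%2e%2e/ProgramExport
    if any(".." in seg or seg.startswith(";") for seg in raw):
        reasons.append("traversal-or-path-parameter")
    # CVE-2024-38856 shape: a restricted request chained after another
    # request name, e.g. forgotPassword/ProgramExport
    names = [seg.split(";", 1)[0] for seg in raw]
    names = [n for n in names if n not in ("", ".", "..")]
    if len(names) >= 2 and names[-1] in RESTRICTED:
        reasons.append("restricted-request-chained-after-" + names[0])
    return reasons


def scan(lines):
    """Return one finding per suspicious log line (unparseable lines are skipped)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m["target"])
        if reasons:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "method": m["method"], "target": m["target"],
                             "status": m["status"], "reasons": reasons})
    return findings


# Constructed sample log for the example, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Aug/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Aug/2024:10:01:05 +0000] "POST /webtools/control/forgotPassword/;%2e%2e/ProgramExport HTTP/1.1" 200 498',
    '10.0.0.7 - - [05/Aug/2024:10:01:09 +0000] "GET /webtools/control/main HTTP/1.1" 200 2048',
    '10.0.0.8 - - [05/Aug/2024:10:01:12 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0',
    '10.0.0.9 - - [05/Aug/2024:10:01:15 +0000] "POST /webtools/control/main/%2550rogramExport HTTP/1.1" 200 510',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["src"], f["method"], f["target"], f["reasons"])
```

The direct, un-chained request from 10.0.0.8 is deliberately not flagged: on its own it is what a legitimate logged-in administrator would send, and the article's point is that the bypass lies in the prefix, not in the endpoint. A 200 on a chained ProgramExport request from an unknown source is the signal to treat the host as compromised rather than merely probed.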
Conclusion
To protect against CVE-2024-38856, update Apache OFBiz systems to version 18.12.15 as soon as possible. Leaving systems unpatched exposes them to significant risk: an unauthenticated attacker can bypass the login check on the ProgramExport endpoint and execute arbitrary code on the target server.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following.
Zscaler Advanced Threat Protection
App.Exploit.CVE-2024-38856
App.Exploit.CVE-2024-36104
Zscaler Private Access AppProtection
HTML.Exploit.CommandInjection:6000004
For more details, visit the Zscaler Threat Library.
The post CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz appeared first on Security Boulevard.