The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the critical nature of this flaw.
Apache OFBiz is used across various industries to streamline operations, including customer relationship management, human resources, order fulfillment, and warehouse coordination. Around 170 organizations run it, 41% of them located in the United States. Notable users include major corporations such as United Airlines, Home Depot, and HP Development, among others, as listed on the platform’s website.
The vulnerability, designated CVE-2024-38856, has been assigned a severity score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS). The score reflects that the flaw allows remote code execution (RCE) without prior authentication. CISA’s warning follows the public release of proof-of-concept (PoC) exploits, which surfaced shortly after the flaw was disclosed in early August.
To mitigate the associated risks, organizations are advised to update to version 18.12.15. Federal Civilian Executive Branch (FCEB) agencies have been instructed to complete their updates by September 17.
One Vulnerability Leads to Another
The discovery of CVE-2024-38856 was made by security researchers at SonicWall during an investigation into another flaw, CVE-2024-36104, which also involves remote code execution.
The earlier vulnerability, CVE-2024-36104, allows malicious actors to reach system directories because incoming requests are poorly validated: the ControlServlet and RequestHandler functions are supposed to resolve the same processing endpoint for a request but do not, and that inconsistency is the security weakness.
While testing a fix for CVE-2024-36104, researchers uncovered CVE-2024-38856, which allows unauthenticated access through the ProgramExport endpoint and can enable arbitrary code execution, which is why access to this endpoint needs to be restricted immediately.
Avoiding Exploitation
In a detailed analysis, SonicWall’s researchers illustrated how an attack exploiting CVE-2024-38856 might unfold, showcasing specific commands that could be utilized:
"POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
groovyProgram=throw new Exception('whoami'.execute().text);"
Several additional URLs that are susceptible to CVE-2024-36104 include:
POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/TestService/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/main/ProgramExport
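The request shape above and the URLs just listed share one trait a defender can key on: a second controller view name chained in front of ProgramExport. The following Python detector, an added example not taken from the SonicWall or Dark Reading write-ups, scans web-server access logs for that pattern; it assumes the common Combined Log Format and uses constructed sample lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined Log Format, assumed here; adjust the regex for other servers.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The pattern seen in the reported URLs: an OFBiz controller request that
# chains another view name in front of ProgramExport, e.g.
# /webtools/control/forgotPassword/ProgramExport. A plain, direct request
# to /webtools/control/ProgramExport is expected to require a login and
# is not flagged by this rule.
CHAINED_PROGRAM_EXPORT = re.compile(
    r'^/webtools/control/[^/?]+/ProgramExport(?:[/?]|$)', re.IGNORECASE
)

@dataclass
class Alert:
    ip: str
    ts: str
    method: str
    path: str
    status: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the log line matches the chained-ProgramExport pattern."""
    m = LOG_RE.match(line)
    if not m or not CHAINED_PROGRAM_EXPORT.match(m.group("path")):
        return None
    # A 2xx response means the chained view reached ProgramExport without the
    # login redirect (3xx) or denial (4xx) a direct request would produce, so
    # it is treated as possible exploitation rather than a probe.
    sev = "possible exploitation" if m.group("status").startswith("2") else "probe"
    return Alert(m.group("ip"), m.group("ts"), m.group("method"), m.group("path"),
                 m.group("status"), f"CVE-2024-38856 chained ProgramExport request ({sev})")

def scan(lines: List[str]) -> List[Alert]:
    return [a for a in map(check_line, lines) if a]

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Aug/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Aug/2024:10:01:03 +0000] "POST /webtools/control/main/ProgramExport HTTP/1.1" 403 0',
    '198.51.100.4 - - [05/Aug/2024:10:02:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 2048',
    '198.51.100.4 - - [05/Aug/2024:10:02:10 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Feeding the rule a longer log window and grouping alerts by source address gives a quick view of whether a host moved from probing to a successful (2xx) chained request.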
Both vulnerabilities affect all versions of Apache OFBiz up to 18.12.14, and there are currently no interim patches available. Thus, users are urged to upgrade to the latest version to protect against possible exploitation of these weaknesses.
Neglecting to implement the necessary upgrade may allow “threat actors to manipulate login parameters and execute arbitrary code on the target server,” as noted by researchers at Zscaler who also assessed this issue earlier this month. This risk is heightened as attackers increasingly take advantage of publicly released proof-of-concept exploits linked to vulnerabilities.
Source
www.darkreading.com