Apache OFBiz ERP Vulnerability Opens Door for Memory-Based Attacks

Specialists at VulnCheck have developed a Proof-of-Concept (PoC) code that exploits a recently discovered critical vulnerability in the Apache OFBiz Enterprise Resource Planning (ERP) system to execute malicious code in memory.

The vulnerability, designated CVE-2023-51467 with a CVSS score of 9.8, is an authentication bypass that allows an attacker to execute arbitrary code on a remote system and access confidential information. It also bypasses the fix for another critical shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8).

Although the vulnerability was fixed in Apache OFBiz version 18.12.11, released in December, attackers are still attempting to exploit it by targeting unpatched instances. According to VulnCheck, CVE-2023-51467 can be leveraged to launch malware directly from memory, leaving minimal traces of the breach on disk.
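The only remediation the article names is the 18.12.11 release, so the practical defender's check is an inventory sweep for instances still below that version. The following is an added example, not VulnCheck's or the Apache project's code; the host inventory is constructed, and the version strings are assumed to be the dotted form Apache OFBiz uses for its releases (suffixes such as `-SNAPSHOT` are tolerated but ignored for the comparison).

```python
import re
from typing import List, Optional, Tuple

# Release in which Apache OFBiz fixed CVE-2023-51467, as stated in the article.
FIXED_VERSION = "18.12.11"

# Constructed asset inventory of (hostname, reported OFBiz version); not real hosts.
INVENTORY = [
    ("erp-prod-01", "18.12.10"),
    ("erp-prod-02", "18.12.11"),
    ("erp-dev-01", "18.12.9"),
    ("erp-test-01", "18.12.12-SNAPSHOT"),
    ("erp-legacy", "17.12.07"),
    ("erp-unknown", "n/a"),
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'MAJOR.MINOR.PATCH[-suffix]' into a comparable int tuple, or None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version is below the fixed release, False if at or above it,
    None if the version string cannot be parsed (treat as needing manual review)."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    # Anything older than the fixed release, including earlier branches, is treated as unpatched.
    return v < f


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (needs_patch, patched, unknown) host lists, preserving order."""
    needs_patch, patched, unknown = [], [], []
    for host, version in inventory:
        status = is_vulnerable(version)
        if status is None:
            unknown.append(host)
        elif status:
            needs_patch.append(host)
        else:
            patched.append(host)
    return needs_patch, patched, unknown


if __name__ == "__main__":
    needs_patch, patched, unknown = triage(INVENTORY)
    print("Upgrade to %s or later:" % FIXED_VERSION, ", ".join(needs_patch) or "-")
    print("Already patched:", ", ".join(patched) or "-")
    print("Version unknown, review manually:", ", ".join(unknown) or "-")
```

Hosts whose version cannot be parsed are reported separately rather than silently counted as safe, which is the failure mode that matters in an inventory sweep.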

Although OFBiz's built-in security mechanisms (such as the Groovy sandbox) block attempts to upload web shells or execute Java code through this endpoint, the sandbox is implemented loosely enough that an attacker can still run curl commands and obtain a reverse bash shell on Linux systems. For a sophisticated attacker, however, such payloads are not ideal: they touch the disk and rely on Linux-specific features.

VulnCheck's PoC exploit, written in Go, is cross-platform and works on both Windows and Linux. It bypasses the sandbox's blacklist by using groovy.util.Eval functions to launch a Nashorn reverse shell that runs entirely in memory.

Although CVE-2023-51467 has garnered significant attention, the absence of publicly available malicious payloads had raised questions about its exploitability. VulnCheck's researchers concluded that exploitation is not only feasible but also allows arbitrary code to be executed in memory.