Tag: CVE-2023-51467

  • Apache OFBiz ERP Vulnerability Opens Door for Memory-Based Attacks

    Specialists at VulnCheck have developed a Proof-of-Concept (PoC) code that exploits a recently discovered critical vulnerability in the Apache OFBiz Enterprise Resource Planning (ERP) system to execute malicious code in memory.

    The vulnerability, designated as CVE-2023-51467 with a CVSS score of 9.8, is an authentication bypass error that allows an attacker to execute arbitrary code on a remote device and access confidential information. This flaw also circumvents another critical shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8).

    Although the vulnerability was rectified in the Apache OFBiz version 18.12.11 released in December, cybercriminals are still attempting to exploit it by targeting vulnerable software instances. According to VulnCheck, CVE-2023-51467 can be leveraged to launch malware directly from memory, leaving minimal traces of the breach.

    Despite Apache’s integrated security mechanisms (such as the Groovy sandbox) blocking attempts to upload web shells or execute Java code through this endpoint, the sandbox’s inadequate implementation means that an attacker can execute curl commands and obtain a reverse bash shell on Linux systems. However, for a sophisticated attacker, such payloads are not ideal as they affect the disk and rely on Linux-specific features.

    VulnCheck’s PoC exploit, based on Go, is a cross-platform solution that works on both Windows and Linux. The PoC bypasses the blacklist by using groovy.util.Eval functions to launch a Nashorn reverse shell in memory as a payload.

    Although CVE-2023-51467 has garnered significant attention, the absence of publicly available malicious payloads raises questions about its exploitability. VulnCheck specialists concluded that exploitation is not only feasible but also allows for the execution of arbitrary code in memory.

  • SonicWall Detects Thousands of OFBiz Zero-Day Attempts

    SonicWall has recorded thousands of daily attempts to exploit zero-day vulnerabilities in Apache OFBiz over nearly two weeks. The flaw was first publicized on December 26, leading to a significant increase in exploitation attempts.

    Experts confirmed that the number of attacks has remained stable since the beginning of 2024. Users of the Apache Software Foundation framework, which includes applications for business process automation and other enterprise functions, are advised to update immediately to OFBiz version 18.12.11. The update addresses both the specified vulnerability and a second, equally dangerous issue.

    The vulnerability, CVE-2023-51467 (CVSS score: 9.8), identified in late December, is an authentication bypass error that allows an attacker to circumvent authentication processes and execute arbitrary code on a remote device, potentially leading to access to confidential information.

    Researchers identified the issue during root cause analysis of another separate authentication bypass vulnerability with remote code execution (RCE) potential, designated as CVE-2023-49070 (CVSS score: 9.8).

    Apache’s fix for the second vulnerability involved removing the code for the XML-RPC API, which is no longer supported. However, further analysis by SonicWall revealed that the root cause lies in the login function. Because the underlying cause of CVE-2023-49070 was not rectified, the authentication bypass remained in OFBiz and is now widely exploited.

    SonicWall researchers developed two Proof-of-Concept (PoC) exploits demonstrating that the vulnerability is exploitable. The root cause is that the authentication bypass is triggered by unexpected behavior when the requirePasswordChange parameter of the login function is set to “Y” in the URI. The Apache OFBiz team promptly rectified the issue, and the SonicWall PoC exploits no longer worked against the corrected version (18.12.11).

  • CVE-2023-51467 & CVE-2023-50968: Critical Security Vulnerabilities in Apache OFBiz

    Apache OFBiz offers a comprehensive suite of tools for ERP, CRM, E-Commerce, and more. Hailed for its open-source nature and part of the esteemed Apache Software Foundation, OFBiz has been a top choice for enterprises seeking reliable and scalable solutions. However, the digital landscape is ever-evolving, and with it comes the challenge of maintaining robust security. Recently, two significant vulnerabilities have come to light within Apache OFBiz, posing serious risks to its users.

    CVE-2023-50968: Arbitrary file properties reading and SSRF attack

    Labeled as ‘important’ in severity and tracked as CVE-2023-50968, the vulnerability allows arbitrary file properties reading – a technical term for unauthorized snooping into file details. Worse still, it opens the door to Server-Side Request Forgery (SSRF) attacks, in which attackers trick the server into making rogue requests. This flaw was disclosed by the security researcher Yun Peng.

    Versions up to 18.12.10 of Apache OFBiz are vulnerable. A swift upgrade to version 18.12.11 fortifies the system against this threat.

    CVE-2023-51467: Pre-authentication Remote Code Execution (RCE) vulnerability

    Marked as ‘critical’ and tracked as CVE-2023-51467, the pre-authentication remote code execution (RCE) vulnerability allows attackers to sidestep authentication barriers and potentially take control of the system. The discovery of this alarming vulnerability is credited to the combined efforts of Hasib Vhora, a senior threat researcher at SonicWall, Gao Tian, and L0ne1y.

    Any version of Apache OFBiz before 18.12.11 is at risk. The solution is clear and non-negotiable – an update to version 18.12.11 is imperative for security.

    For businesses relying on Apache OFBiz, updating to version 18.12.11 is not just a recommendation – it’s a necessity for safeguarding their digital assets.
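    A defender-side check for the two concrete facts these articles give, the requirePasswordChange=Y trigger in the login URI and 18.12.11 as the fixed release. This is an added example, not code from the articles, VulnCheck or SonicWall; the access-log lines and the OFBiz path are constructed placeholders, and matching the parameter case-insensitively is a detection choice, not a statement about how OFBiz parses it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines; the OFBiz path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2023:10:01:02 +0000] "GET /OFBIZ_PATH/login?requirePasswordChange=Y HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [26/Dec/2023:10:02:15 +0000] "POST /OFBIZ_PATH/login HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2023:10:03:40 +0000] "POST /OFBIZ_PATH/login?REQUIREPASSWORDCHANGE=y HTTP/1.1" 200 2048 "-" "Go-http-client/1.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bypass_probe(target: str) -> bool:
    """True if the request URI carries requirePasswordChange=Y.

    Key and value are compared case-insensitively (detection choice).
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() == "requirepasswordchange":
            if any(v.strip().upper() == "Y" for v in values):
                return True
    return False


def find_probes(log_text: str) -> list:
    """Return the parsed requests whose URI matches the bypass trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_probe(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"),
                         "status": int(m.group("status"))})
    return hits


def is_patched(version: str) -> bool:
    """18.12.11 is the fixed release; every earlier version is affected."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (18, 12, 11)


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("bypass trigger seen:", hit)
    print("18.12.10 patched?", is_patched("18.12.10"))
```

A hit only says the trigger was sent, not that it succeeded; pair it with the response status and the instance's version for triage.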