In this blog article, we discuss CVE-2023-51467, a zero-day SSRF vulnerability in Apache OFBiz. This vulnerability arises from an incomplete patch for CVE-2023-49070, a pre-authenticated RCE flaw.
TLDR: The blog article discusses the critical security threats posed by Apache OFBiz zero-day vulnerabilities, specifically CVE-2023-49070 and CVE-2023-51467. It emphasizes the need for both red and blue teams to work together in order to exploit and analyze these vulnerabilities. By understanding and addressing these vulnerabilities, organizations can improve their security posture and protect their systems from potential malicious attacks.
If you would like to investigate this alert as an Incident Responder, you can register to LetsDefend.
In recent years, the threat landscape has become increasingly complex and sophisticated, with cybercriminals constantly evolving their tactics to exploit vulnerabilities in various software systems. One such system that has recently come under scrutiny is Apache OFBiz, a popular open-source enterprise resource planning (ERP) framework. This blog article aims to provide an in-depth analysis of two zero-day vulnerabilities in Apache OFBiz, namely CVE-2023-49070 and CVE-2023-51467. The SonicWall Threat research team's discovery of CVE-2023-51467, a severe authentication bypass vulnerability with a CVSS score of 9.8, has unveiled an alarming risk to the system's integrity. These vulnerabilities have the potential to allow remote code execution (RCE) on affected systems, making them highly critical and deserving of immediate attention from both red and blue teams.
CVE-2023-51467 is a pre-authenticated RCE flaw that was discovered in Apache OFBiz. This vulnerability allows an attacker to execute arbitrary code on the target system without requiring any prior authentication. It arises due to an incomplete patch that was intended to fix a previous vulnerability (CVE-2023-49070) but inadvertently left a loophole for attackers to exploit.
Building upon the foundation laid by CVE-2023-49070, CVE-2023-51467 is a zero-day server-side request forgery (SSRF) vulnerability that targets Apache OFBiz. SSRF vulnerabilities allow an attacker to make unauthorized requests from the vulnerable server's perspective, potentially leading to unauthorized access or data leakage. In this case, the SSRF vulnerability can be leveraged by an attacker to manipulate requests sent by Apache OFBiz and bypass security measures.
To fully understand the implications of these vulnerabilities, it is essential for both red and blue teams to collaborate and adopt a unified perspective. The red team's role involves simulating real-world attacks on the system using known exploits for these vulnerabilities. By exploiting these zero-days, they can uncover potential weaknesses in the system's defenses and help identify areas for improvement.
On the other hand, the blue team's objective is to defend against these attacks by implementing robust security measures and patching any vulnerabilities that may be present. They will analyze the red team's findings and develop strategies to mitigate the risk posed by these zero-day vulnerabilities. This collaborative approach ensures a comprehensive and effective response to such critical security threats.
In conclusion, the exploitation and analysis of Apache OFBiz zero-day vulnerabilities, specifically CVE-2023-49070 and CVE-2023-51467, require the joint efforts of both red and blue teams. By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.
Versions Affected:
Versions preceding the 18.12 branch could potentially be vulnerable as well. It is advisable to conduct testing and, if necessary, upgrade to version 18.12.11 to mitigate any associated risks.
To have a deeper understanding of the background of the two vulnerabilities and see the exploit in action with a proof-of-concept, first, we set up our lab, then talk about the issues in general and then on a technical level.
It’s a pre-authentication Remote Code Execution (RCE) vulnerability which has been identified in Apache OFBiz 18.12.09. The issue stems from the presence of XML-RPC, which is no longer maintained but remains in the system. It was published on the 5th of December 2023.
On December 26, 2023, this vulnerability, which also holds a CVSS v3.x rating of 9.8 out of 10, was disclosed after a thorough examination of the root causes behind authentication weaknesses.
In brief, remote unauthenticated attackers can still exploit the same vulnerability by manipulating request parameters, enabling them to completely bypass OFBiz's authentication and authorization checks. The successful exploitation of this flaw allows for unauthorized access to confidential data and facilitates the upload of malicious scripts, leading to remote code execution.
The vulnerability allows attackers to bypass authentication processes, granting them the ability to remotely execute arbitrary code. The SonicWall threat research team identified this authentication bypass vulnerability during the Root Cause Analysis (RCA) of the previously disclosed CVE-2023-49070 vulnerability.
Apache OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) and business process automation framework. It provides a suite of business applications that cover various aspects, including accounting, order processing, customer relationship management (CRM), and supply chain management. OFBiz is designed to be customizable and extensible, allowing organizations to tailor it to their specific business needs. It is part of the Apache Software Foundation and is developed collaboratively by a community of contributors.
Apache OFBiz is an open-source project and can be downloaded from its official website. Release notes for the published versions can be reviewed. The release notes provide information about the new features, bug fixes, and enhancements included in each version of Apache OFBiz. They also highlight any known issues or compatibility concerns that users should be aware of.
You may access earlier versions of Apache OFBiz by clicking the link at the bottom of the page. This will allow you to explore previous releases and access their respective documentation. It is helpful for users who may prefer to use a specific version of Apache OFBiz due to compatibility issues or specific features they require.
Apache OFBiz is a Java-based application, making it compatible with most operating systems. However, for the sake of simplicity and ease of use, we will demonstrate the installation on an Ubuntu machine in this example. However to exploit the CVE-2023-51467 vulnerability, it is necessary to install a version lower than 18.12.11. To expedite the setup of the lab environment, we will use a previously prepared Docker image.
This image is completely self-contained and contains pre-loaded demo data for evaluation and tweaking with OFBiz. It saves users the time and effort of manually setting up a new environment and populating it with data. Additionally, the Docker image allows users to easily switch between different versions of OFBiz without the need for complex configurations or installations.
# Update the package list on your Ubuntu machine
sudo apt update
# Install Docker on your system
sudo apt install docker.io
# Pull the 'marcopinball/ofbiz-demo' Docker image from Docker Hub
docker pull marcopinball/ofbiz-demo
# Run a detached Docker container from the pulled image, mapping ports 8080 and 8443
docker run -d -p 8080:8080 -p 8443:8443 marcopinball/ofbiz-demo:latest
Startup time can take time. After the installation is done, you can access the OFBiz application by opening a web browser and navigating to: https://localhost:8443/myportal/.
You can login the OFBiz using the default credentials: the username is set as "Admin" and the password as "OFBiz".
Exploitation of CVE-2023-51467 (POC)
Threat actors deftly exploit this vulnerability by manipulating the checkLogin function through a meticulously crafted HTTP request. This involves supplying null or incorrect values for both password and username parameters, while also strategically setting requirePasswordChange to Y in the URI.
The initiation of the exploit is a carefully orchestrated process that circumvents the authentication checks. By directing a well-crafted HTTP request to /webtools/controls/xmlrpc, the program responds with the xmlrpc namespace page, signaling the success of the circumvention.
In this Proof of Concept, we are going to use a custom-built script to exploit this vulnerability and demonstrate how an attacker can bypass authentication. The script in question was written by another cybersecurity researcher @jakabakos and is readily available on GitHub for research purposes. You can download the script from their GitHub repository.
# Clone the repository to your local machine.
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git
# Install the Java
sudo apt install default-jre
# Verify Java Installation
java -version
This command should display information about the installed Java version.
Once the script is successfully downloaded and the Java installation is verified, we can proceed to execute the necessary commands for exploiting the system.
# Utilize scanner mode to check if the host is vulnerable
python3 exploit.py --url https://localhost:8443
When sending a web request to the specific path /webtools/control/ping?USERNAME&PASSWORD=test&requirePasswordChange=Y, the server responds with the word "PONG." This response indicates that the vulnerability has been triggered.
After running the command, it can be seen that the host is vulnerable to the CVE-2023-51467 authentication bypass vulnerability in Apache OFBiz. From now on, steps can be taken to further exploit the system and gain unauthorized access. For example, an attacker can attempt to execute arbitrary code or extract sensitive data.
python3 exploit.py --url https://localhost:8443 --cmd 'touch /tmp/Rce_POC_CVE-2023-51467'
With the provided command, we were able to create a file on the vulnerable system.
Using the exploit.py script, we have successfully remotely executed commands on the vulnerable system. Additionally, we directed the vulnerable system to send a curl request to the C2 server, confirming the successful execution of the command.
The analysis of the hacked OFBiz server involves examining the methods used by the attacker to exploit the system and gain unauthorized access. In this case, the attacker used a Python script called exploit.py to execute arbitrary code on the vulnerable system. By providing a specific command, the attacker was able to create a file on the system, demonstrating their ability to control and manipulate it remotely.
Root cause analysis is important to determine the underlying factors that led to the vulnerability and to prevent similar incidents in the future. The vulnerability is primarily caused by an insufficient patch that was applied to fix the previously known CVE-2023-49070 in the Apache OFBiz ERP system.
The Apache OFBiz login function insufficiently validated empty or invalid usernames and passwords during the patching process. This oversight made it possible for attackers to exploit an SSRF vulnerability by bypassing authentication using the "requirePasswordChange" parameter.
As depicted in the image, this vulnerability has resulted in a remote code execution:
https[:]//www.example.com:8443/webtools/control/xmlrpc/?USERNAME=&PASSWORD=&requirePasswordChange=Y.
As a result, the checkLogin function ends up returning success, allowing the authentication to be bypassed.
Effective detection plays a crucial role in addressing this vulnerability. It is essential to have a comprehensive understanding of log paths, the utilization of relevant security products, and knowing where to look for potential indicators, enhancing the overall detection strategy.
To access the section where application audit logs are stored within the Apache OFBiz web interface, navigate to Applications > Web Tools > Logging.
You can view logs, fetch logs, and modify log configurations on web interface.
To manually view the logs on the device, navigate to the "ofbiz/runtime/logs" directory to access OFBIZ logs.
To identify the exploitation of CVE-2023-51467, analyze the access_log for any suspicious activity. If you suspect your system is affected, initiate threat hunting to assess the extent of the impact.
To detect the exploitation of CVE-2023-51467, you can create rules on IDS and IPS to analyze network traffic containing the malicious request. Here is a Snort rule that detects exploitation attempts of CVE-2023-51467.
On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate EventID:217 - SOC254 - Apache OFBiz Auth Bypass and Code Injection 0-Day (CVE-2023-51467) and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.
In conclusion, it is crucial to promptly apply the necessary patch for a clean version in order to address any vulnerabilities in the system. Additionally, establishing rules on security products to monitor Java processes and network connections can help generate alerts and ensure that the patching process is completed effectively. By resolving the "EventID:217 - SOC254 Apache Ofbiz" alert in the LetsDefend Training section, individuals can further develop their analysis skills and gain a deeper understanding of relevant vulnerabilities. This will ultimately enhance proficiency in vulnerability analysis and contribute to overall system security.
