Apache OpenMeetings Flaw Allows Server Hijacks and Command Execution
OpenMeetings is a web conferencing application used for video calls, collaborative work, and presentations. It can also be integrated as a plugin into Jira, Confluence or Drupal.
Recent research published by SonarSource describes a newly discovered vulnerability chain that could allow threat actors to execute commands on the underlying server.
An attacker only needs an account, which can be registered easily on OpenMeetings, to exploit this vulnerability.
This remote command execution is a combination of a weak hash comparison, unrestricted access via invitation, and null-byte injection, chained together into command execution on the server.
Apache OpenMeetings Flaw
OpenMeetings lets users join a new room when an event is added to the calendar. It also allows users to send an invitation to other users, which is implemented in the Invitation class and its setRoom method.
This functionality can be hijacked because the invitation hash is looked up with the SQL LIKE operator, which honours wildcard characters in the supplied value. As a result, an attacker can retrieve every invitation hash.
By enumerating the valid invitation hashes, an attacker can gain access to a specific room on behalf of the invited user. On its own, however, this does not permit any other action.
Furthermore, an attacker can obtain a "zombie" room by creating an event (which implicitly creates a room) and joining that room. While the attacker is still inside, the room can be deleted, yet the room's send-invitation function still works.
Combining the wildcard enumeration with the invitation feature, the attacker sends an invitation from the zombie room to the admin user and then uses that invitation's hash. Because the room no longer exists, the rights set on the invitation is left empty and the session inherits the privileges of the invited user, so the attacker gains administrative rights.
With admin privileges, the attacker can then exploit a null-byte injection: Java's ProcessBuilder passes arguments containing a null byte through to the OS-specific native C implementation, which treats the null byte as a string terminator. This lets the attacker execute arbitrary commands on the underlying server.
CVE-2023-28936: Weak Hash Comparison
This vulnerability exists because the getByHash method queries the Invitation object from the database by the user-supplied hash using the LIKE operator. Since LIKE accepts wildcard values, an attacker can enumerate all invitation hashes in the OpenMeetings application. This vulnerability has a CVSS score of 5.3 (Medium).
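The following is an added example, not code from the article or from OpenMeetings, that models the weak lookup described above against a constructed SQLite table. `get_by_hash_vulnerable` binds the caller's value to a LIKE pattern, as the flawed `getByHash` did, so `%` and `_` act as wildcards; `enumerate_hashes` turns that into a prefix-walking oracle that recovers every stored hash one character at a time, and `get_by_hash_fixed` shows the exact-match comparison that closes the hole. The table layout, column names and hex-string hash format are assumptions for the demonstration.

```python
"""Model of CVE-2023-28936: invitation lookup with LIKE versus exact match.

Added example; the schema and the sample invitations below are constructed
for the demonstration and are not OpenMeetings' real data model.
"""
import sqlite3
from typing import Callable, List, Optional, Tuple

HEX = "0123456789abcdef"  # assumed hash alphabet for the prefix walk

# Constructed sample data: (hash, room_id, invitee).
SAMPLE_INVITATIONS = [
    ("3f9a1c", 1, "alice"),
    ("3f9b77", 2, "bob"),
    ("a0e4d2", 3, "admin"),
]

Row = Tuple[str, int, str]
Lookup = Callable[[sqlite3.Connection, str], Optional[Row]]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed invitations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invitation (hash TEXT PRIMARY KEY, room_id INTEGER, invitee TEXT)"
    )
    conn.executemany("INSERT INTO invitation VALUES (?, ?, ?)", SAMPLE_INVITATIONS)
    return conn


def get_by_hash_vulnerable(conn: sqlite3.Connection, user_hash: str) -> Optional[Row]:
    """Flawed lookup: the user-controlled value is bound to a LIKE pattern,
    so '%' matches any hash and '_' matches any single character."""
    return conn.execute(
        "SELECT hash, room_id, invitee FROM invitation WHERE hash LIKE ?", (user_hash,)
    ).fetchone()


def get_by_hash_fixed(conn: sqlite3.Connection, user_hash: str) -> Optional[Row]:
    """Hardened lookup: exact equality, so wildcard characters are literal."""
    return conn.execute(
        "SELECT hash, room_id, invitee FROM invitation WHERE hash = ?", (user_hash,)
    ).fetchone()


def enumerate_hashes(lookup: Lookup, conn: sqlite3.Connection,
                     alphabet: str = HEX, max_len: int = 64) -> List[str]:
    """Depth-first prefix walk over the lookup oracle.

    For each candidate prefix P we ask for 'P%'. A row back means some hash
    starts with P; if the returned hash *is* P we have recovered a full hash.
    Either way we keep extending P, so hashes sharing a prefix are all found.
    Against an exact-match lookup the walk finds nothing.
    """
    found: List[str] = []
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) >= max_len:
            continue
        for ch in alphabet:
            candidate = prefix + ch
            row = lookup(conn, candidate + "%")
            if row is None:
                continue
            if row[0] == candidate:
                found.append(candidate)
            stack.append(candidate)
    return sorted(found)


if __name__ == "__main__":
    db = make_db()
    print("wildcard alone:", get_by_hash_vulnerable(db, "%"))
    print("enumerated via LIKE:", enumerate_hashes(get_by_hash_vulnerable, db))
    print("enumerated via '=':", enumerate_hashes(get_by_hash_fixed, db))
```

The walk costs one query per alphabet symbol per prefix, so a few hundred requests recover every short hash in the constructed table; with real-length hashes the cost grows linearly with hash length, not exponentially, which is why a wildcard-capable comparison of a secret token is a disclosure bug rather than a brute-force problem.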
CVE-2023-29032: Unrestricted Access via Invitation Hash
This vulnerability exists because the rights set inherits the invited user's rights if no room is found when the invitation is passed to setUser. It was given a CVSS score of 8.1 (High).
CVE-2023-29246: Null-Byte Injection
An attacker who has gained admin privileges on OpenMeetings can perform null-byte injection to achieve remote code execution on the server. It was given a CVSS score of 7.2 (High).
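As an added example, not code from the article or from OpenMeetings, the block below models the mismatch that makes null-byte injection work: an application-level check that inspects the whole managed string, and a native exec boundary that stops reading each argument at its first NUL. The suffix check in `java_side_check` and the assumed admin-controlled "tool path" are stand-ins for the demonstration, not OpenMeetings' actual validation; `hardened_check` shows the fix of rejecting NUL before the string ever reaches the native layer, and `python_rejects_nul` confirms that CPython's own subprocess layer refuses such arguments outright.

```python
"""Model of CVE-2023-29246: whole-string validation versus a C-string view.

Added example. The validation rule and the 'tool path' setting are assumed
for illustration; they are not OpenMeetings' real checks or settings.
"""
import subprocess
from typing import List, Tuple

NUL = "\x00"


def java_side_check(path: str, allowed_suffix: str = "ffmpeg") -> bool:
    """Assumed managed-code check: looks at the full string, so a NUL in
    the middle is just another character and the suffix test still passes."""
    return path.endswith(allowed_suffix) and "/.." not in path


def native_view(args: List[str]) -> List[str]:
    """What a NUL-terminated C API (execve and friends) sees for each
    argument: everything after the first NUL is silently dropped."""
    return [a.split(NUL, 1)[0] for a in args]


def plan_command(path: str, extra: List[str]) -> Tuple[bool, List[str]]:
    """Vulnerable flow: validate the managed string, then hand the argv to
    a native layer. Returns (accepted, argv_as_native_layer_sees_it)."""
    if not java_side_check(path):
        return False, []
    return True, native_view([path] + extra)


def hardened_check(path: str, allowed_suffix: str = "ffmpeg") -> bool:
    """Fixed flow: reject any argument containing NUL before any other check,
    so the managed and native views of the string can never diverge."""
    if NUL in path:
        return False
    return java_side_check(path, allowed_suffix)


def python_rejects_nul() -> bool:
    """CPython's subprocess refuses argv entries with an embedded NUL by
    raising ValueError before anything is executed."""
    try:
        subprocess.run(["true" + NUL + "x"], capture_output=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed malicious value: passes the suffix check, but the native
    # layer executes only the part before the NUL.
    evil = "/tmp/payload.sh" + NUL + "/usr/bin/ffmpeg"
    print("vulnerable flow:", plan_command(evil, ["-version"]))
    print("hardened check :", hardened_check(evil))
    print("CPython rejects:", python_rejects_nul())
```

The point to carry away is that the check and the consumer must agree on what the string is; any validation that runs on a Java (or Python) string but protects a C-string consumer must reject NUL explicitly, because the native side will never see what was validated.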
Apache has released security patches and fixed these vulnerabilities in Apache OpenMeetings 7.1.0. Users are strongly advised to upgrade to the latest version of the application to avoid being attacked.
Source credit: cybersecuritynews.com