Cybersecurity researchers have developed proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OFBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.
The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.
While it was fixed in Apache OFBiz version 18.12.11, released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances.
The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no trace of malicious activity.
Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has seen exploitation attempts from 29 unique IP addresses over the past 30 days, per data from GreyNoise.
What's more, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of interest to defenders and attackers alike.
CVE-2023-51467 is no exception, with details about a remote code execution endpoint ("/webtools/control/ProgramExport") as well as a PoC for command execution emerging merely days after public disclosure.
While security guardrails (i.e., a Groovy sandbox) have been erected to block any attempts to upload arbitrary web shells or run Java code via the endpoint, the incomplete nature of the sandbox means that an attacker could run curl commands and obtain a bash reverse shell on Linux systems.
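As an added defender-side example (not code from the article or from VulnCheck), the following Python scans web-server access log lines for any request that reached the ProgramExport endpoint named above, since an in-memory payload leaves little else on disk to find later; the combined-log-format regex, the sample addresses and the log lines themselves are constructed assumptions.

```python
import re
from typing import Dict, List

# Endpoint named in the article for CVE-2023-51467. The comparison below is
# case-insensitive as a precaution (assumption: mapping may not be case-sensitive).
PROGRAM_EXPORT = "/webtools/control/ProgramExport"

# Combined access-log format (hypothetical pattern; adjust to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_program_export_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request whose path is the ProgramExport endpoint.

    Any such request from an unexpected source warrants investigation; the
    query string is stripped so the comparison is on the path alone.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # not an access-log line; skip rather than fail
            continue
        path = m.group("path").split("?", 1)[0]
        if path.lower() == PROGRAM_EXPORT.lower():
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count ProgramExport requests per source address for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample lines (not real traffic): two normal page loads and
# two ProgramExport requests from one external address.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:01:03 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:12:01:09 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 311',
    '198.51.100.20 - - [10/Jan/2024:12:02:15 +0000] "GET /catalog/control/main HTTP/1.1" 200 9012',
    '203.0.113.7 - - [10/Jan/2024:12:02:44 +0000] "POST /webtools/control/programexport?x=1 HTTP/1.1" 200 299',
]

if __name__ == "__main__":
    for h in find_program_export_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(count_by_source(find_program_export_hits(SAMPLE_LOG)))
```

A hit on this endpoint is not proof of compromise on its own, but on an instance older than 18.12.11 it should be treated as a probable exploitation attempt and correlated with outbound connections from the OFBiz process.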
"For a sophisticated attacker, though, these payloads aren't ideal," VulnCheck's Chief Technology Officer Jacob Baines said. "They touch the disk and rely on Linux-specific behavior."
The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux, and it gets around the denylist by taking advantage of groovy.util.Eval functions to launch an in-memory Nashorn reverse shell as the payload.
"OFBiz is not widely popular, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question if it was even possible," Baines said. "We have concluded that not only is it possible, but we can achieve arbitrary in-memory code execution."