CISA has added a critical security flaw in the Apache OFBiz open source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog.
Apache OFBiz is a system that helps industries manage their operations, such as customer relations, human resource functions, order processing, and warehouse management. Roughly 170 companies use Apache OFBiz, 41% of them in the US. These include bigwigs such as United Airlines, Home Depot, and HP Development, among many others, according to the platform website.
Tracked as CVE-2024-38856, the bug carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale, since it allows pre-authentication remote code execution (RCE). CISA’s move comes after proof-of-concept (PoC) exploits were made available to the public following the flaw’s disclosure in early August.
Organizations should update to version 18.12.15 to mitigate the threat. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of Sept. 17 to do so.
“What I can tell you from a SonicWall perspective [is that] we’ve seen pretty widespread exploitation attempts,” Douglas McKee, executive director of threat research at SonicWall, tells Dark Reading. “And I use the word ‘attempts’ because we don’t necessarily know if they were successful or not. About 16% of our customer base is being attempted to be exploited by this.”
One Vulnerability Leads to Another
CVE-2024-38856 initially was discovered earlier this month by researchers at SonicWall, while they were analyzing a different RCE flaw in the platform, CVE-2024-36104.
CVE-2024-36104 allows remote attackers to access system directories, due to an inadequate validation of user requests. This occurs specifically due to the ControlServlet and RequestHandler functions receiving different endpoints to process after receiving the same request. If functioning correctly, both should get the same endpoint to process.
While testing a patch for CVE-2024-36104, the researchers discovered the next flaw, CVE-2024-38856, which permits unauthenticated access by way of the ProgramExport endpoint. That endpoint could potentially enable arbitrary code execution and should be restricted.
McKee notes that ultimately, the discoveries represent a chain of multiple different vulnerabilities, for which Apache OFBiz has tried to treat the symptoms but not the root cause.
“Our researcher looked at the different patches coming out for Apache Office [and] became very familiar with the code base and, as a result, [were] kind of in an attacker mindset,” says McKee. “I like to say ‘think red, act blue’ right? Which is the concept of thinking like an attacker but doing things for the defensive side.” So, with SonicWall’s researchers in an attacker mindset, they looked at the fixes in place to patch one vulnerability and tried to get around them, leading to the discovery of another one.
Avoiding Exploitation
In a blog post, the SonicWall researchers laid out an attack chain for CVE-2024-38856. It includes the following request, which an attacker would send to Apache OFBiz to reach the program export functionality within the application, along with the parameter the attacker passes to it:
“POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
groovyProgram=throw new Exception (‘whoami’ .execute () .text) ;”
Other URLs that can be used to exploit CVE-2024-36104 are:
- POST /webtools/control/forgotPassword/ProgramExport
- POST /webtools/control/showDateTime/ProgramExport
- POST /webtools/control/TestService/ProgramExport
- POST /webtools/control/view/ProgramExport
- POST /webtools/control/main/ProgramExport
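Defenders can hunt for the URL shape listed above in web server access logs. The following is an added example, not code from the SonicWall post or the OFBiz project: it flags any request in which ProgramExport follows another segment under /webtools/control/, which generalizes the five listed paths. The access log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status in a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_path(target):
    """Return the normalized path when ProgramExport is requested behind another
    /webtools/control/ segment (the URL shape listed in the article), else None."""
    path = unquote(target.split("?", 1)[0])  # drop the query string, decode %xx once
    # Strip ;path-parameters and empty segments before matching.
    segments = [s.split(";", 1)[0] for s in path.split("/")]
    segments = [s for s in segments if s]
    if [s.lower() for s in segments[:2]] != ["webtools", "control"]:
        return None
    tail = segments[2:]
    # Assumption: a lone /webtools/control/ProgramExport is the normal,
    # login-protected page, so only the chained form is flagged.
    if len(tail) >= 2 and tail[-1].lower() == "programexport":
        return "/" + "/".join(segments)
    return None

def find_hits(log_lines):
    """Return (client, method, path, status) for every matching request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = suspicious_path(m.group("target"))
        if path:
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("method"), path, int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Aug/2024:10:01:02 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Aug/2024:10:01:09 +0000] "POST /webtools/control/main/ProgramExport?x=1 HTTP/1.1" 500 87',
    '198.51.100.7 - admin [28/Aug/2024:10:02:00 +0000] "GET /webtools/control/ProgramExport HTTP/1.1" 200 2048',
    '198.51.100.7 - admin [28/Aug/2024:10:02:05 +0000] "GET /webtools/control/main HTTP/1.1" 200 1024',
    '203.0.113.5 - - [28/Aug/2024:10:03:00 +0000] "POST /accounting/control/main HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit records an attempt, not a compromise; the status code and the surrounding host telemetry are needed to judge whether the request did anything.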
This vulnerability impacts every version of Apache OFBiz up to 18.12.14, and there are no interim patches available; users and organizations must upgrade to the latest version to prevent potential exploitation of the flaw.
Failure to promptly upgrade could “enable threat actors to manipulate login parameters and execute arbitrary code on the target server,” according to researchers at Zscaler who also analyzed the bug earlier this month, especially as attackers increasingly capitalize on publicly disclosed PoC exploits for vulnerabilities.