From 141d6d2b140e9cccf2e5d437a21b9c64d2611f27 Mon Sep 17 00:00:00 2001 From: Wessel Date: Tue, 1 Oct 2024 14:33:27 +0200 Subject: [PATCH 1/8] added casefile for DIVD-2024-00029 --- _cases/2024/DIVD-2024-00039.md | 57 ++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 _cases/2024/DIVD-2024-00039.md diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md new file mode 100644 index 00000000..26147d98 --- /dev/null +++ b/_cases/2024/DIVD-2024-00039.md 
@@ -0,0 +1,57 @@ +--- +layout: case +title: "Incorrect Authorization vulnerability in Apache OFBiz resulting in RCE" +author: Wessel Baltus +lead: Wessel Baltus +excerpt: "In Apache OFBiz, version 18.12.14and below, a Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in a attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request." +researchers: +- Wessel Baltus +- Stan Plasmeijer +- Alwin Warringa +- Oscar Vlugt +cves: +- CVE-2024-38856 +product: +- Apache OFBiz +versions: +- versions 18.12.14 and below +recommendation: "Update to Apache OFBiz version 18.12.15 or higher if available" +workaround: "None" +patch_status: Patches available +status : Open +start: 2024-09-29 +end: None +timeline: +- start: 2024-09-29 + end: + event: "DIVD starts researching the vulnerability." +- start: 2024-09-29 + end: + event: "DIVD finds fingerprint, preparing to scan." +- start: 2024-09-29 + end: + event: "Case opened, first version of this casefile" +- start: 2024-09-29 + end: + event: "DIVD starts scanning the internet for vulnerable instances." + +--- + +## Summary + +CVE-2024-38856 is a critical pre-authentication remote code execution (RCE) vulnerability in Apache OFBiz. The flaw stems from insufficient validation of the ProgramExport endpoint, which can be accessed without authentication. Attackers exploit this by chaining the ProgramExport endpoint with other publicly accessible endpoints, effectively bypassing authentication controls. This allows the execution of arbitrary code on vulnerable systems, leading to full system compromise. The vulnerability affects versions of OFBiz up to 18.12.14, and upgrading to version 18.12.15 is required to mitigate this threat. + +## Recommendations + +The Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 as soon as possible. 
+ +## What we are doing + +DIVD is currently working to identify parties that are running a version of Apache OFBiz servers that contain this vulnerability and notify these parties. We do this by finding vulnerable Apache OFBiz instances that are connected to the Internet and verifying vulnerability using an non-weaponized exploit. +{% include timeline.html %} + +## More information + +* {% cve CVE-2024-38856 %} +* [National Vulnerability Database for CVE-2024-38856](https://nvd.nist.gov/vuln/detail/CVE-2024-38856) +* [Indepth information on CVE-2024-23692](https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce-vulnerability-apache-ofbiz) From d04e5d7e2086c449d0bf548c93623d69c41c5b60 Mon Sep 17 00:00:00 2001 From: Wessel Date: Tue, 1 Oct 2024 14:36:27 +0200 Subject: [PATCH 2/8] added casefile for DIVD-2024-00029 --- _cases/2024/DIVD-2024-00039.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 26147d98..7fd6b8f2 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md @@ -34,6 +34,9 @@ timeline: - start: 2024-09-29 end: event: "DIVD starts scanning the internet for vulnerable instances." +- start: 2024-10-01 + end: + event: "DIVD starts notifying network owners with a vulnerable instance in their network" --- From 60ddeb86849d3690c3cd989a64811c1c002001d8 Mon Sep 17 00:00:00 2001 From: Wessel Date: Tue, 1 Oct 2024 14:40:09 +0200 Subject: [PATCH 3/8] added casefile for DIVD-2024-00039 --- _cases/2024/DIVD-2024-00039.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 7fd6b8f2..01c9692e 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md 
@@ -17,7 +17,7 @@ versions: - versions 18.12.14 and below recommendation: "Update to Apache OFBiz version 18.12.15 or higher if available" workaround: "None" -patch_status: Patches available +patch_status: Patch available status : Open start: 2024-09-29 end: None From 568c641b2b0077cf77a2cb884750a6edbbbaf872 Mon Sep 17 00:00:00 2001 From: Wessel Date: Tue, 1 Oct 2024 14:48:36 +0200 Subject: [PATCH 4/8] Fix casefile for DIVD-2024-00039 --- _cases/2024/DIVD-2024-00039.md | 1 - 1 file changed, 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 01c9692e..4a29ccfc 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md @@ -20,7 +20,6 @@ workaround: "None" patch_status: Patch available status : Open start: 2024-09-29 -end: None timeline: - start: 2024-09-29 end: From a3503a3086dbe4f732d85d3d569c025e8b0b3579 Mon Sep 17 00:00:00 2001 From: WesselDIVD <126914416+WesselDIVD@users.noreply.github.com> Date: Wed, 2 Oct 2024 21:24:20 +0200 Subject: [PATCH 5/8] Update _cases/2024/DIVD-2024-00039.md Co-authored-by: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com> --- _cases/2024/DIVD-2024-00039.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 4a29ccfc..53633dd2 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md 
@@ -3,7 +3,7 @@ layout: case title: "Incorrect Authorization vulnerability in Apache OFBiz resulting in RCE" author: Wessel Baltus lead: Wessel Baltus -excerpt: "In Apache OFBiz, version 18.12.14and below, a Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in a attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request." +excerpt: "In Apache OFBiz, version 18.12.14 and below, an Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in an attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request." researchers: - Wessel Baltus - Stan Plasmeijer From 30034989a7bd1b2700110db702a65d978598e370 Mon Sep 17 00:00:00 2001 From: WesselDIVD <126914416+WesselDIVD@users.noreply.github.com> Date: Wed, 2 Oct 2024 21:24:24 +0200 Subject: [PATCH 6/8] Update _cases/2024/DIVD-2024-00039.md Co-authored-by: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com> --- _cases/2024/DIVD-2024-00039.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 53633dd2..7d36eaef 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md @@ -45,7 +45,7 @@ CVE-2024-38856 is a critical pre-authentication remote code execution (RCE) vuln ## Recommendations -The Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 as soon as possible. +The Apache OFBiz versions 18.12.14 and below are vulnerable. Upgrade to version 18.12.15 or higher as soon as possible. ## What we are doing From ff5bbcfd7f31e53727866eb3cdd7aec4ea68c6f6 Mon Sep 17 00:00:00 2001 
From: WesselDIVD <126914416+WesselDIVD@users.noreply.github.com> Date: Wed, 2 Oct 2024 21:24:29 +0200 Subject: [PATCH 7/8] Update _cases/2024/DIVD-2024-00039.md Co-authored-by: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com> --- _cases/2024/DIVD-2024-00039.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 7d36eaef..091f7649 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md @@ -1,6 +1,6 @@ --- layout: case -title: "Incorrect Authorization vulnerability in Apache OFBiz resulting in RCE" +title: "Incorrect Authorization vulnerability in Apache OFBiz resulting in Remote Code Execution" author: Wessel Baltus lead: Wessel Baltus excerpt: "In Apache OFBiz, version 18.12.14 and below, an Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in an attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request." From d46643d5523b64cb39c1d6efdda672241c2fc4e0 Mon Sep 17 00:00:00 2001 From: Wessel Date: Wed, 2 Oct 2024 21:31:17 +0200 Subject: [PATCH 8/8] Fixed build failing due overly long title --- _cases/2024/DIVD-2024-00039.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_cases/2024/DIVD-2024-00039.md b/_cases/2024/DIVD-2024-00039.md index 091f7649..28d26649 100644 --- a/_cases/2024/DIVD-2024-00039.md +++ b/_cases/2024/DIVD-2024-00039.md 
@@ -1,6 +1,6 @@ --- layout: case -title: "Incorrect Authorization vulnerability in Apache OFBiz resulting in Remote Code Execution" +title: "Incorrect authorization vulnerability in Apache OFBiz resulting in RCE" author: Wessel Baltus lead: Wessel Baltus excerpt: "In Apache OFBiz, version 18.12.14 and below, an Incorrect Authorization vulnerability exists that allows pre-authentication remote code execution (RCE) resulting in an attacker being able to execute arbitrary commands on the affected system by sending a specially crafted HTTP request."
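Review bot: In the new file's "More information" list (patch 1/8), the third link is labelled "Indepth information on CVE-2024-23692" but its URL is the Zscaler write-up for CVE-2024-38856, the CVE this case is about; the label should read "In-depth information on CVE-2024-38856", and this mislabel survives all eight patches. Two smaller points in the same hunk: the commit subject says "added casefile for DIVD-2024-00029" while the file created is `_cases/2024/DIVD-2024-00039.md`, so the case ID in the subject should be corrected, and "verifying vulnerability using an non-weaponized exploit" should read "a non-weaponized exploit".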
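Review bot: The timeline event added in patch 2/8 ("DIVD starts notifying network owners with a vulnerable instance in their network") lacks the trailing period that the four existing events in the same list use; add it for consistency. The commit subject again references DIVD-2024-00029 for a change to `DIVD-2024-00039.md`.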
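Review bot: Patch 3/8 changes `patch_status` to "Patch available", which reads correctly for a single fixed release; while touching this block, the context line `status : Open` has a space before the colon that no other front-matter key has. YAML strips trailing whitespace from a plain scalar key, so it still parses as `status`, but it should be written `status: Open` like the rest.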
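Review bot: Dropping `end: None` in patch 4/8 is the right fix: an unquoted `None` is not a YAML null, it is the string "None", so a case template expecting an empty or absent `end` for an open case would have received a non-empty value. Note that `workaround: "None"` two lines above is a deliberately quoted string shown to readers and should stay as is.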
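Review bot: Patch 8/8 lowercases "authorization" in the title ("Incorrect authorization vulnerability in Apache OFBiz resulting in RCE") while the `excerpt` line in the same hunk still reads "an Incorrect Authorization vulnerability"; pick one capitalisation for the CWE name and apply it to both. Since patches 7/8 and 8/8 together only change the casing of one word, they could be squashed, and the commit message's "build failing due overly long title" suggests the maximum title length the build enforces should be documented in the case template so the next author does not hit it.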