Apache OpenMeetings Flaw

OpenMeetings is an application that can be used for video calls, collaborative work, and presentations. It can also be added as a plugin to Jira, Confluence or Drupal applications.

Recent reports shared by SonarSource indicate that a newly discovered chain of vulnerabilities could allow threat actors to execute commands on the underlying server.


To exploit it, a threat actor only needs a regular OpenMeetings user account, which can be created easily.

The remote command execution is achieved by chaining three issues: a weak hash comparison, unrestricted access via an invitation hash, and a null-byte injection.


OpenMeetings lets users join a new room when an event is added to the calendar. It also lets users invite other users to a room, which is implemented by the Invitation class and its setRoom method.

Rooms in OpenMeetings (Source: Sonarsource)

Threat actors can hijack this functionality because the invitation hash is looked up with the SQL LIKE operator rather than an exact comparison. LIKE treats % and _ as wildcards, so an attacker who supplies them as the hash value can match, and ultimately enumerate, every invitation hash stored by the application.

Room invitation sending (Source: Sonarsource)

With this, threat actors can enumerate every valid invitation hash and use one to enter the corresponding room on behalf of the invited user. By itself, however, this grants no other actions.
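The following is an added example, not code from the article or from OpenMeetings, showing why a LIKE-based lookup is a weak hash comparison and how an attacker turns it into full enumeration. The table, the 40-character hex hash format and the endpoint behaviour (it only reveals whether a hash matched) are assumptions for the demonstration; the real schema is not on the page.

```python
import secrets
import sqlite3

HEX_ALPHABET = "0123456789abcdef"
HASH_LENGTH = 40  # assumption: 40 hex characters, as produced by secrets.token_hex(20)


def make_invitation_db(n_invites=3):
    """Constructed sample data: an in-memory table standing in for the
    invitation table. The real schema and hash format are not on the page."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE invitation ("
        "id INTEGER PRIMARY KEY, hash TEXT NOT NULL, invitee TEXT NOT NULL)"
    )
    for i in range(n_invites):
        con.execute(
            "INSERT INTO invitation (hash, invitee) VALUES (?, ?)",
            (secrets.token_hex(HASH_LENGTH // 2), f"user{i}"),
        )
    con.commit()
    return con


def get_by_hash_vulnerable(con, user_hash):
    """Lookup with LIKE, the pattern the article describes for CVE-2023-28936.
    The value is bound as a parameter, so this is not SQL injection: the bug is
    that LIKE interprets '%' (any run of characters) and '_' (exactly one
    character) inside the bound value as wildcards."""
    return con.execute(
        "SELECT hash, invitee FROM invitation WHERE hash LIKE ?", (user_hash,)
    ).fetchone()


def get_by_hash_fixed(con, user_hash):
    """Exact comparison: '%' and '_' are just literal characters here."""
    return con.execute(
        "SELECT hash, invitee FROM invitation WHERE hash = ?", (user_hash,)
    ).fetchone()


def enumerate_hashes(lookup, length=HASH_LENGTH, alphabet=HEX_ALPHABET):
    """Attacker side: recover every stored hash one character at a time.
    `lookup(candidate)` models a server endpoint that accepts a hash and only
    reveals whether it matched an invitation (a row or None). Each probe tests
    '<known prefix><next char>%'; a match confirms one more character, and the
    search branches wherever two hashes share a prefix, so all are recovered
    in at most len(alphabet) * length probes per hash."""
    found = []

    def extend(prefix):
        if len(prefix) == length:
            found.append(prefix)
            return
        for ch in alphabet:
            if lookup(prefix + ch + "%") is not None:
                extend(prefix + ch)

    extend("")
    return sorted(found)


def stored_hashes(con):
    """Ground truth for comparison; the attacker never sees this query."""
    return sorted(row[0] for row in con.execute("SELECT hash FROM invitation"))


if __name__ == "__main__":
    con = make_invitation_db()
    print("wildcard alone matches:", get_by_hash_vulnerable(con, "%"))
    recovered = enumerate_hashes(lambda h: get_by_hash_vulnerable(con, h))
    print("recovered every hash:", recovered == stored_hashes(con))
    print("fixed lookup with wildcard:", get_by_hash_fixed(con, "%"))
    print("fixed lookup enumerable:",
          enumerate_hashes(lambda h: get_by_hash_fixed(con, h)))
```

The fix is not input filtering but the comparison operator itself: once the query uses `=`, the wildcard characters lose their meaning and the prefix search returns nothing, so the only way to obtain a hash is to be the invitee it was sent to.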

Furthermore, threat actors can create a "zombie room": they create an event (which in turn creates a room) and join it. While they are inside, the room can be deleted, yet the room's invitation functionality still works.

Zombie Room creation (Source: Sonarsource)

By combining the wildcard enumeration with this invitation functionality, the attacker sends an invitation from the zombie room to the admin user, enumerates its hash and redeems it. Because the invitation no longer refers to a room, the hrights set that is passed along is empty, and the session falls back to the rights of the invited user, which in this case are administrative privileges.

Zombie room + Invitation to the Admin = Administrative Privilege (Source: Sonarsource)
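As an added example (not the article's or OpenMeetings' code), the following models the privilege inheritance described above: an invitation whose room has vanished yields an empty rights set, and a `set_user` that treats an empty set as "use the user's own rights" turns that into the invitee's full privileges. The class and right names, and the rule that a live room confers a single room right, are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Right names are illustrative; the article names only the hrights set.
ADMIN = "ADMIN"
ROOM = "ROOM"


@dataclass
class User:
    name: str
    rights: set


@dataclass
class Room:
    room_id: int
    deleted: bool = False


@dataclass
class Invitation:
    invite_hash: str
    invitee: User
    room: Optional[Room]  # None models an invitation sent from a zombie room


class Session:
    """Models the web session whose rights are assigned from an invitation."""

    def __init__(self, fall_back_to_user_rights):
        self.fall_back_to_user_rights = fall_back_to_user_rights
        self.user = None
        self.rights = set()

    def set_user(self, user, hrights):
        self.user = user
        if not hrights and self.fall_back_to_user_rights:
            # Vulnerable behaviour, as the article describes CVE-2023-29032:
            # an empty hrights set means "inherit the invited user's rights".
            self.rights = set(user.rights)
        else:
            self.rights = set(hrights)


def rights_from_invitation(inv):
    """The rights an invitation should confer: access to its room only.
    A deleted or missing room yields nothing, which is exactly the empty set
    that the vulnerable set_user reinterprets as 'inherit everything'."""
    if inv.room is None or inv.room.deleted:
        return set()
    return {ROOM}


def redeem_vulnerable(inv):
    session = Session(fall_back_to_user_rights=True)
    session.set_user(inv.invitee, rights_from_invitation(inv))
    return session.rights


def redeem_fixed(inv):
    """Hardened: refuse invitations that no longer point at a live room, and
    never substitute the invitee's own rights for the invitation's."""
    if inv.room is None or inv.room.deleted:
        raise PermissionError("invitation does not refer to an existing room")
    session = Session(fall_back_to_user_rights=False)
    session.set_user(inv.invitee, rights_from_invitation(inv))
    return session.rights


if __name__ == "__main__":
    admin = User("admin", {ADMIN, ROOM})
    normal = Invitation("h1", admin, Room(1))
    zombie = Invitation("h2", admin, None)  # room deleted after the invite was sent
    print("normal invite rights:", redeem_vulnerable(normal))
    print("zombie invite rights:", redeem_vulnerable(zombie))
    try:
        redeem_fixed(zombie)
    except PermissionError as exc:
        print("fixed:", exc)
```

Two separate checks are needed: rejecting room-less invitations closes the zombie-room path, and removing the fallback in `set_user` ensures that any future code path producing an empty rights set fails closed instead of escalating.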

With administrative access obtained, the final step is a null-byte injection. Java strings may contain null bytes, but ProcessBuilder hands the command to OS-specific code implemented in native C, where a null byte terminates the string. An admin-controlled value that reaches ProcessBuilder is therefore truncated at the null byte before it is executed, which lets the threat actor execute arbitrary commands on the underlying server.
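The following is an added example (not the article's or OpenMeetings' code) of the managed-runtime versus native-C mismatch that makes the null byte dangerous. The setup, in which an admin-supplied directory has a fixed binary name appended and is then checked as a whole string, is a hypothetical construction for the demonstration; the page does not say which setting OpenMeetings used. `ctypes.c_char_p` is used to read the value the way C code would, up to the first NUL.

```python
import ctypes
import os

BINARY = "ffmpeg"                                           # assumption: fixed helper name
ALLOWED_PREFIXES = ("/usr/bin", "/usr/local/bin", "/opt")   # assumption: allow-list


def build_command(configured_dir):
    """Application side (hypothetical): the admin supplies a directory and the
    application appends a fixed binary name, which on its face prevents the
    setting from being pointed at an arbitrary program."""
    return os.path.join(configured_dir, BINARY)


def managed_runtime_check(command):
    """A check made in the managed runtime sees the whole string. Java strings,
    like Python strings, may contain NUL, so the suffix check still passes."""
    return command.endswith(os.sep + BINARY)


def native_view(command):
    """What the OS-specific native layer receives: c_char_p reads the buffer as
    a C string, i.e. only up to the first NUL byte, exactly as execve would."""
    return ctypes.c_char_p(command.encode()).value.decode()


def hardened_check(configured_dir):
    """Reject control characters (NUL included) before the value is stored, and
    require the resolved command to live under an allow-listed prefix."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in configured_dir):
        return False
    if not os.path.isabs(configured_dir):
        return False
    resolved = os.path.realpath(build_command(configured_dir))
    return os.path.basename(resolved) == BINARY and any(
        resolved.startswith(prefix + os.sep) for prefix in ALLOWED_PREFIXES
    )


if __name__ == "__main__":
    malicious = "/bin/sh\x00/"
    cmd = build_command(malicious)
    print("managed check passes:", managed_runtime_check(cmd))
    print("native layer executes:", native_view(cmd))
    print("hardened check (malicious):", hardened_check(malicious))
    print("hardened check (benign):", hardened_check("/opt"))
```

The two views of the same string disagree: the managed check sees `/bin/sh\x00/ffmpeg` and is satisfied by the suffix, while the native layer sees `/bin/sh`. Validation therefore has to happen on the byte level, rejecting NUL outright, rather than trusting string-level suffix or existence checks.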

CVE-2023-28936: Weak Hash Comparison

This vulnerability exists because the getByHash method queries the Invitation object from the database using the user-provided hash with the LIKE operator. Since LIKE accepts wildcard values, every invitation hash on the OpenMeetings instance can be enumerated. This vulnerability was given a CVSS score of 5.3 (Medium).

CVE-2023-29032: Unrestricted Access via Invitation Hash

This vulnerability exists because, when no room is identified for the invitation, the hrights set passed to setUser is empty and the session inherits the invited user's own rights. This vulnerability was given a CVSS score of 8.1 (High).

CVE-2023-29246: Null-Byte Injection

A threat actor who has gained admin privileges on OpenMeetings can use a null-byte injection to achieve remote code execution on the server. This vulnerability was given a CVSS score of 7.2 (High).

Apache has released security patches for these vulnerabilities and fixed them in Apache OpenMeetings 7.1.0. Users are recommended to upgrade to the latest version of the application to avoid being attacked.

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.