On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) reported active exploitation of CVE-2024-32113, a critical path traversal vulnerability in Apache OFBiz. This vulnerability allows attackers to execute arbitrary commands through specially crafted requests. The situation worsened with the discovery of CVE-2024-45195, which bypasses previous patches, leading to increased exploitation attempts, including the deployment of the Mirai botnet.
Key Points:- Vulnerability Identified: CVE-2024-32113, a critical path traversal vulnerability in Apache OFBiz.
- Exploitation Date: Active exploitation detected on September 4, 2024.
- Severity Rating: CVSSv3.1 score of 9.1, categorized as critical.
- Vulnerable Versions: Affects Apache OFBiz versions prior to 18.12.13.
- Exploitation Method: Attackers send crafted requests to execute arbitrary commands on the server.
- Mitigation Recommendation: Upgrade to Apache OFBiz version 18.12.16 or later.
- Additional Threat: CVE-2024-45195 allows bypassing of previous patches, increasing exploitation risks.
- Execution – TA0002
- Execution of arbitrary commands through crafted requests.
- Persistence – TA0003
- Deployment of the Mirai botnet on compromised systems.
- Credential Access – TA0006
- Unauthorized access to sensitive information through command execution.
Overview
On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.
On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.
Cyble Global Sensor Intelligence (CGSI) findings
Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.
Vulnerability Details
Remote Code Execution
CVE-2024-32113
CVSSv3.1
9.1
Severity
Critical
Vulnerable Software Versions
Apache OFBi versions before 18.12.13
Description
The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.
Overview of the Exploit
The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.
Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.
Mitigation
CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.
Recommendations
Following are recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities:
- Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.
- Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.
- Apply the principle of least privilege to limit the potential impact of any successful exploitation.
- Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.
Indicators of Compromise
Indicators | Indicator Type |
Description |
185[.]190[.]24[.]111 | IPv4 | Malicious IP |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-32113
- https://nvd.nist.gov/vuln/detail/CVE-2024-45195
- https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html
- https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
- https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/
- https://issues.apache.org/jira/browse/OFBIZ-13006
- https://github.com//Mr-xn//CVE-2024-32113
The post The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks appeared first on Cyble.