CVE-2024-32113, Vulnerability, Exploit

Overview

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.

On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.

Cyble Global Sensor Intelligence (CGSI) findings

Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.

Screenshot of exploitation attempts observed via CGSI network
Figure 1 – Screenshot of exploitation attempts observed via CGSI network

Vulnerability Details

Remote Code Execution

CVE-2024-32113

CVSSv3.1

9.1

Severity

Critical

Vulnerable Software Versions

Apache OFBi versions before 18.12.13

Description

The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.

Overview of the Exploit

The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.

Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.

Figure 2 – Executing Commands with Payload

Mitigation

CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.

Recommendations

Following are recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities:

  • Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.
  • Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.
  • Apply the principle of least privilege to limit the potential impact of any successful exploitation.
  • Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.

Indicators of Compromise

Indicators Indicator
Type
Description
185[.]190[.]24[.]111 IPv4 Malicious IP

References

The post The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks appeared first on Cyble.