Three separate security vulnerabilities in the Apache OpenMeetings open source Web conferencing application can be strung together into an attack chain that allows threat actors to take over a user account, gain admin privileges, and ultimately execute arbitrary code on a server running the app.
OpenMeetings can be used for video calls, presentations, and other collaborative work, and is widely deployed in tens of thousands of enterprises, across both cloud and on-prem installations.
SonarSource threat researcher Stefan Schiller outlined the flaws in a report on Thursday that disclosed the triple threat: a weak hash comparison bug tracked as CVE-2023-28936; an unrestricted access via invitation hash bug tracked as CVE-2023-29023; and a null-byte injection bug tracked as CVE-2023-29246.
Users are urged to update OpenMeetings to version 7.1.0, which includes a fix for all three flaws.
OpenMeetings' Weak Hash Comparison Kicks Off Attack Chain
The trio of issues exist in the application's room creation and invitation process. Schiller explained in the report that whenever a new OpenMeetings invitation is sent, an individual virtual "room" is generated, in which one user can invite another user. Both the room and the user receive randomly generated hashes that are unique to that user and that room.
The first hole in this process, the weak hash comparison, can be exploited to allow unauthorized access to an OpenMeetings invitation.
"The invitation hash is a long value (e.g., 3c6a04c8-f935-4226-90f9-34adbd7b4c2d), which is supposed to be secret," Schiller explains to Dark Reading. "Only someone who knows this value can redeem this invitation. But if an attacker uses a wildcard search when trying to redeem an invitation (e.g., 3%, which translates to: 'redeem the invitation hash beginning with the character 3'), the attacker can simply redeem this invitation without knowing the long secret value."
In this instance, no authentication is required, he points out.
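The weak-comparison class of bug described above comes down to how the redemption lookup matches the supplied value against the stored hash. The following Python example is added here to illustrate the pattern and its fix; it is not OpenMeetings code and does not reproduce the project's actual query. The table schema, the function names, and the sample invitation row are constructed for the illustration; the UUID value is the one quoted in the report. The weak variant runs the supplied value through a pattern match, so a prefix followed by a wildcard character is accepted; the hardened variant rejects anything that is not a well-formed hash, looks up by exact equality, and confirms the match in constant time.

```python
import hmac
import re
import sqlite3

# Example value quoted in the report; stored here as constructed sample data.
SAMPLE_HASH = "3c6a04c8-f935-4226-90f9-34adbd7b4c2d"

# A redeemable hash must look exactly like a lowercase UUID: no '%' or '_' can get through.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with one pending invitation (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invitation (hash TEXT PRIMARY KEY, invitee TEXT NOT NULL, room_id INTEGER)"
    )
    conn.execute("INSERT INTO invitation VALUES (?, ?, ?)", (SAMPLE_HASH, "admin", 42))
    conn.commit()
    return conn


def redeem_weak(conn: sqlite3.Connection, supplied: str):
    """Weak lookup: LIKE treats '%' and '_' in the supplied value as wildcards,
    so a value such as '3%' matches any stored hash that starts with '3'.
    The query is parameterized, so this is not SQL injection; the defect is the
    comparison operator itself."""
    row = conn.execute(
        "SELECT invitee FROM invitation WHERE hash LIKE ?", (supplied,)
    ).fetchone()
    return row[0] if row else None


def redeem_strict(conn: sqlite3.Connection, supplied: str):
    """Hardened lookup: validate the shape first, fetch by exact equality, then
    re-check with a constant-time comparison so a permissive collation on the
    column cannot widen the match."""
    if not UUID_RE.match(supplied):
        return None
    row = conn.execute(
        "SELECT hash, invitee FROM invitation WHERE hash = ?", (supplied,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0], supplied):
        return None
    return row[1]


if __name__ == "__main__":
    db = make_db()
    print("weak,   '3%'      ->", redeem_weak(db, "3%"))        # admin: prefix wildcard accepted
    print("strict, '3%'      ->", redeem_strict(db, "3%"))      # None: rejected
    print("strict, full hash ->", redeem_strict(db, SAMPLE_HASH))  # admin
```

The shape check matters as much as the operator: once the value is known to be a plain UUID string, no wildcard or pattern metacharacter can reach the query, whichever comparison the database applies underneath.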
Once the attacker has taken over the invite and entered the room, the second bug allows the attacker to create "zombie rooms." Combined with the first vulnerability, this sets up the path to elevating privileges and remote code execution.
Exploiting OpenMeetings Zombie Rooms
Schiller noted in the analysis that "attackers can trigger certain actions in an unexpected order to create a room invitation without a room assigned to it. This results in an unrestricted invitation to access any user account."
This "unexpected order" works like this, according to the SonarSource report: A cyberattacker could create an event, then join the room associated with the event, then delete the event while remaining in the room.
"Although the room would be deleted when its associated event is deleted, the presence of the attacker in the room makes this a zombie room," Schiller wrote. "Next, the attacker creates an invitation for the admin user to this room."
Because of the second flaw, a user with an invitation that has no room attached to it has unfettered access to the entire application. Threat actors can take over the admin invite they just created with the process outlined above, resulting in elevated privileges. Thus, they gain the ability to change settings and more, Schiller explains to Dark Reading.
"In order to create an invitation (e.g., invite the admin user to gain his privileges), a registered user is required," Schiller adds. "By default, anybody can simply register a user, which does not make this a hurdle for an attacker."
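The zombie-room sequence is an ordering bug in how invitation scope is derived from a room that may no longer exist. The Python model below is added here to show the fail-open logic the report describes next to a fail-closed version, so the sequence can serve as a regression check for the fix; it is a simplified illustration, not OpenMeetings code, and the classes, method names and scope strings are constructed for it. The same sequence (create event, join its room, delete the event while still present, invite the admin to that room) runs against both models: the fail-open server derives "no room" from the dangling reference and grants an unscoped invitation, while the fail-closed server evicts participants and revokes invitations when the event goes away, refuses to issue an invitation for a room that no longer exists, and treats any invitation without a room as granting nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Room:
    room_id: int
    participants: Set[str] = field(default_factory=set)


@dataclass
class Invitation:
    invitee: str
    room_id: Optional[int]  # None means "no room attached"


class ConferenceServer:
    """Hypothetical model of event/room/invitation handling (not OpenMeetings code)."""

    def __init__(self, fail_closed: bool):
        self.fail_closed = fail_closed
        self.events: Dict[int, int] = {}   # event_id -> room_id
        self.rooms: Dict[int, Room] = {}   # room_id -> Room
        self.invitations: List[Invitation] = []
        self._next_id = 1

    def create_event(self, owner: str) -> int:
        event_id = self._next_id
        self._next_id += 1
        self.rooms[event_id] = Room(event_id)
        self.events[event_id] = event_id
        return event_id

    def join_room(self, user: str, room_id: int) -> None:
        self.rooms[room_id].participants.add(user)

    def delete_event(self, event_id: int) -> Room:
        """Deleting the event also deletes its room. The fail-open model leaves
        participants and invitations dangling; the fail-closed model cascades."""
        room_id = self.events.pop(event_id)
        room = self.rooms.pop(room_id)
        if self.fail_closed:
            room.participants.clear()  # evict everyone still present
            self.invitations = [i for i in self.invitations if i.room_id != room_id]
        return room  # the caller may still hold this object: the "zombie" room

    def create_invitation(self, inviter: str, invitee: str, room: Room) -> Invitation:
        """Only a participant of a live room may invite to it. The fail-open model
        silently records 'no room' when the room is gone; the fail-closed model refuses."""
        live = room.room_id in self.rooms
        if self.fail_closed and (not live or inviter not in room.participants):
            raise PermissionError("room no longer exists or inviter is not present")
        inv = Invitation(invitee, room.room_id if live else None)
        self.invitations.append(inv)
        return inv

    def scope_for(self, inv: Invitation) -> str:
        """Authorization granted when an invitation is redeemed."""
        if inv.room_id is None:
            # fail-open: missing room is read as 'no restriction'; fail-closed: nothing
            return "NONE" if self.fail_closed else "ALL"
        if inv.room_id not in self.rooms:
            return "NONE"
        return f"room:{inv.room_id}"


def run_sequence(fail_closed: bool) -> str:
    """Replay the ordering from the report and return the scope the admin invite would grant."""
    server = ConferenceServer(fail_closed)
    attacker = "registered-user"
    event_id = server.create_event(attacker)
    server.join_room(attacker, event_id)
    zombie = server.delete_event(event_id)  # attacker still holds the room object
    try:
        inv = server.create_invitation(attacker, "admin", zombie)
    except PermissionError:
        return "REFUSED"
    return server.scope_for(inv)


if __name__ == "__main__":
    print("fail-open  :", run_sequence(False))  # ALL
    print("fail-closed:", run_sequence(True))   # REFUSED
```

Two independent checks close the hole: issuing an invitation requires a room that still exists and an inviter who is still a participant, and redeeming one with no room yields no access rather than all access. Either check alone stops this sequence; keeping both means a future ordering bug in one path does not reopen it.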
From there, the attacker, armed with admin rights, can use the third bug to escape to the full server on which OpenMeetings is hosted and remotely execute code.
"Once the third vulnerability is exploited, an attacker has full access to the targeted server," Schiller warns. "This access is not limited to the OpenMeetings app. Instead, the attacker can access any data stored on the server, install malicious software (e.g. cryptominers), and pivot to the internal network."
Patch OpenMeetings Now
With the release of OpenMeetings 7.1.0, Apache noted security enhancements in invitation hashes, user permissions, admin paths, and more to remedy the weaknesses. The patches are not ones to sleep on: The official Docker image has been downloaded more than 50,000 times, and OpenMeetings can also be deployed as a plugin for applications such as Jira, Confluence, or Drupal. Its footprint and the increased usage of collaboration apps in the era of remote work are strong lures for cyberthreat actors.
"Its widespread adoption and the fact that it might be used for sensitive discussions, meetings, and collaborations make it an attractive target for attackers," the analysis warned.