Overview
On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.
On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.
Cyble Global Sensor Intelligence (CGSI) findings
Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.
Vulnerability Details
Remote Code Execution
CVE-2024-32113
CVSSv3.1
9.1
Severity
Critical
Vulnerable Software Versions
Apache OFBi versions before 18.12.13
Description
The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.
Overview of the Exploit
The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.
Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.
Mitigation
CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.
Recommendations
The recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities are as follows:
- Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.
- Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.
- Apply the principle of least privilege to limit the potential impact of any successful exploitation.
- Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.
Indicators of Compromise
| Indicators | Indicator Type | Description |
| 185[.]190[.]24[.]111 | IPv4 | Malicious IP |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-32113
- https://nvd.nist.gov/vuln/detail/CVE-2024-45195
- https://thehackernews.com/2024/09/apache-ofbiz-update-fixes-high-severity.html
- https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
- https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/
- https://issues.apache.org/jira/browse/OFBIZ-13006
- https://github.com//Mr-xn//CVE-2024-32113
