Cybersecurity researchers have created a proof-of-concept (PoC) exploit code for a newly disclosed critical flaw, CVE-2023-51467, in Apache OFBiz. This flaw was brought to light in December as an authentication bypass zero-day vulnerability in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system. By exploiting this vulnerability, an attacker can bypass authentication to achieve a simple Server-Side Request Forgery (SSRF).
The flaw exists in the login functionality and is a result of an incomplete patch for the Pre-auth RCE vulnerability CVE-2023-49070. SonicWall researchers highlighted that Apache OFBiz is part of the supply chain of prominent software, including Atlassian’s JIRA, used by over 120,000 companies. They stated, “As a result, like with many supply chain libraries, the impact of this vulnerability could be severe if leveraged by threat actors.”
The researchers found that the magic string requirePasswordChange=Y is the root cause of the authentication bypass, irrespective of the username and password field or other parameters in an HTTP request. Hence, removing the XML RPC code did not completely patch the flaw.
The issue has been addressed by Apache OFBiz in the release of version 18.12.11 or later. The researchers explained that the vulnerability CVE-2023-51467 can be used to execute a malicious payload directly into the memory. They noted that Apache OFBiz is not widely used software. A search on Shodan revealed more than 10,000 potential targets, most of which are honeypots.
The researchers also observed that the Syssrv botnet has been exploiting CVE-2020-9496 and CVE-2021-29200 in the wild. They noted that OFBiz was one of the first products to have a public Log4Shell exploit. The PoC exploit code, which targets both Windows and Linux systems, was published on GitHub. It uses an in-memory Nashorn reverse shell as the payload.