Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-51467)
Introduction
On December 26, 2023, researchers at SonicWall announced the discovery of a zero-day security flaw in Apache OFBiz. Tracked as CVE-2023-51467, the vulnerability allows threat actors to bypass authentication and perform a Server-Side Request Forgery (SSRF). CVE-2023-51467 earned a critical CVSS score of 9.8. According to researchers at SonicWall, a patch released for another vulnerability, CVE-2023-49070, left the initial issue unresolved, making authentication bypass possible.
Recommendations
Zscaler ThreatLabz strongly advises users of Apache OFBiz software to promptly upgrade to version 18.12.11, as this version contains crucial fixes to mitigate the identified security vulnerability (CVE-2023-51467).
Affected Versions
The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately:
- All versions 18.12.10 and below are impacted by CVE-2023-51467
- All versions 18.12.9 and below are impacted by CVE-2023-49070
Background
Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries. This includes tools to manage operations like customer relationships, order processing, human resource functions, and warehouse management.
On December 4, 2023, Apache released a patch to fix CVE-2023-49070. For this fix, Apache removed the XMLRPC endpoint and the OFBiz XMLRPC library, which was not maintained regularly. However, this fix didn’t resolve the root cause of CVE-2023-49070.
While validating the fix for CVE-2023-49070, researchers from SonicWall bypassed authentication in the newly fixed version of Apache OFBiz, leading to CVE-2023-51467.
How It Works
A threat actor sends an HTTP request to exploit a flaw in the checkLogin function. When null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, the checkLogin function fails to validate the credentials, leading to authentication bypass. This occurs because the program flow circumvents the conditional block meant to check the username and password fields. By manipulating login parameters, threat actors can achieve Remote Code Execution (RCE) on a target server.
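The pattern described above is visible in web server access logs: a request that sets requirePasswordChange=Y while leaving the username and password parameters empty or absent. The following is an added detection example written for this post, not code from Zscaler or the Apache OFBiz project. It assumes the OFBiz login parameters are named USERNAME and PASSWORD (taken from the OFBiz login form, not from the advisory text), and the log lines it scans are constructed samples, not real traffic. It only catches credentials that are missing or blank; "invalid" but non-empty credentials cannot be judged from a log line.

```python
"""Flag OFBiz login requests matching the CVE-2023-51467 pattern in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format carries the request line as "METHOD /path?query HTTP/x.y".
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameter names used by the OFBiz login handler (assumption: taken from the
# OFBiz login form, not stated in the advisory text).
USER_PARAM = "USERNAME"
PASS_PARAM = "PASSWORD"
FLAG_PARAM = "requirePasswordChange"


def is_suspicious_query(query: str) -> bool:
    """True when requirePasswordChange=Y is combined with a missing or blank
    username or password, i.e. the condition under which checkLogin skips
    credential validation."""
    params = parse_qs(query, keep_blank_values=True)
    if "Y" not in params.get(FLAG_PARAM, []):
        return False
    # A missing parameter is treated like a blank one; both are "null" to checkLogin.
    user_values = params.get(USER_PARAM, [""])
    pass_values = params.get(PASS_PARAM, [""])
    return any(v.strip() == "" for v in user_values) or any(
        v.strip() == "" for v in pass_values
    )


def scan_access_log(lines):
    """Return (line_number, path, query) for every request that matches the pattern.
    Hits are exploitation attempts, not confirmed compromises: correlate with the
    response status and with the OFBiz version actually running on the host."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if is_suspicious_query(parts.query):
            hits.append((number, parts.path, parts.query))
    return hits


# Constructed sample lines (not real traffic; paths are illustrative):
# 1. a normal POST login, 2. blank credentials plus the flag, 3. flag with the
# credential parameters absent entirely, 4. flag with credentials supplied.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Dec/2023:10:00:01 +0000] "POST /app/control/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Dec/2023:10:00:07 +0000] "GET /app/control/main?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 88',
    '10.0.0.9 - - [26/Dec/2023:10:00:09 +0000] "POST /app/control/main?requirePasswordChange=Y HTTP/1.1" 200 1024',
    '10.0.0.7 - - [26/Dec/2023:10:01:00 +0000] "GET /app/control/main?USERNAME=jdoe&PASSWORD=s3cret&requirePasswordChange=Y HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, path, query in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {path}?{query}")
```

Only lines 2 and 3 of the sample are reported. Two caveats for production use: parameters sent in a POST body never reach the access log, so the same check should also run on WAF or application-level request logs, and a fully patched 18.12.11 host still logs the attempt, so a hit tells you someone tried, not that they succeeded.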
Zscaler Best Practices
- Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on.
- Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
- Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
- Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
- Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload.
- Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.
Conclusion
Apache OFBiz systems should promptly be updated to version 18.12.11. Failing to do so leaves systems vulnerable to CVE-2023-51467, allowing threat actors to manipulate login parameters and execute arbitrary code on the target server.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following protections.
Zscaler Advanced Threat Protection
- APP.EXPLOIT.CVE-2023-49070
- APP.EXPLOIT.CVE-2023-51467
Zscaler Private Access AppProtection
- 6000751 - Apache OFBiz XMLRPC Insecure Deserialization (CVE-2023-49070)
- 6000753 - Apache OFBiz Auth Bypass and Code Injection (CVE-2023-51467)
For more details, visit the Zscaler Threat Library.