Specialists from vulncheck developed POC code (Proof-Of-Concept, POC) that utilizes a recently discovered critical vulnerability in the ERP-system Apache OFBIZ to launch malicious code in memory.
The vulnerability, known as CVE-2023-51467 (CVSS: 9.8), is an authentication bypass error that allows attackers to execute arbitrary code on a remote device and gain access to confidential information. This error can be used to bypass another critical flaw in the same software (cve-2023-49070 with a CVSS assessment of 9.8).
While the vulnerability was fixed in the December release of Apache OFBIZ version 12/18/11, attackers are still attempting to exploit vulnerable software. According to Vulncheck, CVE-2023-51467 can be leveraged to launch a malicious program directly from memory, leaving minimal signs of a hack.
A search on Shodan reveals over 13,000 connected copies, although most of them are decoys.
Although Apache implemented security mechanisms such as the sandbox Groovy to block attempts to load web scripts or execute Java code, the incomplete implementation of the sandbox allows attackers to run Curl commands and obtain a reverse Bash shell on Linux systems. However, these payloads are not perfect for advanced attackers as they leave traces on the disk and depend on the specificities of Linux.
Vulncheck has created a cross-platform solution called POC-EX-EXTISS based on Go, which can work on both Windows and Linux. This POC circumvents the blacklist by using the groovy.eval function to launch a Nashorn reverse shell in memory as a payload.
There has been a lot of discussion around CVE-2023-51467, but no public malware has been found, raising doubts about its potential use. Vulncheck specialists have concluded that the vulnerability not only exists but also enables the execution of arbitrary code in memory.