Apache OpenMeetings Exposed: Vulnerabilities Enable Account Hijacking and Code Execution

Three Vulnerabilities in Apache OpenMeetings Enable Account Hijacking and Code Execution

Overview

Apache OpenMeetings, an open-source web conferencing application used by tens of thousands of enterprises, has been found to contain three separate security vulnerabilities. Chained together, they allow an attacker to take over user accounts, gain admin privileges, and execute arbitrary code on the server running the application. The researchers identified a weak hash comparison bug, an unrestricted-access flaw via invitation hashes, and a null-byte injection bug.

The Attack Chain

Weak Hash Comparison

The first vulnerability is a weak hash comparison in the room creation and invitation process. Each time an OpenMeetings invitation is sent, a unique virtual "room" and a user-specific secret hash are generated, and presenting that hash is what redeems the invitation. The lookup, however, matches the supplied value as a wildcard pattern rather than as an exact string, so an attacker can redeem an invitation by supplying a wildcard instead of the secret value. This grants access to OpenMeetings invitations without any authentication.

Exploiting OpenMeetings Zombie Rooms

The second vulnerability lets an attacker create "zombie rooms": by triggering the steps of the invitation workflow in an unexpected order, the attacker ends up with an invitation that has no room assigned to it. Redeeming such an invitation grants unrestricted access to the invited user's account rather than a seat in a room. Since any registered user can create invitations, obtaining a low-privilege account poses no hurdle for an attacker, who simply creates an invitation for the admin user, gains elevated privileges, and can then change settings within the application.
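The two flaws above can be illustrated side by side. The following is an added example, not code from OpenMeetings or from the researchers: a hypothetical invitation table in SQLite, a vulnerable redeem function that compares the client-supplied hash with a wildcard-capable LIKE pattern and never checks that a room is attached, and a hardened version that requires a well-formed, exactly matching hash and an existing room. The schema, user names and hash values are constructed for the demo. The `recover_hash` helper goes beyond what the article describes: it uses the wildcard match as an oracle to recover a stored hash one hex digit at a time, a consequence of the weak comparison rather than a step the researchers published.

```python
"""Added example (not OpenMeetings code): a wildcard-prone invitation lookup
versus a hardened one. Schema, names and hashes below are constructed."""
import hmac
import re
import sqlite3

# Constructed sample hashes (32 hex chars). alice's invitation has a room;
# the admin invitation is a "zombie": it points at no room at all.
ALICE_HASH = "8f2a1c9b7e6d5f4a3b2c1d0e9f8a7b6c"
ADMIN_HASH = "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"


def make_db():
    """Build an in-memory database with one real room and two invitations."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rooms (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    db.execute(
        "CREATE TABLE invitations (id INTEGER PRIMARY KEY, hash TEXT NOT NULL, "
        "invitee TEXT NOT NULL, room_id INTEGER)"
    )
    db.execute("INSERT INTO rooms VALUES (1, 'board-meeting')")
    db.execute("INSERT INTO invitations VALUES (1, ?, 'alice', 1)", (ALICE_HASH,))
    db.execute("INSERT INTO invitations VALUES (2, ?, 'admin', NULL)", (ADMIN_HASH,))
    return db


def vulnerable_redeem(db, supplied):
    """Flawed lookup: LIKE treats '%' and '_' in the client-supplied value as
    wildcards, and the first match is used without checking that a room exists."""
    row = db.execute(
        "SELECT invitee, room_id FROM invitations WHERE hash LIKE ? ORDER BY id",
        (supplied,),
    ).fetchone()
    if row is None:
        return None
    invitee, room_id = row
    return {"user": invitee, "room": room_id}


def hardened_redeem(db, supplied):
    """Fixed lookup: reject anything that is not a well-formed hash, match the
    stored value exactly, and refuse invitations that are not tied to a room."""
    if not re.fullmatch(r"[0-9a-f]{32}", supplied):
        return None
    row = db.execute(
        "SELECT hash, invitee, room_id FROM invitations WHERE hash = ?",
        (supplied,),
    ).fetchone()
    if row is None:
        return None
    stored, invitee, room_id = row
    # '=' already matched exactly; compare_digest re-checks in constant time so
    # the application-side comparison does not leak timing information either.
    if not hmac.compare_digest(stored, supplied):
        return None
    if room_id is None:
        return None  # zombie invitation: no room, so nothing to redeem
    if db.execute("SELECT 1 FROM rooms WHERE id = ?", (room_id,)).fetchone() is None:
        return None
    return {"user": invitee, "room": room_id}


def recover_hash(db, target_user, length=32):
    """Use the wildcard bug as an oracle: extend a known prefix one hex digit
    at a time until the whole hash for target_user is recovered."""
    prefix = ""
    while len(prefix) < length:
        for digit in "0123456789abcdef":
            hit = vulnerable_redeem(db, prefix + digit + "%")
            if hit is not None and hit["user"] == target_user:
                prefix += digit
                break
        else:
            return None  # no digit extended the prefix; give up
    return prefix


if __name__ == "__main__":
    db = make_db()
    print("wildcard '%', vulnerable ->", vulnerable_redeem(db, "%"))
    print("wildcard '%', hardened   ->", hardened_redeem(db, "%"))
    print("recovered admin hash     ->", recover_hash(db, "admin"))
    print("zombie, vulnerable       ->", vulnerable_redeem(db, ADMIN_HASH))
    print("zombie, hardened         ->", hardened_redeem(db, ADMIN_HASH))
```

Two details of the hardened version matter in practice: validating the shape of the input before it reaches the query closes the wildcard class of bugs even if some other code path still uses a pattern match, and refusing an invitation with no room is what turns the "zombie room" trick from an account takeover into a plain error.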

Remote Code Execution

The third vulnerability, the null-byte injection bug, lets an attacker who now holds admin rights break out of the application and execute arbitrary code on the server hosting OpenMeetings. Once exploited, the attacker has full access to the targeted server: every piece of stored data, the ability to install malicious software, and a foothold from which to pivot into the internal network.

Implications and Advice

Given the widespread adoption of Apache OpenMeetings and its use for sensitive discussions and collaborations, these vulnerabilities make it an attractive target for attackers. To mitigate the risk, users are strongly urged to update to the latest version, 7.1.0, which fixes all three flaws. Apache's patches tighten the handling of invitation hashes, user permissions, admin-configurable paths, and more. Applying them promptly is crucial to safeguarding the integrity and security of OpenMeetings installations.

Furthermore, organizations should review their application security practices to ensure they are protected against similar vulnerabilities in other software. Regular penetration testing, timely patching, and adherence to best practices for application and server security are essential, and a vulnerability management program should be in place to monitor and address weaknesses in the software the organization uses.

Lastly, recognizing the evolving threat landscape and the increasing significance of data protection, organizations must prioritize cybersecurity education and awareness among their employees. They should cultivate a culture of vigilance when it comes to online security, emphasizing the importance of strong passwords, cautious clicking, and staying updated on the latest security practices.

The discovery of these vulnerabilities in Apache OpenMeetings highlights the ongoing battle between hackers and security professionals. Without constant vigilance and proactive security measures, organizations will remain vulnerable to cyberattacks, potentially resulting in significant financial and reputational damage.
