
OpenMeetings Flaws: Exposing Critical Vulnerabilities, Enabling Server Hijacking and Code Execution.


Vulnerabilities in OpenMeetings Allow Hackers to Hijack Instances and Execute Code on Servers

Three vulnerabilities in Apache OpenMeetings, a web conferencing application used for online meetings and collaboration, can be chained by a remote attacker into account takeover and code execution on the server. The flaws, tracked as CVE-2023-28936, CVE-2023-29023 and CVE-2023-29246, were disclosed by the code-security firm Sonar.

Account Takeover and Arbitrary Code Execution

According to Sonar, the vulnerabilities stem from a logical flaw and a weak hash comparison in how OpenMeetings handles room invitations. By triggering a particular sequence of actions, an attacker can create a room invitation that is not bound to any room, redeem it to take over any user account, and thereby obtain administrator privileges. Because configurable items are insufficiently validated, the attacker can then inject a null byte into one of the configured binary paths, which can be leveraged to run arbitrary code and execute commands remotely on the server.

Exploiting Invitation Hashes and Zombie Rooms

The first vulnerability allows an attacker to enumerate valid invitation hashes and redeem them. The second involves creating a "zombie room": the attacker creates an event, joins its room, and then deletes the event, leaving a room that no longer belongs to any event. With this setup, the attacker creates an invitation to the room for the admin user and redeems it for themselves. Although the server raises an error during redemption, it has already created a valid web session for the invitee with that user's full permissions, and the attacker obtains it from the session cookie in the server's response.

Remote Code Execution via ImageMagick

With administrator access, the attacker can edit the instance's configuration and inject a null byte into the configured path of the ImageMagick executable. They then upload a fake image: a file that begins with valid image headers, so that it is accepted as an image, followed by arbitrary shell commands. When the server runs its image conversion on the upload, every command line in the fake image is executed, giving remote code execution on the server.
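The null-byte step above is an instance of a general failure: the value is validated in one representation and used in another. Code that treats a configured path as a NUL-terminated C string sees only the bytes before the first null byte, while whatever later consumes the stored bytes may see all of them. The following is an added illustration of that class of bug and of a length-aware validator, written for this article; it is not OpenMeetings code and does not reproduce the project's actual check or its fix in 7.1.0. The allowlisted directories and the sample values are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Directories from which a configured helper binary may be loaded.
 * Constructed for this example; not OpenMeetings' real configuration. */
static const char *const ALLOWED_DIRS[] = { "/usr/bin/", "/usr/local/bin/" };
#define N_ALLOWED (sizeof ALLOWED_DIRS / sizeof ALLOWED_DIRS[0])

/* Weak validator: reads the value as a NUL-terminated C string, so every
 * byte after an embedded NUL is invisible to it. A submitted value such as
 * "/usr/bin/convert\0/bin/sh" is accepted, although the bytes that get
 * stored (and later used) are not the bytes that were checked. It also
 * never looks past the directory prefix, so "../" traversal slips through. */
int weak_path_check(const char *value)
{
    for (size_t i = 0; i < N_ALLOWED; i++) {
        size_t plen = strlen(ALLOWED_DIRS[i]);
        if (strncmp(value, ALLOWED_DIRS[i], plen) == 0 && value[plen] != '\0')
            return 1;
    }
    return 0;
}

/* Strict validator: checks exactly the byte range that will be stored.
 * Rejects embedded NUL and any other control byte, requires an allowlisted
 * directory prefix, and requires the remainder to be a plain file name
 * (no further '/', so ".." and nested paths cannot name another binary). */
int strict_path_check(const unsigned char *value, size_t len)
{
    if (len == 0 || memchr(value, 0, len) != NULL)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (value[i] < 0x20 || value[i] == 0x7f)
            return 0;   /* control bytes never belong in a configured path */
    for (size_t i = 0; i < N_ALLOWED; i++) {
        size_t plen = strlen(ALLOWED_DIRS[i]);
        if (len > plen && memcmp(value, ALLOWED_DIRS[i], plen) == 0 &&
            memchr(value + plen, '/', len - plen) == NULL)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, as they would arrive in a request body. */
    static const unsigned char legit[]     = "/usr/bin/convert";
    static const unsigned char nul_inj[]   = "/usr/bin/convert\0/bin/sh";
    static const unsigned char traversal[] = "/usr/bin/../../bin/sh";

    printf("legit      weak=%d strict=%d\n", weak_path_check((const char *)legit),
           strict_path_check(legit, sizeof legit - 1));
    printf("nul_inj    weak=%d strict=%d\n", weak_path_check((const char *)nul_inj),
           strict_path_check(nul_inj, sizeof nul_inj - 1));
    printf("traversal  weak=%d strict=%d\n", weak_path_check((const char *)traversal),
           strict_path_check(traversal, sizeof traversal - 1));
    return 0;
}
```

The strict check deliberately validates the full byte length rather than a C string, because the length is what the storage layer and any later consumer will honour. In a managed language the same rule applies: reject control bytes outright and validate the exact string that is persisted, rather than the result of a lossy conversion.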

Recommended Action

The vulnerabilities were fixed in OpenMeetings 7.1.0, released on May 9, 2023. Organizations that run OpenMeetings should confirm they are on that version or later. Because the chain ends in administrator access and a modified configuration, an instance that was exposed while running an earlier version should also be reviewed for unexpected administrator sessions and for changes to the configured ImageMagick path, not only upgraded. More generally, patching and updating software applications promptly protects against newly discovered vulnerabilities.

Furthermore, organizations should enforce sound user access controls and authentication practices to minimize the risk of account takeover. Strong password policies and multi-factor authentication help prevent unauthorized access to accounts, and regular security audits and vulnerability assessments can identify and address weaknesses in the software stack.

Lastly, it is essential for organizations to have a comprehensive incident response plan in place that outlines steps to take in the event of a security breach. This includes promptly applying patches and updates, conducting forensic analysis to understand the extent of the compromise, and notifying affected parties if necessary.

Conclusion

The vulnerabilities in Apache OpenMeetings highlight the risks associated with web conferencing applications and the importance of rigorous security measures. As organizations increasingly rely on such applications for remote work and collaboration, it is crucial to stay vigilant and proactive in addressing vulnerabilities and implementing robust security controls. By prioritizing cybersecurity, organizations can better protect themselves from compromise and limit the consequences of a breach.


<< photo by Adi Goldstein >>
