Apache OpenMeetings Vulnerabilities

Researcher discovered three vulnerabilities in the open source Web application Apache OpenMeetings application can be used together into an attack chain that allows threat actors to take over a user account, gain admin privileges, and ultimately execute arbitrary code on a server running the app.

OpenMeetings can be used for video calls, presentations, and other collaborative work, and is widely deployed in tens of thousands of enterprises, across both cloud and on-prem installations.

A weak hash comparison bug tracked under CVE-2023-28936; an unrestricted access via invitation hash tracked under CVE-2023-29023; and a null-byte injection bug tracked under CVE-2023-29246.

Advertisements

The trio of issues exist in the application’s room creation and invitation process. Schiller explained in the report that each time a new OpenMeetings invitation is sent, an individual virtual “room” is generated, in which one user can invite another user. Both the room and user receive randomly generated hashes that are unique to both the user and the room.null

The first hole in this process, the weak hash comparison, can be exploited to allow unauthorized access to an Open Meetings invitation. No authentication is required for exploiting the vulnerability. Once the attacker has taken over the invite and entered the room, the second bug allows the attackers to create “zombie rooms.” Combined with the first vulnerability, this sets up the path to elevating privileges and remote code execution.

Due to the second flaw, a user with an invitation with no room attached to it has unfettered access to the entire application. Threat actors can take over the admin invite they just created with the process outlined above, resulting in elevated privileges. Thus, they gain the ability to change settings.