CVE-2023-32315

Description

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

Add Assessment

cbeek-r7 (173)

July 26, 2024 7:44pm UTC (3 months ago)•Edited 3 months ago

Ratings

Observed in state-sponsored attacks

Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

h00die-gr3y (126)

July 09, 2023 11:42am UTC (1 year ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

Openfire (previously known as Wildfire, and Jive Messenger) is an instant messaging (IM) and groupchat server for the Extensible Messaging and Presence Protocol (XMPP). It is written in Java and licensed under the Apache License 2.0.

On May 26, 2023, Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment using the path http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/. Endpoints such as log.jsp, user-groups.jsp and user-create.jsp can be used to gain unauthorized admin access.
It allows an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

The vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0 and is patched in Openfire release 4.7.5, 4.6.8 and 4.8.0 and later.

Reading the security advisory, it reminded me of a previous Openfire vulnerability CVE-2008-6508 discovered in 2008 that faced a similar issue. There is even an existing Metasploit module available a.k.a. exploit\multi\http\openfire_auth_bypass that exploits this vulnerability (see Metasploit PR 522).

With that in mind, it should be not too difficult to build a new variant that exploits the latest vulnerability CVE-2023-32315.

The attack sequence is quite simple:

Grab the cookies using the path traversal vulnerability via http://<IP>:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp
Use the cookies to add an admin user using the path traversal vulnerability via http://<IP>:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp
Upload an Openfire plugin weaponized with a java payload triggering an RCE via endpoint http://<IP>:9090/plugin-admin.jsp. For step 3, you need understand how to create an customized Openfire plugin which is described in more detail here.

And as usual, I took the liberty to code a nice Metasploit module that does it all for you.
You can find the module here in my local repository or as PR 18173 at the Metasploit Github development.

This module has been tested on:

Ubuntu Linux 22.04

Openfire 3.10.1, 4.0.4, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0. 4.7.0, 4.7.1, 4.7.3
Java 7, 8, 17

Windows Server 2019 Datacenter

Openfire 4.7.3
Java 20

You can setup your own testing environment by following the instructions below.

Instructions for an Openfire installation:
Download Openfire releases here.
Follow installation instructions here.

Mitigation

Please update your Openfire application to version 4.8.0 or higher and or upgrade to the patched versions 4.7.5 or 4.6.8.

References

Igniterealtime Security Advisory
CVE-2023-32315
Openfire Authentication Bypass RCE – h00die-gr3y Metasploit local repository
Metasploit PR 18173
Openfire plugin development
Openfire release downloads
Openfire installation instructions

See More &2 repliesSee Less

ccondon-r7 (282) December 19, 2023 1:55pm UTC (11 months ago)

Great write-up, @h00die-gr3y, thank you!

h00die-gr3y (126) December 19, 2023 5:45pm UTC (11 months ago)

@ccondon-r7, you are most welcome!
Enjoy your upcoming Christmas and New Year.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

igniterealtime

Products

openfire

Metasploit Modules

exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb)

Exploited in the Wild

Reported by:

cbeek-r7 indicated source as Government or Industry Alert (https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability)

Reported: September 05, 2023 7:40am UTC (1 year ago)

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/08/24/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: September 08, 2023 5:15am UTC (1 year ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2023/08/24/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:19am UTC (1 week ago)

References

Canonical

CVE-2023-32315 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32315)

Advisory

CISA Security Bulletin (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

PoC (https://github.com/Pari-Malam/CVE-2023-32315)

CVE-2023-32315-Openfire-Bypass (https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass) (Added by AKB Worker)

CVE-2023-32315-POC (https://github.com/izzz0/CVE-2023-32315-POC) (Added by AKB Worker)

Miscellaneous

https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm

http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html

Rapid7

Very High

Very High

Very High

None

None

Network

CVE-2023-32315

Description