Multiple security vulnerabilities have been exposed in Apache OpenMeetings, a web conferencing solution, which poses a serious threat as attackers could potentially hijack admin accounts and execute malicious code on vulnerable servers. The flaws, disclosed by Sonar vulnerability researcher Stefan Schiller, include an unexpected state manipulation allowing attackers to gain control of any user account, including the admin account.
Once admin privileges are acquired, attackers can exploit another vulnerability to execute arbitrary code on the Apache OpenMeetings server. These vulnerabilities were responsibly disclosed on March 20, 2023, and addressed with the release of Openmeetings version 7.1.0 on May 9, 2023, where three main flaws were identified.
CVE-2023-28936 (CVSS score: 5.3) involves an insufficient check of the invitation hash, while CVE-2023-29032 (CVSS score: 8.1) is an authentication bypass leading to unrestricted access via invitation hash. The third flaw, CVE-2023-29246 (CVSS score: 7.2), allows an attacker with admin privileges to execute code through a NULL byte injection.
Attackers can exploit these vulnerabilities by creating an event and joining the corresponding room, then deleting the event to create an invitation for the admin user to a non-existing room. The weak hash comparison bug enables the attacker to redeem the invitation, leading to the creation of a “zombie room,” allowing them to gain admin privileges and manipulate the OpenMeetings instance, impacting connected users.
Additionally, a third vulnerability identified by Sonar is rooted in ImageMagick, where an admin can configure the path for executables. By changing the ImageMagic path to “/bin/sh%00x” and uploading a fake image containing arbitrary shell commands, the attacker with admin privileges can execute any command, leading to remote code execution on the server.
These flaws present a significant risk, as attackers can potentially wreak havoc on the system, accessing sensitive data, and causing harm to the OpenMeetings instance.
