Ubuntu Security Notice 6549-5 - It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service. Lin Ma discovered that the Netlink Transformation subsystem in the Linux kernel did not properly initialize a policy data structure, leading to an out-of-bounds vulnerability. A local privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6549-5  
January 10, 2024

linux-gcp-5.15, linux-intel-iotg-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the  
Linux kernel did not properly initialize a policy data structure, leading  
to an out-of-bounds vulnerability. A local privileged attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3773)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

It was discovered that a race condition existed in QXL virtual GPU driver  
in the Linux kernel, leading to a use after free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-39198)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Jason Wang discovered that the virtio ring implementation in the Linux  
kernel did not properly handle iov buffers in some situations. A local  
attacker in a guest VM could use this to cause a denial of service (host  
system crash). (CVE-2023-5158)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1046-intel-iotg  5.15.0-1046.52~20.04.1  
   linux-image-5.15.0-1048-gcp     5.15.0-1048.56~20.04.1  
   linux-image-gcp                 5.15.0.1048.56~20.04.1  
   linux-image-intel               5.15.0.1046.52~20.04.36  
   linux-image-intel-iotg          5.15.0.1046.52~20.04.36

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6549-5  
   https://ubuntu.com/security/notices/USN-6549-1  
   CVE-2023-37453, CVE-2023-3773, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-39198, CVE-2023-42754,  
   CVE-2023-5158, CVE-2023-5178, CVE-2023-5717

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1048.56~20.04.1

 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1046.52~20.04.1

Ubuntu Security Notice USN-6549-5

Ubuntu Security Notice 6548-5 - It was discovered that Spectre-BHB mitigations were missing for Ampere processors. A local attacker could potentially use this to expose sensitive information. It was discovered that the USB subsystem in the Linux kernel contained a race condition while handling device descriptors in certain situations, leading to a out-of-bounds read vulnerability. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6548-5  
January 10, 2024

linux-iot vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-iot: Linux kernel for IoT platforms

Details:

It was discovered that Spectre-BHB mitigations were missing for Ampere  
processors. A local attacker could potentially use this to expose sensitive  
information. (CVE-2023-3006)

It was discovered that the USB subsystem in the Linux kernel contained a  
race condition while handling device descriptors in certain situations,  
leading to a out-of-bounds read vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2023-37453)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate some attributes passed from userspace. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly expose sensitive information (kernel memory). (CVE-2023-39189)

Sunjoo Park discovered that the netfilter subsystem in the Linux kernel did  
not properly validate u32 packets content, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39192)

Lucas Leong discovered that the netfilter subsystem in the Linux kernel did  
not properly validate SCTP data, leading to an out-of-bounds read  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-39193)

Lucas Leong discovered that the Netlink Transformation (XFRM) subsystem in  
the Linux kernel did not properly handle state filters, leading to an out-  
of-bounds read vulnerability. A privileged local attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-39194)

Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did  
not properly handle socket buffers (skb) when performing IP routing in  
certain circumstances, leading to a null pointer dereference vulnerability.  
A privileged attacker could use this to cause a denial of service (system  
crash). (CVE-2023-42754)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel  
did not properly handle queue initialization failures in certain  
situations, leading to a use-after-free vulnerability. A remote attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-5178)

Budimir Markovic discovered that the perf subsystem in the Linux kernel did  
not properly handle event groups, leading to an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-5717)

It was discovered that the TLS subsystem in the Linux kernel did not  
properly perform cryptographic operations in some situations, leading to a  
null pointer dereference vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-6176)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1028-iot      5.4.0-1028.29

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6548-5  
   https://ubuntu.com/security/notices/USN-6548-1  
   CVE-2023-3006, CVE-2023-37453, CVE-2023-39189, CVE-2023-39192,  
   CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-5178,  
   CVE-2023-5717, CVE-2023-6176

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1028.29

Ubuntu Security Notice USN-6548-5

PHPJabbers Cinema Booking System version 1.0 suffers from a missing rate limiting vulnerability.

    # Exploit Title: PHPJabbers Cinema Booking System v1.0 - No Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/cinema-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51334Descriptions:A lack of rate limiting in the "Login Section, Forgot Email" featureof PHPJabbers Cinema Booking System v1.0 allows attackers to send anexcessive amount of reset requests for a legitimate user, leading to apossible Denial of Service (DoS) via a large amount of generatede-mail messages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/1704804809_816/index.php?controller=pjAdmin&action=pjActionIndex2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51334)

PHPJabbers Cinema Booking System 1.0 Missing Rate Limiting

PHPJabbers Meeting Room Booking System version 1.0 suffers from a missing rate limiting vulnerability.

    # Exploit Title: PHPJabbers Meeting Room Booking System v1.0 - No Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51332Descriptions:A lack of rate limiting in the "Forgot Email" feature of PHPJabbersMeeting Room Booking System v1.0 allows attackers to send an excessiveamount of reset requests for a legitimate user, leading to a possibleDenial of Service (DoS) via a large amount of generated e-mailmessages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/1704805602_793/index.php?controller=pjAdmin&action=pjActionLogin2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51332)

PHPJabbers Meeting Room Booking System 1.0 Missing Rate Limiting

PHPJabbers Cinema Booking System version 1.0 suffers from reflective and persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Cinema Booking System v1.0 - Reflected Cross-Site Scripting# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/cinema-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51330Descriptions:Reflected cross-site scripting (XSS) vulnerability exists inReservations menu, Schedule section and "date" parameter of PHPJabbersCinema Booking System v1.0 that allows attackers to execute arbitraryweb scripts or HTML via a crafted payload injected into the Websitelogin page parameter.Steps to Reproduce:1. Login your panel.2. Go to Now Showing menu then click Print.3. Now use XSS Payload in "date" parameter.4. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51330)# Exploit Title: PHPJabbers Cinema Booking System v1.0 - Multiple Stored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/cinema-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51335Descriptions:PHPJabbers Cinema Booking System v1.0 is vulnerable to Multiple StoredCross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "title, name".3. Go to System Users Menu then click add user.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51335)

PHPJabbers Cinema Booking System 1.0 Cross Site Scripting

PHPJabbers Cleaning Business Software version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Cleaning Business Software v1.0 - MultipleStored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/cleaning-business-software/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51328Descriptions:PHPJabbers Cleaning Business Software v1.0 is vulnerable to MultipleStored Cross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "c_name, name".3. Go to System Users Menu then click add user.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51328)

PHPJabbers Cleaning Business Software 1.0 Cross Site Scripting

PHPJabbers Cleaning Business Software version 1.0 suffers from multiple missing rate limiting vulnerabilities.

    # Exploit Title: PHPJabbers Cleaning Business Software v1.0 - No Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/cleaning-business-software/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51326Descriptions:A lack of rate limiting in the "Forgot Email" feature of PHPJabbersCleaning Business Software v1.0 allows attackers to send an excessiveamount of reset requests for a legitimate user, leading to a possibleDenial of Service (DoS) via a large amount of generated e-mailmessages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/1704803403_514/index.php?controller=pjAdmin&action=pjActionLogin2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51326)# Exploit Title: PHPJabbers Cleaning Business Software v1.0 - Missing Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/cleaning-business-software/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51327Descriptions:A lack of rate limiting in the "Forgot Email" feature of PHPJabbersCleaning Business Software v1.0 allows attackers to send an excessiveamount of reset requests for a legitimate user, leading to a possibleDenial of Service (DoS) via a large amount of generated e-mailmessages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/{*}/index.php?controller=pjAdmin&action=pjActionLogin2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51327)

PHPJabbers Cleaning Business Software 1.0 Missing Rate Limiting

PHPJabbers Shared Asset Booking System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Shared Asset Booking System v1.0 -Multiple Stored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/shared-asset-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51325Descriptions:PHPJabbers Shared Asset Booking System v1.0 is vulnerable to MultipleStored Cross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "title, name".3. Go to System Users Menu then add user.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51325)

PHPJabbers Shared Asset Booking System 1.0 Cross Site Scripting

By Deeba Ahmed
Another day, another malware threat against Linux systems!
This is a post from HackRead.com Read the original post: Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

A noticeable difference between NoaBot and Mirai is that rather than DDoS attacks, the botnet targets weak passwords connecting SSH connections to install cryptocurrency mining software.

Cybersecurity researchers at Akamai have discovered cryptomining malware called NoaBot based on the notorious **Mirai botnet**. The crytojacking malware NoaBot is currently targeting Linux servers and has been active since January 2023.

According to Akamai, a noticeable difference between NoaBot and Mirai is that rather than **DDoS attacks** (Distributed Denial of Service attacks), the malware targets weak passwords connecting SSH connections and installs cryptocurrency mining software, allowing attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth.

Here, it is important to mention that NoaBot malware has also been used to deliver **P2PInfect**, a separate worm discovered by Palo Alto Networks in July 2023.

NoaBot is compiled using the UClibc code library, unlike the standard Mirai library. This changes how the antivirus protections detect NoaBot, categorizing it as an SSH scanner or generic trojan. The malware is statically compiled and stripped of symbols, while strings are obfuscated instead of saved as plaintext, making it harder for reverse engineers to extract details.

The NoaBot binary runs from a randomly generated folder, making searching devices harder. The standard Mirai dictionary is replaced with a large one, and a custom-made SSH scanner is used. Post-breach capabilities include installing a new SSH-authorized key.

This botnet has grown significantly, with over 800 unique IP addresses worldwide showing signs of NoaBot infections. The worm is a **customized version of Mirai**, a malware that infects Linux-based servers, routers, web cameras, and other Internet of Things devices.

Interestingly, the malware includes embedded song lyrics from the “**Who’s Ready for Tomorrow**” song by Rat Boy and IBDY, but later samples do not have these. The botnet also adds command line arguments, such as the “noa” flag, which installs a persistence method after a reboot.

Screenshot: Akamai

Screenshot: Akamai

Threat actors modified the **XMRig miner** to extract the mining configuration before execution. The miner’s functions involve function calls and signals. The configuration contains the mining pool and wallet address details. However, IDA misses the binary name and pool IP placeholder, allowing attackers to estimate the profitability of the cryptomining gig.

Researchers noted that the attackers were running their private pool instead of a public one, eliminating the need for a wallet. However, domains are no longer resolvable with Google’s DNS, and no recent incidents involving the dropping of the miner are noticed, suggesting the threat actors may have halted the campaign for better opportunities.

Hackread has been following incidents involving Mirai since it was **discovered** in 2016. Mirai is a self-replicating malware targeting Linux-based IoT devices, used to infect other vulnerable devices.

In 2016, it was used in a massive **DDoS attack against Dyn DNS**, paralyzing the internet. The creators released the source code, allowing crime groups to incorporate it into their attacks. Mirai scans the internet for Telnet connections via infected devices to crack Telnet passwords, then targets additional devices using the same technique.

**Akamai urges** Linux server administrators to protect their systems from NoaBot by keeping software updated, using strong passwords, enabling two-factor authentication, and monitoring unauthorized activity. This is crucial as NoaBot can launch DDoS, data breaches, and **cryptojacking attacks**.

****_RELATED ARTICLES_****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

Mirai-based NoaBot Botnet Targeting Linux Systems with Cryptominer

Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.
The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (

Vulnerability / Cyber Attack

Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload.

The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.

While it was fixed in Apache OFbiz version 18.12.11 released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances.

The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity.

Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with the Sysrv botnet. Another three-year-old bug in the software (CVE-2021-29200) has witnessed exploitation attempts from 29 unique IP addresses over the past 30 days, per data from GreyNoise.

What's more, Apache OFBiz was also one of the first products to have a public exploit for Log4Shell (CVE-2021-44228), illustrating that it continues to be of interest to both defenders and attackers alike.

CVE-2023-51467 is no exception, with details about a remote code execution endpoint ("/webtools/control/ProgramExport") as well as PoC for command execution emerging merely days after public disclosure.

While security guardrails (i.e., Groovy sandbox) have been erected such that they block any attempts to upload arbitrary web shells or run Java code via the endpoint, the incomplete nature of the sandbox means that an attacker could run curl commands and obtain a bash reverse shell on Linux systems.

"For an advanced attacker, though, these payloads aren't ideal," VulnCheck's Chief Technology Officer Jacob Baines said. "They touch the disk and rely on Linux-specific behavior."

The Go-based exploit devised by VulnCheck is a cross-platform solution that works on both Windows and Linux as well as gets around the denylist by taking advantage of groovy.util.Eval functions to launch an in-memory Nashorn reverse shell as the payload.

"OFBiz is not widely popular, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question if it was even possible," Baines said. "We've concluded that not only is it possible, but we can achieve arbitrary in memory code execution."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#linux