Top Trending CVEs of December 2023

Happy Holidays! As we close out 2023 we do it with a bit of deja vu (depending on how sharp your memory is). This month we cover an Apache Struts 2 vulnerability that could result in remote command execution (RCE). If that sounds familiar it’s because the Equifax breach of 2017 was a result of an Apache Struts vulnerability. We also dive into a JetBrains TeamCity authentication bypass vuln that results in trivial command execution. Finally, we review an authentication flaw in an enterprise IT and HR management platform used by a wide range of large corporations. Roll up your sleeves and drop to a command line as we cover the trending CVEs for December 2023.

1. Apache Struts 2 File Upload to RCE CVE-2023-50164

Apache has issued an advisory for a critical vulnerability designated as CVE-2023-50164. It affects Apache Struts 2. Exploiting this flaw involves unauthorized path traversal through the file upload feature, allowing for the upload of malicious files, which under the correct conditions could result in remote code execution. While challenging to exploit at scale, the impact can be severe. 

The vulnerability affects Struts versions 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0, which represents a decently broad spectrum of potential targets. The flaw arises from case sensitivity in HTTP parameters, that when exploited could enable an attacker to manipulate file upload parameters and perform path traversal. The vulnerable endpoint is /upload.action.

The vulnerability is associated with HTTP parameter pollution. This is an attack technique where the payload is delivered across multiple instances of a parameter with the same name. It is used as a means to bypass validation controls. The Apache Struts 2 vulnerability enabled attackers to modify the initial parameter and introduce an additional parameter in lowercase, which could overwrite an internal file name variable. The manipulation of internal variables can lead to path traversal, enabling attackers to write files to arbitrary locations on disk.

Apache Struts’s getCanonicalName function in AbstractMultiPartRequest.java is bypassed, allowing the path traversal payload to persist in the final filename. Temporary files created during uploads may pose a security risk if not deleted. A secondary commit in the same patch  ensures the deletion of uploaded files, reducing the risk of persistence.

This vulnerability while trivial to exploit is highly dependent on how the Apache Struts framework is leveraged in a given app. For example, if an Apache Struts 2 application does not use the file upload features, it is not vulnerable to exploitation. Due to the nature of the exploit crafting a trivial mass scanner to identify vulnerable targets is difficult. Mature exploits have been released to the public. If you run an Apache shop it’s highly recommended that you patch now.

Systems Impacted: 

• Struts 2.0.0 – Struts 2.3.37
• Struts 2.5.0 – Struts 2.5.32
• Struts 6.0.0 – Struts 6.3.0

Read more:

• https://www.trendmicro.com/en_no/research/23/l/decoding-cve-2023-50164–unveiling-the-apache-struts-file-upload.html
• https://nvd.nist.gov/vuln/detail/CVE-2023-50164
• https://cwiki.apache.org/confluence/display/WW/S2-066

2. ADiTaaS Authentication Bypass CVE-2023-6483

Researchers have identified a security vulnerability in version 5.1 of the ADiTaaS enterprise service management (ESM) SaaS platform. The platform, coded in Angular JS on the frontend and .Net on the backend, was prone to an authentication bypass vulnerability. Successful exploitation could grant unauthorized threat actors access to customer instances by pivoting through an unauthenticated API call. Various industries, including automotive, medical, real estate, aviation, and others, were potentially affected.

The researcher found that the ADiTaaS application leveraged Angular on the front end to facilitate API calls. By reviewing the code downloaded by the browser it was observed that two important events occurred after successfully authenticating. One, a boolean named IsLoginDone is set to ‘true’. Two, a string named ObjLoginData has its value set to a JSON string that contains information about the logged-in user. A deeper analysis of the same code ultimately enabled the reverse engineering of the JSON object attributes which included userId, userType, firstName, emailId, and isSuperAdmin among others. Using the debug console to modify the local storage, the JSON object was crafted with a userId value set to 1. 

Subsequent to creating the JSON object, when the authentication page was reloaded the attacker was redirected to the dashboard of a super admin user. The vulnerability was present as a result of gaps in authorization checks where server side verification was performed using arbitrary attacker defined data. The underlying API responsible for authentication relied exclusively on client side controls to enforce unauthorized access. The API did not require any form of authorization token to authenticate or otherwise authorize a request. 

It should be noted that unauthorized access was restricted to a single tenant instance. However, by enumerating common subdomain naming conventions identifying a large number of targets was trivial. 

The timeline outlines the disclosure process, starting with the initial report to CERT-In and subsequent interactions with the ADiTaaS team. The final fix included measures such as devtools blocking, local storage encryption, obfuscated referrer checks, and an admin auth guard. The responsible disclosure process involved coordination between the researcher, CERT-In, and ADiTaaS representatives, leading to the resolution of the vulnerability and the issuance of a CVE.

This may be the first time we don’t close with “Patch Now.” There is nothing to patch or update for this one. Being a SaaS solution there is one entity that can address this issue and ADiTaaS has pushed a patch to production that included the above mentioned mitigating controls. 

We really wanted to review this particular vulnerability, because it highlights a common pitfall in relying too heavily on client side frameworks such as Angular or React JS for authentication and authorization purposes. The research makes for a solid read and the exploit is easy to digest from a technical perspective. Read up and learn!

Systems Impacted: 

• N/A

Read more: 

• https://eaton-works.com/2023/12/18/aditaas-cve-2023-6483/
• https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/
• https://nvd.nist.gov/vuln/detail/CVE-2023-6483

3. JetBrains TeamCity RCE CVE-2023-42793

JetBrains TeamCity is an integration and delivery platform that aids in the building, testing, and deployment processes in software development. Researchers found that the on-prem versions of JetBrains TeamCity prior to 2023.05.4 are prone to an authentication bypass vulnerability designated as CVE-2023-42793 that results in remote command execution. 

The vulnerability, reported by Stefan Schiller from Sonar Team, allows attackers to bypass authentication and execute arbitrary code. The attack is rooted in the way TeamCity routes requests. All requests are sent first to an interceptor endpoint. The interceptor makes determinations where to route the request based on the contents of the URL when matched against a regular expression. The various paths each have varying levels of authorization checks to ensure access is securely restricted. However, certain routes, such as those that match the expression “/**/RPC2” bypass request pre-handling, which includes authorization checks. The lack of authorization checks on administrative endpoints enables an attacker to generate arbitrary authentication tokens for any application user via a crafted POST request to “app/rest/users/<userLocator>/tokens/RPC2”. By gaining unauthorized access to the bearer token of an administrative user an attacker is able to make configuration changes to the TeamCity instance, such as enabling a debug API. The debug API can be used by administrators to start remote processes, i.e. execute remote commands. 

Targeting the admin in the default instance of JetBrains TeamCity is trivial, because the default admin user is always assigned an Id of 1. Exploitation of the authentication bypass and RCE vulnerability is dead simple and can be executed using the command line tool cURL. JetBrains has released a patch to address this vulnerability.

Systems/Applications Impacted:

• All JetBrains TeamCity versions prior to version 2023.05.4

Mitigating Controls:

If upgrading to the latest version is not possible JetBrains has released a plugin to eliminate the risk in older instances. Reference the links below for additional information on plugin installation

Read more:

• https://www.jetbrains.com/teamcity/download/other.html
• https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/
• https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/
• https://www.prio-n.com/blog/cve-2023-42793-attacking-defending-JetBrains-TeamCity
• https://nvd.nist.gov/vuln/detail/CVE-2023-42793

To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let the NopSec platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what the NopSec platform can do in action watch this on-demand product tour.