Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal
Summary:
Enterprise Resource Planning (ERP) software is crucial for managing human resources, accounting, shipping, and manufacturing within enterprises. These systems often become complex and difficult to maintain due to extensive customization, which complicates patching. At the same time, critical vulnerabilities regularly affect them, putting essential business data at risk. The SANS Internet Storm Center reported that the open-source ERP framework OFBiz is being targeted by new variants of the Mirai botnet. Maintained by the Apache Software Foundation, OFBiz is a Java-based framework for building ERP applications. Although less widely deployed than commercial alternatives, OFBiz handles sensitive business data, so its security is paramount.
In May, a critical security update was released for OFBiz to fix a directory traversal vulnerability that could lead to remote command execution; versions before 18.12.13 are affected. Details of the vulnerability were disclosed a few weeks after the patch. Directory traversal lets an attacker bypass access controls by manipulating the request path, the textbook form being a URL such as "/public/../admin", where "../" steps out of a public directory into a restricted one. A recent alert by CISA and the FBI highlighted how prevalent this class of vulnerability remains. In the OFBiz case the traversal does not rely on "../" at all: it is triggered by inserting a semicolon into the URL path. The exploit URL currently seen in the wild is:
/webtools/control/forgotPassword;/ProgramExport
Because the "forgotPassword" request requires no authentication, the access check sees a permitted request, while the part of the path after the semicolon causes "ProgramExport" to be executed instead, giving the attacker arbitrary code execution. The exploit is sent as a POST request; since the payload can be carried in the URL itself, no request body is required.
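The mechanism above comes down to two parsers disagreeing about which request a path names. The following example is written for this note and is not OFBiz's own code: it models a hypothetical application whose access check reads the request name up to the first semicolon, while its dispatcher strips semicolon path parameters per segment and routes on the last one, then shows a hardened variant in which both sides share one strict canonicalization. The request names, allowlist and path shape are assumptions made for illustration.

```python
"""Model of the request-name mismatch behind the OFBiz exploit URL.

Hypothetical code written for this note, not OFBiz's own: it models an app
whose access-control check and request dispatcher parse the URL path
differently, and shows how a single canonicalization closes that gap.
"""

# Request names the hypothetical app lets through without a login (assumed).
PUBLIC_REQUESTS = {"forgotPassword", "login", "checkLogin"}
# Request names that must never be reachable without a login (assumed).
PRIVILEGED_REQUESTS = {"ProgramExport"}

EXPLOIT_PATH = "/webtools/control/forgotPassword;/ProgramExport"


def authz_request_name(path: str) -> str:
    """Vulnerable access check: reads the text right after '/control/' and
    treats everything from the first ';' on as an ignorable path parameter,
    so the exploit path looks like the public 'forgotPassword' request."""
    after_control = path.split("/control/", 1)[1]
    return after_control.split(";", 1)[0].split("/", 1)[0]


def dispatch_request_name(path: str) -> str:
    """Dispatcher: strips ';...' path parameters from every segment (as servlet
    containers do) and routes on the LAST segment, which for the exploit path
    is 'ProgramExport'."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/") if seg]
    return segments[-1]


def handle_vulnerable(path: str, logged_in: bool) -> tuple[bool, str]:
    """Returns (allowed, request name actually executed)."""
    checked = authz_request_name(path)
    if not logged_in and checked not in PUBLIC_REQUESTS:
        return False, checked
    # Passed the check on one name, executes another.
    return True, dispatch_request_name(path)


def canonical_request_name(path: str) -> str:
    """Hardened: one strict parse shared by the access check and the dispatcher.
    Path parameters, dot segments and unexpected depth are rejected outright
    rather than silently normalized away."""
    segments = [seg for seg in path.split("/") if seg]
    for seg in segments:
        if ";" in seg or seg in (".", ".."):
            raise ValueError(f"rejected path segment: {seg!r}")
    if len(segments) != 3 or segments[1] != "control":
        raise ValueError("expected /<webapp>/control/<request>")
    return segments[2]


def handle_hardened(path: str, logged_in: bool) -> tuple[bool, str]:
    """Returns (allowed, request name); malformed paths are refused with ''."""
    try:
        name = canonical_request_name(path)
    except ValueError:
        return False, ""
    if not logged_in and name not in PUBLIC_REQUESTS:
        return False, name
    return True, name


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(EXPLOIT_PATH, logged_in=False))
    print("hardened:  ", handle_hardened(EXPLOIT_PATH, logged_in=False))
```

The point of the hardened version is not the specific rejection rules but that authorization and dispatch are decided from the same canonical value; any normalization (path parameters, "../", URL decoding) that happens after the access check reopens the gap.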
Security Officer Comments:
The SANS Internet Storm Center detected increased exploit attempts targeting CVE-2024-32113, the OFBiz directory traversal vulnerability, attributed to Mirai botnet variants and originating from two IP addresses previously seen exploiting IoT devices. The attackers used two delivery methods: placing the command to execute in the URL, or placing it in the request body. The malicious scripts hosted on the identified IPs could not be recovered.
Key IP addresses involved in these exploits:
95[.]214[.]27[.]196: Sending exploits via URL parameter and hosting malware.
83[.]222[.]191[.]62: Sending exploits in request bodies, with malware hosted on 185[.]196[.]10[.]231.
185[.]196[.]10[.]231: Hosting malware.
Despite the small number of vulnerable systems, attackers are actively exploiting the OFBiz vulnerability, possibly incorporating it into Mirai botnet variants.
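For defenders, the two delivery methods and the listed IP addresses translate into a simple access-log triage. The script below is an added example written for this note, not from the article or the Storm Center: it parses constructed log lines in combined format, flags requests under /webtools/control/ that carry a semicolon path parameter or resolve to ProgramExport, and marks source IPs from the list above. The query parameter name in the first sample line is a placeholder; the page does not state which parameter carries the command, and a payload sent in the POST body will not appear in a standard access log at all.

```python
"""Access-log triage for the OFBiz exploit pattern.

Example written for this note (not from the article): the log lines below are
constructed, in Apache/Nginx combined format, to show what the two observed
delivery methods and the listed source IPs look like from the server side.
"""
import re
from typing import Optional

# Source and hosting IPs listed in the report.
IOC_IPS = {"95.214.27.196", "83.222.191.62", "185.196.10.231"}

# Constructed sample lines (not real traffic). "exampleParam" is a placeholder,
# not the real parameter name. The second hit carries its payload in the POST
# body, which a standard access log does not record.
SAMPLE_LOG = """\
95.214.27.196 - - [05/Aug/2024:10:12:01 +0000] "POST /webtools/control/forgotPassword;/ProgramExport?exampleParam=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
83.222.191.62 - - [05/Aug/2024:10:12:44 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [05/Aug/2024:10:13:10 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.6 - - [05/Aug/2024:10:14:00 +0000] "GET /webtools/control/main HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Returns the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list[str]:
    """Returns the reasons an access-log entry is suspicious (empty = benign)."""
    reasons = []
    path, _, query = entry["target"].partition("?")
    # Semicolon path parameters have no business under the controller path.
    if path.startswith("/webtools/control/") and ";" in path:
        reasons.append("semicolon path parameter under /webtools/control/")
    # Resolve the request the way a container would (strip ';...', take last segment).
    segments = [seg.split(";", 1)[0] for seg in path.split("/") if seg]
    if segments and segments[-1] == "ProgramExport":
        reasons.append("resolves to ProgramExport")
    if entry["ip"] in IOC_IPS:
        reasons.append("source IP in IOC list")
    # Record which of the two delivery methods the hit used, where visible.
    if reasons and entry["method"] == "POST":
        reasons.append("payload in URL query" if query
                       else "payload likely in POST body (not logged)")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Returns (source ip, request target, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Because the body-delivered variant leaves only the path in the access log, the semicolon-in-path rule is the more durable signal; the IP list will age quickly.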
Suggested Corrections:
Organizations running OFBiz should upgrade to version 18.12.13 or later, which fixes the vulnerability, and should review web server logs for requests to "/webtools/control/" paths that contain a semicolon or reach "ProgramExport". Traffic to or from the IP addresses listed above should be blocked and investigated.
Users should also be wary of IoT devices that lack traditional security features. Many IoT devices do not support multi-factor authentication or even allow default usernames and passwords to be changed, and cybercriminals will continue to target the ever-growing IoT device market.
If IoT devices must be used, they should be segmented from sensitive networks.
Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
Link(s):
https://thehackernews.com/2024/08/mirai-botnet-targeting-ofbiz-servers.html