Apache OpenMeetings Wide Open to Account Takeover, Code Execution

Three separate security vulnerabilities in the Apache OpenMeetings open source Web conferencing application can be strung together into an attack chain that allows threat actors to take over a user account, gain admin privileges, and ultimately execute arbitrary code on a server running the app.

OpenMeetings can be used for video calls, presentations, and other collaborative work, and is widely deployed in tens of thousands of enterprises, across both cloud and on-prem installations.

SonarSource threat researcher Stefan Schiller outlined the flaws in a report on Thursday that disclosed the triple threat: a weak hash comparison bug tracked under CVE-2023-28936; an unrestricted access via invitation hash tracked under CVE-2023-29023; and a null-byte injection bug tracked under CVE-2023-29246.

Users are urged to update OpenMeetings to version 7.1.0, which includes a fix for all three flaws.

OpenMeetings' Weak Hash Comparison Kicks Off Attack Chain

The trio of issues exist in the application's room creation and invitation process. Schiller explained in the report that each time a new OpenMeetings invitation is sent, an individual virtual "room" is generated, in which one user can invite another user. Both the room and user receive randomly generated hashes that are unique to both the user and the room.

The first hole in this process, the weak hash comparison, can be exploited to allow unauthorized access to an OpenMeetings invitation.

"The invitation hash is a long value (e.g., 3c6a04c8-f935-4226-90f9-34adbd7b4c2d), which is supposed to be secret," Schiller explains to Dark Reading. "Only someone who knows this value can redeem this invitation. But if an attacker uses a wildcard search when trying to redeem an invitation (e.g., 3%, which translates to: 'redeem the invitation hash beginning with the character 3'), the attacker can easily redeem this invitation without knowing the long secret value."

In this instance, no authentication is required, he points out.

Once the attacker has taken over the invite and entered the room, the second bug allows the attackers to create "zombie rooms." Combined with the first vulnerability, this sets up the path to elevating privileges and remote code execution.

Exploiting OpenMeetings Zombie Rooms

Schiller noted in the analysis that "attackers can trigger certain actions in an unexpected order to create a room invitation without a room assigned to it. This results in an unrestricted invitation to access any user account."

This "unexpected order" works like this, according to the SonarSource report: A cyberattacker could create an event, then join the room associated with the event, then delete the event while remaining in the room.

"Although the room is also deleted when its associated event is deleted, the presence of the attacker in the room makes this a zombie room," Schiller wrote. "Next, the attacker creates an invitation for the admin user to this room."

Due to the second flaw, a user with an invitation with no room attached to it has unfettered access to the entire application. Threat actors can take over the admin invite they just created with the process outlined above, resulting in elevated privileges. Thus, they gain the ability to change settings and more, Schiller explains to Dark Reading.

"In order to create an invitation (e.g., invite the admin user to gain his privileges), a registered user is required," Schiller adds. "By default, anyone can just register a user, which doesn't make this a hurdle for an attacker."

From there, the attacker, armed with admin rights, can use the third bug to escape to the full server upon which OpenMeetings is hosted and remotely execute code.

"Once the third vulnerability is exploited, an attacker has full access to the targeted server," Schiller warns. "This access is not restricted to the OpenMeetings app. Instead, the attacker can access any data stored on the server, install malicious software (e.g. cryptominers), and pivot to the internal network."

Patch OpenMeetings Now

With the release of OpenMeetings 7.1.0, Apache noted security improvements in invitation hashes, user permissions, admin paths, and more to remedy the weaknesses. The patches are not ones to sleep on: Its official Docker image has been downloaded more than 50,000 times, and OpenMeetings can also be deployed as a plugin for applications such as Jira, Confluence, or Drupal. Its footprint and increased usage of collaboration apps in the era of remote work are strong lures for cyberthreat actors.

"Its widespread adoption and the fact that it might be used for sensitive discussions, meetings, and collaborations make it an attractive target for attackers," the analysis warned.