Panel Discussion: API Security in DevSecOps. Watch the Recording

CVE-2023-35078: A Deep Dive into Protecting Your APIs from Emerging Vulnerabilities

Uncover top API vulnerabilities and CVEs from 2023 including CVE-2023-35078, CVE-2023-23752 and CVE-2023-49103.

Author Medusa

6 mins

Trending API 2023

The Common Vulnerabilities and Exposures (CVEs) we will be looking at in this blog are:

  • CVE-2023-35078: Authentication Flaw in Ivanti EPMM API

  • CVE-2023-23752: Improper Access Control in Joomla

  • CVE-2023-49103: Serious Information Exposure in ownCloud's Graph API

CVE-2023-35078: Authentication Flaw in Ivanti EPMM API

This vulnerability was found in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, and is tracked as CVE-2023-35078. It affects the supported releases 11.10, 11.9 and 11.8 as well as older, unsupported versions.

Now, what is Ivanti Endpoint Manager Mobile (Ivanti EPMM)? It's a type of software that businesses use to manage their mobile devices, applications, and content. Essentially, it helps companies keep track of and control all the mobile devices used by their employees, along with the software and information stored on them.

So, what is the issue with CVE-2023-35078? It is an authentication bypass: a remote, unauthenticated attacker can reach specific API paths of Ivanti EPMM without any credentials. According to Ivanti's advisory, this exposes users' personally identifiable information and allows limited configuration changes on the server. The flaw was assigned a CVSS score of 10.0, the highest possible severity.

Vulnerability Detection and POC

Ivanti distributes a private "Analysis Guide" through customer support to help customers determine whether their system has been affected. At the time of the advisory, only a small number of customers had been impacted, and Ivanti was working with them to establish what happened. Customers who need help can open a support ticket or request a call through the Success Portal. Ivanti also states that its own systems were not compromised through this issue and that it works with technology and security partners to prevent and respond to threats from advanced attackers.

Vaishno Chaitanya has shared a demonstration of CVE-2023-35078 on their personal GitHub page. The PoC includes a video showing the exploit running against a vulnerable EPMM system.

Indicators of Compromise (IoC)

In the Apache HTTP logs on the appliance, you can find signs that the system might have been compromised.

Look for entries in the log file /var/log/httpd/https-access_log that show requests to an API endpoint with /mifs/aad/api/v2/ in the path and an HTTP response code of 200. If exploitation attempts were blocked, you will see HTTP response codes 401 or 403 instead. For example:

192.168.66.54:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
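As an added example (not from the page or from Ivanti), the following Python triage script applies the IoC above to a constructed sample of https-access_log lines: it keeps only requests whose path contains /mifs/aad/api/v2/, separates 200 responses (possible successful unauthenticated access) from 401/403 responses (blocked attempts) and tallies the source addresses. The log lines are made up for this example; their format follows the line shown above.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the appliance's
# /var/log/httpd/https-access_log (made up for this example, not real data).
SAMPLE_LOG = """\
192.168.66.54:58482 - - 2023-07-27--13-01-39 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2509
192.168.66.54:58483 - - 2023-07-27--13-01-44 "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 68 "-" "curl/8.0.1" 2311
10.0.0.12:50112 - - 2023-07-27--13-02-05 "GET /mifs/aad/api/v2/ping HTTP/1.1" 401 0 "-" "python-requests/2.31" 120
10.0.0.12:50113 - - 2023-07-27--13-02-06 "GET /mifs/aad/api/v2/ping HTTP/1.1" 403 0 "-" "python-requests/2.31" 118
172.16.4.9:41000 - - 2023-07-27--13-03-00 "GET /mifs/login.jsp HTTP/1.1" 200 9021 "-" "Mozilla/5.0" 2200
"""

# client:port, two dashes, timestamp, quoted request line, status, size, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ (?P<ts>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

IOC_PATH_FRAGMENT = "/mifs/aad/api/v2/"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"].rsplit(":", 1)[0],  # drop the source port
        "ts": m["ts"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def triage(log_text):
    """Split IoC hits into likely-successful (200) and blocked (401/403) requests."""
    successes, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or IOC_PATH_FRAGMENT not in rec["path"]:
            continue
        if rec["status"] == 200:
            successes.append(rec)
        elif rec["status"] in (401, 403):
            blocked.append(rec)
    return successes, blocked


def source_summary(records):
    """Count hits per client IP so the noisiest sources surface first."""
    return Counter(rec["client"] for rec in records).most_common()


if __name__ == "__main__":
    ok, denied = triage(SAMPLE_LOG)
    print(f"{len(ok)} request(s) to {IOC_PATH_FRAGMENT} returned 200 -> investigate")
    for rec in ok:
        print(f"  {rec['ts']} {rec['client']} {rec['method']} {rec['path']}")
    print(f"{len(denied)} blocked attempt(s) (401/403) from:", source_summary(denied))
```

A 200 on this path is the signal worth escalating; 401/403 hits tell you who is probing and whether the mitigation is holding. Run it over the real log with `triage(open(path).read())` on the appliance, and treat any client outside your Azure AD/management ranges as suspect.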

Mitigation

Ivanti moved quickly and released a patch for every supported version of the product. If you are on a supported release, update EPMM to the patch releases 11.8.1.1, 11.9.1.1 or 11.10.0.2 through the System Manager portal.

If you run an older version (prior to 11.8.1.0), upgrade to the latest EPMM release to get the current security and stability fixes. If you cannot upgrade immediately, Ivanti offers a temporary patch as an interim measure.

Plan to move to a supported EPMM version so that the permanent patch can be applied.

CVE-2023-23752: Improper Access Control in Joomla

Joomla! released a security warning about CVE-2023-23752 on February 16, 2023. This warning talked about a problem with access controls in Joomla! versions 4.0.0 through 4.2.7.

Because of weak access controls on its web service endpoints, an unauthenticated attacker can send crafted requests to the Joomla! REST API and retrieve configuration details, which can reveal sensitive information.

Vulnerability Detection and POC

The public exploits for CVE-2023-23752 mostly use the authentication bypass to leak the site's configuration, which includes the Joomla! MySQL database credentials in plaintext. The leak comes from querying the REST endpoint /api/index.php/v1/config/application?public=true without authentication. The files /language/en-GB/langmetadata.xml and /administrator/manifests/files/joomla.xml, discussed next, do not expose the configuration; they only reveal the installed version, which is useful for finding vulnerable targets.

You can find out what version of Joomla! is installed on a website without needing to log in. By checking specific web addresses, like /language/en-GB/langmetadata.xml, you can see the Joomla! version. Also, most Joomla! sites, even if you don't log in, reveal their version in another address, /administrator/manifests/files/joomla.xml. We looked at IP addresses listed in Shodan and saw that Joomla! 4 isn't used much. Only around 14% of the Joomla! sites we checked were using version 4, which is the only version affected by CVE-2023-23752.

At present, the PoC and the details of the vulnerability have been made public. Affected users are requested to take protective measures as soon as possible.

You can have a look at the POC here.

CVE-2023-23752 to Code Execution

As discussed, CVE-2023-23752 allows an authentication bypass that leads to an information leak. Most of the public exploits utilize this bypass to expose the system's configuration, which includes the Joomla!

Command:

curl -v http://10.9.49.205/api/index.php/v1/config/application?public=true
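As an added example that is not from the page or from the Joomla! project, the Python below does the two checks described in this section offline against constructed responses: it reads the version out of a langmetadata.xml body and tests it against the affected range 4.0.0 through 4.2.7, and it pulls the database-related attributes out of a config/application JSON body such as the curl command above would return. The JSON layout (one `data` entry per attribute, as public write-ups show the v1 API returning it) and all sample values are assumptions constructed for this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of /language/en-GB/langmetadata.xml (made up for this example).
SAMPLE_LANGMETADATA = """<?xml version="1.0" encoding="utf-8"?>
<metafile client="site">
    <name>English (en-GB)</name>
    <version>4.2.7</version>
    <creationDate>2023-01</creationDate>
</metafile>
"""

# Constructed sample of the /api/index.php/v1/config/application?public=true body.
# The "one data entry per attribute" layout mirrors public PoCs; the values are
# invented for this example.
SAMPLE_CONFIG_JSON = json.dumps({
    "links": {"self": "http://10.9.49.205/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": 224, "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"user": "joomla_user", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"password": "S3cr3t!", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"db": "joomla_db", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"dbprefix": "jos_", "id": 224}},
    ],
})

AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 2, 7)   # fixed in 4.2.8
SENSITIVE_KEYS = ("dbtype", "host", "user", "password", "db", "dbprefix",
                  "mailfrom", "smtpuser", "smtppass")


def parse_version(text):
    """Turn '4.2.7' (or '4.2.7-rc1') into a comparable tuple of ints."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_from_langmetadata(xml_text):
    """Read the Joomla! version advertised by langmetadata.xml."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def is_affected_version(version):
    """True if the version lies in the affected range 4.0.0 through 4.2.7."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def leaked_config(json_text):
    """Merge the per-attribute entries and return only the sensitive settings."""
    body = json.loads(json_text)
    merged = {}
    for entry in body.get("data", []):
        merged.update(entry.get("attributes", {}))
    return {k: merged[k] for k in SENSITIVE_KEYS if k in merged}


def assess(xml_text, json_text):
    """Combine both signals into one verdict for a host."""
    version = version_from_langmetadata(xml_text)
    leak = leaked_config(json_text)
    return {
        "version": version,
        "version_in_affected_range": bool(version) and is_affected_version(version),
        "config_exposed": "password" in leak,
        "leaked_keys": sorted(leak),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LANGMETADATA, SAMPLE_CONFIG_JSON), indent=2))
```

The version check alone only tells you a host is in scope; the presence of a `password` attribute in an unauthenticated response to the config endpoint is the actual confirmation, so the verdict reports both. Feed the functions real bodies only for hosts you are authorized to test.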

Check out more on exploit details here.

Impact of CVE-2023-23752

This vulnerability can have serious consequences for affected sites. Attackers can reach web service endpoints without authentication and leak information such as database usernames, passwords and database names. There is also concern that attackers chain this leak into code execution.

To exploit this flaw, attackers first bypass authentication to access the system's configuration. This lets them see Joomla!'s MySQL database credentials in plain text, which they can then use to get even more access to the system.

Mitigation

Joomla! has released a fixed version, 4.2.8, that addresses this vulnerability. Affected users should upgrade promptly from https://downloads.joomla.org/.

Want the best proactive API Security product?

Our customers love us for our proactive approach and world class API Security test templates. Try Akto's test library yourself in your testing playground. Play with the default test or add your own.

CVE-2023-49103: Serious Information Exposure in ownCloud's Graph API

ownCloud is a file-sharing platform used mainly by large organisations. On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure flaw. It affects ownCloud installations that have the "Graph API" (graphapi) app installed. Docker-based deployments created after February 2023 ship this vulnerable component by default; manual installations do not include it unless it was added.

The graphapi app depends on a third-party library that ships a file named GetPhpInfo.php. Requesting that file over HTTP returns the PHP environment's configuration (phpinfo output). In containerized deployments, the environment variables shown there may include sensitive data such as the license key, mail server credentials and the ownCloud admin password.

Disabling the graphapi app alone does not fix the vulnerability. Additionally, phpinfo exposes several other potentially sensitive configuration details that attackers can exploit to gather more information about the system.

Affected Product

The ownCloud Graph API extension is the affected product, specifically versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The vendor has remediated CVE-2023-49103 in version 0.3.1 and 0.2.1 of graphapi, which were released on September 1st, 2023.

For more details, you can visit the vendor page: https://marketplace.owncloud.com/apps/graphapi.

Vulnerability POC

The public PoC is a Python script that checks a list of URLs for the presence of phpinfo() output. It uses multiple threads to test many URLs concurrently and shows a progress bar while it runs.

A proof of concept (POC) for the vulnerability is available here.

How Akto can Help?

API vulnerabilities are a big deal. We've got you covered on that front. Protecting your API endpoints from bad actors is key, and Akto can help with that. Just import your API Inventory and test all your API endpoints with one click. Give Akto a try today!

Mitigation

To remediate CVE-2023-49103, update the vulnerable graphapi component to version 0.3.1 as per the vendor advisory. If you find the file /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php in your ownCloud installation, delete it.

You can further harden your ownCloud installation by adding the PHP function "phpinfo" to the disabled functions list in the appropriate PHP ini configuration file. ownCloud has added this hardening feature to several recent versions of their official Docker container images. If your Docker containers were built from Docker images released before this addition, the updated hardening will not be applied unless you rebuild the images.

It is highly recommended to update ownCloud to at least version 10.13.1, as this resolves CVE-2023-49103 when the graphapi is shipped as part of the complete bundle with ownCloud.
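As an added example, not from the page or from ownCloud, the Python below implements two checks a practitioner would run around this mitigation: whether an HTTP response body is phpinfo() output and, if so, which environment variables in it look like secrets, and whether a PHP ini file actually lists phpinfo in disable_functions. The phpinfo HTML fragment, the OWNCLOUD_* variable names and the ini text are constructed for this example; the row markup follows the `<td class="e">` / `<td class="v">` table layout that phpinfo emits.

```python
import re

# Constructed fragment of a phpinfo() page as a vulnerable graphapi install
# could return it. Markup follows phpinfo's table layout; variable names and
# values are invented for this example (the OWNCLOUD_* names are an assumption).
SAMPLE_PHPINFO = """<!DOCTYPE html><html><head><title>phpinfo()</title></head><body>
<h1>PHP Version 7.4.33</h1>
<h2>Environment</h2>
<table>
<tr><td class="e">HOSTNAME </td><td class="v">owncloud-1 </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_USERNAME </td><td class="v">admin </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD </td><td class="v">Sup3rS3cret </td></tr>
<tr><td class="e">OWNCLOUD_LICENSE_KEY </td><td class="v">ABC-123 </td></tr>
<tr><td class="e">SMTP_PASSWORD </td><td class="v">mailpw </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
</table></body></html>"""

# Constructed php.ini snippets: one with the recommended hardening, one without.
INI_HARDENED = "expose_php = Off\ndisable_functions = exec,passthru,phpinfo\n"
INI_WEAK = "expose_php = On\ndisable_functions = exec,passthru\n"

ROW_RE = re.compile(r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S)
SENSITIVE_MARKERS = ("PASSWORD", "PASS", "SECRET", "KEY", "TOKEN", "LICENSE")


def looks_like_phpinfo(body):
    """Cheap signature check: phpinfo() pages carry this title and heading."""
    return "<title>phpinfo()</title>" in body and "PHP Version" in body


def phpinfo_rows(body):
    """Return every name/value row from the phpinfo tables as a dict."""
    return {name: value for name, value in ROW_RE.findall(body)}


def sensitive_from_phpinfo(body):
    """Names (not values, to keep reports safe) of rows whose key suggests a secret."""
    return sorted(
        name for name in phpinfo_rows(body)
        if any(marker in name.upper() for marker in SENSITIVE_MARKERS)
    )


def disabled_functions(ini_text):
    """Parse disable_functions from php.ini text into a set of function names."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        if line.lower().startswith("disable_functions"):
            _, _, value = line.partition("=")
            return {f.strip() for f in value.split(",") if f.strip()}
    return set()


def phpinfo_disabled(ini_text):
    """True if the ini text disables phpinfo, the hardening the advisory recommends."""
    return "phpinfo" in disabled_functions(ini_text)


if __name__ == "__main__":
    if looks_like_phpinfo(SAMPLE_PHPINFO):
        print("phpinfo() output exposed; sensitive-looking variables:",
              sensitive_from_phpinfo(SAMPLE_PHPINFO))
    for label, ini in (("hardened", INI_HARDENED), ("weak", INI_WEAK)):
        print(f"{label}: phpinfo disabled = {phpinfo_disabled(ini)}")
```

The response check is what the public PoC does at scale; the ini check matters because, as the text notes, containers built from older images do not pick up the disable_functions hardening, so verifying the running container's ini is more reliable than trusting the image tag. Remember that disabling phpinfo does not replace updating graphapi and deleting GetPhpInfo.php.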

Conclusion

In conclusion, these API vulnerabilities emphasize the importance of robust security measures in software development and deployment.

Organizations must promptly apply patches and updates, implement strong access controls, conduct regular vulnerability assessments, and maintain secure coding practices to mitigate these risks. By addressing these vulnerabilities and staying informed about security updates, organizations can enhance their security posture and protect sensitive data from unauthorized access or exploitation.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Follow us for more updates

Experience enterprise-grade API Security solution