CVE-2023-35078: A Deep Dive into Protecting Your APIs from Emerging Vulnerabilities
Uncover top API vulnerabilities and CVEs from 2023 including CVE-2023-35078, CVE-2023-23752 and CVE-2023-49103.
Medusa
6 mins
The Common Vulnerabilities and Exposures (CVEs) we will be looking at in this blog are:
- CVE-2023-35078: Authentication Flaw in Ivanti EPMM API
- CVE-2023-23752: Improper Access Control in Joomla
- CVE-2023-49103: Serious Information Exposure in ownCloud's Graph API
CVE-2023-35078: Authentication Flaw in Ivanti EPMM API
This vulnerability was discovered in a software called Ivanti Endpoint Manager Mobile (EPMM), which was previously known as MobileIron Core. This problem is identified by the code CVE-2023-35078. It impacts not just the most recent versions of the software, like 11.10, 11.9, and 11.8, but also older versions.
Now, what is Ivanti Endpoint Manager Mobile (Ivanti EPMM)? It's a type of software that businesses use to manage their mobile devices, applications, and content. Essentially, it helps companies keep track of and control all the mobile devices used by their employees, along with the software and information stored on them.
So, what's the issue with CVE-2023-35078? Well, it's a problem with Ivanti EPMM that allows people who shouldn't be able to access certain parts of the software to do so anyway, without needing the proper permission or credentials. This is a big deal because it means unauthorized individuals could potentially get into sensitive areas of the software and cause all sorts of problems. In terms of severity, this problem is considered very serious and has been given the highest possible score of 10 out of 10 for its severity.
Vulnerability Detection and POC
Ivanti gives a private "Analysis Guide" through customer support to see if the system got affected. Only a few customers have had problems so far, and Ivanti is helping them find out what happened. If customers need help, they can ask for it by opening a support ticket or requesting a call through the Success Portal. Ivanti also says their systems haven't been hacked because of this issue. They use technology and security partners to stop and deal with threats from advanced attackers.
Vaishno Chaitanya has shared a demonstration of CVE-2023-35078 on their personal GitHub page. This POC includes a video showing how the exploit works on a system that's vulnerable to EPMM.
Indicators of Compromise (IoC)
In the Apache HTTP logs on the appliance, you can find signs that the system might have been compromised.
Look for entries in the log file /var/log/httpd/https-access_log. These entries will show requests to a specific API endpoint, containing /mifs/aad/api/v2/ in the path, and with a HTTP response code of 200. If exploitation attempts were blocked, you'll see HTTP response codes 401 or 403 instead. For example:
JavaScript
Mitigation
Ivanti moved fast to deal with this threat. They made a patch for all supported versions of the product. If your system can handle it, update EPMM using the patch releases (11.8.1.1, 11.9.1.1, and 11.10.0.2) from the system manager portal.
If you're using an older version before 11.8.1.0, it's best to upgrade to the latest EPMM version for the newest security and stability fixes. If you can't upgrade, Ivanti offers a temporary patch solution.
Make sure to update to a compatible EPMM version that allows for a permanent patch to be applied.
CVE-2023-23752: Improper Access Control in Joomla
Joomla! released a security warning about CVE-2023-23752 on February 16, 2023. This warning talked about a problem with access controls in Joomla! versions 4.0.0 through 4.2.7.
Because of weaknesses in Joomla's access controls on its web service endpoints, attackers without authentication can use specially made requests to get Joomla-related setup details through the RestAPI interface. This can eventually reveal sensitive information.
Vulnerability Detection and POC
The authentication bypass in the public exploits for CVE-2023-23752 was mostly used to leak the system's configuration, which included the Joomla! MySQL database credentials in plaintext. Attackers could access this information remotely by querying the endpoints /language/en-GB/langmetadata.xml or /administrator/manifests/files/joomla.xml without authentication.
You can find out what version of Joomla! is installed on a website without needing to log in. By checking specific web addresses, like /language/en-GB/langmetadata.xml, you can see the Joomla! version. Also, most Joomla! sites, even if you don't log in, reveal their version in another address, /administrator/manifests/files/joomla.xml. We looked at IP addresses listed in Shodan and saw that Joomla! 4 isn't used much. Only around 14% of the Joomla! sites we checked were using version 4, which is the only version affected by CVE-2023-23752.
At present, the PoC and the details of the vulnerability have been made public. Affected users are requested to take protective measures as soon as possible.
You can have a look at the POC here.
CVE-2023-23752 to Code Execution
As discussed, CVE-2023-23752 allows an authentication bypass that leads to an information leak. Most of the public exploits utilize this bypass to expose the system's configuration, which includes the Joomla!
Command:
JavaScript
Check out more on exploit details here.
Impact of CVE-2023-35078
This vulnerability could have serious effects on websites that are affected. Attackers can use it to get into web service endpoints without permission, possibly leaking important information like usernames, passwords, and database names. There's also concern that attackers might try to use this vulnerability to run code.
To exploit this flaw, attackers first bypass authentication to access the system's configuration. This lets them see Joomla!'s MySQL database credentials in plain text, which they can then use to get even more access to the system.
Mitigation
The official security version has been released to fix this vulnerability. It is recommended that affected users upgrade their protection in time by visiting https://downloads.joomla.org/.
Want the best proactive API Security product?
Our customers love us for our proactive approach and world class API Security test templates. Try Akto's test library yourself in your testing playground. Play with the default test or add your own.
CVE-2023-49103: Serious Information Exposure in ownCloud's Graph API
OwnCloud is a platform used for sharing files, mainly in big companies. On November 21, 2023, ownCloud revealed a problem known as CVE-2023-49103. It's a flaw that lets people get information without logging in. This problem affects ownCloud if a certain add-on called "Graph API" (graphapi) is installed. If ownCloud was set up using Docker after February 2023, this vulnerable Graph API part comes automatically. But if ownCloud was installed manually, the Graph API part isn't there by default.
The graphapi application, which is dependent on a third-party library called GetPhpInfo.php, creates a vulnerability. This library provides a URL that allows access to the PHP environment's configuration details (phpinfo). In containerized deployments, these environment variables may include sensitive information such as the license key, mail server credentials, and ownCloud admin password.
Disabling the graphapi app alone does not fix the vulnerability. Additionally, phpinfo exposes several other potentially sensitive configuration details that attackers can exploit to gather more information about the system.
Affected Product
The ownCloud Graph API extension is the affected product, specifically versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The vendor has remediated CVE-2023-49103 in version 0.3.1 and 0.2.1 of graphapi, which were released on September 1st, 2023.
For more details, you can visit the vendor page: https://marketplace.owncloud.com/apps/graphapi.
Vulnerability POC
This Python script efficiently checks a long list of URLs for the presence of phpinfo() output. It uses multiple threads to handle many URLs at once, making the process much faster. The script also includes a progress bar to show how far along it is.
A proof of concept (POC) for the vulnerability is available here.
How Akto can Help?
API vulnerabilities are a big deal. We've got you covered on that front. Protecting your API endpoints from bad actors is key, and Akto can help with that. Just import your API Inventory and test all your API endpoints with one click. Give Akto a try today!
Mitigation
To remediate CVE-2023-49103, update the vulnerable graphapi component to version 0.3.1 as per the vendor advisory. If you find the file /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php in your ownCloud installation, delete it.
You can further harden your ownCloud installation by adding the PHP function "phpinfo" to the disabled functions list in the appropriate PHP ini configuration file. ownCloud has added this hardening feature to several recent versions of their official Docker container images. If your Docker containers were built from Docker images released before this addition, the updated hardening will not be applied unless you rebuild the images.
It is highly recommended to update ownCloud to at least version 10.13.1, as this resolves CVE-2023-49103 when the graphapi is shipped as part of the complete bundle with ownCloud.
Conclusion
In conclusion, these API vulnerabilities emphasize the importance of robust security measures in software development and deployment.
Organizations must promptly apply patches and updates, implement strong access controls, conduct regular vulnerability assessments, and maintain secure coding practices to mitigate these risks. By addressing these vulnerabilities and staying informed about security updates, organizations can enhance their security posture and protect sensitive data from unauthorized access or exploitation.
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.