1. Summary
| Vulnerability Name | Openfire Authentication Bypass Vulnerability (CVE-2023-32315) |
|---|---|
| Release Date | June 15, 2023 |
| Component Name | Openfire Admin Console |
| Affected Versions | 3.10.0 ≤ Openfire < 4.6.8; 4.7.0 ≤ Openfire < 4.7.5 |
| Vulnerability Type | Authentication Bypass Vulnerability |
| Severity | CVSS v3 Base Score: 7.5 (High) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
| Impact | Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None |
2. About the Vulnerability (CVE-2023-32315)
2.1 About the Component
Openfire is an open-source real-time collaboration (RTC) server that facilitates instant messaging (IM) and group chat communication. It is built on the Extensible Messaging and Presence Protocol (XMPP) and supports features like multi-user chat rooms, file transfers, presence information, and group management. The Openfire Administration Console is a web-based interface for managing and configuring the Openfire XMPP server.
2.2 About the Vulnerability
On June 15, 2023, Sangfor FarSight Labs received notification about an authentication bypass vulnerability in Openfire, identified as CVE-2023-32315, with a severity rating of High (CVSS Score 7.5).
Openfire's Administration Console (Admin Console) is vulnerable to a path traversal attack through its setup environment. The Openfire Setup Environment is deliberately unauthenticated, because it runs before an administrator account exists; this vulnerability lets an unauthenticated user reach that Setup Environment on an Openfire instance that has already been configured, and from there gain access to restricted Admin Console pages reserved for administrative users.
The root cause lies in Openfire's API, which provides a mechanism for excluding certain URLs from web authentication and accepts wildcards for flexible URL pattern matching. Because the wildcard pattern is matched against a path that can still contain traversal segments, combining wildcard matching with path traversal lets a malicious user bypass the authentication requirement for Admin Console pages. Once Admin Console authentication is bypassed, an attacker can upload a malicious plugin to execute arbitrary code and take control of the server.
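The check below is an added illustration of this bug class, not Openfire's code: it contrasts a wildcard exclusion list applied to the raw request path (the vulnerable shape) with the same list applied to the canonical path (the hardened shape), then runs that comparison over constructed access-log lines to flag requests that only matched the exclusion because of traversal segments. The `/setup/*` pattern, the page names and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed exclusion list: the advisory says the Setup Environment is excluded from
# authentication via wildcard patterns, but the exact patterns are not on the page.
EXCLUDED_PATTERNS = ["/setup/*", "/login.jsp"]
EXCLUDED = [re.compile("^" + re.escape(p).replace(r"\*", ".*") + "$")
            for p in EXCLUDED_PATTERNS]

def canonicalize(target):
    """Decode percent-encoding, drop the query string and collapse '.'/'..' segments."""
    path = unquote(urlsplit(target).path)
    canon = posixpath.normpath(path)
    return canon if canon.startswith("/") else "/" + canon

def is_excluded_naive(target):
    """Vulnerable shape: the wildcard is matched against the raw request path."""
    return any(rx.match(urlsplit(target).path) for rx in EXCLUDED)

def is_excluded_hardened(target):
    """Hardened shape: canonicalize first, then match; a traversed path no longer fits."""
    return any(rx.match(canonicalize(target)) for rx in EXCLUDED)

# Constructed access-log lines (common log format); the admin page name is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2023:10:00:01 +0000] "GET /setup/index.jsp HTTP/1.1" 200 512
203.0.113.7 - - [15/Jun/2023:10:00:02 +0000] "GET /setup/../admin-restricted-page.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [15/Jun/2023:10:00:03 +0000] "GET /setup/..%2F..%2Fadmin-restricted-page.jsp HTTP/1.1" 200 4096
198.51.100.9 - - [15/Jun/2023:10:00:04 +0000] "GET /login.jsp HTTP/1.1" 200 1024
"""
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def find_exclusion_bypass(log_text):
    """Return (client, raw target, canonical path) for requests that pass the raw
    exclusion check but fail the canonical one, i.e. likely traversal-based bypasses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        if is_excluded_naive(target) and not is_excluded_hardened(target):
            hits.append((client, target, canonicalize(target)))
    return hits
```

A 200 response on a flagged line is the signal worth alerting on; a patched server would answer such requests with a redirect to the login page or an error.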
3. Affected Versions
3.10.0 ≤ Openfire < 4.6.8
4.7.0 ≤ Openfire < 4.7.5
4. Solutions
4.1 Official Solution
4.1.1 Version Upgrade
Updated versions of Openfire (4.6.8, 4.7.5, 4.8.0) have been released to fix the vulnerability, and users are advised to upgrade as soon as possible.
Link: https://github.com/igniterealtime/Openfire/releases
4.2 Sangfor Solution
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Openfire authentication bypass vulnerability (CVE-2023-32315):
- Sangfor Cyber Command (Network Detection & Response)
- Sangfor Cyber Guardian (Managed Detection & Response Service)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Openfire authentication bypass vulnerability (CVE-2023-32315):
- Sangfor NGAF (Next Generation Firewall)
- Sangfor Endpoint Secure (Endpoint Security)
- Sangfor Cyber Guardian (Managed Detection & Response Service)
5. Timeline
On June 15, 2023, Sangfor FarSight Labs received notification about the Openfire authentication bypass vulnerability (CVE-2023-32315).
On June 15, 2023, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. Reference
https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm
https://nvd.nist.gov/vuln/detail/CVE-2023-32315
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.