CVE-2023-28936 allows attacker to access any arbitrary recording or room in Apache OpenMeetings

As our world continues to pivot towards an increasingly digital environment, the importance of robust and reliable online conferencing solutions has never been more apparent. Amongst these, Apache OpenMeetings stands as a versatile solution, offering features like presenting, online training, collaborative whiteboard drawing, and document editing. This open-source software, based on the Red5 media server, HTML5, and Flash, has been a go-to for many.

However, as powerful as this tool may be, recent discoveries [1, 2, 3] have highlighted a number of significant security vulnerabilities. Ranging from null-byte injection to bypassing authentication, these vulnerabilities have the potential to wreak havoc if not promptly addressed.

CVE-2023-29246: Null-Byte Injection – A Hidden Threat

The first vulnerability, identified as CVE-2023-29246, is an important one affecting Apache OpenMeetings versions from 2.0.0 to 7.1.0. This vulnerability allows an attacker, who has already gained access to an admin account, to execute a remote command through a null-byte injection.

A null-byte injection, for the uninitiated, is a technique where an attacker injects a null byte – a character that marks the end of a string in C and C++ – into a string to either truncate or manipulate its intended function. In the case of Apache OpenMeetings, this means a potential attacker can use this vulnerability to execute arbitrary commands, providing a gateway to a host of malicious activities.

CVE-2023-29032: Bypassing Authentication – A Wolf in Sheep’s Clothing

The next vulnerability, dubbed CVE-2023-29032, affects versions of Apache OpenMeetings from 3.1.3 to 7.1.0. This vulnerability allows an attacker to bypass authentication, essentially impersonating another user, provided they have access to certain private information.

Impersonation attacks are particularly concerning as they can allow an attacker to masquerade as another user, gain access to sensitive information, manipulate data, or even inflict reputational damage.

CVE-2023-28936: Insufficient Invitation Hash Check – An Uninvited Guest

The third vulnerability, classified as CVE-2023-28936, is particularly critical. It affects Apache OpenMeetings versions from 2.0.0 to 7.1.0. This vulnerability stems from an insufficient check of the invitation hash, allowing an attacker to access any arbitrary recording or room.

In simple terms, this means that an attacker could potentially access sensitive information shared in a supposedly secure meeting room or recording. This vulnerability is particularly concerning given the often confidential nature of information shared during web conferences.

While these vulnerabilities are severe, it is important to remember that they have been identified, and mitigation is possible. Users of Apache OpenMeetings should ensure that they promptly update their software to the latest version (7.1.0) to benefit from the security patches that have been released to handle these vulnerabilities.