Fresh set of RCE flaws addressed as researchers discover shortcomings in previous patch
Vulnerabilities in Apache Unomi could allow an attacker to achieve remote code execution (RCE) on sensitive corporate servers, researchers have warned.
Apache Unomi is an open source customer data management platform that can be integrated with content management systems, customer relationship management systems, and native mobile apps.
Security researchers from Checkmarx found that, by leveraging shortcomings in a previous patch, an attacker could send malicious API requests that resulted in RCE.
“The discovered vulnerability allows an attacker to inject a crafted OGNL or MVEL expression that runs an operating system command on the underlying server,” Eugene Rojavski, application security researcher at Checkmarx, told The Daily Swig.
Both vulnerabilities, which were bundled together as CVE-2020-13942, have a maximum CVSS score of 10, as they lead to “complete compromise of the Unomi service’s confidentiality, integrity, and accessibility, in addition to allowing access to the underlying OS”.
Rojavski explained: “The unpatched vulnerability keeps the Unomi application servers exposed to complete takeover at the Unomi application's privilege level.
“This makes it possible for an attacker to gain a foothold in an enterprise’s internal network for further lateral movement and steal user data collected by the Unomi application.”
The findings came after an initial patch for a previous RCE bug in Apache Unomi was found to be insufficient.
The software offers a restricted API that allows retrieving and manipulating data, in addition to a public endpoint where applications can upload and retrieve user data, a blog post from Checkmarx explains.
“Unomi allows complex conditions in the requests to its endpoints which rely on expression languages such as OGNL or MVEL to allow users to craft complex and granular queries. The EL-based conditions are evaluated before accessing data in the storage.
In the versions prior to 1.5.1, these expression languages were not restricted, leaving Unomi vulnerable to RCE via Expression Language Injection. An attacker was able to execute arbitrary code and OS commands on the Unomi server by sending a single request.”
The vulnerability, classified as CVE-2020-11975, was fixed. On further inspection, however, Checkmarx researchers found that the fix could be easily bypassed.
Addressing the root cause
“The initial patch didn’t encapsulate all possible attack vectors, primarily focusing on the initial payload instead of the vulnerability root cause,” Rojavski explained.
The researcher added: “The vulnerability is trivial to exploit. An attacker essentially just needs to find the vulnerable endpoint and continue on from there with their exploit.
“Moreover, the vulnerable endpoint should be public by design, so it’s easy to find.”
Both vulnerabilities have been patched by Apache. Unomi users are urged to update to the latest version.
Rojavski said: “As soon as the issue was discovered and verified, we immediately reported it to the Unomi developers.
“After that, their development team, together with the Checkmarx research team, made a fix that targets the vulnerability's root cause – the evaluation of arbitrary expression language statements. They were collaborative and responsive throughout.”
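The root-cause approach described above (stop evaluating request-supplied expression-language strings altogether) can be illustrated with an added example that is not Apache Unomi's code or its actual patch: conditions arrive as data (field, operator, value, optionally nested with and/or) and are checked against an allowlist before evaluation, so no OGNL or MVEL interpreter ever sees request input. The field names, operator names and the sample profile are hypothetical.

```python
import operator
from typing import Any, Callable

# Operators a request may name; anything else is rejected.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": operator.eq,
    "notEquals": operator.ne,
    "greaterThan": operator.gt,
    "lessThan": operator.lt,
    "contains": lambda a, b: isinstance(a, str) and isinstance(b, str) and b in a,
}
# Profile properties a request may reference (hypothetical names, not Unomi's schema).
ALLOWED_FIELDS = {"firstName", "age", "country", "email"}

class ConditionError(ValueError):
    """Raised when a request-supplied condition is not an allowlisted structure."""

def evaluate_condition(cond: Any, profile: dict) -> bool:
    """Evaluate a condition expressed as data, never as an expression-language string.

    Accepts {"field", "operator", "value"} leaves and {"and": [...]} / {"or": [...]}
    nesting. Every sub-condition is validated even when the result is already known.
    """
    if not isinstance(cond, dict):
        raise ConditionError("condition must be an object")
    if "and" in cond or "or" in cond:
        key = "and" if "and" in cond else "or"
        subs = cond[key]
        if set(cond) != {key} or not isinstance(subs, list) or not subs:
            raise ConditionError(f"'{key}' must be the only key and hold a non-empty list")
        results = [evaluate_condition(s, profile) for s in subs]
        return all(results) if key == "and" else any(results)
    if set(cond) != {"field", "operator", "value"}:
        raise ConditionError("leaf condition must have exactly field, operator and value")
    field, op, value = cond["field"], cond["operator"], cond["value"]
    if not isinstance(field, str) or field not in ALLOWED_FIELDS:  # rejects "${...}", "#{...}" etc.
        raise ConditionError(f"field not allowed: {field!r}")
    if not isinstance(op, str) or op not in OPERATORS:
        raise ConditionError(f"operator not allowed: {op!r}")
    if not isinstance(value, (str, int, float, bool)):
        raise ConditionError("value must be a scalar literal")
    try:
        return OPERATORS[op](profile.get(field), value)
    except TypeError:  # e.g. a missing field compared with a number
        return False

def screen_request(cond: Any, profile: dict) -> tuple[bool, bool]:
    """Return (accepted, matched). A rejected request is a good candidate for an alert."""
    try:
        return True, evaluate_condition(cond, profile)
    except ConditionError:
        return False, False

# Constructed sample profile for demonstration.
PROFILE = {"firstName": "Ada", "age": 37, "country": "UK", "email": "ada@example.com"}
```

Because the allowlist is on structure rather than on known payload strings, there is nothing for a new encoding of the same expression to bypass, which is the difference between the initial patch and the root-cause fix the article describes.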