WARNING: High risk vulnerability in Openfire xmpp server

Reference:
Advisory #2023-62

Version:
1.0

Affected software:
Openfire version 4.6.8
Openfire version 4.7.5
Openfire version >=3.10.0
Openfire version >=4.7.0

Type:
Administration Console authentication bypass through path traversal

CVE/CVSS:
CVE: CVE-2023-32315
CVSS: 8.6

Sources

https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm

Risks

Openfire's administrative console is vulnerable to a path traversal attack via the setup environment. This permits an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

The vulnerability has a HIGH impact on Confidentiality. Privileges, authentication, and user interaction are not required to exploit this vulnerability.

Description

CVE-2023-32315 - Administration Console authentication bypass

Openfire's API defines a mechanism for certain URLs to be excluded from web authentication. This mechanism allows for wildcards to be used, to allow for flexible URL pattern matching.

Path traversal protections were already in place to protect against Path Traversal attacks but didn’t defend against certain non-standard URL encoding for UTF-16 characters.

The combination of the wildcard pattern matching, and path traversal vulnerability allows a malicious user to bypass authentication requirements and access Admin Console pages.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to visit Openfire’s release pages to download and install the patched versions of this software.

Openfire version 4.7.5: https://igniterealtime.org/downloads/#openfire
Openfire version 4.6.8: https://github.com/igniterealtime/Openfire/releases/tag/v4.6.8

References

https://www.igniterealtime.org/
https://www.cybersecurity-help.cz/vdb/SB2023052418