Remote code execution found and fixed in Apache OpenMeetings

Recurity Labs hacker Andreas Lindh has found four vulnerabilities, including a remote code execution hole, in Apache OpenMeetings. The flaws mean attackers could hijack installations of the popular virtual meetings and shared whiteboard application.

Lindh reported two critical flaws including a predictable password reset token (CVE-2016-0783) and an arbitrary file read through the SOAP API (CVE-2016-2164) along with moderately dangerous holes in ZIP file path traversal (CVE-2016-0784) and stored cross site scripting in event description (CVE-2016-2163).

He says attackers would need to know the administrator's username in order to hose OpenMeetings installations from afar.

"During my audit, I came across multiple issues of varying severity, among them two vulnerabilities that, with some additional trickery, would allow for an unauthenticated attacker to gain remote code execution on the system, with knowledge of an administrator’s username as the only pre-requisite," Lindh says.

"The last reported vulnerability in OpenMeetings that I could find is an XSS (cross-site scripting) from 2013, something that hints at how infrequently a lot of open source projects are audited."

Lindh detailed the four flaws showing in a proof-of-concept how an attacker with knowledge of an existing username can generate the respective password reset token in "less than a second".

He thanked OpenMeetings maintainers for their responsiveness. ®