[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2023-23752 Joomla! Improper Access Control Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Tue Jan 9 07:51:16 PST 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2023-23752 Joomla! Improper Access Control Vulnerability. Due to its high visibility, knowledge of the software installed in the state environment, and active exploitations, we are providing this in-depth information:
History: On February 16, 2023, Joomla! released updates to patch the Joomla! Content Management System. CVE-2023-23752 is an improper access control vulnerability; it was assigned on February 16, 2023 and carries a CVSSv3 rating of 5.3 (Medium). Proof-of-concept (POC) exploit code was released in February 2023.
The following products are affected:
* Joomla! <= 4.2.7
Patches are available from Joomla! to fix the vulnerabilities. The fixed versions are:
* Joomla! 4.2.8 and later
Further information is available from Joomla! as published in their security release news article:
* Joomla! 4.2.8 Security Release - https://www.joomla.org/announcements/release-news/5878-joomla-4-2-8-security-release.html
Intelligence: On January 7, 2024, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. It is very likely that this exploit will continue to be leveraged by threat actors over the coming months.
Workarounds: There are no workarounds at this time.
How it works: The vulnerability is a flaw in the access control applied to Joomla!'s web service endpoints. An unauthenticated attacker can send a specially crafted request to the REST API interface to retrieve Joomla! configuration information, disclosing sensitive data.
Post-Exploit: Upon successful exploitation of the vulnerability, an attacker could use the extracted credentials to gain access to the MySQL database and/or the user database. This could give an adversary a path to code execution, to changing the Super User's password, and to performing attacks as the Super User.
No known indicators of compromise have been publicly shared at this time.
As of February 22, 2023, the following vulnerability plugins were released and are currently in Tenable Security Center:
* Plugin 113584 (https://www.tenable.com/plugins/was/113584): Joomla! 4.0.0 < 4.2.8 Broken Access Control - Severity: Medium
* Plugin 171551 (https://www.tenable.com/plugins/nessus/171551): Joomla 4.0.x < 4.2.8 Joomla 4.2.8 Security Release (5878-joomla-4-2-8-security-release) - Severity: Medium
Recommended Actions:
* Review identified logs for unexpected or anomalous activity.
* Scan environments using provided Tenable Nessus plugins.
* Utilize web application firewalls to filter and monitor incoming web traffic.
* Verify host has not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
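The following script is an added example, not part of the SOC's advisory, showing two of the recommended actions in code: checking whether a reported Joomla! version falls inside the affected range quoted by the Tenable plugins (4.0.0 up to but not including 4.2.8), and reviewing web server access logs for successful unauthenticated reads of the Joomla! web-services configuration endpoint described under "How it works". It assumes Apache/nginx combined log format and that the Joomla! 4 web-services configuration route lives under the path prefix /api/index.php/v1/config; the log lines embedded below are constructed for the example.

```python
"""
Added example (not from the original advisory): a small triage helper for
CVE-2023-23752 covering two of the "Recommended Actions":
  1. decide whether a Joomla! version is in the affected range
     4.0.0 <= version < 4.2.8 (the range used by the Tenable plugins), and
  2. review access logs for unauthenticated reads of the Joomla! web-services
     configuration endpoint.
Assumptions: combined log format, and the endpoint prefix below is the
Joomla! 4 web-services configuration route.
"""
import re
from dataclasses import dataclass

AFFECTED_MIN = (4, 0, 0)   # first affected release in the plugin range
FIXED = (4, 2, 8)          # security release that fixes the issue

# Assumed path prefix of the Joomla! 4 web-services configuration endpoint.
CONFIG_ENDPOINT_PREFIX = "/api/index.php/v1/config"

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.2.7' into (4, 2, 7); a suffix such as '-rc1' is ignored."""
    core = v.strip().split("-")[0]
    return tuple(int(x) for x in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version is in [4.0.0, 4.2.8), i.e. still unpatched."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str


def find_config_reads(log_text: str) -> list[Finding]:
    """
    Flag GET requests to the configuration endpoint that the server answered
    with 200: the configuration was served to that client. A 401/403 on the
    same path is the expected answer for a client without credentials.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip the line
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if (m.group("method") == "GET"
                and path.startswith(CONFIG_ENDPOINT_PREFIX)
                and m.group("status") == "200"):
            findings.append(Finding(m.group("ip"), m.group("ts"), path))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2024:03:14:07 -0800] "GET /api/index.php/v1/config/application HTTP/1.1" 200 1843 "-" "curl/7.88.1"
198.51.100.22 - - [08/Jan/2024:03:14:09 -0800] "GET /index.php/component/content/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2024:03:15:11 -0800] "GET /api/index.php/v1/config/application HTTP/1.1" 401 77 "-" "curl/7.88.1"
"""

if __name__ == "__main__":
    for ver in ("4.2.7", "4.2.8"):
        print(f"Joomla! {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for f in find_config_reads(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} read {f.path} (HTTP 200)")
```

A hit from find_config_reads is a reason to treat the host as potentially compromised before patching (the "verify host has not been compromised" step above), since the configuration, including database credentials, may already have been read.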
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."