CVE-2023-3368

CVSS 3.x base score: 9.8 CRITICAL

📋 TL;DR

CVE-2023-3368 is an unauthenticated command injection in Chamilo LMS: request data that is not properly neutralised reaches a shell command in /main/webservices/additional_webservices.php, so a remote attacker can run arbitrary commands on the server as the web server user. Chamilo LMS v1.11.* up to and including v1.11.20 is affected. No credentials are required, and the flaw is a bypass of the fix for CVE-2023-34960, so an installation that only applied that earlier fix is still exploitable.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: <= v1.11.20
Operating Systems: All operating systems running Chamilo LMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable file accessible are affected. No special configuration required.

📦 What is this software?

Chamilo LMS is an open-source, PHP-based learning management system used by schools, universities and companies to run online courses. Alongside its web interface it exposes SOAP web services under /main/webservices/ for integrations; the vulnerable endpoint is one of those service files, which is why the flaw is reachable without a user session.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the server, data theft, installation of persistent backdoors, and lateral movement to other systems.

🟠

Likely Case

Remote code execution leading to web shell deployment, data exfiltration, cryptocurrency mining, or ransomware deployment.

🟢

If Mitigated

Limited impact due to network segmentation, minimal privileges, and proper monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: a single unauthenticated POST to the endpoint, with a public proof-of-concept available. This is a bypass of the previous CVE-2023-34960 fix, so a server that was patched only for CVE-2023-34960 should be treated as unpatched for this issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.21 and later

Vendor Advisory: https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368

Restart Required: No (PHP picks up the replaced file on the next request; the exception is OPcache running with opcache.validate_timestamps=0, where the old bytecode keeps being served until you reset the cache or restart PHP-FPM/Apache)

Instructions:

1. Back up the Chamilo installation directory and the database.
2. Upgrade to the fixed release from the official Chamilo website (see Patch Version above), following the vendor's upgrade procedure.
3. If a full upgrade has to wait, hot-patch instead: replace main/webservices/additional_webservices.php with the copy of that file from the fixed release.
4. Verify the fix by comparing the hash of the installed file with the one from the fixed release, and reset OPcache or restart the PHP service if timestamp validation is disabled.

🔧 Temporary Workarounds

File Access Restriction

Platforms: all

Restrict access to the vulnerable PHP file using web server configuration. This also blocks every legitimate client of the web service, so check first whether any integration calls it.

# Apache 2.4 (in .htaccess, which needs AllowOverride, or in the vhost)
<Files "additional_webservices.php">
    Require all denied
</Files>
# Apache 2.2 legacy syntax
<Files "additional_webservices.php">
    Order deny,allow
    Deny from all
</Files>
# Nginx: put this before the generic "location ~ \.php$" block, because regex
# locations are tried in order of appearance and the first match wins
location ~ /main/webservices/additional_webservices\.php$ {
    deny all;   # answers 403 by itself; an extra "return 403" is redundant
}

Input Validation Enhancement

Platforms: all

Add input validation before the value reaches the shell. The helper below is only a building block: defining it changes nothing until every request-derived value that reaches exec(), shell_exec(), system() or passthru() in additional_webservices.php is wrapped with it, and missing a single one leaves the injection open. The fix for CVE-2023-34960 was itself a character filter that this CVE bypassed, so prefer the vendor patch and use this only to bridge the gap.

// Add near the top of additional_webservices.php
function sanitize_input($input) {
    // escapeshellarg() single-quotes the value and escapes embedded quotes, so
    // ; | & ` $( and newlines reach /bin/sh as literal characters
    return escapeshellarg((string) $input);
}
// Then wrap every user-controlled variable at the exact point it is interpolated
// into the command string; a value that is only validated elsewhere is not enough

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Chamilo server from critical systems, and restrict its outbound connectivity so a successful injection cannot fetch tooling or reach a C2 host
  • Deploy a web application firewall (WAF) with command injection detection rules, and make sure it inspects the POST body, since that is where the payload travels
  • If nothing uses the web service, remove or rename main/webservices/additional_webservices.php (the file this page identifies as vulnerable) after taking a backup; an absent file cannot be reached

🔍 How to Verify

Check if Vulnerable:

Treat an installation as vulnerable when all three hold: main/webservices/additional_webservices.php exists, the installed version is v1.11.20 or earlier, and the file has not been replaced with the copy from the fixed release. From the outside, a plain GET to /main/webservices/additional_webservices.php that returns anything other than 403 or 404 shows the endpoint is reachable; do not send injection payloads to systems you are not authorised to test.

Check Version:

Chamilo 1.11 records the installed version in main/inc/conf/configuration.php under $_configuration['system_version'] (adjust the key if your file differs):

grep "system_version" main/inc/conf/configuration.php

Verify Fix Applied:

Compare the SHA-256 of main/webservices/additional_webservices.php with that of the same file in the fixed release (sha256sum on both copies). A hot-patched file leaves system_version unchanged, so a version check alone cannot prove the fix is in place.
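The checks above, as an added example that is not code from this page or from the Chamilo project: it parses the version out of a configuration.php, compares it numerically against the affected range, and confirms a hot-patched file against a digest. Assumptions, labelled in the code: the version lives under $_configuration['system_version'] as in Chamilo 1.11 (adjust if yours differs), and the expected digest must come from the vendor's fixed release, which this script does not know. The sample configuration excerpt is constructed.

```python
"""Added example (not from this page or the Chamilo project): decide whether an
installed Chamilo 1.11 is in the affected range for CVE-2023-3368 and confirm a
hot-patched additional_webservices.php against a known-good digest.

Assumptions: configuration.php stores the version under
$_configuration['system_version'] (Chamilo 1.11 layout; adjust if different);
the expected SHA-256 is supplied by the operator from the fixed release.
"""
import hashlib
import re
from pathlib import Path

LAST_AFFECTED = (1, 11, 20)   # "<= v1.11.20" per the affected-systems table above

VERSION_RE = re.compile(
    r"""\$_configuration\[\s*['"]system_version['"]\s*\]\s*=\s*['"]([^'"]+)['"]"""
)


def parse_version(config_text):
    """(major, minor, patch) from configuration.php text, or None if not present.

    A suffix such as '-rc1' is ignored for the numeric comparison."""
    m = VERSION_RE.search(config_text)
    if not m:
        return None
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", m.group(1))
    return tuple(int(x) for x in nums.groups()) if nums else None


def is_vulnerable_version(version):
    """Tuple comparison on purpose: as strings, '1.11.8' sorts after '1.11.20'."""
    return version is not None and version <= LAST_AFFECTED


def bytes_match_digest(data, expected_sha256_hex):
    """True when the SHA-256 of data equals the operator-supplied hex digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256_hex.strip().lower()


def file_matches_digest(path, expected_sha256_hex):
    """Confirm a hot-patched file against the digest of the fixed release's copy."""
    return bytes_match_digest(Path(path).read_bytes(), expected_sha256_hex)


# Constructed excerpt in the style of main/inc/conf/configuration.php.
SAMPLE_CONFIG = """<?php
$_configuration['root_web'] = 'https://lms.example.edu/';
$_configuration['system_version'] = '1.11.20';
"""

if __name__ == "__main__":
    version = parse_version(SAMPLE_CONFIG)
    state = "VULNERABLE" if is_vulnerable_version(version) else "not in affected range"
    print(f"system_version {version}: {state}")
```

Run it against the real file with parse_version(Path("main/inc/conf/configuration.php").read_text()); for the hash check, compute the digest of additional_webservices.php from an untouched copy of the fixed release and pass it to file_matches_digest.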

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /main/webservices/additional_webservices.php from clients that are not a known integration; once the file-access workaround is in place, any 200 for that path means the block is not working
  • Shell processes (sh, bash, curl, wget, base64, nc) spawned by the PHP worker user (www-data, apache, php-fpm) right after such a POST; this is a host or EDR indicator, because access logs record only the request line, not the SOAP body or the commands that ran
  • Bursts of requests to the endpoint from one client, including 5xx responses, which suggest payload tuning

Network Indicators:

  • Unexpected outbound connections from the Chamilo server, especially to newly seen hosts right after a POST to the endpoint
  • Traffic patterns indicating command and control communication

SIEM Query:

(Splunk-style; the field names are those of Splunk's access_combined extraction and differ by sourcetype)

index=web sourcetype=access_combined method=POST uri_path="*/main/webservices/additional_webservices.php"
| stats count earliest(_time) latest(_time) values(useragent) by clientip

Metacharacter clauses (*;* *|* *`* *$(*) only make sense against a source that carries the request body, such as a WAF or ModSecurity audit log; an access log never contains the SOAP body, so they cannot match there. Against such a source (request_body is an assumed field name):

index=waf uri="*/additional_webservices.php" (request_body="*;*" OR request_body="*|*" OR request_body="*`*" OR request_body="*$(*")
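The detection logic above, run over sample log lines, as an added example that is not code from this page or from the Chamilo project. It picks out every request to the vulnerable endpoint from an Apache/Nginx combined-format access log, and separately scans captured request bodies for shell metacharacters after XML-unescaping them, since the SOAP layer turns &amp; back into & before the application sees the value. Assumptions, labelled in the code: combined log format, bodies captured by a WAF or ModSecurity audit log, and all sample traffic constructed.

```python
"""Added example for the detection section (not from this page or Chamilo):
find traffic to /main/webservices/additional_webservices.php in access logs
and spot shell metacharacters in captured SOAP bodies.

Assumptions: Apache/Nginx "combined" log format; request bodies come from a
separate capture (WAF / ModSecurity audit log), because an access log never
contains the POST body. Every sample line below is constructed.
"""
import html
import re
from dataclasses import dataclass

ENDPOINT = "/main/webservices/additional_webservices.php"

# combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Characters that let injected data escape the argument the application builds
# for /bin/sh. Redirection (< >) is left out on purpose: XML is full of it.
SHELL_META_RE = re.compile(r'[;|&`]|\$\(|\n')


@dataclass
class Hit:
    ip: str
    time: str
    reason: str


def scan_access_log(lines, allowlist=frozenset()):
    """Every request to the endpoint from a client outside the allowlist.

    The allowlist holds the few integrations that legitimately call the web
    service; after the file-access workaround, even those should show 403."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue                         # not combined format: skip, don't crash
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(ENDPOINT) or m.group("ip") in allowlist:
            continue
        reason = (f"{m.group('method')} to endpoint, status {m.group('status')}, "
                  f"UA {m.group('ua')!r}")
        hits.append(Hit(m.group("ip"), m.group("time"), reason))
    return hits


def find_shell_metachars(body):
    """Metacharacter sequences in a captured request body, in order of appearance.

    The body is XML-unescaped first: the SOAP layer hands the application the
    raw character, so that is the form the shell would receive."""
    return [m.group(0) for m in SHELL_META_RE.finditer(html.unescape(body))]


def triage_bodies(bodies):
    """(index, metacharacters) for every body that carries at least one."""
    out = []
    for i, body in enumerate(bodies):
        found = find_shell_metachars(body)
        if found:
            out.append((i, found))
    return out


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [05/Jul/2023:10:12:01 +0000] "POST /main/webservices/additional_webservices.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jul/2023:10:12:05 +0000] "GET /main/webservices/additional_webservices.php?wsdl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jul/2023:10:12:09 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [05/Jul/2023:10:13:00 +0000] "POST /main/webservices/additional_webservices.php HTTP/1.1" 200 512 "-" "LegacyIntegration/1.0"',
]

# Constructed bodies; the element names are placeholders, not Chamilo's WSDL.
SAMPLE_BODIES = [
    "<soap:Envelope><arg>lesson.ppt</arg></soap:Envelope>",
    "<soap:Envelope><arg>lesson.ppt;id</arg></soap:Envelope>",
    "<soap:Envelope><arg>$(id)</arg></soap:Envelope>",
    "<soap:Envelope><arg>report &amp; notes.ppt</arg></soap:Envelope>",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG, allowlist={"10.0.0.5"}):
        print(f"{hit.time} {hit.ip}: {hit.reason}")
    for index, chars in triage_bodies(SAMPLE_BODIES):
        print(f"body #{index}: shell metacharacters {chars}")
```

Feed scan_access_log the real access log and keep the allowlist to the handful of integrations that are supposed to talk to the endpoint; the body scan will flag a legitimate file name containing & as well, which is the right behaviour here because the application would pass that character to the shell too.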
