CVE-2024-23794
📋 TL;DR
An incorrect privilege assignment vulnerability in OTRS allows agents with read-only permissions to gain full access to tickets in rare configurations. This privilege escalation occurs when an admin has enabled the 'RequiredLock' setting for the 'AgentFrontend::Ticket::InlineEditing::Property###Watch' configuration. Affected versions include OTRS 8.0.x, 2023.x, and 2024.x through 2024.4.x.
💻 Affected Systems
- OTRS
📦 What is this software?
OTRS by OTRS
⚠️ Risk & Real-World Impact
Worst Case
Read-only agents gain full administrative control over tickets, allowing them to modify, delete, or escalate ticket data without authorization.
Likely Case
Read-only agents can edit tickets they shouldn't have access to, potentially altering sensitive information or bypassing workflow controls.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized ticket modifications that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated read-only agent access and specific configuration settings enabled by administrators.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.5.0 and later
Vendor Advisory: https://otrs.com/release-notes/otrs-security-advisory-2024-06/
Restart Required: Yes
Instructions:
1. Back up your OTRS installation and database.
2. Download and install OTRS version 2024.5.0 or later from the official vendor.
3. Apply the update following the OTRS upgrade procedures.
4. Restart the OTRS service.
🔧 Temporary Workarounds
Disable Inline Editing Configuration
Disable the vulnerable 'RequiredLock' setting for the inline editing functionality
Navigate to OTRS Admin > System Configuration > Filter for 'AgentFrontend::Ticket::InlineEditing::Property###Watch' > Set 'RequiredLock' to disabled
🧯 If You Can't Patch
- Review and restrict read-only agent permissions to minimize potential impact
- Implement enhanced logging and monitoring for ticket modification activities
🔍 How to Verify
Check if Vulnerable:
Check the OTRS version and verify whether the 'RequiredLock' setting for 'AgentFrontend::Ticket::InlineEditing::Property###Watch' is enabled in the system configuration
Check Version:
Check the OTRS version in Admin > System Information or via database query: SELECT * FROM package_repository WHERE name LIKE 'OTRS%'
Verify Fix Applied:
Verify that the OTRS version is 2024.5.0 or later and test that read-only agents cannot modify tickets
📡 Detection & Monitoring
Log Indicators:
- Unauthorized ticket modifications by read-only agents
- Multiple failed permission checks followed by successful ticket edits
Network Indicators:
- Unusual ticket update patterns from read-only user accounts
SIEM Query:
source="otrs" (user_role="read-only" AND action="ticket_update")
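The two log indicators above, implemented as detection rules over a constructed log sample. This is an added example, not OTRS code or a vendor-provided rule; the one-JSON-object-per-line format and the field names (ts, user, user_role, action, result, ticket) are assumptions, so map your own OTRS or SIEM export onto them before use.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not real OTRS output).
SAMPLE_LOG = """\
{"ts": "2024-05-02T09:00:01Z", "user": "ro_agent1", "user_role": "read-only", "action": "permission_check", "result": "denied"}
{"ts": "2024-05-02T09:00:03Z", "user": "ro_agent1", "user_role": "read-only", "action": "permission_check", "result": "denied"}
{"ts": "2024-05-02T09:00:09Z", "user": "ro_agent1", "user_role": "read-only", "action": "ticket_update", "result": "success", "ticket": "2024050210000011"}
{"ts": "2024-05-02T09:05:00Z", "user": "agent2", "user_role": "rw", "action": "ticket_update", "result": "success", "ticket": "2024050210000012"}
{"ts": "2024-05-02T09:30:00Z", "user": "ro_agent3", "user_role": "read-only", "action": "ticket_update", "result": "success", "ticket": "2024050210000013"}
"""

def parse_log(text):
    """One JSON object per line (assumed export format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")

def read_only_updates(events):
    """Indicator 1: a read-only agent successfully changed a ticket
    (the SIEM query above, as code)."""
    return [ev for ev in events
            if ev["user_role"] == "read-only"
            and ev["action"] == "ticket_update"
            and ev["result"] == "success"]

def denied_then_edit(events, min_denials=2, window=timedelta(minutes=5)):
    """Indicator 2: at least `min_denials` failed permission checks by the
    same user within `window` before a successful ticket edit.
    Returns (user, ticket, number_of_prior_denials) tuples."""
    hits = []
    events = sorted(events, key=_ts)
    for i, ev in enumerate(events):
        if ev["action"] != "ticket_update" or ev["result"] != "success":
            continue
        denials = [p for p in events[:i]
                   if p["user"] == ev["user"]
                   and p["action"] == "permission_check"
                   and p["result"] == "denied"
                   and _ts(ev) - _ts(p) <= window]
        if len(denials) >= min_denials:
            hits.append((ev["user"], ev.get("ticket"), len(denials)))
    return hits

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("read-only edits:", read_only_updates(evs))
    print("denied-then-edit:", denied_then_edit(evs))
```

Indicator 1 alone flags every read-only edit (including the one legitimately allowed by the 'Watch' inline-edit setting), so treat indicator 2 as the higher-confidence signal and tune the window to your agents' normal behaviour.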