CVE-2024-42467
📋 TL;DR
The openHAB CometVisu add-on prior to version 4.2.1 has an unauthenticated proxy endpoint that can be exploited as Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS). This allows attackers to make internal network requests and execute malicious JavaScript in users' browsers, potentially leading to remote code execution when chained with other vulnerabilities. All openHAB installations with the CometVisu add-on exposed to non-private networks are affected.
💻 Affected Systems
- openHAB CometVisu add-on
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the openHAB server through chained vulnerabilities, leading to complete system compromise and lateral movement within internal networks.
Likely Case
Unauthenticated attackers can perform SSRF attacks against internal services and execute XSS payloads to steal session cookies, perform actions as authenticated users, or access sensitive data.
If Mitigated
If properly segmented and not internet-facing, impact is limited to internal network SSRF and potential privilege escalation within the openHAB environment.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests. Weaponization is likely due to the high CVSS score and potential for RCE chaining.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.1
Vendor Advisory: https://github.com/openhab/openhab-webui/security/advisories/GHSA-v7gr-mqpj-wwh3
Restart Required: Yes
Instructions:
1. Update openHAB to the latest version
2. Update the CometVisu add-on to version 4.2.1 or later
3. Restart the openHAB service
🔧 Temporary Workarounds
Disable CometVisu add-on
Temporarily disable the vulnerable CometVisu add-on until patching is possible:
1. openhab-cli stop
2. Remove or disable the CometVisu add-on from the openHAB configuration
3. openhab-cli start
Network segmentation
Ensure openHAB is not exposed to the internet and sits behind proper network segmentation:
- Configure firewall rules to restrict access to openHAB from untrusted networks
🧯 If You Can't Patch
- Disable the CometVisu add-on completely
- Implement strict network access controls to prevent external access to openHAB
🔍 How to Verify
Check if Vulnerable:
Check the CometVisu add-on version in openHAB's add-on management interface or configuration files
Check Version:
Check openHAB logs or add-on management interface for CometVisu version
Verify Fix Applied:
Verify that CometVisu add-on version is 4.2.1 or higher in the openHAB add-on management interface
📡 Detection & Monitoring
Log Indicators:
- Unusual proxy requests to internal IPs
- Requests to /rest/cometvisu/proxy endpoint without authentication
- JavaScript execution errors from unexpected sources
Network Indicators:
- HTTP requests from openHAB server to internal services that don't normally communicate
- Outbound requests from openHAB to external malicious domains
SIEM Query:
source="openhab" AND (uri_path="/rest/cometvisu/proxy" OR user_agent="*malicious*" OR dest_ip IN [internal_ranges])
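The log indicators above can be turned into a concrete check. The following script is an added example, not code from the openHAB project or from this advisory: it parses web-server access-log lines in Combined Log Format (an assumption about how the reverse proxy in front of openHAB logs), flags every request to the /rest/cometvisu/proxy path named above, and raises the severity when any query-string value is a URL whose host is loopback, private or link-local, i.e. the SSRF-to-internal-network pattern the advisory describes. It does not assume a particular parameter name; every query value that parses as a URL is inspected. The sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:12:00:01 +0000] "GET /rest/cometvisu/proxy?url=http%3A%2F%2F192.168.1.10%3A8080%2Fadmin HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Aug/2024:12:00:02 +0000] "GET /rest/cometvisu/proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 233 "-" "curl/8.4.0"
203.0.113.5 - - [10/Aug/2024:12:00:03 +0000] "GET /rest/cometvisu/proxy?url=https%3A%2F%2Fexample.com%2Fpayload.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Aug/2024:12:00:04 +0000] "GET /rest/items HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: source address, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory's log indicators.
PROXY_PATH = "/rest/cometvisu/proxy"


def classify_host(host):
    """Return 'internal' for loopback/private/link-local targets, 'external' otherwise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address: treat obvious local names as internal, everything else external.
        return "internal" if host == "localhost" or host.endswith(".local") else "external"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"


def analyze_line(line):
    """Return a finding dict for a proxy-endpoint request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != PROXY_PATH:
        return None
    finding = {"src": m["src"], "ts": m["ts"], "status": m["status"],
               "severity": "medium", "targets": []}
    # Inspect every query value that looks like a URL, so the alert does not
    # depend on knowing the proxy's parameter name (assumption: it is passed in the query).
    for values in parse_qs(parts.query).values():
        for value in values:
            u = urlsplit(unquote(value))  # second unquote also catches double-encoding
            if u.scheme and u.hostname:
                kind = classify_host(u.hostname)
                finding["targets"].append((u.hostname, kind))
                if kind == "internal":
                    finding["severity"] = "high"
    return finding


def scan(log_text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['src']} -> {f['targets']} (HTTP {f['status']})")
```

Requests to the proxy path are reported even when the target is external, because any unauthenticated use of the endpoint is worth reviewing on a pre-4.2.1 install; internal targets (RFC 1918, loopback, link-local such as a cloud metadata address) are escalated to high.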
🔗 References
- https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/backend/rest/ProxyResource.java#L83
- https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2
- https://github.com/openhab/openhab-webui/security/advisories/GHSA-v7gr-mqpj-wwh3