A critical security vulnerability—CVE-2024-23794—was recently discovered in OTRS, a popular open-source ticketing and IT service management platform. This bug allows agents who should only have read-only access to certain tickets to gain unexpected and full access privileges. The vulnerability resides in OTRS’s inline editing feature for tickets, and it only manifests in rare cases when a very specific administrative configuration is present.
OTRS released patches for this issue, but if your organization uses any of the affected versions and the vulnerable configuration, your data could be at risk.
2023.X
- 2024.X
This flaw kicks in when the following system configuration is enabled by an admin
AgentFrontend::Ticket::InlineEditing::Property###Watch::RequiredLock = Yes
This setting controls the "inline editing" ability in ticket views. In normal cases, only agents with proper roles can make changes to tickets. But with this enabled, read-only agents get loophole access.
How the Exploit Works
Here’s, in plain English, how an attacker (in this case, an agent with just read-only access) can escalate privileges:
1. Admin configures the system: They enable RequiredLock for inline editing of the "Watch" property on tickets.
Agent logs in: An agent who should only see tickets and not touch them.
3. Inline Editing Used: The agent opens a ticket and finds inline editing available for the "Watch" property.
4. Access Granted: By manipulating inline editing UI or direct requests, the agent is wrongly granted full ticket access, including editing, note-adding, or even closing the ticket.
Sample Exploit (For Demonstration Only!)
Suppose we have a read-only agent, "bob," logged in. When he tries to watch a ticket with ID 12345, his browser normally should get rejected. But with the vulnerable config live, he can do something like:
// Example: Exploit via direct fetch call in browser
fetch('/otrs/index.pl', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: 'Action=AgentTicketWatch;Subaction=Change;TicketID=12345;Watch=1'
})
.then(res => res.text())
.then(console.log);
This request bypasses the permission checks and enables Bob to "watch" and potentially change the ticket. With slight modifications, this technique lets Bob interact with other ticket properties if the config is misapplied to other inline editable fields.
Why is this Dangerous?
Privilege Escalation: The whole point of agent roles and permissions is to keep sensitive tickets safe. This bug quietly removes those limits in specific cases. Even agents who *should not touch* a ticket can update, escalate, or even delete them if this inline edit method is unguarded.
Subtle Configuration: It’s easy for admins to miss this, since RequiredLock looks like an innocent, security-increasing setting. Most users won’t know it opens the door far wider than intended.
References
- OTRS Security Advisory: CVE-2024-23794
- NVD Entry for CVE-2024-23794
- Official OTRS Documentation
Go to your OTRS System Configuration.
- Set AgentFrontend::Ticket::InlineEditing::Property###Watch::RequiredLock to No unless absolutely needed.
Audit Agent Permissions: Double-check which agents have which rights.
# A simple OTRS Perl script snippet to enumerate inline-edit settings:
my %InlineEditProperties = $ConfigObject->Get('AgentFrontend::Ticket::InlineEditing::Property');
foreach my $property (keys %InlineEditProperties) {
print "Property: $property, RequiredLock: $InlineEditProperties{$property}->{RequiredLock}\n";
}
Conclusion
Even rare, misapplied settings can open the door for privilege escalation. For OTRS users, CVE-2024-23794 is a harsh reminder: always review what your admin settings *really* do, and keep your service desk fully up-to-date!
Stay patched. Stay safe. If in doubt, revoke the RequiredLock setting and follow OTRS’s official advisory.
*This guide is for educational and security awareness use only. Do not exploit vulnerabilities without permission on production systems.*
Timeline
Published on: 07/15/2024 08:15:02 UTC
Last modified on: 08/01/2024 23:13:07 UTC