
3,000 Openfire Servers Exposed to Attacks Targeting Recent Vulnerability

More than 3,000 Openfire servers have not been patched against a recent vulnerability and remain exposed to attacks relying on a new exploit, vulnerability intelligence firm VulnCheck reports.

Maintained by Ignite Realtime, Openfire is a cross-platform real-time collaboration server written in Java that uses the XMPP protocol and supports administration through a web interface.

Tracked as CVE-2023-32315, the high-severity flaw was found in Openfire’s administration console and is described as a path traversal bug via the setup environment that allows unauthenticated attackers to access restricted pages in the admin console.

The issue exists because the path traversal protections in Openfire did not protect against ‘certain non-standard URL encoding for UTF-16 characters’ that were not supported by the webserver; support for that encoding was later added without updating the protections.

All Openfire versions from 3.10.0, released in April 2015, up to but not including 4.7.5 and 4.6.8, the releases published in May 2023 to patch the vulnerability, are impacted.


The vulnerability has been exploited in malicious attacks for more than two months, with threat actors seen creating new admin console user accounts to install a new plugin containing a remote web shell, allowing them to execute arbitrary commands and access any data on the server.

Numerous public exploits targeting CVE-2023-32315 are already available, but all follow the same pattern. However, VulnCheck now says it has discovered a new exploit path that does not require creating the administrative user account.

The threat intelligence firm says it has identified over 6,300 Openfire servers accessible from the internet, with roughly half of them being either patched against the vulnerability, older versions that are not vulnerable, or forks that may not be affected.

“This leaves roughly 50% of the internet-facing Openfire servers using affected versions. While that’s only a few thousand servers, it’s a good amount given the server’s trusted position associated with chat clients,” VulnCheck notes.


Because the security defect allows an unauthenticated attacker to access the plugin administration endpoint, the firm explains, the attacker can upload the plugin directly and then access the web shell, also without authentication.

“This approach keeps login attempts out of the security audit log and prevents the ‘uploaded plugin’ notification from being recorded. That’s a pretty big deal because it leaves no evidence in the security audit log,” VulnCheck explains.

While the malicious activity might be visible in the openfire.log file, the attacker can use the path traversal to delete the log via the web shell, thus leaving the plugin itself as the only indicator of compromise, the company warns.
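As an added defender-side example (not VulnCheck’s or Openfire’s code), the script below turns the affected-version ranges and the two artefacts the article names, an unlisted plugin jar and a deleted openfire.log, into a quick triage check for an Openfire host. It assumes a standard layout of plugins/*.jar and logs/openfire.log under the Openfire home directory and an operator-maintained allowlist of expected plugin jar names.

```python
"""Triage helper for CVE-2023-32315 exposure (added example, not vendor code).
Assumed layout: <openfire_home>/plugins/*.jar and <openfire_home>/logs/openfire.log.
"""
import os
import tempfile

FIRST_AFFECTED = (3, 10, 0)
# Patched releases named in the article: 4.6.8 (4.6 branch) and 4.7.5 (4.7 branch).
FIXED = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}


def parse_version(text):
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version lies in the article's affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # 3.10 through 4.5 never received a fix; branches after 4.7 postdate the patch.
    return branch < (4, 6)


def unexpected_plugins(plugins_dir, allowlist):
    """Plugin jars on disk that the operator did not expect (possible uploaded plugin)."""
    jars = sorted(f for f in os.listdir(plugins_dir) if f.endswith(".jar"))
    return [j for j in jars if j not in allowlist]


def log_state(log_path):
    """A missing or empty openfire.log is itself worth flagging, per the article."""
    if not os.path.exists(log_path):
        return "missing"
    return "empty" if os.path.getsize(log_path) == 0 else "present"


def triage(openfire_home, version, allowlist):
    return {
        "affected_version": is_affected(version),
        "unexpected_plugins": unexpected_plugins(os.path.join(openfire_home, "plugins"), allowlist),
        "log": log_state(os.path.join(openfire_home, "logs", "openfire.log")),
    }


def demo():
    """Constructed sample install: version 4.7.4, one unlisted jar, log already deleted."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "plugins"))
    os.makedirs(os.path.join(home, "logs"))
    for name in ("search.jar", "unknown-upload.jar"):  # constructed file names
        open(os.path.join(home, "plugins", name), "w").close()
    return triage(home, "4.7.4", {"search.jar"})
```

Run `triage()` against a real Openfire home with the version shown in the admin console and your own allowlist; any flagged jar should be examined before the host is considered clean, since the audit log may hold nothing.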

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.
