Cybersecurity researchers have demonstrated a brand new approach that exploits a important security flaw in Apache ActiveMQ to attain arbitrary code execution in reminiscence.
Tracked as CVE-2023-46604 (CVSS rating: 10.0), the vulnerability is a distant code execution bug that might allow a risk actor to run arbitrary shell instructions.
It was patched by Apache in ActiveMQ variations 5.15.16, 5.16.7, 5.17.6, or 5.18.3 launched late final month.
The vulnerability has since come beneath lively exploitation by ransomware outfits to deploy ransomware equivalent to HelloKitty and a pressure that shares similarities with TellYouThePass in addition to a distant entry trojan referred to as SparkRAT.
In accordance with new findings from VulnCheck, risk actors weaponizing the flaw are counting on a public proof-of-concept (PoC) exploit initially disclosed on October 25, 2023.
The assaults have been discovered to make use of ClassPathXmlApplicationContext, a category that is a part of the Spring framework and obtainable inside ActiveMQ, to load a malicious XML bean configuration file over HTTP and obtain unauthenticated distant code execution on the server.
VulnCheck, which characterised the strategy as noisy, stated it was in a position to engineer a greater exploit that depends on the FileSystemXmlApplicationContext class and embeds a specifically crafted SpEL expression rather than the “init-method” attribute to attain the identical outcomes and even get hold of a reverse shell.
“Which means the risk actors might have prevented dropping their instruments to disk,” VulnCheck stated. “They might have simply written their encryptor in Nashorn (or loaded a category/JAR into reminiscence) and remained reminiscence resident.”
Nevertheless, it is price noting that doing so triggers an exception message within the activemq.log file, necessitating that the attackers additionally take steps to wash up the forensic path.
“Now that we all know attackers can execute stealthy assaults utilizing CVE-2023-46604, it is change into much more necessary to patch your ActiveMQ servers and, ideally, take away them from the web fully,” Jacob Baines, chief know-how officer at VulnCheck, stated.
