Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands on the broker host.
It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month (October 2023). Each affected branch received its own fix release, so a version has to be compared against the fix for its own branch rather than against a single number.
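A branch-aware version check is the first thing a practitioner wants after reading the fix list above. The following is an added example, not Apache's or VulnCheck's code: the fixed versions are the four the article names, the comparison is done per 5.x branch (so 5.17.5 is correctly reported vulnerable even though it sorts after 5.16.7), and the treatment of branches older than 5.15 (no fixed release, so always vulnerable) and newer than 5.18 (assumed to ship with the fix) is an assumption spelled out in the code.

```python
"""Check an Apache ActiveMQ version string against the CVE-2023-46604 fix releases.

Added example, not project code. FIXED holds the fix release for each affected
5.x branch as named in the article; everything else is an assumption noted inline.
"""
import re

# branch -> first fixed release on that branch (from the article)
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'ActiveMQ 5.17.2'
    or '5.18.3-SNAPSHOT'. Raises ValueError if no x.y.z triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text):
    """True if the version predates the fix release of its own branch.

    Assumptions (not from the article): branches before 5.15 never received a
    fix, so they are reported vulnerable; branches after 5.18 are assumed to
    carry the fix and are reported not vulnerable.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        # tuple comparison is lexicographic, so (5,17,5) < (5,17,6) holds
        return version < FIXED[branch]
    if branch < (5, 15):
        return True   # assumption: no fixed release exists on these branches
    return False      # assumption: 5.19+/6.x ship with the fix


def triage(banner_lines):
    """Classify a list of banner/version strings (e.g. pulled from an inventory)
    into vulnerable and patched lists; unparsable entries go to a third list."""
    vulnerable, patched, unknown = [], [], []
    for line in banner_lines:
        try:
            (vulnerable if is_vulnerable(line) else patched).append(line)
        except ValueError:
            unknown.append(line)
    return vulnerable, patched, unknown


if __name__ == "__main__":
    # constructed inventory sample, not real hosts
    sample = ["ActiveMQ 5.17.5", "ActiveMQ 5.17.6", "5.15.15", "5.18.3", "5.14.5", "unknown"]
    vuln, ok, unk = triage(sample)
    print("vulnerable:", vuln)
    print("patched:   ", ok)
    print("unparsable:", unk)
```

Feed it whatever your asset inventory or a banner grab reports; the point of the per-branch table is that a naive "is it below 5.18.3" test would wrongly pass 5.17.5 and 5.16.6.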
The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass, as well as a remote access trojan known as SparkRAT.
According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit initially disclosed on October 25, 2023.
The attacks have been found to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized the technique as noisy (the broker has to fetch the bean definition from an attacker-controlled HTTP server, and the public PoC goes on to drop a payload to disk), said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the "init-method" attribute to achieve the same results and even obtain a reverse shell.
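Both variants described above turn on what a Spring bean definition delivered from the network contains: the public PoC names a process-spawning class and uses "init-method" to run it as soon as the context loads, while VulnCheck's version puts a SpEL expression where the init-method would be. A defender who has captured such an XML body (from a proxy log, a honeypot or an outbound HTTP capture from a broker host) can scan it for those indicators. The following is an added example, not VulnCheck's code and not an exploit: the list of suspicious class names and the three sample documents are constructed for illustration, and the SpEL sample is deliberately inert.

```python
"""Scan a Spring bean XML body for the indicators the CVE-2023-46604 exploits share.

Added example, not project code. Reports (1) beans that instantiate a class no
network-delivered configuration should name, (2) init-method attributes, which
run a method the moment the context loads, and (3) SpEL expressions (#{...})
anywhere in a bean's attributes or text. SUSPICIOUS_CLASSES is a constructed
list, not taken from the article.
"""
import re
import xml.etree.ElementTree as ET

SUSPICIOUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}
SPEL = re.compile(r"#\{.+?\}", re.S)


def _local(tag):
    """Strip an ElementTree namespace prefix: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def scan_bean_xml(doc):
    """Return a list of human-readable findings for one bean XML document.

    Assumes top-level beans only; a nested <bean> would be reported twice,
    once for itself and once as part of its parent's subtree.
    """
    findings = []
    root = ET.fromstring(doc)
    for bean in root.iter():
        if _local(bean.tag) != "bean":
            continue
        cls = bean.get("class", "")
        ident = bean.get("id") or cls or "<anonymous>"
        if cls in SUSPICIOUS_CLASSES:
            findings.append(f"{ident}: instantiates {cls}")
        init = bean.get("init-method")
        if init:
            findings.append(f"{ident}: init-method={init!r} runs when the context loads")
        # SpEL may sit in any attribute (including init-method itself) or text node
        for node in bean.iter():
            for attr, val in node.attrib.items():
                if SPEL.search(val):
                    findings.append(f"{ident}: SpEL in {_local(node.tag)}@{attr}")
            if node.text and SPEL.search(node.text):
                findings.append(f"{ident}: SpEL in <{_local(node.tag)}> text")
    return findings


# --- constructed sample inputs (not captured traffic) ---

# shape of the noisy public PoC: a process-spawning bean started via init-method
POC_STYLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg><list><value>id</value></list></constructor-arg>
  </bean>
</beans>"""

# SpEL variant: expression evaluated at load time; this one only reads a property
SPEL_STYLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="s" class="java.lang.String">
    <constructor-arg value="#{T(java.lang.System).getProperty('user.name')}"/>
  </bean>
</beans>"""

# ordinary application config that should produce no findings
BENIGN = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="ds" class="org.apache.commons.dbcp2.BasicDataSource">
    <property name="url" value="jdbc:h2:mem:test"/>
    <property name="maxTotal" value="8"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    for name, doc in [("poc", POC_STYLE), ("spel", SPEL_STYLE), ("benign", BENIGN)]:
        print(name, scan_bean_xml(doc))
```

Note the scope: a broker should never be fetching bean definitions from the internet at all, so any such body seen leaving an ActiveMQ host is already worth an alert; the scanner only tells you which of the two described styles you are looking at.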
"This means the threat actors could have avoided dropping their tools to disk," VulnCheck said. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident."
That said, it's worth noting that doing so triggers an exception message in the activemq.log file, meaning the attackers would also have to take steps to clean up the forensic trail. For defenders, that is a reason to forward activemq.log to a collector the broker host itself cannot alter, so the entry survives any local cleanup.
"Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely," Jacob Baines, chief technology officer at VulnCheck, said.