On Oct 27th, open-source web server software provider Apache disclosed a new vulnerability with a CVSS score of 10, which is currently being tracked as CVE-2023-46604. This is a remote code execution (RCE) flaw in Apache ActiveMQ’s OpenWire Module, which can allow attackers to run arbitrary shell commands. This can be accomplished, according to RedHat, “by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath.”
Upon initial discovery, Apache released fixed versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3 of ActiveMQ. But disturbingly, many organizations are still at risk. The flaw is now being leveraged by threat actor groups to distribute the HelloKitty ransomware and SparkRAT, a remote access trojan, among other malicious payloads.
The HelloKitty Connection
HelloKitty is a ransomware variant that first appeared in 2020 and targets Windows systems. It is often found targeting corporate networks with a 1-2 punch: it not only steals data, but encrypts systems as well.
A New Variant
Now, researchers at security firm VulnCheck have announced a new PoC that makes remote code execution even easier while avoiding detection. This new exploit reduces noise even further because it is launched from memory. In their post detailing the new version, they write, “That means the threat actors could have avoided dropping their tools to disk” … “They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory-resident, perhaps avoiding detection from … managed [endpoint detection and response] EDR teams.”
As ActiveMQ is relatively common, there are currently over 3000 internet-connected systems vulnerable to this threat, according to ShadowServer. This new evolution from VulnCheck is all the proof needed to see why CVE-2023-46604 presents such a serious threat and why it needs to be addressed immediately.
What Should You Do?
- Identify all machines running Apache ActiveMQ
- Check whether it is running a vulnerable version – the version number is in the name of the activemq-all-X.X.X.jar file
- Extract the vulnerable jar and check which ActiveMQ OpenWire port it defines
- Verify that the machine is listening on that port (and specifically that the Java process is the listener); for example, on Windows you can use netstat -ano | find "[port defined in Step 3]". Machines that are not reachable on that port are less relevant (meaning they cannot be exploited at the moment).
- Patch the relevant machines
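The following is an added example (not from this post or from XM Cyber) that automates the version check and the listening-port check from the steps above in Python: it reads the version from an activemq-all-X.X.X.jar file name, compares it against the fixed releases listed earlier, and scans Windows `netstat -ano` output for the PID bound to the OpenWire port. The jar path and netstat rows are constructed sample input, and 61616 is assumed as ActiveMQ's default OpenWire port; the post says to confirm the actual port from the extracted jar.

```python
import re
# Fixed releases Apache published for CVE-2023-46604, per 5.x branch (from the post).
FIXED_RELEASES = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
                  (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
OPENWIRE_PORT = 61616  # ActiveMQ's default OpenWire port (assumption; confirm per broker)
JAR_RE = re.compile(r"activemq-all-(\d+)\.(\d+)\.(\d+)\.jar$")
# Matches LISTENING rows of Windows `netstat -ano`, e.g.
#   TCP    0.0.0.0:61616    0.0.0.0:0    LISTENING    4321
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_jar_version(jar_name):
    """Return (major, minor, patch) from an activemq-all-X.X.X.jar name, else None."""
    m = JAR_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True when `version` is older than its branch's fixed release. Branches before
    5.15 got no fix and count as vulnerable; newer branches are assumed post-fix."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version < FIXED_RELEASES[branch]
    return branch < (5, 15)

def listening_pid(netstat_output, port=OPENWIRE_PORT):
    """Return the PID bound to TCP `port` in `netstat -ano` output, or None."""
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) == port:
            return int(m.group(2))
    return None

def assess(jar_name, netstat_output, port=OPENWIRE_PORT):
    """Combine the version check and the port check into one triage verdict."""
    version = parse_jar_version(jar_name)
    if version is None:
        return "unknown: could not read a version from the jar name"
    if not is_vulnerable(version):
        return "not affected: %d.%d.%d is at or above the fixed release" % version
    pid = listening_pid(netstat_output, port)
    if pid is None:
        return "vulnerable but port %d is not listening: patch at next window" % port
    return "PATCH NOW: %d.%d.%d, PID %d listening on %d (confirm it is java.exe)" % (*version, pid, port)

# Constructed sample input: a broker jar path and two `netstat -ano` rows.
SAMPLE_JAR = r"C:\activemq\activemq-all-5.17.3.jar"
SAMPLE_NETSTAT = """  TCP    0.0.0.0:8161     0.0.0.0:0    LISTENING    4321
  TCP    0.0.0.0:61616    0.0.0.0:0    LISTENING    4321"""
```

Run `assess(SAMPLE_JAR, SAMPLE_NETSTAT)` against real values gathered from each host; the PID it reports should be matched to java.exe (for example with tasklist) before the host is prioritized for patching.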
Identifying CVE-2023-46604 with XM Cyber
The XM Cyber Research team is in the process of adding CVE-2023-46604 to the platform so that it can be identified in the XM Attack Path Management and Vulnerability Management modules. We will update this post as soon as it is available.
As with other vulnerabilities, organizations lack context and visibility into which machines are at risk and which users could be exploited, which makes it very hard to know what to tackle first and how. With XM Cyber, you can understand the exploitability of CVE-2023-46604 in your organization in a prioritized manner.