Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could allow a threat actor to run arbitrary shell commands.
It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass, as well as a remote access trojan called SparkRAT.
According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit initially disclosed on October 25, 2023.
The attacks have been observed to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized the approach as noisy, has engineered a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the "init-method" attribute to achieve the same results and even obtain a reverse shell.
"That means the threat actors could have avoided dropping their tools to disk," VulnCheck said. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident."
That said, it's worth noting that doing so triggers an exception message in the activemq.log file, necessitating that the attackers also take steps to clean up the forensic trail.
"Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely," the cybersecurity company said.
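For defenders, the two actionable facts above are the fixed version numbers and the fact that abuse of the Spring XML-context classes leaves an exception in activemq.log. The following script is an added example (not VulnCheck's or the ActiveMQ project's code): it checks a broker version against the fixed releases the article lists and scans log text for transport failures that name ClassPathXmlApplicationContext or FileSystemXmlApplicationContext. The "Transport Connection to: ... failed:" line layout and the sample log lines are assumptions constructed for the example.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

# The two Spring classes the article names as the loaders abused through CVE-2023-46604.
SUSPICIOUS_CLASSES = (
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
)

def is_vulnerable(version: str) -> bool:
    """True if an ActiveMQ version string is below the fixed release of its branch."""
    major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    if (major, minor) not in FIXED:
        # Only the branches the article lists are covered; anything else needs a manual check.
        raise ValueError(f"branch {major}.{minor} not in fixed-release table")
    return (major, minor, patch) < FIXED[(major, minor)]

# Assumed layout of the broker's failed-connection warning; the class name in the
# exception text is what the article says ends up in activemq.log.
_FAILED = re.compile(r"Transport Connection to: (?P<peer>\S+) failed: (?P<exc>.*)")

def find_suspicious_exceptions(log_text: str) -> list:
    """Return failures whose exception text names one of the Spring XML-context classes."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _FAILED.search(line)
        if not m:
            continue
        for cls in SUSPICIOUS_CLASSES:
            if cls in m.group("exc"):
                hits.append({"line": lineno, "peer": m.group("peer"), "cls": cls})
    return hits

# Constructed sample log: a startup line, two failures naming the loader classes,
# and one unrelated failure that must not be flagged.
SAMPLE_LOG = """\
2023-11-02 10:15:01,123 | INFO  | Apache ActiveMQ 5.18.2 (localhost) is starting | org.apache.activemq.broker.BrokerService | main
2023-11-02 10:15:44,456 | WARN  | Transport Connection to: tcp://203.0.113.5:51234 failed: java.io.IOException: org.springframework.context.support.ClassPathXmlApplicationContext | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.5:51234@61616
2023-11-02 10:16:02,789 | WARN  | Transport Connection to: tcp://203.0.113.5:51240 failed: java.io.IOException: org.springframework.context.support.FileSystemXmlApplicationContext | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.5:51240@61616
2023-11-02 10:16:30,000 | WARN  | Transport Connection to: tcp://198.51.100.7:40000 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///198.51.100.7:40000@61616
"""

if __name__ == "__main__":
    print("5.18.2 vulnerable:", is_vulnerable("5.18.2"))
    for h in find_suspicious_exceptions(SAMPLE_LOG):
        print(f"line {h['line']}: {h['peer']} -> {h['cls']}")
```

Pair the log check with the version check: a broker that is already on a fixed release but still shows these failures was likely probed before patching and deserves a closer forensic look.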
Some parts of this article are sourced from:
thehackernews.com