Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands.
It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass, as well as a remote access trojan called SparkRAT.
According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023.
The attacks have been found to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized the approach as noisy, said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the "init-method" attribute to achieve the same results and even obtain a reverse shell.
"This means the threat actors could have avoided dropping their tools to disk," VulnCheck said. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident."
However, it is worth noting that doing so triggers an exception message in the activemq.log file, meaning the attackers would also have to take steps to clean up the forensic trail.
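As an added example (not code from VulnCheck or from the article), a small Python helper a defender could use on the two points above: it checks an ActiveMQ version against the fix releases named in the article, and it flags activemq.log exception records that mention either of the Spring context classes the attacks rely on. The log excerpt is constructed, and the assumption that the real exception text contains the loader class name is labelled in the code.

```python
from typing import List, Optional

# Fix releases for CVE-2023-46604 as stated in the article, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# Spring context classes the article names as the loaders abused in the observed attacks.
LOADER_CLASSES = ("ClassPathXmlApplicationContext", "FileSystemXmlApplicationContext")


def parse_version(text: str) -> tuple:
    """Turn '5.18.2' into (5, 18, 2); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ActiveMQ version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the release carries the fix, False if it predates it on a listed branch.
    Assumption: branches older than 5.15 never received a fix (False); branches newer
    than 5.18 are not covered by the article, so None (unknown) is returned for them."""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_BY_BRANCH:
        return patch >= FIXED_BY_BRANCH[(major, minor)]
    if (major, minor) < (5, 15):
        return False
    return None


def suspicious_log_lines(log_text: str) -> List[str]:
    """Return activemq.log records that are exception messages naming either loader class.
    Assumption: the real exception text contains the class name; the constructed sample
    below follows the broker's usual 'timestamp | level | message | logger | thread' layout."""
    return [
        line.strip()
        for line in log_text.splitlines()
        if "Exception" in line and any(cls in line for cls in LOADER_CLASSES)
    ]


# Constructed sample activemq.log excerpt (not real broker output): one ordinary startup
# record followed by two exception records that reference the loader classes.
SAMPLE_LOG = """\
2023-11-01 10:15:02,118 | INFO  | Apache ActiveMQ 5.18.2 (localhost) started | org.apache.activemq.broker.BrokerService | main
2023-11-01 10:17:44,902 | WARN  | Transport Connection to: tcp://203.0.113.7:41022 failed: java.lang.Exception: org.springframework.context.support.ClassPathXmlApplicationContext | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:41022@61616
2023-11-01 10:19:01,377 | WARN  | Transport Connection to: tcp://203.0.113.7:41388 failed: java.lang.Exception: org.springframework.context.support.FileSystemXmlApplicationContext | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:41388@61616
"""
```

Running `suspicious_log_lines(SAMPLE_LOG)` on the constructed excerpt returns the two WARN records and skips the startup line; `is_patched("5.18.2")` returns False while `is_patched("5.18.3")` returns True.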
"Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely," Jacob Baines, chief technology officer at VulnCheck, said.