Thursday, July 4, 2024

New PoC Exploit for Apache ActiveMQ Flaw Might Let Attackers Fly Below the Radar


Nov 15, 2023 | Newsroom | Ransomware / Vulnerability

Cybersecurity researchers have demonstrated a new method that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.

Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could allow a threat actor to run arbitrary shell commands.

It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.

The vulnerability has since come under active exploitation by ransomware crews to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass, as well as a remote access trojan called SparkRAT.

According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit initially disclosed on October 25, 2023.

The attacks have been found to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.

VulnCheck, which characterized the technique as noisy, said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the "init-method" attribute to achieve the same results and even obtain a reverse shell.

"This means the threat actors could have avoided dropping their tools to disk," VulnCheck said. "They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident."

However, it's worth noting that doing so still triggers an exception message in the activemq.log file, so attackers who want to stay hidden must also take steps to clean up that forensic trail.
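Two defender-side checks that follow from the points above, added here as an example and not taken from VulnCheck's or the Apache ActiveMQ project's code: a version test against the fixed releases named earlier in the article, and a scan of activemq.log for the two Spring XML application-context classes (the one the public PoC uses and the one VulnCheck's variant uses). The sample log lines are constructed for the example; the exact wording ActiveMQ writes after `failed:` is an assumption, and the check keys only on the class name, which is what the article supports.

```python
"""Defender-side checks for CVE-2023-46604 (added example, not project code)."""
import re

# Fixed releases per branch, as listed in the article.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Fully qualified names of the Spring context classes named in the article.
SPRING_CONTEXT_CLASSES = (
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
)


def parse_version(text):
    """Turn '5.18.2' (optionally with a suffix such as '-SNAPSHOT') into (5, 18, 2)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if the version carries the fix, False if it is on a fixed branch but
    below the fixed release, None if the branch is not one the article lists
    (consult the vendor advisory for those rather than guessing)."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        return None
    return v >= FIXED_VERSIONS[branch]


def scan_activemq_log(lines):
    """Return (line_number, short_class_name) for each activemq.log line that
    mentions either Spring XML context class. Either the fully qualified or the
    bare class name is enough to trigger a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for cls in SPRING_CONTEXT_CLASSES:
            short = cls.rsplit(".", 1)[1]
            if cls in line or short in line:
                hits.append((n, short))
                break
    return hits


# Constructed sample log (not a real capture). Line 2 models the exception the
# article says an exploitation attempt leaves behind; only the class name is
# taken from the article, the surrounding text is an assumption.
SAMPLE_LOG = """\
2023-11-15 10:00:01,000 | INFO  | Apache ActiveMQ 5.18.2 (localhost) started | org.apache.activemq.broker.BrokerService | main
2023-11-15 10:02:13,512 | WARN  | Transport Connection to: tcp://203.0.113.7:51234 failed: java.lang.ClassCastException: class org.springframework.context.support.FileSystemXmlApplicationContext cannot be cast to class java.lang.Throwable | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:51234@61616
2023-11-15 10:02:14,001 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
"""

if __name__ == "__main__":
    for ver in ("5.18.2", "5.18.3", "5.15.16", "5.14.5"):
        print(ver, "->", is_patched(ver))
    for n, cls in scan_activemq_log(SAMPLE_LOG.splitlines()):
        print(f"possible CVE-2023-46604 attempt at activemq.log line {n}: {cls}")
```

Run it against the real broker version string and the real activemq.log; a hit on either class in a log that has not been tampered with is worth treating as an exploitation attempt even when no tool was dropped to disk, and an unexpectedly truncated or rotated activemq.log on an unpatched host is itself a signal, since cleanup of that file is the step the in-memory variant forces on the attacker.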

"Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely," said Jacob Baines, chief technology officer at VulnCheck.
