Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could allow a threat actor to run arbitrary shell commands.
It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
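A practical first step for a defender is an inventory check against those four fixed releases. The script below is an added example, not code from the article, from VulnCheck or from Apache: it parses version strings and decides, per release branch, whether a host still needs the CVE-2023-46604 fix. The sample inventory is constructed, and the handling of branches older than 5.15 or newer than 5.18 is an assumption stated in the code.

```python
import re

# Fixed releases per maintained branch, as listed in the article. Anything
# below these on the same branch is affected by CVE-2023-46604.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Accepts "5.18.2", "5.16.7.redhat-0001" and similar; only the numeric
# major.minor.patch prefix is compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text):
    """True if the version carries the CVE-2023-46604 fix.

    Assumptions (not stated in the article): branches older than 5.15 received
    no fix release and are treated as vulnerable; branches newer than 5.18 are
    assumed to have been cut after the fix.
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)


def hosts_needing_patch(inventory):
    """Given {host: version_string}, return the sorted list of hosts still exposed.

    Unparseable versions are included so they get triaged by hand rather than
    silently assumed safe.
    """
    exposed = []
    for host, version in inventory.items():
        try:
            if not is_patched(version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "mq-prod-01": "5.18.2",
        "mq-prod-02": "5.18.3",
        "mq-legacy": "5.14.5",
        "mq-dev": "5.17.5",
        "mq-unknown": "unknown",
    }
    for host in hosts_needing_patch(sample):
        print(f"{host}: update required")
```

Feed it whatever your asset inventory exports (the version string printed in the broker's startup log line, or the `activemq` package version); unknown or unparseable strings are deliberately reported rather than ignored.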
The vulnerability has since come under active exploitation by ransomware groups to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass, as well as a remote access trojan called SparkRAT.
According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023.
The attacks have been found to use ClassPathXmlApplicationContext, a class that is part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized the method as noisy, said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the “init-method” attribute to achieve the same results and even obtain a reverse shell.
“This means the threat actors could have avoided dropping their tools to disk,” VulnCheck said. “They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident.”
However, it's worth noting that doing so triggers an exception message in the activemq.log file, necessitating that the attackers also take steps to clean up the forensic trail.
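Because both the disk-based and the in-memory variants leave an exception in activemq.log, the broker log is the natural place to look. The scanner below is an added example, not VulnCheck's or Apache's code: it flags any log line that pairs a Java exception with one of the two Spring application-context class names the article mentions, and tallies the remote addresses involved. The sample log lines are constructed in the broker's default "date | level | message | logger | thread" layout, and the exact exception wording shown is an assumption for illustration, not text quoted from the article.

```python
import re
from collections import Counter

# Spring context classes the article names as the loader used in attacks.
SUSPICIOUS_CLASSES = (
    "ClassPathXmlApplicationContext",
    "FileSystemXmlApplicationContext",
)

# Remote endpoint as the broker prints it in transport messages (assumed format).
_ENDPOINT_RE = re.compile(r"tcp://(?P<ip>[\d.]+):(?P<port>\d+)")


def scan_log(lines):
    """Return one hit per log line that pairs a Java exception with a Spring XML
    application-context class name. Each hit records the line number, log level,
    matched class and (if present) the remote address of the connection."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if "Exception" not in line:
            continue
        matched = next((cls for cls in SUSPICIOUS_CLASSES if cls in line), None)
        if matched is None:
            continue
        fields = [field.strip() for field in line.split("|")]
        level = fields[1] if len(fields) > 1 else "?"
        endpoint = _ENDPOINT_RE.search(line)
        hits.append({
            "line": number,
            "level": level,
            "class": matched,
            "source": endpoint.group("ip") if endpoint else None,
        })
    return hits


def sources_by_count(hits):
    """Count hits per remote source address; hits without a source are skipped."""
    return Counter(hit["source"] for hit in hits if hit["source"])


# Constructed sample log: one normal startup line, two lines of the kind an
# exploitation attempt is assumed to produce, and one unrelated disconnect.
SAMPLE_LOG = [
    "2023-11-01 10:15:02,118 | INFO  | Apache ActiveMQ 5.18.2 (localhost, ID:mq-prod-01-1) started | org.apache.activemq.broker.BrokerService | main",
    "2023-11-01 10:16:44,031 | WARN  | Transport Connection to: tcp://203.0.113.5:41022 failed: java.lang.ClassCastException: class org.springframework.context.support.ClassPathXmlApplicationContext cannot be cast to class org.apache.activemq.command.ExceptionResponse | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.5:41022@61616",
    "2023-11-01 10:17:03,502 | WARN  | Transport Connection to: tcp://203.0.113.5:41040 failed: java.lang.ClassCastException: class org.springframework.context.support.FileSystemXmlApplicationContext cannot be cast to class org.apache.activemq.command.ExceptionResponse | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.5:41040@61616",
    "2023-11-01 10:20:11,009 | WARN  | Transport Connection to: tcp://198.51.100.7:50110 failed: java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///198.51.100.7:50110@61616",
]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(sources_by_count(found))
```

Run it over a real activemq.log with `scan_log(open(path).read().splitlines())`. Since the article points out that attackers would need to clean up this trail, the check is only trustworthy if the log is shipped off the broker host as it is written; a scan of a local file that an attacker could edit proves little.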
“Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it's become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely,” Jacob Baines, chief technology officer at VulnCheck, said.