New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar
Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands.
It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.
The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass as well as a remote access trojan called SparkRAT.
According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023.
The attacks have been found to use ClassPathXmlApplicationContext, a class that’s part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized the method as noisy, said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the “init-method” attribute to achieve the same results and even obtain a reverse shell.
“That means the threat actors could have avoided dropping their tools to disk,” VulnCheck said. “They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident.”
However, it’s worth noting that doing so triggers an exception message in the activemq.log file, necessitating that the attackers also take steps to clean up the forensic trail.
“Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it’s become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely,” Jacob Baines, chief technology officer at VulnCheck, said.