The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its catalog of known exploited vulnerabilities (KEV) a critical–severity issue tracked as CVE-2023-33246 that affects Apache’s RocketMQ distributed messaging and streaming platform.
Multiple threat actors are possibly exploiting the vulnerability at the moment to install various payloads on impacted systems (RocketMQ versions 5.1.0 and below).
Exploiting the vulnerability is possible without authentication and has been leveraged in the wild since at least June by operators of the DreamBus botnet to deploy a Monero cryptocurrency miner.
CISA is warning federal agencies that they should patch the CVE-2023-33246 vulnerability for Apache RocketMQ installations on their systems by September 27.
If updating the application to a safe version or mitigating the risk in some other way is not possible, CISA recommends discontinuing using the product.
The cybersecurity agency notes that an attacker can exploit the issue “by using the update configuration function to execute commands as the system users that RocketMQ is running.”
The U.S. National Institute of Standards and Technology (NIST) adds that the result is the same if an attacker forges the RocketMQ protocol content.
CISA’s warning about CVE-2023-33246 comes after Jacob Baines, a researcher at vulnerability intelligence platform VulnCheck, published technical details that explain the security problem.
Leveraging the issue is possible because multiple RocketMQ components that include NameServer, Broker, and Controller, are exposed on the public internet, making them a target for hackers.
“The RocketMQ broker was never meant to be exposed to the internet. The interface is insecure by design and offers a variety of administrative functions” – Jacob Baines
Payloads from multiple actors
Trying to find how many potential RocketMQ targets are exposed online, the researcher looked for hosts with the TCP port 9876 used by the RocketMQ Nameserver and found about 4,500 systems.
Baines notes that most of the systems were concentrated in one country, which could mean that many of them are honeypots set up by researchers.
When scanning potentially vulnerable systems, the researcher also discovered “a variety of malicious payloads,” suggesting that multiple threat actors are exploiting the vulnerability.
Although they display suspicious behavior, some of the executables [1, 2, 3, 4] dropped after exploiting RocketMQ are currently not detected as malicious by antivirus engines on the Virus Total scanning platform
The samples’ dubious conduct on a system includes deleting themselves, running commands to modify permissions, enumerating processes, dumping credentials, reading the SSH private keys and the “known_hosts” file, encoding and encrypting data, and reading the bash history.
Baines says that although CVE-2023-33246 has been publicly associated with just one adversary, there are at least five actors exploiting it.
An update that addresses the issue is available and users are recommended to switch to the latest version of the application.