It has been discovered that Apache ActiveMQ is vulnerable to Remote Code Execution (RCE). The vulnerability can be tracked with CVE-2023-46604 and has a Critical CVSS score of 10.0 out of 10. The vulnerability could allow a remote attacker with network access to a broker to run arbitrary shell commands. The vulnerability was observed for the first time on October 27, 2023 by Rapid7 Managed Detection and Response.
Apache ActiveMQ is a popular open-source message broker and integration platform that supports Java, multiple protocols, and features such as STOMP, JMS, and OpenWire.
According to the CVE-2023-46604 information, the vulnerability is severe. If a remote attacker manages to obtain network access to a broker they could run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. This could cause the broker to instantiate any class on the classpath. The vulnerability has been mapped to a CWE (Common Weakness Enumeration) ID, CWE-502, because its root cause is that the product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
During a successful exploitation of the vulnerability, Java.exe will contain the specific Apache application being targeted “D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64”. Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png using MSIExec. File analysis revealed an executable named dllloader which then revealed EncDLL, a ransomware encryptor.
In the above exploitation instance Rapid7 observed that an adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. The activity was attributed to the HelloKitty ransomware group, based on the findings and the ransomware note.
The HelloKitty ransomware, encrypts files and demands ransom for decryption. It targets Windows servers running vulnerable versions of Apache ActiveMQ and executes malicious commands via the OpenWire protocol.
The vulnerability affects the below versions of Apache ActiveMQ and Legacy OpenWire Module:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
It is important that the users follow some measures to prevent possible exploitation of the vulnerability from potential threat actors. Below can be found some recommendations:
- According to Apache, it is recommended that the users upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
- Block port 61616 on the firewall if ActiveMQ is not needed. This is the default port for the OpenWire protocol, which is exploited by the vulnerability.
- Implement a web application firewall (WAF) to block malicious traffic.