Flash Notices

Flash Notice: UPDATE - Critical Vulnerability in Apache RocketMQ Exploited in the Wild

Written by Marketing | Sep 12, 2023 1:58:06 PM

UPDATE (1/8/2024) -

A vulnerability (CVE-2023-33246 and CVE-2023-37582) has been found in Apache RocketMQ servers, exposing the servers to remote command execution (RCE) attacks. Despite a patch released by Apache in May 2023, the issue persists, affecting NameServer, Broker, and Controller components. 

CVE-2023-33246 initially impacted multiple components, with the NameServer component remaining vulnerable in RocketMQ versions 5.1 and older. The NameServer component still harbors a remote command execution flaw. Attackers can exploit this vulnerability by utilizing the update configuration function on exposed NameServers without proper permission checks. 

CVE-2023-37582 stems from incomplete fixes, which means that users should upgrade the NameServer to version 5.1.2/4.9.7 or above for RocketMQ 5.x/4.x to mitigate potential attacks. 

Organizations using Apache RocketMQ need to immediately address these vulnerabilities by upgrading their NameServer to the recommended versions. Failing to do so may expose systems to unauthorized command execution, which will lead to compromise. 

 

 

overview

A critical vulnerability tracked as CVE-2023-33246 was found in Apache RocketMQ – a messaging and streaming platform used by enterprises. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical security alert, highlighting the vulnerability and its severity.  

CVE-2023-33246 has a CVSS score of 9.8 and has been exploited by multiple threat actors in the wild. The bug is a command execution vulnerability and impacts Apache RocketMQ versions 5.1.0 and earlier. Also, the National Institute of Standards and Technology (NIST) stated that various parts of RocketMQ, such as NameServer, Broker, and Controller, are unintentionally exposed on the external network without proper permission checks. This means that a malicious attacker could take advantage of this weakness by using the update configuration feature to execute commands as if they were the system users running RocketMQ. Since at least June, threat actors, specifically those behind the DreamBus botnet, have utilized this vulnerability to deploy a Monero cryptocurrency miner. 

CISA has advised that federal agencies take immediate action by patching CVE-2023-33246 in their Apache RocketMQ installations, with a deadline set for September 27. In cases where applying the patch or implementing mitigation measures is not feasible, CISA recommends discontinuing the use of the product.  

Previous versions of the DreamBus malware have been observed targeting various software applications, including Redis, PostgreSQL, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack. It is strongly advised to keep all the mentioned software products updated.  

 

 

avertium's recommendationS

  • Users are advised to upgrade to RocketMQ version 5.1.1 or a newer version for RocketMQ 5.x or version 4.9.6 or higher for RocketMQ 4.x to address the vulnerability. 
  • Take your RocketMQ instance offline from the internet, and carefully inspect the broker configuration for any indications of exploitation. 

 

 

INDICATORS OF COMPROMISE (IoCs)

Note: The following IoCs have been added to our standard threat lists 

Hashes 

  • 1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac 
  • d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0 
  • 4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb 
  • f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201 
  • 49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea 

IP Addresses  

  • 103[.]85[.]25[.]121 
  • 94[.]156[.]6[.]110 
  • 45[.]15[.]158[.]124 
  • 134[.]209[.]58[.]230 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  

    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 
  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 







SUPPORTING DOCUMENTATION

CISA Adds One Known Vulnerability to Catalog | CISA 

CISA Adds Critical RocketMQ Bug to Must-Patch List - Infosecurity Magazine (infosecurity-magazine.com) 

CISA warns of critical Apache RocketMQ bug exploited in attacks (bleepingcomputer.com) 

Exposing RocketMQ CVE-2023-33246 Payloads - Blog - VulnCheck 

CVE-2023-33246 ≈ Packet Storm (packetstormsecurity.com) 

oss-security - CVE-2023-37582: Apache RocketMQ: Possible remote code execution when using the update configuration function (openwall.com) 

CVE Record | CVE