Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.
Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could allow a threat actor to run arbitrary shell commands.
Apache patched the flaw in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released last month.
The vulnerability has since been subject to active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain similar to TellYouThePass as well as a remote access trojan called SparkRAT.
The attacks observed so far have been found to leverage ClassPathXmlApplicationContext, a class that is part of the Spring framework and ships with ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.
VulnCheck, which characterized that method as noisy, said it has devised a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the init-method attribute to achieve the same result and even obtain a reverse shell, without fetching a payload from an attacker-controlled web server.
“That means threat actors could have avoided dropping their tools on disk,” VulnCheck said. “They could write their encryptor in Nashorn (or load a class/JAR into memory) and keep it memory resident.”
However, it is worth noting that doing so still leaves an exception message in the activemq.log file, which means attackers would also have to take steps to clean up that forensic trail.
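A defender reading this will want two quick checks: whether a broker's version predates its branch's fix, and whether activemq.log carries the exception trail left behind when one of the Spring application-context classes named above is triggered over OpenWire. The script below is an added example written for this article; it is not VulnCheck's code or anything from the ActiveMQ project. The fixed-version table is taken from the patch list above; the log lines are constructed samples that follow the general pipe-separated shape of activemq.log entries, and the exact exception wording in a real log will vary by version and payload, so tune the patterns against your own logs. The broker-startup line format ("Apache ActiveMQ <version> (...) started") is assumed from typical broker logs.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed release per ActiveMQ 5.x branch for CVE-2023-46604, from the
# patch list quoted in the article.
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# The two Spring classes the exploits abuse; seeing either one inside a
# transport-connection exception on an OpenWire listener is the trail
# referred to above.
SUSPICIOUS_CLASSES = (
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
)

# Constructed sample log (not a real capture): one startup line, one unrelated
# protocol error, and two exploit-style failures from the same remote host.
SAMPLE_LOG = """\
2023-11-02 09:12:01,114 | INFO  | Apache ActiveMQ 5.17.4 (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2023-11-02 09:40:17,902 | WARN  | Transport Connection to: tcp://203.0.113.7:49158 failed: java.io.IOException: Unknown data type: 42 | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:49158@61616
2023-11-02 09:40:18,331 | WARN  | Transport Connection to: tcp://203.0.113.7:49160 failed: java.io.IOException: org.springframework.context.support.ClassPathXmlApplicationContext.<init>(java.lang.String) | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:49160@61616
2023-11-02 09:41:02,007 | WARN  | Transport Connection to: tcp://203.0.113.7:49162 failed: java.io.IOException: org.springframework.context.support.FileSystemXmlApplicationContext.<init>(java.lang.String) | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:49162@61616
"""


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '5.17.4' (a trailing qualifier such as '-SNAPSHOT' is ignored) into (5, 17, 4)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates its branch's fix, False if it is fixed,
    None if the branch is outside the 5.15-5.18 list above (not assessed here)."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    if ver < (5, 15, 0):
        # The advisory covers every release before 5.15.16, so older branches are affected.
        return True
    return None


def version_from_log(log_text: str) -> Optional[str]:
    """Pull the broker version from the startup line, if the log contains one."""
    m = re.search(r"Apache ActiveMQ (\d+\.\d+\.\d+)", log_text)
    return m.group(1) if m else None


def find_suspicious(log_text: str) -> List[Tuple[int, Optional[str], str]]:
    """Return (line_number, remote_ip, short_class_name) for every line that names
    one of the Spring context classes. The remote IP is taken from the tcp://
    endpoint in the line when present."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for cls in SUSPICIOUS_CLASSES:
            if cls in line:
                m = re.search(r"tcp://([\d.]+):\d+", line)
                hits.append((n, m.group(1) if m else None, cls.rsplit(".", 1)[-1]))
                break
    return hits


def triage(log_text: str) -> dict:
    """Combine both checks into one verdict for a broker's log file."""
    version = version_from_log(log_text)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "hits": find_suspicious(log_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"broker version {result['version']} vulnerable={result['vulnerable']}")
    for line_no, ip, cls in result["hits"]:
        print(f"line {line_no}: {cls} triggered from {ip}")
```

Run it against a real activemq.log (`triage(open("activemq.log").read())`) and treat any hit on an internet-facing broker as a reason to pull the host for forensics rather than just patching it, since the attacker may already have a memory-resident payload and, as noted above, may have tried to scrub this very log.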
“Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it has become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely,” the cybersecurity company said.