Apache ActiveMQ < v5.18.3 - Unauthorised Remote Execution of Arbitrary Code following Deserialisation of Untrusted Data (CVE-2023-46604)

Description

Background & Context

Developed by Apache, ActiveMQ is an open-source message broker written in Java and shipped together with a full Java Message Service (JMS) client. It acts as message-oriented middleware that relays messages between clients and servers, and its "Enterprise Features" include brokering communication among many clients and servers at once. It supports Java and a range of cross-language clients, as well as multiple protocols and APIs such as STOMP, JMS and OpenWire.

Vulnerability Summary

Apache ActiveMQ contains a deserialization vulnerability. When OpenWire commands are unmarshalled, the marshallers should validate the Throwable class type supplied in the stream, but fail to do so. An attacker can therefore manipulate the serialized class type in an OpenWire command to make the broker instantiate any class on its classpath. By connecting to the broker over the OpenWire protocol (commonly TCP port 61616) and sending a specially crafted OpenWire packet, the attacker causes the broker to load a malicious XML file from an external source.

Impact If Exploited

When developers place no restrictions on "gadget chains", that is, sequences of object instances and method invocations that execute on their own during deserialization (before the object is returned to the caller), attackers can sometimes chain them to perform unauthorized actions such as spawning a shell.

Exploitation of the vulnerability may allow a remote attacker with network access to the broker to run arbitrary shell commands, i.e. Remote Code Execution (RCE). Following successful exploitation, threat actors have been observed loading remote binaries to encrypt victim assets in ransomware attacks.

NOTE: CISA (America's Cyber Defense Agency) reports this vulnerability as actively exploited in the wild as of 2023-11-02, so remediation should be prioritised in any affected environment. One vendor detected attempts to exploit Apache ActiveMQ CVE-2023-46604 in two customer environments beginning October 27, 2023; a second observed evidence of exploitation dating back to October 10, 2023. The attacks are believed to be attributed to the "HelloKitty" ransomware group.

NOTE: As of September 2024, the FBI, CNMF, NSA, NCSC and other national cybersecurity agencies have issued a joint cybersecurity alert regarding the compromise of up to 260,000 Internet-connected devices in a campaign by Chinese (PRC)-linked cyber actors. The threat actors used a network of compromised nodes (a "botnet") as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted networks in the West. The botnet uses a customized variant of the 'Mirai' malware family as a component of a system that automates the hijacking of devices including SOHO routers, firewalls and NAS devices. Devices are compromised by exploiting over 60 known and catalogued vulnerabilities, of which this CVE is one. Full details are available in the published NSA report.

Indicators of Compromise (IoC):


Affected Product Versions

  • Apache ActiveMQ 5.18.0 before 5.18.3

  • Apache ActiveMQ 5.17.0 before 5.17.6

  • Apache ActiveMQ 5.16.0 before 5.16.7

  • Apache ActiveMQ before 5.15.16

  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3

  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6

  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7

  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

To determine which version of ActiveMQ is running, use the broker's command line tool: running activemq --version prints the installed version.
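Added example, not part of the advisory or the ActiveMQ project: a small Python check that reads the version line printed by activemq --version and reports whether that build falls inside the affected ranges listed above. The sample version strings are constructed; the check assumes the version appears as "ActiveMQ x.y.z".

```python
# Added example: map an `activemq --version` line onto the affected ranges
# published in this advisory. Sample inputs below are constructed.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, taken from the advisory.
# The Legacy OpenWire Module ranges match these except for the 5.8.0 lower
# bound on the oldest line, which is covered by the open-ended last entry.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),  # "before 5.15.16": everything older than the fix
]

def parse_version(text: str) -> Optional[Version]:
    """Extract x.y.z from tool output, preferring the 'ActiveMQ x.y.z' line."""
    m = re.search(r"ActiveMQ\s+(\d+)\.(\d+)\.(\d+)", text, re.IGNORECASE)
    if m is None:
        m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(version: Version) -> bool:
    """True if the version lies in any [first_affected, first_fixed) interval."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def assess(output: str) -> str:
    """Human-readable verdict for one `activemq --version` output string."""
    v = parse_version(output)
    if v is None:
        return "unknown: no version number found in output"
    label = ".".join(map(str, v))
    if is_affected(v):
        return f"{label}: AFFECTED by CVE-2023-46604, upgrade to 5.15.16/5.16.7/5.17.6/5.18.3 or later"
    return f"{label}: not in an affected range"

if __name__ == "__main__":
    # Constructed samples in the shape `activemq --version` prints.
    for sample in ("ActiveMQ 5.17.2", "ActiveMQ 5.18.3", "ActiveMQ 5.14.5", "ActiveMQ 5.16.7"):
        print(assess(sample))
```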

Remediation

Official Fix & Remediation Guidance

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue, or preferably to the latest available release. Patches are available for download from the Apache website at https://activemq.apache.org/components/classic/download/.

NOTE: Remediating this vulnerability by patching to the specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contraindicated, customers are therefore advised to always upgrade to the latest available version of the product.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Risk

Impact: Critical
Probability: Critical
CVSS v4 Score:
CVSS v3 Score: 10 / 10
CVSS v2 Score: 10 / 10
EPSS: 94.4 %

Information

Category: Deserialization of Untrusted Data
CWE: CWE-502
Known Exploitation Activity:

OWASP

OWASP 2013: Unknown
OWASP 2017: A8 - Insecure Deserialization
OWASP 2021: Unknown