Over 3,000 Openfire servers vulnerable to takeover attacks
Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal flaw in the admin console that lets unauthenticated attackers create new administrator accounts.
Openfire is a widely used Java-based open-source chat (XMPP) server with roughly 9 million downloads. The authentication bypass was disclosed on May 23, 2023, and affects every release from version 3.10.0, shipped in April 2015, up to the fixed versions.
Openfire's developers fixed the flaw in versions 4.6.8, 4.7.5, and 4.8.0. In June, however, reports emerged that attackers were exploiting it on unpatched servers to create admin accounts and upload malicious plugins [1, 2].
According to a report by VulnCheck vulnerability researcher Jacob Baines, the Openfire community has been slow to apply these updates, leaving more than 3,000 servers exposed. Worse, Baines shows that the flaw can be exploited to upload a plugin without creating an admin account at all. That variant is particularly attractive to attackers because it skips the step most likely to be noticed.
Too many unpatched servers
Shodan scans by VulnCheck found 6,324 Openfire servers reachable from the internet. About half of them, 3,162 instances, run versions still affected by CVE-2023-32315.
Only 20% of these servers run a patched release. Another 25% run versions older than 3.10.0, the release that introduced the vulnerability, and so are not affected. A further 5% run customized builds or forks of the open-source project, whose exposure cannot be determined from the version string alone.
VulnCheck notes that while these numbers are not staggering, they matter: chat servers sit at the heart of an organization's communication infrastructure and handle sensitive information, so the remaining exposure should be closed promptly.
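Sorting a list of version banners into these same four buckets is the first thing a defender does with a Shodan export. The Python below is an added example, not VulnCheck's tooling or Openfire's code; the sample banners are constructed, and the only facts it encodes are the ones cited above: affected from 3.10.0, fixed in 4.6.8 and 4.7.5 on the maintenance branches and in 4.8.0 on mainline. A banner with no parseable x.y.z version lands in the "unknown" bucket that the custom builds and forks occupy.

```python
import re
from collections import Counter

# Version boundaries cited in the article: affected from 3.10.0, fixed in
# 4.6.8 and 4.7.5 on the maintenance branches and in 4.8.0 on mainline.
FIRST_AFFECTED = (3, 10, 0)
FIXED_BY_BRANCH = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}
FIRST_FIXED_MAINLINE = (4, 8, 0)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the first x.y.z in the banner as an int tuple, or None."""
    match = VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Map one banner to patched / vulnerable / not_affected / unknown."""
    version = parse_version(banner)
    if version is None:
        return "unknown"           # custom build or fork: needs a manual check
    if version < FIRST_AFFECTED:
        return "not_affected"      # predates the release that introduced the flaw
    if version >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None and version >= fixed:
        return "patched"           # at or past the branch's fixed release
    return "vulnerable"            # 3.10.0 .. 4.6.7 and 4.7.0 .. 4.7.4


def tally(banners):
    """Count banners per category, the way the survey above is broken down."""
    return Counter(classify(b) for b in banners)


# Constructed sample banners, not real Shodan data.
SAMPLE_BANNERS = [
    "Openfire, Version: 4.7.5",
    "Openfire, Version: 4.7.4",
    "Openfire, Version: 4.6.7",
    "Openfire, Version: 4.8.0",
    "Openfire, Version: 3.9.3",
    "Openfire, Version: 3.10.2",
    "ACME Chat Server (Openfire fork)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):13s} {banner}")
    print(dict(tally(SAMPLE_BANNERS)))
```

The branch table matters: a server reporting 4.7.4 is newer than the 4.6.8 fix yet still vulnerable, which a naive "is it above the lowest fixed version" check would get wrong.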
A better PoC
Public exploits for CVE-2023-32315 typically create an admin user and then use it to upload a malicious Java JAR plugin that opens a reverse shell or runs commands on the server. The operators of the Kinsing crypto-miner botnet have used the flaw this way, deploying a custom Openfire plugin that spawns a reverse shell on the compromised host.
Because they create accounts, these exploits leave obvious entries in the audit logs, which makes the intrusion relatively easy for defenders to spot. VulnCheck's report describes a quieter way to exploit the flaw that needs no new admin account.
In its proof-of-concept (PoC), VulnCheck uses the path traversal to reach 'plugin-admin.jsp' directly, extracts the JSESSIONID and CSRF token from the response, and then uploads the JAR plugin with a POST request. The vulnerable server accepts and installs the plugin, and the attacker gets a webshell without ever holding admin credentials.
This method leaves no account-creation entries in the audit logs, so the noisiest indicator defenders currently rely on is gone; what remains are host-level artifacts such as the uploaded JAR in the plugins directory and, where request logging is enabled, the POST to plugin-admin.jsp. Given that CVE-2023-32315 is already under active exploitation, including by botnet malware, VulnCheck's PoC could fuel a second, harder-to-detect wave of attacks. Administrators running Openfire should upgrade to a patched release without delay.
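Since the admin-less variant skips the account-creation noise, defenders have to look for what it cannot avoid leaving behind: the plugin JAR written into Openfire's plugins directory. The Python below is an added example, not part of VulnCheck's report or of Openfire itself. It assumes the standard layout in which each installed plugin is a JAR under the server's plugins/ directory with a plugin.xml at its root; the allowlist, the plugin names and the two sample JARs are constructed for the demonstration.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def read_plugin_xml(jar_path):
    """Return (name, class) declared in the JAR's plugin.xml.

    plugin.xml inside an unexpected JAR is attacker-controlled. The stdlib
    parser does not fetch external entities but still expands internal ones,
    so on a hostile file prefer defusedxml or inspect the raw bytes instead.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf, zf.open("plugin.xml") as fh:
            root = ET.parse(fh).getroot()
    except (zipfile.BadZipFile, KeyError, ET.ParseError, OSError):
        return "?", "?"
    return root.findtext("name", default="?"), root.findtext("class", default="?")


def find_unexpected_plugins(plugins_dir, allowlist):
    """List JARs in plugins_dir whose file name is not on the allowlist.

    Returns (filename, plugin name, plugin class, mtime ISO string) tuples,
    newest first, so a freshly dropped plugin is at the top of the report.
    """
    hits = []
    for entry in os.scandir(plugins_dir):
        if not entry.is_file() or not entry.name.lower().endswith(".jar"):
            continue
        if entry.name in allowlist:
            continue
        name, cls = read_plugin_xml(entry.path)
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc).isoformat()
        hits.append((entry.name, name, cls, mtime))
    hits.sort(key=lambda h: h[3], reverse=True)
    return hits


def _make_jar(path, plugin_name, plugin_class):
    """Write a minimal Openfire-style plugin JAR (constructed test fixture)."""
    xml = (f"<plugin><name>{plugin_name}</name><class>{plugin_class}</class>"
           f"<version>1.0</version></plugin>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("plugin.xml", xml)


def demo():
    """Build a constructed plugins/ directory and return what gets flagged."""
    plugins_dir = tempfile.mkdtemp(prefix="openfire-plugins-")
    # A plugin the operator knowingly installed (names are constructed).
    _make_jar(os.path.join(plugins_dir, "monitoring.jar"),
              "Monitoring Service", "org.example.monitoring.MonitoringPlugin")
    # A plugin nobody installed: the artifact an admin-less upload leaves behind.
    _make_jar(os.path.join(plugins_dir, "helloworld.jar"),
              "Hello World", "org.example.dropped.ShellPlugin")
    allowlist = {"monitoring.jar"}
    return find_unexpected_plugins(plugins_dir, allowlist)


if __name__ == "__main__":
    for filename, name, cls, mtime in demo():
        print(f"UNEXPECTED {filename}: name={name!r} class={cls} modified={mtime}")
```

Point `find_unexpected_plugins` at the real plugins directory with the set of JARs you deployed; anything flagged with an unfamiliar class name and a recent modification time deserves a closer look, and the modification time gives incident responders a pivot into the admin console's request logs for the matching POST.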