Hackers target Apache RocketMQ servers vulnerable to RCE attacks

Security researchers are detecting hundreds of IP addresses on a daily basis that scan or attempt to exploit Apache RocketMQ services vulnerable to a remote command execution flaw identified as CVE-2023-33246 and CVE-2023-37582.

Both vulnerabilities have a critical severity score and refer to an issue that remained active after the vendor's initial patch in May 2023.

Initially, the security issue was tracked as CVE-2023-33246 and impacted multiple components, including NameServer, Broker, and Controller.

Apache released a fix, but it was incomplete for the NameServer component, and the issue continued to affect versions 5.1 and older of the distributed messaging and streaming platform.

"The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1," reads a warning from Rongtong Jin, a member of the Apache RocketMQ Project Management Committee.

On vulnerable systems, attackers can leverage the vulnerability to execute commands by using the update configuration function on the NameServer when its address is exposed online without proper permission checks.

"When NameServer addresses are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as," the researcher, who is also a research and development engineer at Alibaba, explains.

The issue is now referred to as CVE-2023-37582 and it is recommended to upgrade the NameServer to version 5.1.2/4.9.7 or above for RocketMQ 5.x/4.x to avoid attacks exploiting the vulnerability.
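Given the branch-specific fixed releases above (5.1.2 for 5.x, 4.9.7 for 4.x), a defender's first step is to find which NameServer hosts in an inventory still run an older release. The following is an added example, not code from the article or the RocketMQ project; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage helper: decide whether a RocketMQ NameServer version string is at or
above the CVE-2023-37582 fixed release for its branch (5.1.2 for 5.x, 4.9.7 for
4.x). Added example; not RocketMQ project code."""
import re
from typing import Optional, Tuple

# Fixed releases per major branch, as stated in the advisory.
FIXED_VERSIONS = {4: (4, 9, 7), 5: (5, 1, 2)}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a major.minor.patch triple; suffixes such as '-SNAPSHOT' are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def is_patched(version: str) -> Optional[bool]:
    """True if at or above the branch's fixed release, False if below, and None
    when the string cannot be parsed or the branch has no listed fixed release
    (callers should treat None as 'needs manual review')."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed

def triage(inventory):
    """Sort (host, version) pairs into patched / vulnerable / review buckets."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, version in inventory:
        status = is_patched(version)
        bucket = "review" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mq-a.example.internal", "5.1.1"),          # only the incomplete May 2023 fix
    ("mq-b.example.internal", "5.1.2"),
    ("mq-c.example.internal", "4.9.6"),
    ("mq-d.example.internal", "4.9.7"),
    ("mq-e.example.internal", "5.2.0-SNAPSHOT"),
    ("mq-f.example.internal", "3.2.6"),          # branch without a listed fixed release
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```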

Threat tracking platform The ShadowServer Foundation has logged hundreds of hosts scanning for RocketMQ systems exposed online, some of them attempting to exploit the two vulnerabilities.


The organization notes that the attacks it tracks "may include exploitation attempts for CVE-2023-33246 and CVE-2023-37582."

ShadowServer says that the activity it observes may be part of reconnaissance attempts from potential attackers, exploitation efforts, or even researchers scanning for exposed endpoints.

Hackers have been targeting vulnerable Apache RocketMQ systems since at least August 2023, when a new version of the DreamBus botnet was observed leveraging a CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.

In September 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to patch the flaw by the end of the month, warning about its active exploitation status.
