Thousands of Openfire XMPP servers are prepared against a recently revealed high-severity flaw and are vulnerable to a new exploit, according to a new report from VulnCheck.
Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability is related to a path traversal vulnerability in Openfire’s administrative console that could allow an unauthenticated attacker to access otherwise restricted pages reserved for privileged users Is.
This affects all versions of the software released since April 2015, starting with version 3.10.0. It was improved earlier this May by its developer, Ignite Realtime, by releasing versions 4.6.8, 4.7.5 and 4.8.0.
“Path traversal protections were already in place to protect against exactly this kind of attack, but didn’t defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time the maintainers said in a detailed advisory.
“A subsequent upgrade to the embedded web server included support for the non-standard URL encoding of UTF-16 characters. Path traversal protection in Openfire was not updated to include protection against this new encoding.”
As a result, a threat actor could abuse this vulnerability to bypass authentication requirements for administrator console pages. The vulnerability has since come under active exploitation in the wild, including by attackers associated with the Kinsing (aka Money Libra) crypto botnet malware.
A Shodan scan by cybersecurity firm shows that of the more than 6,300 Openfire servers available on the Internet, about 50% are running affected versions of the open-source XMPP solution.
While public exploits have leveraged the vulnerability to create an administrative user, log in, and then upload a plugin to achieve code execution, VulnCheck said it’s possible to do so without having to create an admin account, making it more stealthy and appealing for threat actors.
Elaborating on the modus operandi of the existing exploits, security researcher Jacob Baines said they involved “creating an administrator user to gain access to the Openfire Plugins interface.”
“The plugin allows system administrators to add more or less arbitrary functionality to Openfire via uploaded Java JARs. This is, clearly, a place to transition from authentication bypass to remote code execution.”
The better, less noisy method devised by VulnCheck, on the other hand, employs a userless approach that extracts the JSESSIONID and CSRF token by accessing a page called ‘plugin-admin.jsp’ and then via a POST request to the JAR Plugin uploads.
“Without authentication, the plugin is accepted and installed,” Baines said. “Then the web shell can be accessed without authentication using traversal.”
“This approach keeps login attempts out of the security audit log and prevents the ‘uploaded plugin’ notification from being recorded. This is a big deal because it leaves no evidence in the security audit log.”
The company said the only indication that something malicious is happening are the logs captured in the Openfire.log file, which an adversary could exploit using CVE-2023-32315.
With the vulnerability already being exploited in real-world attacks, it is recommended that users move quickly to update to the latest versions to stay safe from potential threats.
