The U.S. CISA has added a new critical-severity vulnerability, tracked as CVE-2023-33246, to its KEV catalog. It affects Apache’s RocketMQ distributed messaging and streaming platform.
The vulnerability can be exploited without authentication, and multiple threat actors are actively exploiting it. Operators of the DreamBus botnet are among them: they have been caught deploying a Monero cryptocurrency miner after exploiting it.
CISA issued a warning to federal agencies to patch CVE-2023-33246 in the Apache RocketMQ installations on their systems by September 27. Affected versions are 5.1.0 and below. Where updating is not possible, CISA recommends discontinuing use of the product.
CISA notes that attackers can exploit the vulnerability “by using the update configuration function to execute commands as the system users that RocketMQ is running.”
Threat actors can take advantage of the problem because certain RocketMQ components, such as NameServer, Broker, and Controller, are reachable from the open internet. While trying to determine how many potential targets are exposed online, Baines also looked for hosts listening on TCP port 9876, the port used by the RocketMQ NameServer, and found about 4,500 systems.
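The two facts the article gives a defender to act on are the affected version range (5.1.0 and below) and the NameServer port (TCP 9876) that should not be reachable from the internet. The following triage script is an added example, not code from the article, from Apache RocketMQ or from CISA; it assumes a hypothetical inventory record per host (name, reported version, bind address and port of the NameServer listener), which is constructed inline. It compares versions as integer tuples rather than strings, which avoids the classic mistake of ordering "5.10.0" before "5.9.0", and it treats a wildcard bind (0.0.0.0) as exposed unless a firewall in front of it says otherwise.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ceiling of the affected range as stated in the article: 5.1.0 and below.
MAX_AFFECTED = (5, 1, 0)
# TCP port used by the RocketMQ NameServer, as stated in the article.
NAMESERVER_PORT = 9876


def parse_version(text):
    """Turn '5.1.0', '4.9.4' or '5.1.1-SNAPSHOT' into a (major, minor, patch) tuple.

    Tuples compare numerically, so '5.10.0' correctly sorts after '5.9.0';
    comparing the raw strings would get that wrong.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the reported version falls inside the affected range."""
    return parse_version(version) <= MAX_AFFECTED


def is_publicly_exposed(bind_addr, port):
    """True when the NameServer port is bound to a wildcard or globally routable address.

    Loopback, RFC 1918 and other non-global ranges are treated as not exposed.
    A wildcard bind is assumed exposed; a host firewall could still block it,
    which this inventory check cannot see.
    """
    if port != NAMESERVER_PORT:
        return False
    addr = ipaddress.ip_address(bind_addr)
    return addr.is_unspecified or addr.is_global


@dataclass
class Host:
    """Hypothetical inventory record; field names are this example's own."""
    name: str
    version: str
    bind_addr: str
    port: int


def triage(hosts):
    """Return (hostname, action) pairs; the action text is this example's own wording."""
    findings = []
    for h in hosts:
        affected = is_affected(h.version)
        exposed = is_publicly_exposed(h.bind_addr, h.port)
        if affected and exposed:
            action = "PATCH NOW: affected version with NameServer reachable from the internet"
        elif affected:
            action = "patch: affected version, listener not internet-facing"
        elif exposed:
            action = "review: patched, but NameServer exposed to the internet"
        else:
            action = "ok"
        findings.append((h.name, action))
    return findings


# Constructed sample inventory; addresses and hostnames are placeholders.
SAMPLE_HOSTS = [
    Host("mq-01", "5.1.0", "0.0.0.0", NAMESERVER_PORT),   # affected, wildcard bind
    Host("mq-02", "5.1.1", "10.0.0.5", NAMESERVER_PORT),  # patched, private address
    Host("mq-03", "4.9.4", "127.0.0.1", NAMESERVER_PORT), # affected, loopback only
    Host("mq-04", "5.1.1", "1.2.3.4", NAMESERVER_PORT),   # patched, public address
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_HOSTS):
        print(f"{name}: {action}")
```

The output orders nothing by itself; feeding the findings into a ticketing system or sorting on the action prefix is left to the surrounding tooling. The version parser deliberately ignores suffixes such as "-SNAPSHOT", so a pre-release build of a fixed version is judged by its numeric part only.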
The researcher found “a variety of malicious payloads” while scanning possibly vulnerable systems, indicating that several threat actors are making use of the flaw. Some of the executables dropped after abusing RocketMQ exhibit strange behavior but are not currently flagged as malicious.