A critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, has been exposed, revealing an active exploitation scenario by the notorious Kinsing malware.
According to an advisory published by Trend Micro on Monday, the discovery underscores the implications for Linux systems, as the vulnerability allows for remote code execution (RCE) due to inadequate validation of throwable class types in OpenWire commands.
Apache ActiveMQ, a Java-based open source protocol, is widely used for message-oriented middleware, facilitating seamless communication between diverse applications.
Kinsing, a potent threat specifically targeting Linux-based systems, capitalizes on web application vulnerabilities and misconfigured container environments to infiltrate servers and swiftly propagate across networks.
Reports of active exploitation of CVE-2023-46604 surfaced in November, with threat actors employing exploits such as Metasploit and Nuclei. Despite the severity of the vulnerability (CVSS 9.8), detection remains relatively low.
“The danger with this CVE is that Apache ActiveMQ is widely used, and because it can communicate across multiple protocols (such as MQTT), it is also widely used in non-IT environments to interface to IoT/OT/ICS devices,” explained John Gallagher, vice president of Viakoo Labs at Viakoo.
“Many IoT devices have powerful processing capabilities and lack patching policies, making [crypto]mining an ideal activity for them.”
The Kinsing exploit utilizes the ProcessBuilder method, leading to the download and execution of cryptocurrency miners and malware on compromised systems. Notably, the malware actively seeks and eliminates competing cryptocurrency miners.
The threat actors orchestrating Kinsing exploit not only CVE-2023-46604 but also other high-profile vulnerabilities like CVE-2023-4911 (Looney Tunables).
Trend Micro urged users to promptly upgrade to mitigate the risks associated with this vulnerability. The patch for CVE-2023-46604 addresses the root cause by introducing the “validateIsThrowable” method in the “BaseDataStreamMarshall” class.
“To guard against this [threat], organizations should prioritize patching and remediation, especially for all external-facing exposure and those with higher-value assets,” said Ken Dunham, director of cyber threat at Qualys.
“Additionally, precautions such as extensive monitoring and logging reviews with workarounds where they apply are recommended to counter known TTPs for brute-force and known attacks until the risk of exploitation is fully remediated.”