逸耘居

Gabriel Botta

September 8, 2023
US cybersecurity agency warns of critical vulnerability in Apache RocketMQ

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in Apache’s RocketMQ distributed messaging and streaming platform. Tracked as CVE-2023-33246, this vulnerability allows threat actors to exploit RocketMQ installations and deploy various payloads, including a Monero cryptocurrency miner. The issue can be exploited without authentication and has been leveraged by the operators of the DreamBus botnet since at least June.

CISA is advising federal agencies to update their Apache RocketMQ installations to a safe version or discontinue the use of the product if mitigation is not possible. The vulnerability stems from a design flaw that allows attackers to execute commands as system users of RocketMQ by utilizing the update configuration function or forging the RocketMQ protocol content.

To further understand the impact of this vulnerability, a researcher at vulnerability intelligence platform VulnCheck, Jacob Baines, conducted a scan and found approximately 4,500 systems with exposed RocketMQ Nameservers. While many of these systems could potentially be honeypots set up by researchers, Baines also discovered various malicious payloads, suggesting the involvement of multiple threat actors.

Although some of the executables dropped after exploiting RocketMQ display suspicious behavior, they are currently not detected as malicious by the antivirus engines on the VirusTotal scanning platform. Baines highlights that while only one adversary has been publicly associated with CVE-2023-33246, at least five actors are exploiting the vulnerability.

Users are strongly advised to update their RocketMQ installations to the latest version, as an update addressing this critical vulnerability is available.

Sources: CISA, NIST, Jacob Baines

Definitions:

  • CVE-2023-33246: Common Vulnerabilities and Exposures (CVE) identifier for the critical vulnerability found in Apache RocketMQ
  • Apache RocketMQ: A distributed messaging and streaming platform
  • Exploit: Taking advantage of a vulnerability or flaw in software to gain unauthorized access or perform malicious actions
  • Payload: A malicious software or code that is delivered or executed after exploiting a vulnerability
  • Cryptocurrency miner: A program that utilizes computational resources to mine cryptocurrencies such as Monero
  • Honeypot: A decoy system or network designed to attract and trap potential attackers

