RocketMQ Versions 5.1.0 and Below Vulnerable to Remote Command Execution
CVE-2023-33246

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Apache RocketMQ
Vendor
CVE Published:
24 May 2023

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 97%🦅 CISA Reported📰 News Worthy

Summary

CVE-2023-33246 is a critical vulnerability impacting Apache RocketMQ versions 5.1.0 and below, allowing remote command execution under certain conditions. This vulnerability is being exploited by the Muhstik DDoS botnet to infect servers and expand its scale. The flaw affects components like NameServer, Broker, and Controller, all of which are exposed to the extranet and lack permission verification, enabling attackers to execute arbitrary commands in the system. Exploitation of the vulnerability involves using the update configuration function or forging the RocketMQ protocol content. Once abused, attackers proceed to execute a shell script, resulting in the installation of the Muhstik malware. With over 5,000 vulnerable instances of Apache RocketMQ still exposed to the internet, it is crucial for organizations to upgrade to the latest version and safeguard their systems from potential threats.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Apache RocketMQ 0 <= 5.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-33246
Created by SuperZero

CVE-2023-33246_RocketMQ_RCE_EXPLOIT
Created by Malayke

CVE-2023-33246
Created by Le1a

News Articles

favicon imageSC Media

Apache RocketMQ targeted for more extensive Muhstik botnet attacks

Vulnerable Apache RocketMQ instances impacted by the critical remote code execution bug, tracked as CVE-2023-33246, are being targeted by the Muhstik botnet to facilitate more expansive distributed denial-of-service and cryptocurrency mining intrusions, reports The Hacker News.

8 months ago

favicon imageGBHackers on Security

Muhstik Malware Attacking Apache RocketMQ To Execute Remote Code

Apache RocketMQ platform is a widely used messaging system that handles high volumes of data and critical operations which often attracts

8 months ago

favicon imageThe Hacker News

Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

Muhstik DDoS botnet is exploiting a critical vulnerability (CVE-2023-33246) in Apache RocketMQ to infect servers.

8 months ago

References

https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03...
vendor-advisory
http://packetstormsecurity.com/files/173339/Apache-Rocket...
http://www.openwall.com/lists/oss-security/2023/07/12/1

EPSS Score

97% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 💰

    Used in Ransomware

  • 🟡

    Public PoC available

  • 🦅

    CISA Reported

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

[email protected]
.