Thousands of Openfire XMPP servers are unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a new report from VulnCheck.
Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability is a path traversal flaw in Openfire’s administrative console that could permit an unauthenticated attacker to access otherwise restricted pages reserved for privileged users.
It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0.
As a result, a threat actor could abuse this weakness to bypass authentication requirements for admin console pages. The vulnerability has since come under active exploitation in the wild, including by attackers associated with the Kinsing (aka Money Libra) crypto botnet malware.
A Shodan scan conducted by the cybersecurity firm reveals that of more than 6,300 Openfire servers accessible over the internet, roughly 50% of them are running affected versions of the open-source XMPP solution.
While public exploits have leveraged the vulnerability to create an administrative user, log in, and then upload a plugin to achieve code execution, VulnCheck said it’s possible to do so without having to create an admin account, making it more stealthy and appealing for threat actors.
The improved, less noisy method devised by VulnCheck instead takes a user-less approach: it extracts the JSESSIONID and CSRF token by accessing a page called ‘plugin-admin.jsp’ and then uploads the JAR plugin via a POST request.
The only tell-tale signs that something malicious is afoot are the entries captured in the openfire.log file, which an adversary could also delete by abusing CVE-2023-32315, the company said.
With the vulnerability already being exploited in real-world attacks, it’s recommended that users move quickly to update to the latest versions to secure against potential threats.
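Because the fixed releases sit on three separate minor branches, deciding whether a given Openfire install is still exposed is slightly more than a single comparison. The script below is an added example for triaging an inventory against the version facts stated in this article (affected from 3.10.0, fixed in 4.6.8, 4.7.5 and 4.8.0); it is not code from VulnCheck, Ignite Realtime or the article. The inventory lines and the assumption that version strings follow a major.minor.patch form are constructed for the example.

```python
"""Triage Openfire version strings against the range affected by CVE-2023-32315.

Added example, not the article's or the vendor's code. The only facts used are
the ones reported above: every release since 3.10.0 is affected, and the fixes
shipped in 4.6.8, 4.7.5 and 4.8.0. Anything else is a constructed assumption.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 10, 0)
# Fix releases as reported; each one closes its own major.minor branch.
FIXED_RELEASES: List[Version] = [(4, 6, 8), (4, 7, 5), (4, 8, 0)]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' (optional leading 'v', trailing suffix ignored)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside the reported affected range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False                      # predates the flaw
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:            # same branch as a fix release
            return v < fixed              # exposed only below the fix
    # No fix release on this branch (e.g. 4.5.x): exposed unless the
    # branch is newer than the newest fix (e.g. 4.9.x).
    return v < FIXED_RELEASES[-1]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose reported version is still affected."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed inventory of host -> reported Openfire version (not real hosts).
SAMPLE_INVENTORY = [
    ("xmpp-01.example.test", "4.7.4"),
    ("xmpp-02.example.test", "4.7.5"),
    ("xmpp-03.example.test", "v4.6.7"),
    ("xmpp-04.example.test", "4.5.1"),
    ("xmpp-05.example.test", "3.9.3"),
    ("xmpp-06.example.test", "4.8.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to 4.6.8 / 4.7.5 / 4.8.0 or later")
```

The branch-aware check matters because a host on 4.6.9 is patched while a host on 4.7.3 is not, even though 4.7.3 is the numerically higher version; a naive "is it below 4.8.0" test would flag the former and the latter alike.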
Source: https://thehackernews.com/