Hackers target Apache RocketMQ servers vulnerable to RCE attacks

Security researchers are detecting hundreds of IP addresses on a daily basis that scan or attempt to exploit Apache RocketMQ services vulnerable to a remote command execution flaw identified as CVE-2023-33246 and CVE-2023-37582.

Both vulnerabilities have a critical severity score and refer to an issue that remained active after the vendor's initial patch in May 2023.

Initially, the security issue was tracked as CVE-2023-33246 and impacted multiple components, including NameServer, Broker, and Controller.

Apache released a fix that was incomplete for the NameServer component in RocketMQ and continued to affect versions 5.1 and older of the distributed messaging and streaming platform.

"The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1," reads a warning from Rongtong Jin, a member of the Apache RocketMQ Project Management Committee.

On vulnerable systems, attackers can leverage the vulnerability to execute commands by using the update configuration function on the NameServer when its address is exposed online without proper permission checks.

"When NameServer addresses are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as," the researcher, who is also a research and development engineer at Alibaba, explains. 

The issue is now referred to as CVE-2023-37582 and it is recommended to upgrade the NameServer to version 5.1.2/4.9.7 or above for RocketMQ 5.x/4.x to avoid attacks exploiting the vulnerability.

Threat tracking platform The ShadowServer Foundation has logged hundreds of hosts scanning for RocketMQ systems exposed online, some of them attempting to exploit the two vulnerabilities.

The organization notes that the attacks it tracks "may include exploitation attempts for CVE-2023-33246 and CVE-2023-37582."

ShadowServer says that the activity it observes may be part of reconnaissance attempts from potential attackers, exploitation efforts, or even researchers scanning for exposed endpoints.

Hackers started targeting vulnerable Apache RocketMQ systems since at least August 2023, when a new version of the DreamBus botnet was observed leveraging an CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.

In September 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to patch the flaw by the end of the month, warning about its active exploitation status.