Over 3,000 Openfire Servers Vulnerable to Takeover Attacks

Cyber Security Threat Summary:
“Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue that affected versions from 3.10.0, released in April 2015, up until that point. Openfire developers released security updates in versions 4.6.8, 4.7.5, and 4.8.0 to address the issue. Still, in June, it was reported [1, 2] that the flaw was actively exploited to create admin users and upload malicious plugins on unpatched servers. As highlighted in a report by VulnCheck vulnerability researcher Jacob Baines, the OpenFire community has not rushed to apply the security updates, with over 3,000 servers remaining vulnerable. To make matters worse, Baines says there's a way to exploit the flaw and upload plugins without creating an admin account, making it far more inviting and less noisy for cybercriminals” (Bleeping Computer, 2023).

Security Officer Comments:
In the exploitation seen so far, attackers use the path traversal to create an admin account and then use that account to upload a malicious Java JAR plugin that opens a reverse shell or executes commands on the compromised server. VulnCheck analysts have since shown that the account-creation step is unnecessary: by reaching plugin-admin.jsp directly through the path traversal, an attacker can obtain a session ID and CSRF token and then upload the JAR plugin with a POST request. The plugin is accepted without authentication, and the resulting webshell is reached through the same path traversal. Because no admin account is ever created, this variant leaves no trace of the intrusion in Openfire's security logs, so defenders who rely on those logs alone will not see it. The requests themselves still reach the admin console (port 9090/9091 by default), so web server or reverse proxy access logs for that interface are the place to look for the traversal sequences and plugin uploads.

The flaw is already being exploited in the wild, including by the Kinsing crypto-mining botnet. A new wave of attacks is likely now that VulnCheck's proof of concept is stealthier and does not require creating an admin account.
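Since the admin-account-free variant does not show up in Openfire's own security logs, the practical detection point is the access log of the admin console. The following is an added example (not code from Openfire, VulnCheck, or the article) that normalises request paths from Apache-style combined log lines and flags the two patterns described above: a '..' traversal segment that resolves to an admin-console JSP, and a POST plugin upload to plugin-admin.jsp. The log lines are constructed for the demonstration, the field names are the author's own, and the decoding of the non-standard %uXXXX form is included on the assumption that the servlet container in front of the console may accept it.

```python
"""Flag CVE-2023-32315-style requests in Openfire admin-console access logs.

Added example, not code from Openfire, VulnCheck or the article. Assumes
Apache/combined-format access log lines for the admin console (e.g. from a
reverse proxy in front of port 9090); finding field names are the author's own.
"""
import re
from urllib.parse import unquote

# Constructed sample lines for demonstration only; not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Aug/2023:10:01:09 +0000] "GET /a/b/..%2F..%2Fplugin-admin.jsp HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [20/Aug/2023:10:01:15 +0000] "POST /a/b/%u002e%u002e/%u002e%u002e/plugin-admin.jsp HTTP/1.1" 200 330 "-" "python-requests/2.31"
10.0.0.12 - - [20/Aug/2023:10:02:00 +0000] "GET /plugin-admin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - - [20/Aug/2023:10:02:30 +0000] "POST /plugin-admin.jsp HTTP/1.1" 200 330 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Aug/2023:10:03:00 +0000] "GET /a/..;/plugin-admin.jsp HTTP/1.1" 200 5120 "-" "curl/8.1"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path so '..' segments are visible.

    Repeatedly percent-decodes (undoing double encoding), expands the
    non-standard %uXXXX form (assumed to be accepted by the container),
    strips ';param' path parameters from each segment, and unifies slashes.
    """
    path = target.split('?', 1)[0]
    for _ in range(3):  # bounded loop: stop once decoding reaches a fixed point
        decoded = re.sub(r'%u([0-9a-fA-F]{4})',
                         lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    segments = [s.split(';', 1)[0] for s in re.split(r'[\\/]+', path)]
    return '/'.join(segments)


def analyze(log_text: str) -> list[dict]:
    """Return one finding dict per suspicious request line (in log order)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        norm = normalize_path(m['target'])
        segments = norm.split('/')
        reasons, severity = [], None
        if '..' in segments:
            # Traversal that lands on an admin-console JSP is the CVE-2023-32315
            # pattern; traversal elsewhere is still worth a look.
            reasons.append('path traversal in request URI')
            severity = 'high' if segments[-1].endswith('.jsp') else 'medium'
        if m['method'] == 'POST' and segments[-1] == 'plugin-admin.jsp':
            # A plugin upload is legitimate for a logged-in admin, so on its own
            # it is medium; combined with traversal it is the unauthenticated path.
            reasons.append('plugin upload via POST to plugin-admin.jsp')
            severity = severity or 'medium'
        if reasons:
            findings.append({
                'line': lineno, 'client': m['client'], 'method': m['method'],
                'path': norm, 'status': int(m['status']),
                'severity': severity, 'reason': '; '.join(reasons),
            })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['severity']:<6} {f['client']:<13} "
              f"{f['method']} {f['path']} -> {f['status']}: {f['reason']}")
```

A 200 status on a traversal hit is the strongest signal, since it means the bypass reached the console page rather than being rejected; the status is carried in each finding so it can be used for prioritisation. Plugin uploads by known admin sources (line 5 in the sample) are expected to appear as medium-severity noise and should be reconciled against change records rather than suppressed outright.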

Suggested Correction(s):
A Shodan scan found 6,324 internet-facing Openfire servers, about half of which are still vulnerable to CVE-2023-32315. Given that the flaw is being actively exploited, administrators should upgrade to Openfire 4.6.8, 4.7.5, or 4.8.0 (or later) as soon as possible, and should not expose the admin console to the internet where it does not need to be. Any server that was reachable while unpatched should also be reviewed for admin accounts and installed plugins that nobody recognises, since both are the artifacts left by the exploitation observed to date.