Openfire servers still vulnerable to system takeover attacks
Take action: If you are operating an Openfire server, plan for immediate patching. Keep in mind that the server enables many users to communicate, so malware at the conversation hub will expose a lot of people to a lot of exploits.
Learn More
Openfire, a widely adopted Java-based open-source chat (XMPP) server application, is exposed to a critical vulnerability tracked as CVE-2023-32315 (CVSS3 score 7.5). The security flaw came to light on May 23, 2023, and affects versions since 3.10.0, which was released in April 2015.
The vulnerability is already being actively exploited. It is a path traversal flaw that permits unauthorized individuals to establish new administrative accounts and then upload malicious plugins. Newer exploit techniques, however, use the vulnerability to upload plugins without needing to create an admin account:
- The existing public exploits for CVE-2023-32315 necessitate the creation of an admin user, enabling attackers to upload harmful Java JAR plugins that can initiate reverse shells or execute commands on compromised servers. However, these known methods tend to be very visible, allowing defenders to detect breaches through audit logs.
- Security researchers have detected an alternate and subtler technique for exploiting the vulnerability. Their Proof of Concept (PoC) demonstrates a process for extracting the JSESSIONID and CSRF token by directly accessing 'plugin-admin.jsp'. Subsequently, the JAR plugin can be uploaded via a POST request and installed on the vulnerable server, granting access to its webshell without requiring admin account credentials.
- Unlike the previously established methods, this attack approach does not leave discernible traces in the security logs, rendering it considerably more stealthy and minimizing detection opportunities for defenders. Given that CVE-2023-32315 is already being actively exploited, including by a botnet malware, this new PoC will escalate the exploitation.
To address this vulnerability, the developers of Openfire released security updates within versions 4.6.8, 4.7.5, and 4.8.0. However, a quick search on Shodan reveals 6,324 internet-facing Openfire servers. Half of these servers (3,162) have not been updated, leaving them susceptible to CVE-2023-32315 due to their use of outdated software versions. Additionally, only 20% of servers have applied patches, while 25% continue to operate versions preceding 3.10.0, the version in which the vulnerability was initially introduced. An additional 5% of servers utilize derivatives of the open-source project, which may or may not be impacted.