Vulnerable Openfire Servers: A Threat to Over 3,000 Instances

Thousands of Openfire servers remain exposed to takeover through CVE-2023-32315, an actively exploited path traversal vulnerability in the admin console that lets unauthenticated attackers create new administrator accounts.

Openfire is a widely used Java-based open-source chat (XMPP) server with around 9 million downloads, which makes it an attractive target. The flaw was disclosed on May 23, 2023; every release since version 3.10.0, published in April 2015, carries the authentication bypass.

The Openfire developers fixed the vulnerability in versions 4.6.8, 4.7.5, and 4.8.0. In June, however, reports [1, 2] surfaced of active exploitation against servers that had not been patched, with attackers creating admin users and quietly installing malicious plugins.

Jacob Baines, a vulnerability researcher at VulnCheck, reports that the Openfire community has been slow to apply these updates: more than 3,000 servers remain vulnerable.

Baines also notes that the vulnerability can be exploited to upload plugins without creating an admin account at all. That variant generates far less noise and draws less attention, which makes it correspondingly more attractive to attackers.

Scans on Shodan, a search engine for internet-connected devices, found 6,324 publicly reachable Openfire servers. Half of them (3,162) run outdated versions that are still vulnerable to CVE-2023-32315.

Only 20% of the servers have been patched, while 25% run versions older than 3.10.0, which predate the vulnerability. A further 5% run customized variants of the open-source project whose vulnerability status cannot be determined from the version they report.
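The breakdown above is a per-branch version check rather than a single threshold, because the fix was backported to the 4.6 and 4.7 branches instead of shipping only in 4.8.0. The script below is an added example, not VulnCheck's tooling or Openfire project code: it classifies version strings the way that breakdown does. The banner strings it runs on are constructed, and it assumes a banner exposes a plain major.minor.patch version; customized builds that do not are reported as unknown.

```python
import re
from collections import Counter

# Affected and fixed releases as stated in the advisory: the flaw arrived in
# 3.10.0 and was fixed in 4.6.8, 4.7.5 and 4.8.0, each branch separately.
FIRST_AFFECTED = (3, 10, 0)
FIRST_FIXED_IN_BRANCH = {(4, 6): 8, (4, 7): 5}   # branch -> first fixed patch level
FIRST_FIXED_LINE = (4, 8, 0)                     # everything from 4.8.0 on is fixed

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed banner strings standing in for scan results; not real hosts.
SAMPLE_BANNERS = [
    "Openfire 4.7.4", "Openfire 4.7.5", "Openfire 4.6.7", "Openfire 4.6.8",
    "Openfire 4.8.1", "Openfire 3.9.3", "Openfire 3.10.2", "Openfire 4.5.0",
    "Acme Chat Server build 2021",   # customized build with no usable version
]


def parse_version(banner):
    """Pull a (major, minor, patch) triple out of a banner or version string.

    Returns None when no such triple is present, e.g. a customized build
    that reports something else; the caller treats that as 'unknown'."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(banner):
    """Classify one server as vulnerable, patched, pre-3.10.0 or unknown."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v < FIRST_AFFECTED:
        return "pre-3.10.0"          # older than the flaw itself
    if v >= FIRST_FIXED_LINE:
        return "patched"             # 4.8.0 and everything after it
    fixed_patch = FIRST_FIXED_IN_BRANCH.get(v[:2])
    if fixed_patch is not None and v[2] >= fixed_patch:
        return "patched"             # 4.6.8+, 4.7.5+ (backported fixes)
    return "vulnerable"              # 3.10.0 up to the fixed releases


def summarise(banners):
    """Count servers per status; 'vulnerable' excludes pre-3.10.0 hosts."""
    return dict(Counter(classify(b) for b in banners))


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:32} {classify(b)}")
    print(summarise(SAMPLE_BANNERS))
```

A version check only answers whether a server is still exposed. A server patched after the June exploitation began may already carry an attacker's plugin, so the plugins directory of any previously exposed instance is worth inspecting as well.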

The absolute numbers are not enormous, but these servers sit at the center of communication networks and handle sensitive, confidential traffic, so each compromise carries real weight.

The public exploits for CVE-2023-32315 currently work by creating an admin account, which the attacker then uses to install a malicious Java JAR plugin that provides a reverse shell or command execution on the compromised server.

One example is the Kinsing crypto-miner botnet, whose operators exploit the vulnerability to plant a custom Openfire plugin that opens a reverse shell from the vulnerable server.

Creating admin accounts is noisy, however: the new account shows up in the audit logs. A subtler approach has now emerged that avoids creating any account at all.

In a proof-of-concept (PoC), VulnCheck's analysts show that the path traversal can be used to reach ‘plugin-admin.jsp’ without authenticating, extract a JSESSIONID and CSRF token from it, and then upload a JAR plugin in a POST request. The server accepts and installs the plugin, and its webshell becomes reachable without any admin credentials.

Because no account is created, this method leaves no trace in the security logs, making it a far quieter alternative to the public exploits.
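Even though the quieter route leaves no audit-log entry for a new account, the HTTP requests it relies on (a traversal-bearing path that lands on plugin-admin.jsp, and a plugin upload from a client that never logged in) are still visible at the web layer. The detector below is an added example, not code from VulnCheck or the Openfire project. It runs over constructed access-log lines in combined log format and assumes a deployment where the admin console's requests are access-logged, for instance by a reverse proxy in front of it. The traversal paths in the sample are illustrative placeholders, not the published exploit URI; the page names login.jsp, plugin-admin.jsp and user-create.jsp, the uploadplugin action, and the "302 after POST /login.jsp means successful login" convention are assumptions about the Openfire admin console made for this example.

```python
import re
from urllib.parse import unquote

# One combined-log-format line: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not from a real server). The traversal paths are
# illustrative placeholders, not the published exploit URI. Page names and the
# uploadplugin action are assumptions about the admin console for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 3120
10.0.0.5 - - [19/Aug/2023:10:01:09 +0000] "POST /login.jsp HTTP/1.1" 302 0
10.0.0.5 - - [19/Aug/2023:10:02:41 +0000] "GET /plugin-admin.jsp HTTP/1.1" 200 9812
203.0.113.7 - - [19/Aug/2023:10:15:03 +0000] "GET /foo/%2e%2e/plugin-admin.jsp HTTP/1.1" 200 9812
203.0.113.7 - - [19/Aug/2023:10:15:04 +0000] "POST /foo/%u002e%u002e/plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0
10.0.0.5 - - [19/Aug/2023:10:20:17 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0
198.51.100.9 - - [19/Aug/2023:10:31:55 +0000] "POST /user-create.jsp HTTP/1.1" 302 0
10.0.0.5 - - [19/Aug/2023:10:32:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4411
"""


def decode_path(raw_path):
    """Normalise a request path the way a lenient container might.

    Non-standard %uXXXX escapes are turned into characters first (assumption:
    some servlet containers accept them), then standard percent-decoding is
    applied twice so double-encoded traversal is caught too."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), raw_path)
    for _ in range(2):
        s = unquote(s)
    return s


def inspect_request(method, raw_uri):
    """Return the suspicious traits of one request; empty list if none."""
    findings = []
    raw_path, _, _query = raw_uri.partition("?")
    segments = decode_path(raw_path).split("/")
    if ".." in segments:
        findings.append("path-traversal")
    page = segments[-1]
    if method == "POST" and page == "plugin-admin.jsp":
        findings.append("plugin-upload")
    if method == "POST" and page == "user-create.jsp":
        findings.append("account-creation")
    return findings


def scan(log_text):
    """Walk the log in order, remembering which clients logged in, and return
    (ip, method, uri, findings) for every request worth a look. A plugin
    upload or account creation from a client with no earlier successful login
    (assumed: POST /login.jsp answered with 302) is also tagged no-prior-login."""
    logged_in = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if method == "POST" and uri.partition("?")[0] == "/login.jsp" and status == 302:
            logged_in.add(ip)
            continue
        findings = inspect_request(method, uri)
        if ip not in logged_in and any(f in findings for f in ("plugin-upload", "account-creation")):
            findings.append("no-prior-login")
        if findings:
            alerts.append((ip, method, uri, findings))
    return alerts


if __name__ == "__main__":
    for ip, method, uri, findings in scan(SAMPLE_LOG):
        print(f"{ip:15} {method:4} {uri:55} {', '.join(findings)}")
```

The plugin upload from 10.0.0.5 is reported too, because a legitimate administrator installing a plugin looks the same at the HTTP layer; the no-prior-login tag is what separates the unauthenticated case from routine administration, and the path-traversal tag fires whether or not the request ever reaches a sensitive page.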

With CVE-2023-32315 already under active exploitation and built into botnet malware, the PoC developed by VulnCheck could trigger a further, harder-to-detect wave of attacks.

Administrators running Openfire servers that have not yet been upgraded to a patched release should do so without delay, and should check any server that was exposed for plugins or admin accounts they did not create themselves.