A report by VulnCheck highlights a high-severity security flaw in thousands of Openfire XMPP servers. The flaw allows unauthorized users to create admin accounts and gain access to restricted areas of the admin console, potentially leading to remote code execution [1]. It has been actively exploited for over two months [4] by threat actors, including those associated with the Kinsing crypto botnet malware [5]. Despite available security updates, a significant number of internet-facing Openfire servers remain unpatched and therefore vulnerable [2].

Description

According to VulnCheck’s report, the security flaw in Openfire XMPP servers stems from a lack of protection against non-standard URL encoding of UTF-16 characters in the embedded web server. This flaw enables unauthorized users to create new admin accounts and gain access to restricted areas within the admin console. The severity of this vulnerability is heightened by the potential for remote code execution.

The report reveals that the flaw has been actively exploited for over two months by threat actors, including those associated with the Kinsing crypto botnet malware [5]. Despite the availability of security updates, approximately 50% of the 6,300 internet-facing Openfire servers have not been patched; Shodan scans confirm that 50% of internet-facing Openfire servers remain vulnerable [3]. Only 20% of users have applied the necessary patches, while 25% are using an older version that introduced the vulnerability [3]. Another 5% are running forks of the open-source project that may or may not be affected [3].

In addition to the existing public exploits that create admin accounts, a newly discovered exploit path allows attackers to upload malicious plugins without detection [4]. This stealthier method bypasses authentication by extracting the necessary tokens and uploading a JAR plugin, leaving no evidence in the security audit log [5].

Ignite Realtime released a patch for this flaw in May 2023, but many server administrators have yet to upgrade to the latest versions. Openfire server administrators should update their systems promptly to mitigate the risk and protect sensitive data. The vulnerability affects all versions of Openfire from 3.10.0 to 4.7.5 and 4.6.8 [2]. Exploits targeting it have been observed in the wild, and exploitation is expected to continue [2]. The only indication of malicious activity is found in the Openfire system's captured logs [1].
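Because the flaw hinges on non-standard %uXXXX (UTF-16) escapes that a standards-compliant URL decoder leaves untouched, and because the page notes that the server's logs are the only place the activity shows up, the following added example (not from the page or the Openfire project) scans constructed access-log lines and flags requests whose path only becomes a directory traversal once those escapes are expanded. The log format, IP addresses and request paths are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Non-standard escape for a single UTF-16 code unit, e.g. %u002e for '.'.
UTF16_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# Request line inside a Common Log Format entry: "METHOD PATH HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_utf16_escapes(path: str) -> str:
    """Expand %uXXXX escapes the way a lenient server would, then apply
    ordinary percent-decoding. Surrogate pairs are deliberately not
    combined: one expanded code unit is enough to expose '..'."""
    expanded = UTF16_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(expanded)


def analyse_request(path: str) -> dict:
    """Describe one request path: does it carry UTF-16 escapes, and does
    the fully decoded path contain a '..' segment (traversal)?"""
    decoded = decode_utf16_escapes(path)
    segments = decoded.split("?", 1)[0].split("/")
    has_utf16 = bool(UTF16_ESCAPE.search(path))
    traversal = ".." in segments
    return {
        "path": path,
        "decoded": decoded,
        "utf16_escape": has_utf16,
        "traversal_after_decoding": traversal,
        # Standard %2e%2e is normalised by compliant servers; the bypass
        # described in the article needs the non-standard encoding.
        "suspicious": has_utf16 and traversal,
    }


def scan_log(lines):
    """Return the analysis of every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            result = analyse_request(m.group("path"))
            if result["suspicious"]:
                hits.append(result)
    return hits


# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Aug/2023:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 1532',
    '203.0.113.5 - - [24/Aug/2023:10:00:02 +0000] "GET /static/%u002e%u002e/admin/index.jsp HTTP/1.1" 200 904',
    '198.51.100.9 - - [24/Aug/2023:10:00:03 +0000] "GET /images/%2e%2e/login.jsp HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['path']} -> {hit['decoded']}")
```

Only the second line is reported: the third carries a standard-encoded traversal that a compliant server normalises, whereas the second only resolves to `..` after the UTF-16 escapes are expanded.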

Conclusion

The high-severity security flaw in Openfire XMPP servers poses significant risks to organizations. The active exploitation of this vulnerability by threat actors, including those associated with the Kinsing crypto botnet malware [5], underscores the urgency of addressing the issue. Despite available security updates, a substantial number of internet-facing Openfire servers remain unpatched, leaving them vulnerable to unauthorized access and potential remote code execution.

To mitigate the risk and protect sensitive data, it is crucial for Openfire server administrators to promptly update their systems with the necessary patches. Ignite Realtime has released a patch for this flaw, but many administrators have yet to upgrade to the latest versions. The vulnerability affects a wide range of Openfire versions, and exploits targeting it have been observed in the wild [2]. It is expected that exploitation will continue in the future [2].

In conclusion, addressing this security flaw is of utmost importance to ensure the security and integrity of Openfire XMPP servers.

References

[1] https://cyber.vumetric.com/security-news/2023/08/24/thousands-of-unpatched-openfire-xmpp-servers-still-exposed-to-high-severity-flaw/
[2] https://vulnera.com/newswire/unpatched-openfire-servers-at-risk-due-to-recently-discovered-vulnerability/
[3] https://www.redpacketsecurity.com/over-openfire-servers-vulnerable-to-takover-attacks/
[4] https://heimdalsecurity.com/blog/thousands-of-openfire-servers-at-risk-from-critical-cve/
[5] https://www.redpacketsecurity.com/thousands-of-unpatched-openfire-xmpp-servers-still-exposed-to-high-severity-flaw/