Over 3,000 Openfire servers are currently at risk due to a recently discovered high-severity flaw, known as CVE-2023-32315. These servers have not been updated with the necessary patches, leaving them vulnerable to attacks using a new exploit. Openfire, a real-time collaboration server that uses the XMPP protocol, is maintained by Ignite Realtime. It supports administration through a web interface.
The vulnerability was found in Openfire's administration console. It is a path traversal bug that allows unauthenticated attackers to access restricted pages in the admin console via the setup environment. The problem arises because the path traversal protections in Openfire did not guard against 'certain non-standard URL encoding for UTF-16 characters' that were not supported by the webserver. Support for these characters was added without updating the protections.
All versions of Openfire from 3.10.0, released in April 2015, up to but not including 4.7.5 and 4.6.8, the releases of May 2023 that patched the vulnerability, are affected. The vulnerability has been exploited in malicious attacks for more than two months. Threat actors have been observed creating new admin console user accounts and using them to install a new plugin containing a remote web shell, which allows them to execute arbitrary commands and access any data on the server.
Several public exploits targeting CVE-2023-32315 are already available, and they all follow the same pattern. However, a new exploit path that does not require creating the administrative user account has been discovered. Over 6,300 Openfire servers accessible from the internet have been identified, with roughly half of them being either patched against the vulnerability, running older versions that are not vulnerable, or forks that might not be affected.
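The article's affected-version boundaries (3.10.0 up to the 4.7.5 and 4.6.8 fixes) are easy to misjudge when triaging a fleet by hand, so here is an added example, not code from the article or from Ignite Realtime, that turns them into a version check a defender can run over an inventory. It assumes version strings of the usual `major.minor.patch` form and, as an assumption the article does not state, treats anything newer than the 4.7 branch as carrying the fix.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Boundaries taken from the article: first affected release and the two fix releases.
FIRST_AFFECTED: Version = (3, 10, 0)
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (4, 6): (4, 6, 8),  # 4.6 maintenance line fixed in 4.6.8
    (4, 7): (4, 7, 5),  # 4.7 line fixed in 4.7.5
}
NEWEST_FIX: Version = (4, 7, 5)


def parse_version(text: str) -> Optional[Version]:
    """Pull a major.minor.patch triple out of a banner or inventory string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected(text: str) -> Optional[bool]:
    """Return True if the version is in the affected range, False if not,
    and None when no version could be parsed (triage it manually)."""
    version = parse_version(text)
    if version is None:
        return None
    if version < FIRST_AFFECTED:
        return False  # pre-3.10.0 releases are not affected per the article
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Assumption (not stated in the article): every release newer than the
    # newest fix, e.g. a later 4.8.x, includes the patch.
    if version > NEWEST_FIX:
        return False
    # Everything else between 3.10.0 and the 4.6 line (4.0 .. 4.5) is affected.
    return True


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown' for a whole inventory."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(banner)] for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are made up.
    sample = {
        "xmpp-1.example.test": "Openfire 4.7.4",
        "xmpp-2.example.test": "Openfire 4.7.5",
        "xmpp-3.example.test": "Openfire 4.6.7",
        "xmpp-4.example.test": "Openfire 3.9.3",
        "xmpp-5.example.test": "fork-without-version",
    }
    for host, label in triage(sample).items():
        print(f"{host}: {label}")
```

Forks and heavily customised builds, which the article notes may or may not be affected, will often come back as `unknown` or carry a misleading upstream version; treat those as manual follow-ups rather than trusting the label.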
This leaves approximately 50% of the internet-facing Openfire servers using affected versions. The vulnerability allows an unauthenticated attacker to access the plugin administration endpoint. The attacker can upload the plugin directly and then access the web shell, also without authentication. This method keeps login attempts out of the security audit log and prevents the 'uploaded plugin' notification from being recorded. While the malicious activity might be visible in the openfire.log file, the attacker can use the path traversal to delete the log via the web shell, leaving the plugin itself as the only indicator of compromise.
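Because the exploit path described above bypasses the audit log and the attacker can delete openfire.log through the web shell, the web access log (ideally one written by a reverse proxy and shipped off the host) is the most durable place to look for the traversal out of the setup pages. The following is an added detection example, not code from the article or from the Openfire project. It assumes common-log-format lines, constructed here for the example, and assumes that the "non-standard URL encoding for UTF-16 characters" takes the `%uXXXX` form; the target page name in the sample lines is a placeholder, not a real admin console page.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Common log format: client - - [time] "METHOD /path HTTP/x.y" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Assumption: the non-standard encoding is the %uXXXX form (one UTF-16 code unit).
NONSTANDARD_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(raw: str) -> str:
    """Decode both %uXXXX and ordinary %XX escapes, the way a lenient server might."""
    step = NONSTANDARD_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(step)


def escapes_setup(raw_path: str) -> Tuple[bool, str]:
    """A request that starts under /setup/ but normalises to a path outside it
    is a traversal out of the setup environment. Returns (flagged, normalised)."""
    path_only = raw_path.split("?", 1)[0]
    if not path_only.startswith("/setup/"):
        return False, path_only
    decoded = decode_path(path_only)
    normalised = posixpath.normpath(decoded)
    return not normalised.startswith("/setup/"), normalised


def find_setup_traversals(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, raw_path, normalised_path) for each flagged request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real deployment would count these
        client, _method, raw_path, _status = match.groups()
        flagged, normalised = escapes_setup(raw_path)
        if flagged:
            hits.append((client, raw_path, normalised))
    return hits


# Constructed sample log lines; addresses are documentation ranges and the
# page name "some-admin-page.jsp" is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2023:10:00:00 +0000] "GET /setup/index.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2023:10:00:01 +0000] "GET /setup/%u002e%u002e/some-admin-page.jsp HTTP/1.1" 200 3211',
    '198.51.100.7 - - [01/Aug/2023:10:00:02 +0000] "GET /setup/..%2fsome-admin-page.jsp HTTP/1.1" 200 3211',
    '192.0.2.9 - - [01/Aug/2023:10:00:03 +0000] "GET /login.jsp HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for client, raw, norm in find_setup_traversals(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {norm}")
```

The check deliberately compares the raw prefix with the normalised result instead of matching a list of known encodings, so a variant encoding the server happens to accept is still caught as long as it resolves outside `/setup/`. Pair it with an inventory of the plugins directory, since the article identifies the uploaded plugin as the one indicator that survives log deletion.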
The vulnerability has already been exploited in the wild, likely even by a well-known botnet. With a significant number of vulnerable internet-facing systems, exploitation is expected to continue.