Skip to content

How to find Apache ActiveMQ instances

How to find Apache ActiveMQ® instances

On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that
could lead to unauthenticated remote code execution. Shortly after the issue was disclosed exploits started to appear and the Rapid7 MDR team posted a blog speculating that this vulnerability is being used to
deliver ransomware. The Apache ActiveMQ project scored this as CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H(10.0). 

What is Apache ActiveMQ®?

ApacheMQ® is an open source message broker written in Java that supports AMQP, MQTT, STOMP, and JMS clients. Apache ActiveMQ describes itself as “the most popular open source, multi-protocol, Java-based message broker. It supports industry standard protocols so users get the benefits of client choices across a broad range of languages and platforms.”. ActiveMQ is used for custom application development and is often embedded into commercial product stacks.

Are updates available?

The Apache ActiveMQ team has addressed this issue in versions 5.18.3, 5.17.6, 5.16.7, and 5.15.16, with the appropriate update dependent on which minor version is used.

How do I find potentially vulnerable versions of ActiveMQ with runZero?

Apache ActiveMQ services can be found by navigating to the Asset Inventory and using the following query:

port:61616 OR product:activemq OR protocol:activemq

Results from the above query should be triaged to determine if they require patching or vendor intervention.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.Learn more about runZero

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding Cisco IOS-XE devices with runZero

An actively exploited critical zero-day vulnerability has surfaced in the Cisco IOS-XE operating system, which is used on Cisco routers, switches, and other devices. Deemed “critical” in severity with a CVSS score of 10 out of 10, this vulnerability affects any device running Cisco IOS-XE with the Web UI component enabled.

What is the impact?

Upon successful exploitation, this vulnerability (tracked as CVE-2023-20198) can allow attackers to execute arbitrary commands on the vulnerable system. This includes the creation of privileged users, installation of additional modules or code, and, in general, total system compromise.

Are updates or workarounds available?

As of October 16th, 2023, software updates are not available. Cisco recommends disabling the Web UI component of all Internet-facing IOS-XE devices.

How do I find potentially vulnerable Cisco IOS-XE devices with runZero?

From the Services Inventory, use the following query to locate assets running the Cisco IOS-XE operating system in your network that expose a web interface and which may need remediation or mitigation:

(products:nginx OR products:openresty) AND _asset.protocol:http AND protocol:http AND http.body:"window.onload=function%url%=%/webui"

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding Confluence servers (yet, again) with runZero

An actively exploited zero-day has surfaced in popular wiki software Confluence. Deemed “critical” in severity with a CVSS score of 10 out of 10, this vulnerability affects most supported versions of Confluence Server and Confluence Data Center running 8.0.0 or later. Hosted instances within Atlassian Cloud and versions prior to 8.0.0 are reportedly protected from exploitation.

What is the impact?

Upon successful exploitation, this vulnerability (tracked as CVE-2023-22515) can provide privilege escalation to external attackers allowing them to exploit the system and create Confluence administrator accounts, allowing for unrestricted access to affected instances.

Are updates available?

Atlassian has made fixes available and strongly encourages admins to update their hosted instances. If patching in the near term isn’t viable, mitigation strategies to limit exploitation opportunities in addition to recommended steps to check for evidence of compromise are also provided. CISA has added this zero-day to its Known Exploited Vulnerabilities Catalog, advising organizations to check for evidence of compromise and reporting any positive findings back to CISA.

How do I find potentially vulnerable Confluence instances with runZero?

From the Service Inventory, use the following pre-built query to locate assets running Confluence within your network which may need remediation or mitigation:

product:confluence OR (_asset.protocol:http AND protocol:http AND has:http.head.xConfluenceRequestTime)

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find Exim mail servers on your network

On September 27th, Trend Micro’s Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account.
In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings: 

What is Exim Mail?

Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.

Are updates available?

Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities,
if you are running Exim mail servers on your network, you should apply the security patch immediately.

How do I find potentially vulnerable Exim mail servers with runZero?

A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.

With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.

product:exim

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find WS_FTP Server instances?

How to find WS_FTP Server instances? 

On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, which are often externally exposed.

The four most serious vulnerabilities in this set:

  • CVE-2023-40044 (CVSS 10.0). An exposure in the web interface that leads to remote code execution through a .NET deserialization vulnerability. This is the issue most likely to be mass-exploited due to the lack of authentication and likelyhood of this web interface being exposed to untrusted networks. Rapid7 noted that this appears to be exploitable with a single HTTP POST request using an existing pauload from the ysoserial.net project.
  • CVE-2023-42657 (CVSS 9.0). An exposure in the FTP/SCP (SSH) implementation that enables file operations outside of the WS_FTP data folder through a directory traversal vulnerability. This issue can allow an attacker to access, modify, and delete files on the server, which can expose data, but also allow remote code execution in some configurations.
  • CVE-2023-40046 (CVSS 8.2). An exposure in the web interface that allows for database access through a SQL injection vulnerability. It’s not clear if a valid user account is required to access this code path, but an attacker could use this to read and modify database contents, which in turn can lead to a full server compromise.
  • CVE-2023-40049 (CVSS 5.3). An exposure in the web interface that exposes file and directory lists within the WebServiceHost folder. Although this does not lead to remote code execution on it’s own, it may be an important exposure in that it will help attackers identify systems vulnerable to the more serious issues above.

What is Progress Software WS_FTP Server?

WS_FTP is a product that allows customers to easily share files between teams and organizations. Progress Software (formerly ipswitch) describes WS_FTP as:

WS_FTP Professional is the safest and easiest way to securely upload and download files. Enjoy SFTP transfers with the highest levels of encryption, ease of use, customization, and low administrative overhead.

Are updates available?

Progress Software has patched these issues in version 8.8.2.

How do I find potentially vulnerable versions of WS_FTP with runZero?

Assets with the WS_FTP FTP, SSH, and web services enabled can be found by navigating to the Service Inventory and using the following pre-built query:

product:ws_ftp OR (_asset.protocol:http AND (http.head.location:"/ThinClient/WTM/" OR html.title:="Web Transfer Client"))

To determine if the the instance has the WS_FTP Ad Hoc module installed, browse to https://[instance-host:port]/AHT/AHT_UI/public/index.html.

If the module is installed, this page will include an image like the one shown below:

If you are not using the Ad Hoc Transfer module, Progress Software has provided instructions for disabling it.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×