WinRAR and Openfire vulnerabilities exploited in the wild

According to the Cybersecurity and Infrastructure Security Agency (CISA), two new vulnerabilities have been added to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. These are Ignite Realtime Openfire Path Traversal Vulnerability (CVE-2023-32315) and RARLAB WinRAR Code Execution Vulnerability (CVE-2023-38831).

CISA warned “these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.”

WinRAR (CVE-2023-38831)

Hackers have been exploiting CVE-2023-38831 to install malware when a victim clicks on a seemingly harmless file within a ZIP archive, and consequently to breach online cryptocurrency trading accounts.

The actors have been actively exploiting the vulnerability from April to August this year to distribute various malware families, including DarkMe, GuLoader, and Remcos RAT.

According to a Bleeping Computer blog post, “researchers from Group-IB said they discovered the WinRAR zero-day being used to target cryptocurrency and stock trading forums, where the hackers pretended to be other enthusiasts sharing their trading strategies.”

NIST published more details on the WinRAR vulnerability CVE-2023-38831 on August 23, 2023:

“RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.”
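The NIST description above gives defenders a concrete, structural signature to look for: an archive in which a file entry and a folder entry carry the same name. The following script is an added example written for this article, not code from NIST, RARLAB or the original post. It reads only the ZIP central directory (nothing is extracted) and reports any such name collision, listing the folder's contents and flagging entries whose extension is in a constructed list of executable-type suffixes; both that suffix list and the sample archives built in memory are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Assumption for this example: suffixes a mail gateway or EDR would treat
# as executable content when found inside the colliding folder.
EXECUTABLE_SUFFIXES = {".exe", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_name_collisions(zip_bytes: bytes) -> list[dict]:
    """Return one finding per file entry that also exists as a folder name.

    This is the structural pattern described for CVE-2023-38831: a benign
    file (e.g. invoice.jpg) plus a folder named invoice.jpg whose contents
    are processed when the user opens the benign file. Only the central
    directory is read; no entry is ever extracted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # File entries are everything that is not an explicit directory entry.
    files = {n for n in names if not n.endswith("/")}

    # Folder names are every path prefix that has further components after
    # it, whether or not the archive carries an explicit "dir/" entry.
    folders: set[str] = set()
    for name in names:
        parts = name.split("/")
        for i in range(1, len(parts)):
            folders.add("/".join(parts[:i]))

    findings = []
    for file_name in sorted(files):
        if file_name not in folders:
            continue
        folder_entries = sorted(n for n in files if n.startswith(file_name + "/"))
        executable_entries = [
            n for n in folder_entries
            if posixpath.splitext(n)[1].lower() in EXECUTABLE_SUFFIXES
        ]
        findings.append({
            "file": file_name,
            "folder_entries": folder_entries,
            "executable_entries": executable_entries,
        })
    return findings


def build_suspicious_archive() -> bytes:
    """Constructed sample: a JPG next to a same-named folder holding a .cmd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("invoice.jpg/invoice.jpg.cmd", "@echo constructed sample\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample: an ordinary archive with no name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("notes/readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_clean_archive()),
                        ("suspicious", build_suspicious_archive())):
        hits = find_name_collisions(data)
        print(f"{label}: {len(hits)} collision(s)")
        for hit in hits:
            print(f"  file {hit['file']!r} collides with folder holding "
                  f"{hit['folder_entries']} (executable: {hit['executable_entries']})")
```

The check is cheap enough to run on every archive crossing a mail gateway or download proxy, and a collision is a strong signal on its own: legitimate archivers never produce a file and a folder with an identical name. Pair it with the fix the article names, updating WinRAR to 6.23 or later, rather than relying on either measure alone.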

Openfire (CVE-2023-32315)

The Ignite Realtime community posted an advisory on GitHub regarding Openfire Path Traversal Vulnerability (CVE-2023-32315) on May 23, 2023:

“Openfire’s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.”

This issue was fixed in Openfire versions 4.6.8, 4.7.5, and 4.8.0.

In July, Packet Storm published new details on a Metasploit module that uses this vulnerability “to create a new admin user that will be used to upload an Openfire management plugin weaponized with a java native payload that triggers remote code execution.”
