RocketMQ Arbitrary File Write Vulnerability – CVE-2023-37582

Vulnerable Version

Versions 5.1.1 and below

Fixed Version

Upgrade to the latest version

Base Score

9.8 Critical

Vendor Description:-

Apache RocketMQ is a distributed messaging and streaming platform developed by Alibaba and now maintained under the Apache Software Foundation. It is designed for high-performance, low-latency, and reliable message processing in large-scale applications.

CVE-2023-37582 Vulnerability Description:-

In RocketMQ versions 5.1.1 and below, an arbitrary file write vulnerability exists in the NameServer component, specifically in its configuration update functionality. By sending an UPDATE_NAMESRV_CONFIG command to the NameServer, an attacker can change the configStorePath configuration item and the content written to it, which results in an arbitrary file write.

This vulnerability arises from an incomplete fix for CVE-2023-33246. In addressing CVE-2023-33246, the maintainers introduced a blocklist of configuration items that must not be modified at runtime. However, the patch listed the item as configStorePathName when the key actually consulted by the NameServer is configStorePath, so the real key was never blocked.
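The root-cause paragraph above is easy to reproduce in miniature. The following is an added illustration, not RocketMQ's code: a blocklist filter with the misspelled entry (configStorePathName) passes a configStorePath change straight through, while the corrected entry rejects it. The block also shows two hardening choices a reviewer would want next to such a filter: an allowlist of keys declared mutable (so a typo fails closed instead of open) and a path-confinement check for any path-valued setting. The function names, the allowlist contents and the key name exampleTunable are hypothetical; the only real key names used are the ones the advisory cites.

```python
import os

# Blocklist as the CVE-2023-33246 patch effectively shipped it, per the
# advisory: the entry is misspelled, so "configStorePath" is never matched.
INCOMPLETE_BLOCKLIST = {"configStorePathName"}

# Corrected entry: the key the NameServer actually reads.
FIXED_BLOCKLIST = {"configStorePath"}

# Allowlist alternative: only keys explicitly declared mutable may change.
# The contents are hypothetical; a real deployment would enumerate its own.
MUTABLE_KEYS = {"exampleTunable"}


def filter_update_blocklist(requested, blocklist):
    """Split a requested config update into (accepted, rejected) using a blocklist.

    Any key not present in the blocklist is accepted, so a misspelled blocklist
    entry silently widens what a remote caller may change.
    """
    accepted, rejected = {}, []
    for key, value in requested.items():
        if key in blocklist:
            rejected.append(key)
        else:
            accepted[key] = value
    return accepted, rejected


def filter_update_allowlist(requested, allowlist):
    """Split a requested config update into (accepted, rejected) using an allowlist.

    Unknown keys are rejected by default, so a typo in the list can only make
    the filter stricter, never looser.
    """
    accepted = {k: v for k, v in requested.items() if k in allowlist}
    rejected = [k for k in requested if k not in allowlist]
    return accepted, rejected


def is_confined(path, base_dir):
    """True if `path`, after resolving symlinks and '..', stays under `base_dir`.

    A defence-in-depth check for path-valued settings such as configStorePath:
    even an accepted update must not point outside the configured directory.
    """
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


# Constructed sample update: the path from the advisory plus a hypothetical
# tunable, to show the filters distinguishing between them.
SAMPLE_REQUEST = {"configStorePath": "/tmp/pwned", "exampleTunable": "1"}
# Hypothetical directory the NameServer is allowed to write its config into.
CONFIG_BASE_DIR = "/opt/rocketmq-config"

if __name__ == "__main__":
    print("misspelled blocklist:", filter_update_blocklist(SAMPLE_REQUEST, INCOMPLETE_BLOCKLIST))
    print("fixed blocklist:     ", filter_update_blocklist(SAMPLE_REQUEST, FIXED_BLOCKLIST))
    print("allowlist:           ", filter_update_allowlist(SAMPLE_REQUEST, MUTABLE_KEYS))
    print("/tmp/pwned confined: ", is_confined(SAMPLE_REQUEST["configStorePath"], CONFIG_BASE_DIR))
```

The allowlist form is the one to prefer for a remotely reachable configuration endpoint: the blocklist bug here was not a logic error but a single wrong string, and an allowlist turns that class of mistake into a denied request rather than an arbitrary file write.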

Impact:-

Unauthorized Configuration Changes

  • The vulnerability allows an attacker to modify the NameServer configuration without authentication.
  • Example: Changing configStorePath to an arbitrary directory (/tmp/pwned) enables an attacker to control where RocketMQ stores its critical data.

Arbitrary File Write

  • Since NameServer parameters control file paths (configStorePath, kvConfigPath), an attacker can use this to write arbitrary files in privileged locations.

Escalation to Remote Code Execution (RCE)

  • If an attacker can also change other path-valued settings, the file write can be chained toward code execution, for example:
    • rocketmqHome → pointed at a malicious JAR file.
    • kvConfigPath → pointed at an attacker-controlled script that is later executed.

Denial of Service (DoS) Attack

  • Changing critical parameters (like listenPort) could disrupt the entire message queue system, affecting real-time data processing in production environments.

Mitigations:-

  • Update RocketMQ → Upgrade to the latest version (>5.1.1) to patch the vulnerability.
  • Restrict Network Access → Block unauthorized access to NameServer using firewalls (allow only trusted IPs).
  • Enable Authentication → Configure ACL to prevent unauthorized modifications to NameServer settings.
  • Monitor Changes → Track unexpected modifications in logs (namesrv.log) and use file integrity monitoring (FIM).
  • Make Config Files Read-Only → Use chattr +i on critical files like kvConfig.json to prevent tampering.
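The Monitor Changes item above is the one that catches this class of issue after the fact, so here is a concrete form of it. The following config-drift check is an added example, not part of the advisory or of the RocketMQ project: it parses two key=value snapshots of the NameServer configuration, of the kind the PoC section describes retrieving before and after the change, diffs them, and raises an alert for any change to a path- or port-valued key. The snapshot contents are constructed sample data; listenPort=9876 and rocketmqHome=/rocketmq-all-5.1.1-bin-release are the values the advisory quotes, while the original configStorePath value and the key exampleTunable are hypothetical.

```python
# Keys whose change should always be alerted on. All four are named in the advisory.
SENSITIVE_KEYS = {"configStorePath", "kvConfigPath", "rocketmqHome", "listenPort"}

# Constructed sample: NameServer config as retrieved before the change.
BEFORE_SNAPSHOT = """
# constructed sample data
listenPort=9876
rocketmqHome=/rocketmq-all-5.1.1-bin-release
configStorePath=/opt/rocketmq-config/namesrv.properties
exampleTunable=1
"""

# Constructed sample: the same config retrieved after an unauthorised update.
AFTER_SNAPSHOT = """
listenPort=9876
rocketmqHome=/rocketmq-all-5.1.1-bin-release
configStorePath=/tmp/pwned
exampleTunable=2
"""


def parse_properties(text):
    """Parse key=value lines into a dict, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are ignored rather than treated as keys
            props[key.strip()] = value.strip()
    return props


def diff_config(before, after):
    """Return {key: (old, new)} for every key added, removed or changed."""
    changes = {}
    for key in before.keys() | after.keys():
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def sensitive_changes(changes):
    """Keep only the changes that touch path- or port-valued keys."""
    return {k: v for k, v in changes.items() if k in SENSITIVE_KEYS}


def run_check(before_text=BEFORE_SNAPSHOT, after_text=AFTER_SNAPSHOT):
    """Diff two snapshots and return the changes worth alerting on."""
    changes = diff_config(parse_properties(before_text), parse_properties(after_text))
    return sensitive_changes(changes)


if __name__ == "__main__":
    for key, (old, new) in sorted(run_check().items()):
        print(f"ALERT: {key} changed from {old!r} to {new!r}")
```

In practice the "before" snapshot is a known-good baseline captured at deployment and the "after" snapshot is pulled on a schedule; any alert on configStorePath, kvConfigPath or rocketmqHome should be treated as a possible file-write attempt and correlated with the NameServer's own log (namesrv.log) for the matching update request.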

POC


The proof of concept exercises CVE-2023-37582, an Apache RocketMQ vulnerability that permits unauthorized changes to the NameServer settings. A successful run changes configStorePath to /tmp/pwned, showing that server configuration could be injected and modified remotely.

Key Observations:

  1. Before Exploitation:
    • The NameServer’s original configuration was retrieved.
    • It included parameters such as configStorePath, listenPort=9876, and rocketmqHome=/rocketmq-all-5.1.1-bin-release.
  2. After Exploitation:
    • The configuration was successfully modified, and the configStorePath now points to /tmp/pwned, suggesting an arbitrary file write capability.

Reference:-

https://github.com/vulhub/vulhub/tree/master/rocketmq/CVE-2023-37582
