An attacker with network access to a compromised RabbitMQ node could use those to launch a man-in-the-middle attack and change the communication between clients and servers. The attacker would be able to get the encrypted data and send fake messages to the server. In certain cases, the server could be used to send fake messages to the client, tricking it into taking actions that would give the attacker remote access to the system. In some cases, it is possible to trick the client into sending commands to another server, which could be used to implement a distributed attack. For example, if the client is a web application and it receives a command to change its own configuration, it is possible to launch a cross-site scripting attack and execute arbitrary code on the client’s behalf. This could lead to a wide variety of impacts, from stealing sensitive data to completely taking over the client. The attacker can also use this to launch a man-in-the-middle attack against clients sending commands to the server.

Shmibib - Stack-based Buffer Overflow (CVE-2022-31008)

MS15-034 - Microsoft Security Bulletin MS15-034
Shmibib is a stack-based buffer overflow vulnerability in the implementation of the libmcrypt library. An attacker with network access to a compromised RabbitMQ node could use those to launch a man-in-the-middle attack and change the communication between clients and servers. The attacker would be able to get the encrypted data and send fake messages to the server. In certain cases, the server could be used to send fake messages to the client, tricking it into taking actions that would give the attacker remote access to the system. In some cases, it is possible to trick the client into sending commands to another server, which could be used to implement a distributed attack. For example, if the client is a web application and it receives a command to change its own configuration, it is possible to launch a cross-site scripting attack and execute arbitrary code on the client’s behalf. This could lead to a wide variety of impacts, from stealing sensitive data to completely taking over the client. The attacker can also use this vulnerability against clients sending commands to the server.

Authentication Bypass

This vulnerability allows an attacker to bypass authentication and gain access to the server. The attacker would need to already have a valid user account on the system in order to take advantage of this vulnerability. The attacker could then use their existing permissions on the system to send commands from any location within their network.

What does RabbitMQ provide?

RabbitMQ provides a common set of features that are used in distributed systems. It provides a message queue management system and it is an integral component of many larger systems. Some of these include Cassandra, Hadoop, and OpenStack.

How do I know if I’m vulnerable?

If you are a client of the RabbitMQ server, you should check if you are vulnerable. If your system is vulnerable, it is important to change the configuration before exploitation occurs.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 11/07/2022 20:20:00 UTC

References