CVE-2023-46118 - RabbitMQ DoS Attack Via HTTP API & Large Messages: Exploit Details, Code Snippets, and Patch Information

RabbitMQ is a popular multi-protocol messaging and streaming broker, widely used across various industries for stream processing, real-time messaging, and more. However, a new vulnerability (CVE-2023-46118) has been discovered, making it susceptible to denial of service (DoS) attacks through its HTTP API. The issue arises due to a lack of enforced HTTP request body limit, allowing authenticated users with ample credentials to publish oversized messages and potentially terminate targeted nodes via an "out-of-memory killer"-like mechanism. To address this vulnerability, patches have been released for RabbitMQ versions 3.11.24 and 3.12.7.

Code Snippet

Below is an example of a potentially malicious HTTP request that could exploit this vulnerability. Note that the request's body is excessively large, ultimately leading to a potential DoS attack:

POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
Host: target-rabbitmq-server:15672
Authorization: Basic {AUTHENTICATION_CREDENTIALS}
Content-Type: application/json
Content-Length: {LARGE_MESSAGE_SIZE}

{
  "properties": {},
  "routing_key": "example",
  "payload": "{REPEATED_LARGE_MESSAGE_CONTENT}",
  "payload_encoding": "string"
}

To prevent potential exploitation, it is crucial to ensure that your RabbitMQ instance is running version 3.11.24 or 3.12.7 or later.

Original References

For more information on this vulnerability and its corresponding patch, please refer to the following resources:

1. RabbitMQ's official GitHub repository, which includes release notes and patch details for affected versions:
- RabbitMQ 3.11.24 release notes
- RabbitMQ 3.12.7 release notes

2. The RabbitMQ HTTP API documentation, highlighting the various request parameters and providing additional context for this exploit:
- RabbitMQ HTTP API documentation

Mitigation Steps

To safeguard your RabbitMQ installation from this vulnerability, we recommend taking the following steps:

1. Upgrade your RabbitMQ instance to version 3.11.24, 3.12.7, or a newer release, ensuring it includes the relevant patch for CVE-2023-46118.
- RabbitMQ download and installation instructions

2. Restrict access to the RabbitMQ HTTP API by enforcing appropriate firewall rules and access controls.

3. Regularly review and audit user accounts associated with your RabbitMQ instance, ensuring that only trusted individuals possess publish permissions.

Conclusion

CVE-2023-46118 represents a significant vulnerability in RabbitMQ that may expose systems to denial of service attacks. By leveraging the HTTP API and publishing large messages, attackers could potentially bring down target nodes and disrupt services. To protect your RabbitMQ implementation, it is vital to upgrade to a patched version (3.11.24 or 3.12.7) and enforce strict access controls. Regular monitoring and auditing of user accounts can also help prevent unauthorized access and malicious activities.

Timeline

Published on: 10/25/2023 18:17:36 UTC
Last modified on: 11/01/2023 17:14:08 UTC