CVE-2024-32656
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Ant Media Server versions 2.6.0 through 2.8.2. Any unprivileged operating system user can connect to the JMX service on localhost port 5599/TCP and use the MLet Bean to load malicious MBeans from attacker-controlled servers, executing arbitrary code as the antmedia service account. This can lead to full root compromise on affected systems.
💻 Affected Systems
- Ant Media Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the server, allowing complete system takeover, data theft, installation of persistent backdoors, and lateral movement to other systems.
Likely Case
Local attackers gain antmedia service account privileges, potentially escalating to root through other vulnerabilities or misconfigurations, leading to service disruption and data compromise.
If Mitigated
With proper network segmentation and access controls, impact is limited to the antmedia service account on isolated systems.
🎯 Exploit Status
Exploitation requires local system access but no authentication to the JMX service. The issue is similar to CVE-2023-26269 in Apache James, making weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.0
Vendor Advisory: https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download and install Ant Media Server version 2.9.0 or later from official sources.
3. Restart the antmedia service.
4. Verify the service is running correctly.
🔧 Temporary Workarounds
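Remove JMX authentication-disabling parameters
Linux: Remove the JMX authentication-disabling parameters from the antmedia.service file so that JMX authentication is enabled.
# Remove only the flag itself, so the rest of whatever line it sits on is preserved
sudo sed -i 's/[[:space:]]*-Dcom\.sun\.management\.jmxremote\.authenticate=false//g' /etc/systemd/system/antmedia.service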
sudo systemctl daemon-reload
sudo systemctl restart antmedia
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to the server
- Configure firewall rules to block port 5599/TCP from all but necessary sources
🔍 How to Verify
Check if Vulnerable:
Check if Ant Media Server version is between 2.6.0 and 2.8.2 and JMX is listening on localhost port 5599 with netstat -tlnp | grep 5599
Check Version:
antmedia -v
Verify Fix Applied:
Verify version is 2.9.0 or later with antmedia -v and confirm JMX authentication is enabled or port 5599 is not listening
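The version and JMX checks above can be combined into one script. This is an added example, not vendor or project code; the function names, the verdict strings and the layout of the sample unit file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): classify a host for CVE-2024-32656 from
# its Ant Media Server version and its systemd unit file.

# Exit 0 if VERSION is in the affected range 2.6.0..2.8.2, 1 if outside,
# 2 if it cannot be parsed. Suffixes such as -SNAPSHOT are ignored.
version_affected() {
  printf '%s\n' "${1%%[-+]*}" | awk -F. '
    $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { exit 2 }
    { n = $1 * 10000 + $2 * 100 + $3; exit !(n >= 20600 && n <= 20802) }'
}

# Exit 0 if a non-comment line of FILE disables JMX authentication.
jmx_auth_disabled() {
  grep -v '^[[:space:]]*[#;]' "$1" |
    grep -q -e '-Dcom\.sun\.management\.jmxremote\.authenticate=false'
}

# Print one verdict for VERSION and unit FILE.
assess() {
  in_range=0; version_affected "$1" || in_range=$?
  if [ "$in_range" -eq 2 ]; then echo unknown-version; return; fi
  if jmx_auth_disabled "$2"; then
    [ "$in_range" -eq 0 ] && echo vulnerable || echo review-jmx-auth
  else
    [ "$in_range" -eq 0 ] && echo workaround-applied || echo ok
  fi
}

# Constructed sample unit file (layout is an assumption, not the vendor's).
make_sample_unit() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
[Service]
User=antmedia
ExecStart=/usr/bin/java -Dcom.sun.management.jmxremote.port=5599 -Dcom.sun.management.jmxremote.authenticate=false -cp example.jar Example
EOF
  echo "$f"
}

sample=$(make_sample_unit)
trap 'rm -f "$sample"' EXIT
echo "2.8.2 with sample unit: $(assess 2.8.2 "$sample")"
echo "2.9.0 with sample unit: $(assess 2.9.0 "$sample")"
```

On a real host, pass the version reported by antmedia -v and the path /etc/systemd/system/antmedia.service to assess.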
📡 Detection & Monitoring
Log Indicators:
- Unusual JMX connection attempts in Java logs
- MBean loading from unusual sources in JMX logs
Network Indicators:
- Unexpected connections to localhost port 5599/TCP
- Outbound connections from antmedia process to unknown servers
SIEM Query:
source="antmedia.logs" AND "JMX" AND ("MLet" OR "MBean")
🔗 References
- https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764
- https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5