Atlassian Confluence Zero-Day Vulnerability

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.

The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.

"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory.

"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available.

All supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.

In the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing "${" to reduce the risk.

Volexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.

The attack chain involved leveraging the Atlassian zero-day exploit — a command injection vulnerability — to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.

"Behinder provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike," the researchers said. "At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out."

CyberSecurity

Subsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including China Chopper and a custom file upload shell to exfiltrate arbitrary files to a remote server.

The development comes less than a year after another critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity said. "Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities."


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.