Thursday, March 28, 2024

U.S. Cyber Command Warns of Active Mass Exploitation Attempts Targeting Confluence Flaws

U.S. Cyber Command recently warned of a sharp increase in scanning and exploitation attempts targeting a newly disclosed vulnerability in corporate servers running the Atlassian Confluence wiki engine.

The vulnerability, confirmed by security researchers, is CVE-2021-26084 in Confluence Server and Confluence Data Center. It allows threat actors to execute arbitrary code; the root cause is improper handling of user-supplied input.

Security researchers further stated that it can be exploited to bypass authentication and inject malicious OGNL expressions, fully compromising a vulnerable system.

What is the issue?

Cybersecurity analysts detected the vulnerability in Atlassian’s Confluence software on August 25th and published the vulnerability details shortly after.

According to the report, a security researcher known as SnowyOwl (Benny Jacob) discovered that an unauthenticated user could run arbitrary code by targeting HTML fields that are interpreted and evaluated by the Object-Graph Navigation Language (OGNL).
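The vulnerability class described above is an injection of OGNL expression syntax into user-controlled fields. From a defender's side, one first step is to look for that syntax in web-server access logs. The following is an added example written for this article, not Atlassian's code or any tooling from the researchers named here: it parses combined-format access log lines, URL-decodes the query parameters (including double encoding) and reports requests whose values contain OGNL expression delimiters. The log lines and the request path in them are constructed placeholders, not real Confluence endpoints or real traffic.

```python
"""Flag access-log requests whose query parameters contain OGNL
expression syntax.  Added example; the sample lines are constructed."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# OGNL expressions start with "${", "%{" or "#{", and static member access
# is written "@some.Class@member".  Matching these delimiters after
# URL-decoding is a heuristic: obfuscated or unusually encoded payloads
# can evade it, so treat hits as alerts to triage, not as a control.
OGNL_MARKERS = re.compile(r"[$%#]\{|@[A-Za-z_][\w.]*@")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def suspicious_params(target: str) -> Dict[str, str]:
    """Return decoded query parameters whose value looks like an OGNL expression."""
    query = urlsplit(target).query
    hits: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches %25-double-encoding
        if OGNL_MARKERS.search(decoded):
            hits[name] = decoded
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each access-log line and report requests carrying OGNL-like
    parameter values, with the source IP, request path and offending parameters."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "params": hits,
            })
    return findings


# Constructed sample lines (placeholder paths, not real Confluence endpoints):
# two ordinary wiki requests and one whose parameter decodes to "${example}".
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Sep/2021:10:01:12 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5120',
    '10.0.0.7 - - [02/Sep/2021:10:01:15 +0000] "GET /example/search.action?q=release+notes HTTP/1.1" 200 2210',
    '203.0.113.9 - - [02/Sep/2021:10:02:40 +0000] "GET /example/page.action?field=%24%7Bexample%7D HTTP/1.1" 200 1980',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints a single finding for the 203.0.113.9 request. In practice the result is best joined with the signup-option check and version inventory described later in this article: a hit on a patched server is noise, a hit on an unpatched one with self-signup enabled is an incident.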

Notably, when the analysts investigated the vulnerability they found more than 14,637 exposed and vulnerable Confluence servers on the internet.

Comparing those results against a September 1st scan, they identified 14,701 services that self-identified as a Confluence server.

Beyond those services, they counted 13,596 ports and 12,876 individual IPv4 hosts still running an exploitable version of the software.

Flaw profile

  • CVE ID: CVE-2021-26084
  • Version: CVSS version 3.x
  • CVSS Score: 9.8
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The flaw: CVE-2021-26084

For CVE-2021-26084, the vulnerable endpoints are reachable by a non-administrator user or an unauthenticated user only if ‘Allow people to sign up to create their account’ is enabled.

You can check whether this option is enabled under COG > User Management > User Signup Options.

What do You Need to Do? 

Atlassian recommends upgrading to the latest Long Term Support release; the latest version is available from the download center.

  • If you are running an affected version, upgrade to version 7.13.0 (LTS) or higher.
  • If you are running a 6.13.x version and cannot upgrade to 7.13.0 (LTS), upgrade to at least version 6.13.23.
  • If you are running a 7.4.x version and cannot upgrade to 7.13.0 (LTS), upgrade to at least version 7.4.11.
  • If you are running a 7.11.x version and cannot upgrade to 7.13.0 (LTS), upgrade to at least version 7.11.6.
  • If you are running a 7.12.x version and cannot upgrade to 7.13.0 (LTS), upgrade to at least version 7.12.5.

Affected Versions

Here’s the list of all affected versions:

  • All 4.x.x versions
  • All 5.x.x versions
  • All 6.0.x versions
  • All 6.1.x versions
  • All 6.2.x versions
  • All 6.3.x versions
  • All 6.4.x versions
  • All 6.5.x versions
  • All 6.6.x versions 
  • All 6.7.x versions
  • All 6.8.x versions
  • All 6.9.x versions
  • All 6.10.x versions
  • All 6.11.x versions
  • All 6.12.x versions 
  • All 6.13.x versions before 6.13.23
  • All 6.14.x versions 
  • All 6.15.x versions 
  • All 7.0.x versions
  • All 7.1.x versions
  • All 7.2.x versions
  • All 7.3.x versions
  • All 7.4.x versions before 7.4.11
  • All 7.5.x versions
  • All 7.6.x versions 
  • All 7.7.x versions
  • All 7.8.x versions
  • All 7.9.x versions
  • All 7.10.x versions
  • All 7.11.x versions before 7.11.6
  • All 7.12.x versions before 7.12.5

Here’s the list of all fixed versions:

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0
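Checking a fleet against the affected and fixed lists above by hand is error-prone, especially for the four branches that received backported fixes. The following is an added example for this article, not Atlassian's tooling: it encodes the version data exactly as listed above (the function names and the conservative treatment of releases older than 4.x as affected are this example's own choices) and, for a given Confluence version string, reports whether it is affected and which release the upgrade guidance above points to.

```python
"""Classify a Confluence Server / Data Center version string against the
CVE-2021-26084 affected and fixed lists.  Added example; version data is
transcribed from the advisory text, the code is not Atlassian's."""
from typing import Optional, Tuple

# Branches with a backported fix: (major, minor) -> first fixed patch level.
FIXED_BY_BRANCH = {
    (6, 13): 23,  # 6.13.23
    (7, 4): 11,   # 7.4.11
    (7, 11): 6,   # 7.11.6
    (7, 12): 5,   # 7.12.5
}
LTS_FIX = (7, 13, 0)  # recommended target: 7.13.0 (LTS) or higher


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.4.11' (or '7.4') into a (major, minor, patch) tuple.
    Raises ValueError for anything that is not two or three dotted integers."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True if the version falls inside the advisory's affected ranges."""
    major, minor, patch = parse_version(text)
    if (major, minor, patch) >= LTS_FIX:
        return False  # 7.13.0 and later are fixed
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return patch < fixed_patch  # e.g. 7.4.10 affected, 7.4.11 fixed
    # Every other 4.x-7.12.x release is listed as affected.  The advisory
    # starts at 4.x; anything older is treated as affected too (an
    # assumption of this example, erring on the safe side).
    return True


def recommended_upgrade(text: str) -> Optional[str]:
    """Return the minimum fixed release for the version's branch if one was
    backported, otherwise the 7.13.0 LTS target; None if not affected."""
    if not is_affected(text):
        return None
    major, minor, _ = parse_version(text)
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return f"{major}.{minor}.{fixed_patch}"
    return "7.13.0"


if __name__ == "__main__":
    # Constructed inventory of version strings, e.g. from a fleet scan.
    for version in ["6.13.22", "6.13.23", "7.4.10", "7.5.2", "7.12.4", "7.13.1"]:
        print(version, "affected" if is_affected(version) else "not affected",
              recommended_upgrade(version))
```

The branch fixes are minimum versions for sites that cannot move to the LTS line; the article's first bullet still applies, so the LTS target is the preferred answer whenever an upgrade path to it exists.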

Mitigation

If you cannot upgrade Confluence right away, Atlassian provides a temporary workaround: run the mitigation script shown below for the operating system hosting Confluence.

Confluence Server or Data Center Node running on Linux-based Operating System…

Confluence Server or Data Center Node running on Microsoft Windows…

According to Atlassian, Confluence’s customer base comprises nearly 60,000 companies and organizations, including:

  • Audi
  • Hubspot
  • NASA
  • LinkedIn
  • Twilio
  • Docker 

Because Confluence’s popularity is growing rapidly, security experts expect the number of attacks exploiting this flaw to rise in the coming days.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.