Users of Atlassian’s Confluence collaboration software were warned yesterday to either restrict internet access to the software or to disable it, due to a critical vulnerability.
An advisory from Atlassian dated June 2nd stated that “currently active exploitation” had been detected.
The advisory has now been updated to reflect the fact that the company has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this issue. Users are advised to update to these versions.
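To make the fixed-version list above directly usable, here is an added example (not code from Atlassian, Volexity or the article) that parses an installed Confluence Server / Data Center version string, looks up the fix for its release branch, and triages a small inventory. The inventory and host names are constructed sample data; the rule that a branch absent from the list is reported as "unlisted" rather than "patched" is this example's own assumption, chosen because the advisory said all supported versions were affected.

```python
"""Compare installed Confluence Server / Data Center versions against the fixed
releases Atlassian listed for CVE-2022-26134: 7.4.17, 7.13.7, 7.14.3, 7.15.2,
7.16.4, 7.17.4 and 7.18.1 (the list quoted in the article above)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per branch (major.minor), taken from the advisory as quoted.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}

# Accepts "7.13.7", "7.18" or "7.17.4-something"; only the numeric prefix matters.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][suffix]' into a tuple; a missing patch is 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version_for_this_branch).

    status is 'patched', 'vulnerable' or 'unlisted'. 'unlisted' means the
    branch does not appear in the advisory's fix list; this example (an
    assumption, not Atlassian's guidance) does NOT treat that as safe, since
    the advisory said every supported version was affected."""
    v = parse_version(installed)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unlisted", None
    fixed_str = ".".join(str(n) for n in fixed)
    return ("patched" if v >= fixed else "vulnerable"), fixed_str


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by status so the unpatched ones can be isolated first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "unlisted": [], "patched": []}
    for host in sorted(inventory):
        status, _ = assess(inventory[host])
        groups[status].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "wiki-prod-1": "7.13.6",
    "wiki-prod-2": "7.13.7",
    "wiki-legacy": "7.4.16",
    "wiki-test": "7.18.1",
    "wiki-lab": "7.19.0",
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        status, fixed = assess(version)
        action = f"update to {fixed}" if status == "vulnerable" else status
        print(f"{host:12} {version:10} {action}")
    print(triage(SAMPLE_INVENTORY))
```

Hosts reported as "vulnerable" or "unlisted" are the ones to cut off from internet traffic (per CISA's advice quoted below) until they run the fixed release for their branch.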
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) “strongly recommends that organizations review Confluence Security Advisory 2022-06-02 for more information. CISA urges organizations with affected Atlassian’s Confluence Server and Data Center products to block all internet traffic to and from those devices until an update is available and successfully applied.”
Blocking access would make collaboration impossible without VPN access from outside a company’s firewall. At a time with so much remote work, this could be an extreme inconvenience at best, and at worst could make the software unusable for remote workers. Given that Atlassian’s website claims that Confluence has over 60,000 users world-wide, the impact on a large number of companies could be very severe.
Security company Volexity detected the vulnerability and reported it to Atlassian. Volexity has published its analysis in a blog post on its website.
According to Volexity, “the attacker had used a zero-day exploit, now assigned CVE-2022-26134, that allowed unauthenticated remote code execution on the servers.” The analysis goes on to warn that “these types of vulnerabilities are dangerous, as attackers can execute commands and gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system.”
The attacker deployed an in-memory copy of the BEHINDER implant. Volexity notes that “this is an ever-popular web server implant with source code available on GitHub.” BEHINDER allows attackers to use memory-only webshells with built-in support for interaction with Meterpreter and Cobalt Strike.
Having the BEHINDER implant in memory is particularly dangerous because it lets the attacker execute instructions without writing any file to disk, leaving little for file-based scanning to find. As it has no persistence, a reboot or service restart will wipe it out. Until that happens, however, the attacker retains access to the server and can execute commands without ever writing a backdoor file to disk.
Atlassian’s initial advisory had indicated that all supported versions of Confluence Server and Data Center were affected, and repeated the advice to restrict access from the internet or to disable the Confluence Server. The company now says that no Atlassian Cloud sites were impacted, and that all affected customers have been notified of the fix.
NOTE: Updated with information on the fix.