Attackers Exploiting Atlassian Confluence Software Zero-Day – Source: www.databreachtoday.com

Source: www.databreachtoday.com – Author: Mihir Bagwe

3rd Party Risk Management, Breach Notification, Cybercrime

Critical Privilege Escalation Bug Helps Create Admin Accounts

Mihir Bagwe (MihirBagwe) • October 5, 2023

Attackers Exploiting Atlassian Confluence Software Zero-Day

Hackers have weaponized a zero-day in a popular workspace collaboration tool to create administrator accounts and gain unrestricted access to on-premises instances of the software, Atlassian’s Confluence Data Center and Server products, which serve millions of daily active users.


The Australian tech firm said in a Wednesday security advisory that “a handful of customers” had reported that “external attackers may have exploited a previously unknown vulnerability” in Confluence Data Center and Server instances.

Tracked as CVE-2023-22515, the flaw is a critical privilege escalation vulnerability with a CVSS score of 10. The vulnerability affects only on-premises instances. Cloud instances accessed via an atlassian.net domain and versions prior to 8.0.0 are not affected by this vulnerability.

“It’s unusual though not unprecedented for a privilege escalation vulnerability to carry a critical severity rating,” said cybersecurity firm Rapid7.

The firm added that the advisory suggests the flaw is likely remotely exploitable, which means it is typically associated with an authentication bypass or a remote code execution chain rather than being solely a privilege escalation concern. Rapid7 researchers did not rule out the possibility that the vulnerability could allow a regular user account to elevate to admin rights. “Notably, Confluence allows for new user signups with no approval, but this feature is disabled by default,” Rapid7 said.

While limited information is available from Atlassian, the mitigation steps do reveal the endpoint that is affected, cybersecurity firm Tenable said. “According to the mitigation steps, blocking network access to the /setup/* endpoints will mitigate the threat of exploitation of this vulnerability,” Tenable said.

Atlassian advised users to watch for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group;
  • Unexpected newly created user accounts;
  • Requests to /setup/*.action in network access logs;
  • The presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.
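
As an added example (not from the article, Atlassian or Tenable), the following Python checker applies the two log-based indicators above to a Confluence access log and to atlassian-confluence-security.log. The log line formats and the sample entries are constructed assumptions, as is the generalization that any request path under /setup/ ending in .action is flagged.

```python
import re
from typing import Iterable

# Assumed Tomcat-style combined access-log line:
# client - user [timestamp] "METHOD path HTTP/1.x" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicator 1: any request to /setup/*.action (query string ignored).
SETUP_ACTION_RE = re.compile(r'^/setup/[^?\s]*\.action', re.IGNORECASE)
# Indicator 2: the setup-administrator action named in a security-log exception.
SETUPADMIN_MARKER = "/setup/setupadministrator.action"


def suspicious_access_requests(lines: Iterable[str]) -> list[dict]:
    """Return parsed access-log entries whose request path hits /setup/*.action."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        path = m.group("path")
        if SETUP_ACTION_RE.match(path):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def security_log_hits(lines: Iterable[str]) -> list[str]:
    """Return security-log lines that mention the setup-administrator action."""
    return [line for line in lines if SETUPADMIN_MARKER in line]


# Constructed sample data (not real traffic) in the assumed formats above.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [03/Oct/2023:10:41:02 +0000] "GET /server-info.action HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Oct/2023:10:41:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '198.51.100.7 - alice [03/Oct/2023:10:42:00 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 9031',
    '203.0.113.5 - - [03/Oct/2023:10:41:09 +0000] "GET /setup/setupadministrator.action?x=1 HTTP/1.1" 200 1200',
]
SAMPLE_SECURITY_LOG = [
    '2023-10-03 10:41:02,001 INFO  [http-nio-8090-exec-1] login succeeded for alice',
    '2023-10-03 10:41:05,121 ERROR [http-nio-8090-exec-3] exception while handling '
    '/setup/setupadministrator.action (constructed sample message)',
]

if __name__ == "__main__":
    for hit in suspicious_access_requests(SAMPLE_ACCESS_LOG):
        print("setup action request:", hit)
    for line in security_log_hits(SAMPLE_SECURITY_LOG):
        print("security log:", line)
```

Point the two functions at the real files (access log and atlassian-confluence-security.log in the Confluence home directory) and cross-check any flagged source IP against unexpected members of confluence-administrator.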

Atlassian Confluence is a popular target because of its widespread adoption. In June 2022, Atlassian published a similar advisory for CVE-2022-26134, which was another critical zero-day vulnerability affecting Confluence Server and Data Center. Multiple threat actors who appeared to be operating out of China exploited the remote code execution vulnerability (see: Unpatched Atlassian Confluence 0-Day Exploited in the Wild).

Original Post url: https://www.databreachtoday.com/attackers-exploiting-atlassian-confluence-software-zero-day-a-23240
