A zero-day vulnerability in widely used IT service management software from Atlassian has now been patched, about a week after reports of it being abused for remote code execution began to appear.
Threat actors appeared to beat security researchers to this particular vulnerability; the first notice of it came from a handful of attacks that began appearing at the end of May. Atlassian disclosed the vulnerability to the public on June 2 without a patch, due to the immediate threat it represented. The patch comes as attempts to exploit the zero-day vulnerability ramped up worldwide in response to the public disclosure, and it was badly needed, as there were no other viable remediation techniques save for blocking traffic to the affected servers.
Atlassian zero-day vulnerability described as “critical”, difficult to stop
The Atlassian zero-day vulnerability (CVE-2022-26134) was disclosed in an early June security advisory after several reports of compromise conducted via the software’s Confluence Server and Data Center. The vulnerability was confirmed in Confluence Server 7.18.0 and the company believes that all versions of both it and Data Center from 7.4.0 to present can be compromised. It applies only to local setups; Atlassian Cloud was not impacted by this security flaw.
The only solution previously offered was to either block incoming internet traffic to Confluence Server and Data Center or to disable them entirely. This was the approach previously advised by the Cybersecurity and Infrastructure Security Agency (CISA), which ordered all federal agencies to block internet traffic to Confluence servers by June 3.
The flaw was discovered by security firm Volexity over the Memorial Day holiday weekend during an incident response investigation involving remote code execution. The firm believes that the attackers are based in China given the web shell tools that were used, and that multiple threat actors were involved; it is unclear whether these are garden-variety for-profit cyber criminals or known advanced persistent threat (APT) teams associated with the Chinese Ministry of State, but the deployment of any zero-day vulnerability not previously seen by security researchers generally directs suspicion to nation-state hacking teams. Volexity did say that there was variety in the approaches of the different threat actors, with some being much sloppier than others.
Patching out the Atlassian zero-day vulnerability requires updating Confluence Server and Data Center to one of the following version numbers: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. All contain fixes that disable the ability to initiate remote code execution. Prior to issuance of the patch there were estimated to be over 9,000 services across the world running a vulnerable version.
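A quick way to triage an inventory of on-premise instances against the fixed releases listed above, as an added example (not Atlassian tooling): each release is compared with the fixed version of its own minor branch, branches between 7.4 and 7.18 that received no fix are reported as vulnerable, and anything newer than the 7.18 branch named in the advisory is reported as unknown, which is an assumption of this script rather than a statement from the page.

```python
"""Check a Confluence Server / Data Center version against the CVE-2022-26134
fixed releases named in the advisory: 7.4.17, 7.13.7, 7.14.3, 7.15.2,
7.16.4, 7.17.4 and 7.18.1. Added example, not Atlassian's own tooling."""
import re

# Fixed release per affected minor branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
FIRST_AFFECTED = (7, 4, 0)     # advisory: every release from 7.4.0 onward is affected
LATEST_FIXED_BRANCH = (7, 18)  # newest branch named in the advisory


def parse_version(text):
    """Parse 'major.minor.patch'; a trailing suffix such as '-beta1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return one of 'not_affected', 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "not_affected"
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branches 7.5 .. 7.12 got no fixed release and must move to a fixed
        # branch. Anything newer than 7.18 is outside the advisory text this
        # example is based on, so it is reported as unknown (assumption).
        return "vulnerable" if branch < LATEST_FIXED_BRANCH else "unknown"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    inventory = {"wiki-a": "7.18.0", "wiki-b": "7.13.7",
                 "wiki-c": "7.9.3", "wiki-d": "7.3.5"}
    for host, ver in inventory.items():
        print(f"{host:8s} {ver:8s} {assess(ver)}")
```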
Patching is critical as the vulnerability is relatively easy to exploit, and researchers noted hundreds of unique IP addresses attempting to use it just three days after the public disclosure. As Naveen Sunkavalley, Chief Architect at Horizon3.ai, notes: “CVE-2022-26134 is about as bad as it gets. The vulnerability is easy to scan for and easy to exploit using a single HTTP GET request … Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks. We’ve advised our clients to patch immediately, even if their Confluence instance is not public.”
Confluence was hit by another remote code execution vulnerability in late August 2021. CVE-2021-26084 was confirmed to affect all versions of the software, and similarly required a version update to fix. It was also relatively easy for attackers to exploit, and the first threat actors to make use of it installed cryptocurrency miners on target systems. Prior to the patch, threat actors from around the world had taken up the zero-day vulnerability and were making attempts on a wide variety of organizations.
Another issue in 2021 created the possibility of “one click” takeovers. This issue was arguably even more severe, allowing the possibility of an attacker getting access to the Atlassian Jira bug tracking system. This in turn would have allowed access to Atlassian cloud products and source code repositories in addition to on-premise software installations, with full remote code execution ability and the capacity to hijack user sessions. This issue was discovered in an independent investigation by Check Point Research, following up on popular IT management products in the wake of the SolarWinds breach. This particular zero-day vulnerability does not appear to have been exploited by hackers in any organized way, with Check Point staff disclosing it to Atlassian early in 2021 and public notice not emerging until it had been patched out some months later.
Atlassian is thus having something of a rough year in cybersecurity. Garret Grajek, CEO of YouAttest, notes that this should prompt reviews by organizations: “Source code attacks are some of the most effective and long reaching attacks on the IT ecosystem. The SolarWinds attack showed us the level of damage and the magnitude of threat that embedded malware can have in our vital s/w components. By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system. It is imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases.”
The incident also demonstrates a renewed focus on code and the quick exploitation of zero-day vulnerabilities by hackers, as industry awareness of phishing and ransomware continues to grow and effective defenses continue to mount. While common cyber criminals still show a strong preference for ransomware and scams, a tidy black market for zero-day vulnerabilities has emerged and nation-state threat actors are the leading groups observed both purchasing and using them. As John Gunn, CEO of Token, notes: “As more organizations implement Multifactor Authentication and effectively lock the front door, hacking organizations are launching Ransomware attacks using other methods as witnessed by the explosion in exploits for this vulnerability. Not implementing patches immediately is the equivalent of leaving the back door propped open for attackers.”
Timely patching is clearly more important than ever, but this particular case raises an additional security question: what happens when a serious remote code execution vulnerability is disclosed, but a patch or useful remediation is not available for days (or weeks)? David Lindner, CISO at Contrast Security, sees this as a prompt to pay greater attention to RASP technologies: “Atlassian products continue to be plagued with OGNL Injections and based on the instructions for WAF rules and comments about loading malicious classes, we believe this is another case of OGNL Injection leading to an RCE. This is yet another example of why enterprises need to move away from on-prem technologies as well as invest in runtime application self-protection (RASP) technologies that can prevent these exploits all before day zero, without the need to patch anything or turn it off. It blows my mind that so many organizations do not see RASP as a critical control layer, especially when RASP solutions provide continuous, accurate, automated and scalable protection while providing application layer threat intelligence across the entire application.”