Hackers have started exploiting a critical remote code execution vulnerability that was patched recently in Atlassian Confluence Server and Data Centre. Some of the attacks deploy cryptocurrency mining malware, but Atlassian products have also been targeted in the past by cyberespionage groups.
"Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Nepal, Poland, Romania, Estonia, United States, and Italy," threat intelligence firm Bad Packets told CSO. "Multiple proofs-of-concept have been published publicly demonstrating how to exploit this vulnerability."
Webwork OGNL injection
According to Atlassian, CVE-2021-26084 is an OGNL injection issue that allows authenticated users, and in some instances unauthenticated users, to execute arbitrary code on servers running affected versions of the products. The Object-Graph Navigation Language (OGNL) is an open-source expression language for getting and setting properties of Java objects.
Atlassian Confluence is a web-based team collaboration platform written in Java for managing workspaces and projects that organisations can run locally on their own servers. Atlassian Data Centre is a more feature-rich version of Confluence that has support for things like team calendars, analytics, more advanced permissions management, content delivery network support and more.
The flaw impacts all Atlassian Confluence and Data Centre versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0, which were released on Aug. 25 for the still-supported branches of the software. However, Atlassian recommends upgrading to the latest version in the 7.13.x branch if possible, as it has long-term support. Manual patch scripts that can be run on Linux or Windows hosts have also been provided as temporary workarounds for users who cannot perform a full upgrade.
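Because the fix was backported only to specific branches, a plain "is my version newer than X" check gets the answer wrong for unsupported branches such as 7.5.x. The following triage helper is an added example (not Atlassian's code or any tooling from the article) that encodes the fixed releases listed above; the inventory of hosts and versions it checks is constructed for illustration.

```python
import re

# Fixed releases named in the Atlassian advisory for CVE-2021-26084, as cited above.
FIXED_VERSIONS = ["6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0"]


def parse_version(text):
    """Turn '7.12.4' (or '7.12.4-something') into a comparable (7, 12, 4) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised Confluence version: %r" % text)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version):
    """True if this Confluence/Data Center version predates every fix that covers it."""
    ver = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    # Anything at or beyond the newest fixed release (7.13.0) carries the fix.
    if ver >= max(fixes):
        return False
    # A backported fix only protects releases on its own major.minor branch,
    # so 7.5.0 is still affected even though it is "newer" than 7.4.11.
    return not any(ver[:2] == fix[:2] and ver >= fix for fix in fixes)


def recommended_upgrade(version):
    """Nearest fixed release on the same branch, else the long-term-support 7.13 line."""
    ver = parse_version(version)
    for fix in FIXED_VERSIONS:
        if parse_version(fix)[:2] == ver[:2]:
            return fix
    return "7.13.0"


def triage(inventory):
    """Return [(host, version, upgrade_target)] for every affected host in the inventory."""
    return [(host, v, recommended_upgrade(v)) for host, v in inventory if is_vulnerable(v)]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are placeholders.
    sample = [("wiki-a.example", "7.12.4"), ("wiki-b.example", "7.13.0"),
              ("wiki-c.example", "7.5.0"), ("wiki-d.example", "6.13.23")]
    for host, version, target in triage(sample):
        print("%s runs %s -> upgrade to %s" % (host, version, target))
```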
According to the Atlassian advisory, the vulnerability was reported by a researcher named Benny Jacob (SnowyOwl) through the Atlassian bug bounty program, suggesting that it wasn't a flaw exploited in the wild at the time of its discovery.
However, since then, other researchers analysed the patch and wrote detailed reports on the bug, complete with proof-of-concept exploits. Moreover, even though Atlassian says the issue can be exploited by unauthenticated users "in some instances," the existence of unauthenticated exploit paths might be more common than users expect.
"For example, simply visiting /pages/doenterpagevariables.action should render the velocity template file which was modified i.e. createpage-entervariables.vm," security researcher and bug hunter Harsh Jaiswal said in an analysis of the flaw. "Remember that any route that renders this template would cause the vulnerability [to] exist completely unauth regardless of you turning on Sign up feature."
As with all injection-type vulnerabilities, the goal is to smuggle code into expected user input so that the application evaluates and executes it in a context the developers never intended. In this particular case, attackers can include command line (bash) commands that are then executed on the underlying operating system. Confluence code does use an isSafeExpression method to check OGNL expressions against a hardcoded list of dangerous properties and methods, but as with most blacklist-based approaches, attackers and researchers can usually find a way around them, which was also true in this case.
Cryptocurrency miners are a popular payload for remote code execution vulnerabilities in web applications because they provide an easy way for attackers to directly monetise their access to the underlying servers. However, such access can also be used to deploy stealthier backdoors that can later be used for lateral movement inside corporate networks if the impacted web servers are not properly walled off from the rest of the network.
In 2019, security and incident response firm FireEye published a report about attacks by a China-based hacker group tracked as APT41 in which the group exploited a path traversal and remote code execution vulnerability in Atlassian Confluence (CVE-2019-3396) in order to compromise a web server at a US-based research university. APT41 is a dual espionage and financially focused group that has a history of weaponising recently disclosed vulnerabilities, often within days of their public disclosure. In that particular attack the group exploited the Confluence vulnerability to deploy a web shell and a backdoor program.
Bad Packets told CSO that it hasn't observed attacks against Confluence specifically in the past, but it has seen attacks exploiting vulnerabilities in other Atlassian products including Atlassian Crowd RCE CVE-2019-11580, Atlassian Jira SSRF CVE-2019-8451 and Atlassian Jira Unauthenticated Information Disclosure CVE-2020-36289.