Atlassian Zero-day Vulnerability

A critical remote code execution vulnerability was discovered in Atlassian’s Confluence Server and Data Centre products. The vulnerability has been assigned CVE-2022-26134 and is actively being exploited in the wild. All supported versions of Confluence Server and Data Centre are affected; however, it is anticipated that all versions of the enterprise solution are potentially vulnerable. A successful attack can result in an unauthenticated attacker gaining remote code execution of the unpatched server.

CVE-2022-26134 was detected by a cybersecurity firm, Volexity. Volexity also discovered that the zero-day vulnerability was used to install a BEHINDER JSP web shell allowing the attackers to execute commands on the vulnerable server remotely. Along with the BEHINDER web shell, they also deployed the China Chopper web shell and a simple file upload tool as a backup mechanism to maintain access to the compromised server.

On Friday, June 3, Atlassian released patches which addressed the vulnerability. The patched versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1. If it is not feasible to upgrade immediately, Atlassian has suggested customers restrict Confluence Server and Data Centre instances from the internet or disable the instances altogether. Additionally, Atlassian also urged implementing a web application firewall (WAF) rule which blocks URLs containing “${” to reduce the risk.

Accorian recommends ensuring that the latest patches have been installed along with the workarounds released by Atlassian.

Accorian can help identify such vulnerabilities in your environment. Simply reply back to this mail and one of your team members will get in touch with you.

Source: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Article

Outdated WordPress plugin abused to deploy backdoors.

WordPress is a popular open-sourced content management system (CMS). An outdated WordPress plugin known, Eval PHP enables site administrators to insert PHP code into posts and pages of WordPress websites, which is then executed when the page is loaded in the browser. The "eval" function was originally used to execute arbitrary PHP code, which can be useful in certain contexts, such as when creating dynamic templates or customizing functionality. The plugin is still available on the WordPress plugins repository despite not receiving any updates in the last ten years. However, attackers are injecting backdoors into websites using the legitimate but outdated WordPress plugin known as Eval PHP. A sudden spike in the number of installations for the plugin was observed in April 2023. The attackers sneakily install the vulnerable plugin, which is available on the official WordPress plugin repository, on an already compromised website. All WordPress administrators are advised by Accorian to check for the presence of Eval PHP, particularly if they did not install the plugin themselves. The presence of this plugin on a website indicates that it is compromised and may contain backdoors. To prevent any exploitation, admins should remove the plugin if found and protect the account by implementing robust WAF and 2FA. It is also recommended to keep the site up to date with the latest updates. Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html Threat Advisory Team Accorian

Article

Critical Zero-day vulnerability in Microsoft Outlook

Microsoft recently released a patch for a new privilege escalation vulnerability (CVE-2023-23397) that impacts all versions of Microsoft Outlook on Windows. The vulnerability is being tracked as CVE-2023-23397 and holds a CVSS score of 9.8. By sending a specially crafted email, an attacker can remotely obtain hashed passwords without the victim ever having to open them. Microsoft has now officially released patches for the vulnerability, but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since mid-April 2022. Without the interaction of the user, an attacker can steal NTLM credentials by sending a malicious email. Exploitation takes place when the system's reminder is triggered, and Outlook is opened. According to Microsoft, by sending a message with an extended MAPI property and a UNC path to an SMB (TCP 445) share on a server under the attacker's control, an attacker can exploit the vulnerability to retrieve NTLM hashes. Accorian recommends that organizations update Microsoft Outlook for Windows as soon as possible. If not possible immediately, block outbound SMB (TCP port 445) and add users to the Protected Users group in Active Directory. This would limit the impact of the vulnerability. Accorian can help you identify the vulnerability in your environment. For more information. kindly reach out to us. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 Threat Advisory Team Accorian

Article

Exploit Publicly available for MS Word Remote Code Execution flaw

CVE-2023-21716, a heap corruption vulnerability that was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, now has it's exploit publicly accessible. The vulnerability holds a CVSS score of 9.8 and can allow attackers to execute code remotely without needing any authentication. The flaw impacts several MS Office and SharePoint versions, as well as Microsoft 365 Apps for Enterprise. The vulnerability exists in Microsoft Word's RTF parser and is a heap corruption issue. Attackers can remotely execute code with the same level of privileges as the victim if successfully exploited. The flaw does not require prior authentication, attackers can simply send a decoy RTF file to the victim(s) via email. ‘Protected View’, a feature of Microsoft Office 2010 and later, helps to reduce the impact that a malicious document provided from untrusted sources might cause. As the vulnerability exists when ‘Protected View’ is in use, exploiting it would require an additional sandbox escape vulnerability to gain full privileges. Although Microsoft has released fixes for CVE-2023-21716, it is strongly advised that organizations patch right away because the Proof of Concept is now widely available. Microsoft has also issued temporary solutions for CVE-2023-21716. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 Threat Advisory Team Accorian

Article

Critical Vulnerability found in Atlassian's Jira Service Management

A critical security flaw in Jira Service Management Server and Data Centre has been fixed by Atlassian. The flaw has been identified as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could take advantage of the flaw to pose to another user and access affected instances without authorization. This vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0, respectively. According to Atlassian, an attacker could gain access to signup tokens with write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Users who have never signed into their accounts are sent the tokens. The tokens can be accessed in two ways: If the attacker has access to requests or issues on Jira that include these users, or If the attacker is forwarded or obtains access to emails containing a “View Request” link from these users. Particularly vulnerable in this case are bot accounts. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected, however instances with single sign-on, external customer accounts can be affected in projects in which anyone can make their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario. Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later considering Atlassian products' recent emergence as an alluring attack vector. Source:https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Threat Advisory Team Accorian

Article

Git affected by remote code execution attacks

Recently, Git patched 2 critical vulnerabilities which could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39. CVE-2022-23521 affects the gitattributes mechanism. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, or when the declared attribute names are huge. CVE-2022-41903, also a critical vulnerability regarding integer overflow, can be triggered directly by a user running a command which invokes the commit formatting machinery or can be triggered indirectly through the git archive. These integer overflows may result in arbitrary heap writes, which can result in remote code execution. It is recommended that users of Windows, macOS, and Linux/Unix download and install the most recent git release, which is v2.39.1. Disable the git archive in untrusted repositories if upgrading is unfeasible. Versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued, according to GitLab, to resolve the issues. Customers are urged to apply the fixes with immediate effect. Accorian assures to assist all its clients. Please feel free to reach out to us if you have any questions. Source: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/ Threat Advisory Team Accorian

Threat Advisory