U.S. government agencies are warning private sector and governmental organizations that they expect to see “widespread, continued exploitation” of a known bug in Atlassian Confluence and are urging network administrators to apply the patch for the flaw immediately.
The privilege escalation vulnerability (CVE-2023-22515) in on-premises instances of Confluence Server and Confluence Data Center first emerged earlier in October as a zero day, and Atlassian issued a security advisory on Oct. 4 that included fixed versions. A new advisory on Oct. 16 from CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) included detection signatures and IoCs, and encouraged organizations to hunt for malicious activity on their networks.
“Threat actors exploited CVE-2023-22515 as a zero day to obtain access to victim systems and continue active exploitation post-patch,” according to the Monday advisory. “Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.”
The vulnerability stems from a broken access control issue and is triggered through a request on the unauthenticated /server-info.action endpoint. Successful exploitation of this bug enables threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. The advisory noted that “considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts,” an observation that is in line with what security researchers have also highlighted.
While the advisory did not give further details on the specific attacks that have leveraged CVE-2023-22515, CISA said that post-exploitation data exfiltration observed in attacks has involved various command line tools. These have included cURL, a command line tool for transferring data to or from servers, and Rclone, a command line tool for syncing data with file hosting services. For instance, threat actors were observed using Rclone either by uploading a configuration file to victim infrastructure or by entering cloud storage credentials directly on the command line.
CISA recommended immediate upgrades to fixed versions, and if companies are unable to apply those fixes right away they are encouraged to restrict untrusted network access, due to the seriousness of the bug. The vulnerability affects version 8.0 and later of Confluence Server and Data Center. The fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. Atlassian has also recommended that vulnerable organizations hunt for any unexpected members in the Confluence administrators group.
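The two hunting steps described above, flagging requests to the unauthenticated /server-info.action endpoint and comparing the Confluence administrators group against a known-good baseline, can be scripted against an access log. This is an added example, not code from the advisory or from Atlassian; it assumes a Tomcat-style access-log layout and uses constructed log lines and account names.

```python
import re
from typing import List, NamedTuple

# Assumed Tomcat-style access-log layout (client IP, timestamp, request line,
# status); adjust LOG_RE if your Confluence access log is configured differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The unauthenticated endpoint named in the advisory; ordinary users and
# integrations have no reason to request it, so every hit deserves review.
SUSPICIOUS_PATH = "/server-info.action"

class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    status: int

def find_server_info_requests(lines: List[str]) -> List[Hit]:
    """Return every parsed request whose path is /server-info.action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path == SUSPICIOUS_PATH:
            hits.append(Hit(m.group("ip"), m.group("ts"),
                            m.group("method"), int(m.group("status"))))
    return hits

def unexpected_admins(current: List[str], baseline: List[str]) -> List[str]:
    """Members of the administrators group not present in the known-good baseline."""
    return sorted(set(current) - set(baseline))

# Constructed sample data, not real traffic or real accounts.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 1234',
    '203.0.113.7 - - [16/Oct/2023:10:01:05 +0000] "POST /server-info.action HTTP/1.1" 302 0',
    '10.0.0.5 - - [16/Oct/2023:10:02:10 +0000] "GET /rest/api/space HTTP/1.1" 200 4096',
    '203.0.113.7 - - [16/Oct/2023:10:02:44 +0000] "GET /server-info.action?x=1 HTTP/1.1" 200 512',
]
BASELINE_ADMINS = ["admin", "it-ops"]
CURRENT_ADMINS = ["admin", "it-ops", "supportuser9"]

if __name__ == "__main__":
    print(find_server_info_requests(SAMPLE_LOG))
    print(unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS))
```

Any hit on the endpoint from an untrusted address, and any account the baseline does not explain, should be escalated for investigation alongside patching to a fixed version.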
Vulnerabilities in Atlassian’s Confluence platform have historically been targeted by threat actors, including a hardcoded credentials bug and a remote code execution flaw, both fixed last year. In fact, a Confluence flaw from 2021 (CVE-2021-26084) remained one of the top routinely exploited vulnerabilities last year, according to CISA.