Improper Authorization in Confluence Data Center and Server (CVE-2023-22518)

At the end of October 2023, Atlassian disclosed a critical Improper Authorization vulnerability in Confluence Data Center and Server, tracked as CVE-2023-22518, and by early November exploitation in the wild had been observed. In this post we cover the details of this vulnerability and a related one disclosed the month before, their implications, and the mitigation steps needed to protect your Confluence instances.

CVE-2023-22518 affects all versions of on-premises Confluence Data Center and Server prior to the fixed releases; Atlassian Cloud sites are not affected. The flaw is an Improper Authorization issue: an unauthenticated attacker can reach the instance restore functionality, reset the Confluence instance and create a new instance administrator account. With that account the attacker has unrestricted access and can perform every action available to an instance administrator, so the confidentiality, integrity and availability of the instance and its data are fully compromised.

Atlassian, the vendor of Confluence, rated the vulnerability as critical. It was initially scored CVSS 9.1 and raised to 10.0 on 6 November 2023, after exploitation in the wild was observed, with the following vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction required, and a scope change).

Active exploitation was observed in the wild, including by ransomware operators: Trend Micro reported the Cerber ransomware exploiting CVE-2023-22518 to gain access to Confluence servers.

Mitigation: Act Swiftly & Decisively

In response, Atlassian released fixed versions: 7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1 (and later releases in each line). We strongly recommend that all customers running on-premises Confluence installations update immediately.

To secure your Confluence installation, we recommend the following steps:

  1. Update Confluence to one of the fixed versions listed above.
  2. If you cannot update immediately, apply the interim mitigations from the Atlassian advisory: take a backup of the instance, remove it from the internet until it is patched, and block access to the /json/setup-restore* endpoints at your reverse proxy, WAF or firewall.
  3. Check for the Indicators of Compromise (IoC) listed in the Atlassian advisory, especially if your Confluence application is Internet-facing: requests to /json/setup-restore* in network access logs, loss of login access to the instance, unexpected administrator accounts or members of the confluence-administrators group, and unknown installed plugins. Patching does not evict an attacker who already holds an administrator account; a compromised instance should be rebuilt or restored from a backup taken before the compromise.
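As an added example (not part of the original post, and not Atlassian's or Wallarm's tooling), the following Python script applies the access-log IoC from the Atlassian advisory: it scans reverse-proxy access logs for requests to the /json/setup-restore* endpoints and summarises them per client IP, flagging POSTs (the exploitation attempt itself) separately from GETs (reconnaissance). The combined log format, the constructed sample log lines and the EXPLOIT ATTEMPT/RECON labels are assumptions of this example.

```python
#!/usr/bin/env python3
"""Scan reverse-proxy access logs for requests to the Confluence
setup-restore endpoints abused by CVE-2023-22518 (example code)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Atlassian's interim mitigation was to block "/json/setup-restore*";
# matching on this prefix catches setup-restore.action,
# setup-restore-local.action and setup-restore-progress.action.
SETUP_RESTORE_PREFIX = "/json/setup-restore"

# Combined log format as written by nginx/Apache by default. Assumption:
# the proxy in front of Confluence logs in this format; adapt the regex
# (or point the script at the Tomcat access log) if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one exploitation sequence plus benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2023:04:12:01 +0000] "GET /json/setup-restore.action HTTP/1.1" 200 1871
203.0.113.7 - - [03/Nov/2023:04:12:04 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 302 0
203.0.113.7 - - [03/Nov/2023:04:13:10 +0000] "POST /json/setup-restore-progress.action HTTP/1.1" 200 98
198.51.100.5 - - [03/Nov/2023:08:30:00 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.5 - - [03/Nov/2023:08:30:05 +0000] "POST /dologin.action HTTP/1.1" 302 0
198.51.100.9 - - [03/Nov/2023:09:00:00 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 40021
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path_only"] = e["path"].split("?", 1)[0]  # compare the path without its query string
    return e


def is_setup_restore_request(entry):
    return entry["path_only"].startswith(SETUP_RESTORE_PREFIX)


def scan(lines):
    """Return (hits, per_ip): hits are the matching parsed entries, per_ip
    summarises request count, POST count and first/last timestamp per client."""
    hits = []
    per_ip = defaultdict(lambda: {"requests": 0, "posts": 0, "first": None, "last": None})
    for line in lines:
        e = parse_line(line)
        if e is None or not is_setup_restore_request(e):
            continue
        hits.append(e)
        s = per_ip[e["ip"]]
        s["requests"] += 1
        if e["method"] == "POST":
            s["posts"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return hits, dict(per_ip)


def report(per_ip):
    """One line per client; a POST to the endpoint is the exploitation attempt
    itself, a GET alone is at least reconnaissance and still merits a look."""
    lines = []
    for ip, s in sorted(per_ip.items(), key=lambda kv: kv[1]["posts"], reverse=True):
        verdict = "EXPLOIT ATTEMPT" if s["posts"] else "RECON"
        lines.append(f"{ip}: {s['requests']} request(s), {s['posts']} POST(s), "
                     f"{s['first']:%Y-%m-%d %H:%M:%S} .. {s['last']:%Y-%m-%d %H:%M:%S} -> {verdict}")
    return lines


if __name__ == "__main__":
    # Usage: python3 scan_setup_restore.py [access.log]; no argument scans the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            _, summary = scan(f)
    else:
        _, summary = scan(SAMPLE_LOG.splitlines())
    print("\n".join(report(summary)) or "no setup-restore requests found")
```

Any hit from outside your administrative network is worth investigating regardless of the HTTP status code returned: a 302 or 200 on the POST is consistent with the restore having been accepted, but an attacker whose first attempt failed will usually retry. Correlate the timestamps with the creation time of any unexpected administrator accounts or plugins found in the instance itself.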

Wallarm’s Virtual Patch (VPatch) For Immediate Protection

Wallarm has issued a virtual patch (VPatch) that blocks exploitation attempts against CVE-2023-22518, so Wallarm clients are protected even before the vendor patch is installed. Because new variants of the exploit may appear, we still recommend updating Confluence at the earliest opportunity rather than relying on the VPatch alone.

Also, because exploitation was observed within days of the Atlassian advisory, before many instances had been patched, attackers had a window in which to establish persistence on the server and the surrounding infrastructure. Patching closes the initial-access vector but does not remove an administrator account, plugin or web shell planted before the patch, so we highly recommend checking for the Indicators of Compromise (IoC) described above.

Broken Access Control Vulnerability (CVE-2023-22515)

In October 2023, another notable Broken Access Control vulnerability (CVE-2023-22515) was discovered in Confluence Data Center and Server, underscoring the persistence of security issues in the product. That vulnerability also allowed unauthenticated attackers to create unauthorized Confluence administrator accounts and access Confluence instances, and it too was actively exploited in the wild. Wallarm detected 1,772 exploitation attempts against it in October 2023 alone.

Conclusion: Protecting Your Digital Assets

The events surrounding these vulnerabilities highlight the perpetual attractiveness of Atlassian software, particularly Confluence and Jira, to malicious adversaries. These platforms are widely adopted for their utility as knowledge bases and bug-tracking systems, making them enticing targets. Additionally, the exposure of these systems to the internet, whether due to business needs or security misconfigurations, compounds the risk.

Shodan, the search engine for internet-connected devices, currently lists approximately 21,943 Internet-facing Confluence installations worldwide.

This abundance of potential entry points into an organization's infrastructure is a cause for concern. Attackers can use such access for ransomware deployment, financial gain or data theft, and in some cases the access itself is sold on Darknet markets, with prices varying by company size, industry, region and revenue.

In the face of these evolving threats, proactive measures, timely updates and rigorous security practices are imperative to safeguard your digital assets. Wallarm remains committed to helping you navigate the complex cybersecurity landscape and fortify your defenses against emerging vulnerabilities. Stay vigilant, stay protected, and stay ahead with Wallarm.

References

NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-22518

Vendor’s Advisory: https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

Nuclei Template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-22518.yaml

The post Improper Authorization in Confluence Data Center and Server (CVE-2023-22518) appeared first on Wallarm.