blog

Security Vulnerability of the Week 13/06/22

Weekly review of vulnerability, this week we have a lot to unpack

Previous Issues of vulnerability Weekly



This week we deep dive into Confluence RCE vulnerability, Follina exploits and weaponization, and GitLab vulnerability for account takeover.


Appsec

Atlassian Confluence & Jira

Atlassian Confluence

Beginning of June (2-june-2022) Atlassian warned of two zero days. Atlassian credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.

A new strain of ransomware is affecting and targeting both vulnerabilities  CVE-2022-26134. and reports on Atlassian support confirm files are getting locked and encrypted.

Several attempts since weaponization have been seen (source Graynoise)

Credit Graynoise

https://viz.greynoise.io/tag/atlassian-confluence-server-cve-2022-26134-ognl-injection-attempt?days=3

Currently, Atlassian tracks the vulnerability: https://confluence.atlassian.com/doc/confluence-securitydvisory-2022-06-02-1130377146.html with the available workaround

Both Confluence Server and Data Center are affected by an injection that allows an unauthenticated attacker to execute random code (RCE and Injection)

The affected versions are
from 1.3.0 before 7.4.17,
from 7.13.0 before 7.13.7,
from 7.14.0 before 7.14.3,
from 7.15.0 before 7.15.2,
from 7.16.0 before 7.16.4,
from 7.17.0 before 7.17.4,
and from 7.18.0 before 7.18.1.
CVE Database/ Atlassian

Atlassian has been hit by another critical vulnerability in April with a rating of 9.9: https://appsecphoenix.com/svw-2022-04-25/

Also, another variant of the vulnerability Currently Tracked as CVE-2021-26084, CVSS score: 9.8

As the two vulnerabilities are highly exploitable if there are server exposed with authentication is important to patch them

Both vulnerabilities are affected by the Object-graph Navigation Language (OGNL) injection.

Both vulnerabilities is currently high in dangerousness as there are multiple exploits available in the wild: https://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html

https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html

An example of the payload :

curl -v http://localhost:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/pwned%22%29%7D/

This is just an encoding for an OGNL expression including java.lang.Runtime to execute a system command: touch /tmp/pwned.COPY

{@java.lang.Runtime@getRuntime().exec(“touch /tmp/pwned”)}

Current Version of Atlassian Vulnerable on the web

According to stats from internet asset discovery platform Censys, there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with most instances located in the U.S., China, Germany, Russia, and France.

For a live dashboard: https://datastudio.google.com/u/0/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides adding the zero-day bug to its Known Exploited Vulnerabilities Catalog, has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.

Fix

Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.

Mitigation

If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating the following files for the specific version of the product.

More details on the various version in the advisory:

https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2022-06-02

GitLab

A bit dwarfed by the Atlassian vulnerability above GitLab had a serious authentication issue affecting all all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

CVE-2022-1680, the issue has a CVSS severity score of 9.9

The vulnerability was discovered by the internal security team: https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1680.json

Official Advisory:

“When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users’ email addresses via SCIM to an attacker-controlled email address and thus — in the absence of 2FA — take over those accounts,” GitLab said.

Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its advisory published on June 1, 2022.

FIX

it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.


INFRA/Network

MAC Hardware Vulnerability

Credit Techspot

A new hardware attack targeting the novel M1 Processor has been recently demonstrated. The attacker can execute arbitrary code on the affected Mac OS

The vulnerability is rooted in pointer authentication codes (PACs), a line of defence introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

the paper’s lead co-author Ph.D. student Joseph Ravichandran on the processor vulnerability: The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defence isn’t as absolute as we once thought it was

https://pacmanattack.com/paper.pdf

Like other vulnerabilities (like spectre) the vulnerability is difficult to replicate. As for spectre the vulnerability fix might lead more likely to the exclusion of the corruptable area so steps in the future to mitigate the vulnerability needs to be carefully considered.

An example of the pointer leak:

The researcher have used the vulnerability for kernel-based attacks but remains very speculative and no weaponization seen in the wild.

Apple said in a statement shared with The Hacker News, pointing out PACMAN’s diminished potential for in-the-wild exploitation.

The researchers do say there is “no immediate call for alarm” because there needs to be a myriad of other breakages in order to for this ‘last line of defence’ to be cracked. The researchers presented their findings to Apple, who responded with a statement to TechCrunch.

Windows – Follina

The vulnerability CVE-2022-30190 (CVSS score: 7.8) has currently no fix available. Currently Tracked in https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190

The discovery from the  Japanese cybersecurity research team nao_sec started when they discovered a malicious Word file uploaded to VirusTotal from the Belarusian IP address.

The vulnerability exploit get triggered by chaining an HTML file from a remote template that leads to running malicious Powershell code.

The situation is more dangerous as the code is run via the MSDT tool normally run by the support desk to diagnose issues.

Remediation/ workaround

There is still no available patch the step to fix this are:

  • To disable the MSDT URL Protocol (modify the register: reg export HKEY_CLASSES_ROOT\ms-msdt filename)

For additional workaround: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Increase dangerousness

Microsoft Defender for Endpoint hasn’t been able to detect the flaw according to the research by Kevin Beaumont who gave a name to this new Microsoft Office code execution vulnerability.

Nonetheless, the following signatures have been released

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
  • Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
  • Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)

Follina in the Wild:

Researchers have seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

New recent detection have detected potential state sponsor attacks: Follina –

More than 1000 spam email have been recently seen,.

“This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.

the campaign follows a recent attack

Dog Walk Follina extended attack

Despite the fact that an unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), the following flaws continue to get exploited in the wild.

The DOGWALK vulnerability leverage a startup folder exploit. The vulnerability get exploited at when the payload is launched at next user login

DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.

Following some example of virtual patching of this vulnerability

Previous Issues of vulnerability Weekly


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

November brings a new release of the platform; as most of the features will be released in v3 we are providing a preview of what’s to come
aeappsecphoenix-com
What is the real cost of manual vulnerability management? in this snapshot we analyse the size of the problem and the requirement for a better and more automated approach
Francesco Cipollone
AppSec Phoenix, the leader in ASOC, pioneering the cloud security and application security relationship, was selected amongst thousands of startups and the only one in cybersecurity as a finalist for the prestigious world communication awards. AppSec Phoenix’s Francesco Cipollone, pioneering the cloud security and application security relationship, was selected as a finalist for the innovator of the year award.
Francesco Cipollone
Francesco Cipollone dreamed of creating an organizations that helps all security professionals love back the work on vulnerability management and application security. AppSec Phoenix’s Francesco Cipollone, pioneering the cloud security and application security relationship, was selected as a finalist for the innovator of the year award.
Francesco Cipollone

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: Shield Security
This Site Is Protected By
Shield Security