Atlassian, maker of software development and collaboration tools, has issued a warning about a dangerous zero-day in its collaboration software.
There's no bug warning visible on the company's main web page, which features its most popular tools, Jira (an IT ticketing system) and Trello (a discussion board), but you'll find a Confluence Security Advisory 2022-06-02 on the Confluence sub-site.
The official bug number is CVE-2022-26134.
The bug was found by US threat response company Volexity, which says it uncovered the vulnerability during an in-the-wild investigation that "included JSP webshells being written to disk".
Webshells revisited
You'll remember webshells, no doubt, because they were all over the news more than a year ago in the so-called Hafnium attack carried out by Chinese hackers against Microsoft Exchange Server in March 2021.
A webshell is a sneaky way of opening a backdoor onto a network, using an attack that sometimes requires nothing more of the attackers than writing a small file into the part of a web server where its content is stored.
In the 1990s, hackers who got write access to your website would probably have gone for the in-your-face approach of adding flaming skulls to your home page, instantly drawing public attention to the break-in.
But by adding a web page that contains what's known as a server-side script, today's attackers can give themselves a secret way into your network without drawing attention to themselves.
That's because many web servers don't just serve up static files that are sent to remote users when they put in the right URL.
Instead, web servers often rely on files that, when requested by a user, are executed as programs by a scripting engine inside the web server and used to generate the content that gets sent back.
If that sounds dangerous, it's usually considered a feature, not a bug.
In fact, server-side scripting is the backbone of technologies such as Microsoft's ASP (Active Server Pages, the name says it all!) and Java's JSP (Jakarta Server Pages).
As Wikipedia puts it:
JSP […] is a collection of technologies that helps software developers create dynamically generated web pages based on HTML [and] other document types.
Webshells can be as simple as a line of code that performs a three-step process like this:
- Extract text from the URL or the body of the incoming web request.
- Run the extracted text itself as a script.
- Send the output of the rogue script back as the reply.
A webshell doesn't even need to contain any specific malware code of its own.
As long as the attackers can control (or even guess) the name of their implanted webshell file, they can simply visit the server URL corresponding to that file whenever they like … and upload fresh malware code for immediate execution each time.
Of course, this kind of "run whatever you want, whenever you want" backdoor leaves behind artefacts that the attacker can't easily control and that threat hunters can look for, such as unexpected error messages, unusual network connections or unexpected web-related processes showing up on the web server.
But those artefacts only show up as side-effects of malicious activity that has already taken place, so the attackers stay one step ahead until someone notices something.
What happened?
As you can imagine, Atlassian isn't giving out any specific information about the bug at the moment, because it's still working on a fix.
Fortunately, although Volexity decided to blog publicly about the security hole rather than disclosing it privately to Atlassian and giving the company a few days to fix it quietly, both sides seem to have kept enough details secret that we aren't aware of any "here's how you do it, folks!" sample code floating around right now.
Atlassian advises customers who can pre-filter incoming web data to look for URLs with ${ in them, saying that blocking those "may reduce your risk".
This makes the bug sound a bit like the infamous Log4Shell hole from late 2021, where text that was supposed to be logged wasn't actually logged as written if it contained special commands wrapped in ${....} characters.
If you've ever used the Bash shell, you'll be familiar with this sort of "metacommand". In Bash, the magic brackets are round, not squiggly, so the text $(runthis) isn't used exactly as written, but is instead replaced by the output generated by running the runthis command, which is a very different and much more dangerous thing.
So we're assuming that the bug is in the Atlassian code that processes the "query" part of URLs that don't just have a server name and a file name, but are followed by some sort of query string, usually introduced by a question mark (?).
The funny thing is that the characters { and } aren't supposed to appear in URLs at all, and are instead meant to be sent as special hexadecimal "escape codes", showing up as %7B and %7D respectively.
Whether this bug depends on malicious URL characters being sent unescaped, or whether you need to check for ${ after your web server has "unescaped" the URL, isn't yet clear.
So, if you're going to add a temporary URL filter, we recommend looking for the { character in both its raw and escaped forms, just in case.
What to do?
Atlassian has rated this bug Critical and says it expects to have a patch out at an "estimated time [of] EOD June 3 PDT", which is at the same time reassuring but vague and redundant.
(The term EOD is vague in its own right, and doesn't need the word "estimated" in front of it.)
Remember that EOD means end of day, so it could be as late as one minute to midnight, i.e. 2022-06-03T23:59 UTC-7 (where PDT is short for Pacific Daylight Time, used in June on the west coast of the United States), which is 2022-06-04T06:59 Zulu time, or 8am on Saturday in the UK and 9am in Western Europe.
In other words, be prepared to stay up late or get up early, because you'll want to grab the patch as soon as you can.
That's because we're assuming the patch will reveal the nature of the bug and how it can be exploited, so proof-of-concept code and real attacks will probably soon follow.
In the meantime:
- Take your Confluence servers offline temporarily, if that's an option.
- Block direct access to your servers from the internet, if you can.
- Also consider blocking URLs with ${ in them, if you have a quick way to add a basic filter.
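As an added example (not code from the original article, from Atlassian or from Volexity), here is a small Python pre-filter that looks for ${ in request URLs in raw, escaped and double-escaped forms, as recommended above, and runs it over some constructed access-log lines; the log format, hosts and paths are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# "$" and "{" in raw or percent-escaped form (hex digits in either case).
_SUSPICIOUS = re.compile(r"(?:\$|%24)(?:\{|%7b)", re.IGNORECASE)

def is_suspicious_target(target: str, max_decode_rounds: int = 3) -> bool:
    """True if the request target (path + query) contains "${" literally,
    percent-escaped, or after up to max_decode_rounds of percent-decoding
    (so a double-escaped %2524%257B is caught as well)."""
    candidate = target
    for _ in range(max_decode_rounds):
        if _SUSPICIOUS.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:  # nothing left to decode
            break
        candidate = decoded
    return bool(_SUSPICIOUS.search(candidate))

# Apache/nginx-style combined log line: ... "METHOD target HTTP/x.y" ...
_REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_targets(log_lines):
    """Return the request targets from access-log lines that the filter flags."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if m and is_suspicious_target(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2022:10:00:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '203.0.113.6 - - [03/Jun/2022:10:00:02 +0000] "GET /${x}/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0',
    '203.0.113.8 - - [03/Jun/2022:10:00:04 +0000] "GET /%2524%257Bx%257D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [03/Jun/2022:10:00:05 +0000] "GET /display/DOCS/Price+%7Busd%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for t in suspicious_targets(SAMPLE_LOG):
        print("flagged:", t)
```

The last sample line shows why the filter keys on the ${ pair rather than on { alone: an escaped brace without a preceding dollar sign is left alone, which keeps the stop-gap from blocking ordinary page names.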