Ivanti and Atlassian Have to Contend With Critical Vulnerabilities


A difficult week for Ivanti and Atlassian: the two companies have disclosed two critical vulnerabilities affecting their products, Standalone Sentry and Bamboo Data Center and Server respectively.

Ivanti Standalone Sentry is an appliance that acts as a gateway between devices and e-mail servers or ActiveSync-enabled backend resources. The bug in question, tracked as CVE-2023-41724, allows an unauthenticated attacker to execute arbitrary commands on the appliance's operating system and take control of it.

The vulnerability has a score of 9.6 out of 10 and affects versions 9.17.0, 9.18.0 and 9.19.0 and all earlier versions. The company has released a patch and urged its customers to install it as soon as possible, given the severity of the situation.

Ivanti stated that it is currently not aware of any attacks exploiting the vulnerability. The bug was identified by the company's security team in late 2023 but was disclosed only now, after the fixes had been published.


Ivanti is not the only one suffering from a critical vulnerability: Atlassian has also discovered a critical bug (score of 10 out of 10) in Bamboo Data Center and Server, its continuous delivery pipeline.

The bug, CVE-2024-1597, allows an unauthenticated attacker to expose sensitive assets in the environment and make them vulnerable to attack, impacting the confidentiality, integrity and availability of data. Making matters worse, no user interaction is required to exploit the vulnerability.

The flaw lies in the org.postgresql:postgresql dependency and affects versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0 and 9.5.0 of the suite. Atlassian has released a patch for the vulnerability, available in versions 9.6.0 (LTS), 9.5.2, 9.4.4 and 9.2.12 (LTS) of Bamboo Data Center and Server.

Atlassian specified that the bug affects only Bamboo, while its other Data Center products are not vulnerable. Since there are no workarounds for the problem, the company has urged all its users to update the software as soon as possible.



https://www.securityinfo.it/2024/03/21/ivanti-e-atlassian-devono-vedersela-con-vulnerabilita-critiche/?utm_source=rss&utm_medium=rss&utm_campaign=ivanti-e-atlassian-devono-vedersela-con-vulnerabilita-critiche




Atlassian Issues Second Warning on Potential Exploitation of Critical Confluence Flaw 

Atlassian warns that ‘critical information’ released on the Confluence bug CVE-2023-22518 increases the risk of exploitation.


https://www.securityweek.com/atlassian-issues-second-warning-on-potential-exploitation-of-critical-confluence-flaw/




US Gov Expects Widespread Exploitation of Atlassian Confluence Vulnerability

US cybersecurity agency CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warn organizations of potential widespread exploitation of a recent zero-day vulnerability in Atlassian Confluence Data Center and Server.

Tracked as CVE-2023-22515 (CVSS score of 9.8), the bug has been exploited by a nation-state threat actor since September 14, roughly two weeks before Atlassian released patches for it.

Remotely exploitable without authentication, the flaw is described as a broken access control issue leading to privilege escalation. The issue impacts on-premises Confluence instances only.

“This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts,” CISA, FBI, and MS-ISAC note in an advisory (PDF).

Because it allows threat actors to modify critical configuration settings, the flaw may be used for more malicious actions than the creation of administrative accounts, the advisory reads. 

“Threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint,” the three agencies say.

CISA added CVE-2023-22515 to its Known Exploited Vulnerabilities catalog on October 5 and warns that, following the publication of proof-of-concept (PoC) exploit code, multiple threat actors have started targeting the flaw in attacks.


“Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks,” the advisory continues.

The vulnerability impacts Confluence Data Center and Server versions 8.0.0 to 8.5.1 and has been addressed with the release of versions 8.3.3, 8.4.3, and 8.5.2 of the product.

Organizations with internet-accessible Confluence Data Center and Server instances are advised to update to a patched release as soon as possible. They should also consider restricting network access until the updates are applied.

In their advisory, CISA, FBI, and MS-ISAC have included details on the exploitation of CVE-2023-22515, as well as indicators-of-compromise (IoCs) to help organizations hunt for malicious activity associated with the bug’s exploitation.

“CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs),” the US gov agencies note.


https://www.securityweek.com/us-gov-expects-widespread-exploitation-of-atlassian-confluence-vulnerability/




A Chinese APT Group Exploited a Critical Atlassian Confluence Vulnerability


Researchers at Microsoft Threat Intelligence have detected exploitation of a critical vulnerability in Atlassian Confluence Center and Confluence Server by Storm-0062. The security team announced it in a series of posts on X, explaining that the group began exploiting the bug in mid-September.

The vulnerability (CVE-2023-25515) is rated critical and allows an attacker to create administrator accounts in order to access Confluence instances and steal sensitive information. Atlassian confirmed that some of its customers were hit by the group, but did not specify the actual extent of the attacks.

The bug affects versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.1, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 8.4.1, 8.4.2 and 8.5.1 of the instances. All versions prior to 8.0.0 are not vulnerable.


Storm-0062

Behind the attacks on Atlassian customers is Storm-0062, a Chinese APT group acting in the interests of the government. The group is also known as DarkShadow and Oro0lxy. Rather than a "group", it is more accurate to speak of a "duo", since Storm-0062 consists of only two people, Li Xiaoyu and Dong Jiazhi.

The two have been active for many years, since at least 2009 according to DarkReading. The duo was investigated by the US Department of Justice in 2020 for probing for vulnerabilities in the networks of companies that were developing COVID-19 vaccines and studying new treatments for the virus.

Atlassian has already released the security patch for the vulnerability and urged users to install it as soon as possible. The non-vulnerable versions are 8.3.3 and later, 8.4.3 and later, and 8.5.2 and later. If it is not possible to update instances immediately, it is advisable to isolate them from public networks until the fix has been applied.



https://www.securityinfo.it/2023/10/13/un-gruppo-apt-cinese-ha-sfruttato-una-vulnerabilita-critica-di-atlassian-confluence/?utm_source=rss&utm_medium=rss&utm_campaign=un-gruppo-apt-cinese-ha-sfruttato-una-vulnerabilita-critica-di-atlassian-confluence




Microsoft Blames Nation-State Threat Actor for Confluence Zero-Day Attacks

Researchers at Microsoft say a known nation-state threat actor is behind the zero-day exploits hitting Atlassian’s Confluence Data Center and Server products.

A note from Redmond linked the ongoing attacks to an APT group tracked as Storm-0062 and warned that malicious activity dates back to September 14, a full three weeks before Atlassian’s public disclosure of the issue.

“Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy,” the company said.

According to SecurityWeek sources, the Storm-0062 hacking team has been observed conducting cyberespionage operations for China’s Ministry of State Security, a state intelligence agency.

Microsoft shared four IP addresses that were seen sending related exploit traffic targeting the critical CVE-2023-22515 privilege escalation vulnerability. 

“Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application,” Microsoft said, confirming earlier warnings from Atlassian that patches should be applied with urgency.

“Organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later. Organizations should isolate vulnerable Confluence applications from the public internet until they are able to upgrade them,” the company added.


Atlassian updated its own advisory to confirm it has evidence that a known nation-state actor is actively exploiting the bug.

On October 4, Atlassian rushed out an urgent patch for the issue alongside a notice that “a handful of customers” were hit by remote exploits.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the Australian company said.

The vulnerability, tracked as CVE-2023-22515, is described as a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Confluence Data Center.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. “If an instance has already been compromised, upgrading will not remove the compromise.”

Atlassian published an FAQ urging business users to immediately check all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

“If it is determined that your instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system,” Atlassian added.

Security problems in Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors. In CISA’s KEV (Known Exploited Vulnerabilities) catalog, there are six distinct Confluence vulnerabilities marked for urgent attention.


https://www.securityweek.com/microsoft-blames-nation-state-threat-actor-for-confluence-zero-day-attacks/




Atlassian Ships Urgent Patch for Exploited Confluence Zero-Day

Business software maker Atlassian on Wednesday called immediate attention to a major security defect in its Confluence Data Center and Server products and warned that the issue has already been exploited as zero-day in the wild.

An urgent advisory from Atlassian confirms that “a handful of customers” were hit by exploits targeting a remotely exploitable flaw in Confluence Data Center and Server instances.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the Australian company said.

The vulnerability, tracked as CVE-2023-22515, is described as a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Confluence Data Center.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. “If an instance has already been compromised, upgrading will not remove the compromise.”

The company said Atlassian Cloud sites are not vulnerable to this issue.

Security vendor Rapid7 is underscoring the urgency for businesses to apply available patches and mitigations.


“Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself,” Rapid7’s Caitlin Condon said. 

Atlassian has published an FAQ urging business users to immediately check all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
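
The indicator list above (published by Atlassian and repeated in both SecurityWeek pieces) and the CISA description of the unauthenticated /server-info.action request followed by /setup/setupadministrator.action can be turned into a simple triage script. The following is an added example, not code from Atlassian, CISA or SecurityWeek: it runs over constructed access-log lines in Tomcat combined format and constructed lines standing in for atlassian-confluence-security.log (the exact message format of that log is an assumption), and compares the current confluence-administrator membership against an approved baseline supplied by the operator.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Tomcat combined format); not taken from any advisory.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Oct/2023:10:15:01 +0000] "GET /server-info.action HTTP/1.1" 302 0 "-" "curl/8.1"
203.0.113.10 - - [02/Oct/2023:10:15:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 1532 "-" "curl/8.1"
198.51.100.7 - alice [02/Oct/2023:10:16:44 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8712 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Oct/2023:10:17:09 +0000] "GET /setup/finishsetup.action?x=1 HTTP/1.1" 200 411 "-" "curl/8.1"
"""

# Constructed stand-in for atlassian-confluence-security.log; the message wording is illustrative.
SAMPLE_SECURITY_LOG = """\
2023-10-02 10:14:58,002 INFO [http-nio-8090-exec-3] login succeeded for user 'alice' from 198.51.100.7
2023-10-02 10:15:03,118 ERROR [http-nio-8090-exec-5] java.lang.IllegalStateException: unexpected request to /setup/setupadministrator.action after setup completed
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def is_setup_action(path):
    # The advisory's "/setup/*.action" pattern, applied to the path without its query string.
    return path.startswith("/setup/") and path.endswith(".action")


def find_setup_requests(access_log):
    """Indicator: any request to /setup/*.action in the access log."""
    hits = []
    for line in access_log.splitlines():
        rec = parse_access_line(line)
        if rec and is_setup_action(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def find_server_info_requests(access_log):
    """Context: the unauthenticated /server-info.action request CISA describes as the trigger."""
    return [(rec["ip"], rec["ts"])
            for rec in map(parse_access_line, access_log.splitlines())
            if rec and rec["path"] == "/server-info.action"]


def find_setupadministrator_exceptions(security_log):
    """Indicator: /setup/setupadministrator.action appearing in an exception message."""
    needle = "/setup/setupadministrator.action"
    return [ln for ln in security_log.splitlines() if needle in ln]


def unexpected_admins(current_members, approved_members):
    """Indicator: members of confluence-administrator that are not on the approved baseline."""
    return sorted(set(current_members) - set(approved_members))


def triage(access_log, security_log, current_admins, approved_admins):
    """Collect all findings; 'suspicious' is True if any indicator fired."""
    findings = {
        "setup_requests": find_setup_requests(access_log),
        "server_info_requests": find_server_info_requests(access_log),
        "security_log_hits": find_setupadministrator_exceptions(security_log),
        "unexpected_admins": unexpected_admins(current_admins, approved_admins),
    }
    findings["suspicious"] = any(
        findings[k] for k in ("setup_requests", "security_log_hits", "unexpected_admins"))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG, ["admin", "svc_backup"], ["admin"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

A /server-info.action request on its own is normal traffic, so it is reported as context rather than counted toward the verdict; the /setup/*.action requests, the exception-message hit and the unexpected administrator are the three signals Atlassian lists, and any one of them should prompt the shutdown-and-isolate response described in the advisory rather than an upgrade alone.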

“If it is determined that your instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system,” Atlassian added.

Security problems in Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors. In CISA’s KEV (Known Exploited Vulnerabilities) catalog, there are six distinct Confluence vulnerabilities marked for urgent attention.


https://www.securityweek.com/atlassian-ships-urgent-patch-for-exploited-confluence-zero-day/




Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo

Atlassian has released patches for two remote code execution (RCE) vulnerabilities in Confluence Data Center and Server and another in Bamboo Data Center.

The most severe of these issues, tracked as CVE-2023-22508 (CVSS score of 8.5), was introduced in Confluence version 7.4.0. The second bug, tracked as CVE-2023-22505 (CVSS score of 8.0), was introduced in Confluence version 8.0.0.

Exploitation of both vulnerabilities could allow an attacker to execute arbitrary code with impact on confidentiality, integrity, and availability. No user interaction is required for exploitation, but the attacker needs to be authenticated as a valid user.

Both flaws were addressed with the release of Confluence versions 8.3.2 and 8.4.0. Customers unable to upgrade to one of these versions should at least update to version 8.2.0, which patches CVE-2023-22508.

According to Atlassian, both vulnerabilities were discovered by private users and reported via the company’s bug bounty program.

The company also announced patches for CVE-2023-22506 (CVSS score of 7.5), a high-severity RCE bug in Bamboo Data Center. Introduced in version 8.0.0 of Bamboo, the vulnerability was addressed in versions 9.2.3 and 9.3.1 of the enterprise solution.

“This injection and RCE vulnerability allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction,” Atlassian explains.


Atlassian notes in its advisory that the newly discovered flaws are the result of an expanded scope of its vulnerability disclosure policies, previously focused on first-party, critical-severity bugs.

“While this change results in an increase of visibility and disclosures, it does not mean there are more vulnerabilities. Rather, that we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products,” the company says.

Users and administrators are encouraged to apply the available patches as soon as possible. Successful exploitation of these bugs could lead to system takeover, the US Cybersecurity and Infrastructure Security Agency (CISA) notes.

Atlassian makes no mention of any of these issues being exploited in attacks.


https://www.securityweek.com/atlassian-patches-remote-code-execution-vulnerabilities-in-confluence-bamboo/




Hardcoded password in Confluence app has been leaked on Twitter


What’s worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.

Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was “trivial to obtain.”

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,” the company said. “It is important to remediate this vulnerability on affected systems immediately.”

A day later, Atlassian was back to report that “an external party has discovered and publicly disclosed the hardcoded password on Twitter,” leading the company to ratchet up its warnings.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” the updated advisory read. “This vulnerability should be remediated on affected systems immediately.”

The company warned that even when Confluence installations don’t actively have the app installed, they may still be vulnerable. Uninstalling the app doesn’t automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system.

To figure out if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

Atlassian provided more instructions for locating such accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian provided two ways for customers to fix the issue: disable or remove the “disabledsystemuser” account. The company has also published this list of answers to frequently asked questions.

Confluence users looking for exploitation evidence can check the last authentication time for disabledsystemuser using the instructions here. If the result is null, the account exists on the system, but no one has yet signed in using it. The commands also show any recent login attempts that were successful or unsuccessful.
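
The account search and the last-authentication check described in the two paragraphs above can be scripted against an exported user list. The following is an added example, not Atlassian's own instructions or tooling: it reads a constructed CSV export whose column names (username, email, active, last_authenticated) are an assumption, matches on either the username or the e-mail address the advisory lists, and distinguishes the three states a defender cares about, including the null last-authentication case the text calls out.

```python
import csv
import io

# Constructed CSV export of Confluence user records; the column layout is illustrative.
SAMPLE_USER_EXPORT = """\
username,full_name,email,active,last_authenticated
alice,Alice Example,alice@example.com,true,2023-10-02T10:14:58Z
DisabledSystemUser,disabledsystemuser,dontdeletethisuser@email.com,true,
bob,Bob Example,bob@example.com,false,2023-09-30T08:00:00Z
"""

# Identifiers from the Atlassian advisory for the account created by Questions for Confluence.
LEAKED_USERNAME = "disabledsystemuser"
LEAKED_EMAIL = "dontdeletethisuser@email.com"


def load_users(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def matches_leaked_account(user):
    # Match on either identifier, case-insensitively, so a renamed display name does not hide it.
    username = (user.get("username") or "").strip().lower()
    email = (user.get("email") or "").strip().lower()
    return username == LEAKED_USERNAME or email == LEAKED_EMAIL


def assess_leaked_account(users):
    """Return ("absent", None), ("present_never_used", row) or ("present_used", row).

    A null/empty last_authenticated means the account exists but nobody has signed in with it.
    """
    for user in users:
        if matches_leaked_account(user):
            last_auth = (user.get("last_authenticated") or "").strip()
            if not last_auth:
                return "present_never_used", user
            return "present_used", user
    return "absent", None


def recommended_action(status):
    """Map the assessment to the remediation the advisory gives (disable or remove the account)."""
    if status == "absent":
        return "no action: account not present"
    if status == "present_never_used":
        return "disable or remove the account (uninstalling the app does not remove it)"
    return "disable or remove the account and review its login history for unauthorized access"


if __name__ == "__main__":
    status, row = assess_leaked_account(load_users(SAMPLE_USER_EXPORT))
    print(status, row["username"] if row else "-", "->", recommended_action(status))
```

Note that the check is needed even on instances where the app has since been uninstalled, as the article explains, and that a non-null last-authentication time is a sign-in to investigate rather than proof of compromise on its own.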

“Now that the patches are out, one can expect patch diff and reversing engineering efforts to produce a public POC in a fairly short time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should get on to patching public-facing products immediately, and those behind the firewall as quickly as possible. The comments in the advisory recommending against proxy filtering as mitigation suggest that there are multiple trigger pathways.”

The other two vulnerabilities Atlassian disclosed on Wednesday are also serious, affecting the following products:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • Fisheye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities make it possible for remote, unauthenticated hackers to bypass Servlet Filters used by first- and third-party apps.

“The impact depends on which filters are used by each app, and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability but has not exhaustively enumerated all potential consequences of this vulnerability.”

Vulnerable Confluence servers have long been a favorite opening for hackers looking to install ransomware, cryptominers, and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that admins should prioritize a thorough review of their systems, ideally before the weekend starts.

https://arstechnica.com/?p=1868878




Bug in Atlassian Systems: the Risk Is a Supply Chain Attack


The vulnerability would have allowed the Australian developer's entire ecosystem to be breached, with cascading consequences for thousands of leading companies.

A series of security flaws that could have led to a kind of "cyber apocalypse" similar to the one in which SolarWinds was the protagonist.

The narrowly averted danger was reported by Check Point, which yesterday published a report describing the bugs that put at risk the integrity of the systems of Atlassian, an Australian company specialising in distributing software solutions for developers.

The affected product, the security firm's researchers explain, is Jira, a project management and bug tracking platform used by more than 180,000 users, including real giants operating in various sectors, such as the Apache Software Foundation, Cisco, Fedora Commons, Hibernate, Pfizer and Visa.

According to the document, the bugs in Jira could have been exploited in an exploit chain that would have allowed an account to be compromised with a single click.

That is not all: the bugs identified by the researchers also concern another Atlassian platform, Confluence, which is used by organisations of the calibre of LinkedIn and NASA.

In short: according to Check Point, exploitation of the exploits in question would have made it possible to launch a supply chain attack entirely similar to the one that swept over hundreds of companies in the SolarWinds case.

Fortunately, things went differently this time. The security firm's report allowed Atlassian to fix the vulnerabilities and secure its platforms against possible attacks based on the techniques identified by the researchers.



https://www.securityinfo.it/2021/06/25/bug-nei-sistemi-atlassian-il-rischio-e-un-attacco-supply-chain/?utm_source=rss&utm_medium=rss&utm_campaign=bug-nei-sistemi-atlassian-il-rischio-e-un-attacco-supply-chain