CVE-2019-3396: Vulnerabilidade no conector Confluence Widget da Atlassian explorada na natureza
Attackers are targeting vulnerable Confluence instances after company published a fix for the vulnerability back in March 2019.
Contexto
On March 20, Atlassian published a Confluence Security Advisory to announce fixes for two vulnerabilities, CVE-2019-3395 and CVE-2019-3396.
CVE-2019-3395 is a critical server-side request forgery (SSRF) vulnerability in the WebDAV plugin in Confluence Server and Data Center versions released before June 18, 2018.
CVE-2019-3396 is a critical server-side template injection vulnerability in Confluence Server and Data Center Widget Connector that could lead to path traversal and remote code execution.
In the weeks since the publication of the advisory, attackers have been probing for and exploiting CVE-2019-3396 on vulnerable systems.
Análise
On April 23, AlertLogic published a blog about attackers exploiting CVE-2019-3396 to install GandCrab ransomware. GandCrab was first spotted in January 2018 and distributed through the RIG and GrandSoft exploit kits. GandCrab has also been distributed through malicious spam emails.
On April 26, Trend Micro published a blog about the AESDDoS botnet leveraging CVE-2019-3396 to infect systems and launch distributed denial of service (DDoS) attacks against other hosts and even use the infected systems for cryptocurrency mining.
Prova de conceito
Following Atlassian’s advisory for these vulnerabilities in March, proof-of-concept code began to appear throughout the early part of April [1, 2, 3, 4]. Soon after, in-the-wild attacks began.
Solução
Atlassian recommends upgrading to the latest version of Confluence, which is 6.15.1 at the time of publication.
- For users of 6.12.x versions prior to 6.12.3, upgrade to 6.12.3 or later and 6.14.x versions prior to 6.14.2, upgrade to 6.14.2 or later.
- For users of enterprise release versions 6.6.x prior to 6.6.12, upgrade to 6.6.12 or later and 6.13.x versions prior to 6.13.3, upgrade to 6.13.3 or later.
- For users of older versions from 1.x.x through 5.x.x and versions 6.0.x through 6.11.x, Atlassian recommends upgrading to 6.14.2, 6.13.3 or 6.6.12.
Identificação de sistemas afetados
A list of Nessus plugins to identify these vulnerabilities can be found here.
Below is a sample scan output for CVE-2019-3396.
Obtenha mais informações
- Confluence Security Advisory - 2019-03-20
- Active Exploitation of CVE-2019-3396 Dropping Gandcrab Ransomware
- Trend Micro Blog on AESDDoS Botnet Malware
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Artigos relacionados
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
July 20, 2022Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning