Introduction
On October 4th, Atlassian disclosed a zero-day vulnerability affecting Confluence Server and Confluence Data Center, which allows a remote, unauthenticated user to create administrator accounts on the vulnerable Confluence instance. At the time of disclosure, the vulnerability was already being actively exploited by a nation-state threat actor, with attacks dating back as early as September 14th, as stated in this report from Microsoft.
The vulnerability, tracked as CVE-2023-22515, received the highest possible CVSS score of 10.0, rating it as ‘critical’. Initially, the attack vector was classified as Privilege Escalation, but Atlassian soon updated it to Broken Access Control.
An attacker can exploit CVE-2023-22515 to reactivate the setup phase of the Confluence instance and then leverage this to create an additional administrator account with credentials of their own choosing. No prior knowledge is needed to execute this attack.
Presenting CVE-2023-22515 attack stages
When looking at the attack, three different stages can be distinguished:
Stage 1: Change the completion status of the configuration to ‘false’
When an attacker tries to access the setup page of any given Confluence instance (‘https://<confluence-domain>.atlassian.net/setup’), they will get the following message:
Figure 1: Setup already complete (Source: Senthorus)
So, in order to start the attack, the attacker needs to send a GET request containing the following payload to the ‘/server-info.action’ endpoint:
bootstrapStatusProvider.applicationConfig.setupComplete=false
Explaining the payload in detail is out of scope. For a deep explanation, please refer to this blog article from Qualys. However, we can note that the attacker is able to manipulate the state of the ‘setupComplete’ attribute without having to authenticate as an administrator, which should not be possible.
After successful execution of the payload, the server will respond with a ‘success’ message confirming it is operational and that the configuration phase is now recognized as incomplete, which allows the attacker to proceed to the second stage of the attack.
Figure 2: Server response after successful execution of the payload
Stage 2: Accessing the ‘setupadministrator’ endpoint
Now that the setup phase status is marked as incomplete, the next step for the attacker is to access the ‘setupadministrator’ endpoint to add an additional admin account. The payload for this looks as follows:
http://10.10.41.49:8090/setup/setupadministrator-start.action
But it is not as easy as sending a simple POST request. Trying this, the attacker will receive a 403 Forbidden response with the following message: ‘Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page.’
In order to bypass this, the attacker will have to add the following header to his request:
X-Atlassian-Token: no-check
Including this header, the attacker is now able to create a new administrator account!
Figure 3: Accessing the administrator configuration page (Source: Senthorus)
Stage 3: Finishing the Setup
To successfully exit the setup, the attacker proceeds with another POST request to the ‘/setup/finishsetup.action’ endpoint.
Afterwards, the attacker can log in with the freshly created administrator account and now possesses full control over the Confluence instance.
The presented attack stages show the manual steps required for successful exploitation. The following GitHub page provides a completely automated exploit. However, it is very important to use the exploit ethically and only with permission.
If you want to try the exploit yourself in a safe environment, you can check out this TryHackMe room.
Impact
By having full access to all resources on Confluence, an attacker can modify, delete, and exfiltrate data at will, impacting the Confidentiality, Integrity, and Availability of the data. This poses a huge potential impact on any organization using Confluence; hence, it is highly recommended to patch the vulnerable versions as soon as possible.
Defending against CVE-2023-22515?
CVE-2023-22515 was exploited as a zero-day, which left system administrators no time to prepare; actions must be taken with the highest priority.
Affected versions
Atlassian reported the following versions of Confluence Data Center and Server as vulnerable:
Figure 4: Affected Versions of Confluence Data Center and Server (Source: Atlassian)
Versions prior to 8.0 are not affected by this vulnerability.
Cloud Instances are also not vulnerable to this issue, as they are hosted by Atlassian (note: Cloud Instances are accessed via an atlassian.net domain).
How to mitigate the vulnerability?
Permanent mitigation
Affected organizations should upgrade to one of the following fixed versions (or any later version) as soon as possible.
Figure 5: Fixed versions of Confluence (Source: Atlassian)
Important to note: upgrading an already compromised instance will not remove the attacker’s foothold. If you suspect a compromise, it is recommended to isolate the server completely from the network and to contact Atlassian Support for further assistance.
Temporary solution
If an immediate upgrade is not possible, access to the ‘/setup/’ endpoint could be blocked. To do so, the following constraint should be added inside the ‘<web-app>’ tag in ‘/<confluence-install-dir>/confluence/WEB-INF/web.xml’:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/setup/*</url-pattern>
        <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
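As an added example (not code from the original article or from Atlassian), the following Python script checks whether a web.xml actually carries the lockdown above in the expected shape: a constraint on ‘/setup/*’ that is not narrowed to specific HTTP methods and that ends in an empty ‘<auth-constraint />’, which is what makes the container deny every request. The sample web.xml is a constructed, cut-down stand-in for the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample, cut down to what the check needs; a real Confluence web.xml
# is much larger.  The default namespace is typical of Servlet deployment descriptors.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>Confluence</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>setup</web-resource-name>
      <url-pattern>/setup/*</url-pattern>
      <http-method-omission>*</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

def _name(tag):
    """Drop a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit('}', 1)[-1]

def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _name(e.tag) == name and e.text]

def setup_is_locked_down(web_xml_text):
    """True if some <security-constraint> covers /setup/* for every method and
    carries an empty <auth-constraint/> (no role can satisfy it, so access is denied)."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _name(sc.tag) != 'security-constraint':
            continue
        if '/setup/*' not in _texts(sc, 'url-pattern'):
            continue
        # Listing <http-method> entries would narrow the constraint to those methods only
        if _texts(sc, 'http-method'):
            continue
        auths = [e for e in sc.iter() if _name(e.tag) == 'auth-constraint']
        # An <auth-constraint> with <role-name> children grants that role; empty = deny all
        if any(len(list(a)) == 0 for a in auths):
            return True
    return False
```

Run it against the real file with `setup_is_locked_down(open(path).read())`; a False result after editing web.xml usually means the constraint landed outside ‘<web-app>’ or was narrowed by an ‘<http-method>’ or ‘<role-name>’ entry.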
Indicators of Compromise (IOCs)
Indicators of Compromise may include:
- Unknown members in the confluence-administrators group.
- Unexpected newly created user accounts.
- Unknown plugins that have been installed.
- Requests made to ‘/setup/*action’ in the network access logs.
- Presence of ‘/setup/setupadministrator.action‘ in an exception message in ‘atlassian-confluence-security.log‘ in the Confluence home directory.
- Datadog Security Labs released an extensive list of IP addresses that are linked with high confidence to exploitation of this vulnerability (you can find this list here).
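As an added example (not part of the original article), the following Python script scans access-log lines for the two request-based indicators listed above: the ‘setupComplete’ parameter being sent to ‘/server-info.action’, and any action under ‘/setup/’ being requested on an already configured instance. It assumes the Tomcat ‘combined’ log layout that Confluence uses by default; the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Tomcat "combined" layout, which Confluence's access log uses by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SETUP_FLAG = 'bootstrapstatusprovider.applicationconfig.setupcomplete'

# Constructed sample lines (not real traffic); one source walks the three stages.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2023:10:12:01 +0000] "GET /server-info.action?'
    'bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "curl/8.1"',
    '203.0.113.7 - - [04/Oct/2023:10:12:02 +0000] "GET /setup/setupadministrator-start.action HTTP/1.1" 200 5123 "-" "curl/8.1"',
    '203.0.113.7 - - [04/Oct/2023:10:12:04 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0 "-" "curl/8.1"',
    '198.51.100.20 - - [04/Oct/2023:10:13:00 +0000] "GET /display/ENG/Home HTTP/1.1" 200 18220 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return a reason string if the line matches an indicator from the article, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    path = unquote(parts.path).lower()          # decode %2E-style obfuscation before matching
    # Stage 1: the setupComplete flag being touched through /server-info.action at all
    if path.endswith('/server-info.action'):
        keys = {k.lower() for k in parse_qs(parts.query)}
        if SETUP_FLAG in keys:
            return 'setupComplete manipulation via /server-info.action'
    # Stages 2-3: a configured instance should never serve actions under /setup/
    if '/setup/' in path and path.endswith('.action'):
        return 'setup action requested: ' + unquote(parts.path)
    return None

def find_indicators(lines):
    """Return (ip, timestamp, status, reason) for every matching line."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m.group('ip'), m.group('ts'), int(m.group('status')), reason))
    return hits

def sources_with_full_chain(lines):
    """Source IPs that both flipped setupComplete and then touched /setup/ actions."""
    flipped, setup = set(), set()
    for ip, _ts, _status, reason in find_indicators(lines):
        (flipped if reason.startswith('setupComplete') else setup).add(ip)
    return flipped & setup
```

Feed it the real file with `find_indicators(open('access_log').read().splitlines())`; a source IP returned by `sources_with_full_chain` has completed the whole sequence and should be treated as a confirmed compromise, not just a scan.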
Summary
Confluence CVE-2023-22515 poses a significant security risk, as it allows remote, unauthenticated users to create administrator accounts on any public Confluence site that is not hosted by Atlassian. The vulnerability is a zero-day, meaning that at the time of disclosure it was already being actively exploited, leaving defenders no time to react. A successful attack impacts the Confidentiality, Integrity, and Availability of the data, which once again underlines the importance of a strong backup process. It is strongly recommended to upgrade your vulnerable Confluence instance to one of the fixed versions of Confluence Server and Confluence Data Center as soon as possible, even if the instance is not accessible through the internet.