Confluence hardcoded password leaked on Twitter


What’s worse than a widely used, Internet-connected enterprise app that ships with a hardcoded password? The same app after that password has been leaked to the world.

Atlassian on Wednesday disclosed three critical product vulnerabilities, including CVE-2022-26138, which stems from a password hardcoded in Questions for Confluence, an app that lets users quickly get answers to frequently asked questions about Atlassian products. The company warned that the password was “trivial to get”.

The company said Questions for Confluence had 8,055 installations at the time of publication. On installation, the app creates a Confluence user account (the “disabled system user”) that is meant to help administrators migrate data between the app and the Confluence Cloud service. The hardcoded password for this account grants the ability to view and edit every non-restricted page in Confluence.

“An unauthenticated remote attacker with knowledge of the encrypted password could exploit this to log into Confluence and access any pages that a group of Confluence users can access,” the company said. “It is important to immediately address this vulnerability on affected systems.”

A day later, Atlassian returned to report that “a third party had discovered and publicly disclosed the configured password on Twitter,” prompting the company to escalate its warnings.

“This issue is likely to be exploited in the wild now that the encrypted password is known to the public,” the updated advisory states. “This vulnerability on affected systems must be addressed immediately.”

The company warned that Confluence installs can still be vulnerable even if the app is no longer installed. Uninstalling the app does not fix the vulnerability on its own, because the disabled system user account remains on the system.

To find out if the system is vulnerable, Atlassian advised Confluence users to look for accounts with the following information:

Atlassian provided further instructions for locating these accounts here. The vulnerability affects Questions for Confluence releases 2.7.x and 3.0.x. Atlassian offered customers two ways to fix the problem: disabling or removing the “Disabled User” account. The company also posted this list of answers to frequently asked questions.

Users looking for evidence of exploitation can check the last authentication time of the disabled system user using the instructions here. An empty result means the account exists on the system but nobody has logged in with it. The commands also show any recent login attempts, successful or not.
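As an added illustration (not from the article and not Atlassian's own instructions), the following Python script performs the two checks a defender wants here: whether an account matching the advisory's details still exists in an exported user list, regardless of whether it is marked active, and whether that account appears as an authenticated user in access logs. The log layout mimics a common Confluence/Tomcat access-log pattern (client IP, authenticated username, timestamp, request, status, bytes) and is an assumption; the log lines and user records are constructed sample data, and the account name is a placeholder to be replaced with the username Atlassian lists in the advisory.

```python
import re
from datetime import datetime

# Placeholder: substitute the username Atlassian's advisory gives for the disabled system user.
SUSPECT_USERNAME = "PLACEHOLDER_disabled_system_user"

# Assumed access-log layout (constructed for this example):
# <client-ip> <authenticated-user or "-"> [<timestamp>] "<method> <path> <protocol>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one unauthenticated login flow, then two requests made
# as the suspect account from the same source IP on two different days.
SAMPLE_LOG = """\
203.0.113.7 - [21/Jul/2022:09:14:02 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - [21/Jul/2022:09:14:09 +0000] "POST /dologin.action HTTP/1.1" 302 0
203.0.113.7 PLACEHOLDER_disabled_system_user [21/Jul/2022:09:14:10 +0000] "GET /index.action HTTP/1.1" 200 8811
198.51.100.4 alice [21/Jul/2022:10:02:33 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4400
203.0.113.7 PLACEHOLDER_disabled_system_user [22/Jul/2022:01:47:55 +0000] "GET /rest/api/content HTTP/1.1" 200 91234
"""

# Constructed sample user export; a real export would come from the admin UI or database.
SAMPLE_USERS = [
    {"username": "alice", "active": True},
    {"username": "PLACEHOLDER_disabled_system_user", "active": False},
]


def parse_access_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def account_activity(entries, username):
    """Summarise authenticated requests made as `username`.

    Returns None when the account never appears, mirroring the 'empty result'
    case in the article: the account may exist but has not been used.
    """
    hits = [e for e in entries if e["user"].lower() == username.lower()]
    if not hits:
        return None
    return {
        "first_seen": min(e["ts"] for e in hits),
        "last_seen": max(e["ts"] for e in hits),
        "request_count": len(hits),
        "source_ips": sorted({e["ip"] for e in hits}),
    }


def find_suspect_accounts(users, username):
    """Return (username, active) for every account matching the suspect name.

    Disabled accounts are reported too: the article notes the account survives
    uninstalling the app, so its presence is worth knowing either way.
    """
    return [(u["username"], bool(u["active"]))
            for u in users if u["username"].lower() == username.lower()]


if __name__ == "__main__":
    for name, active in find_suspect_accounts(SAMPLE_USERS, SUSPECT_USERNAME):
        print(f"account present: {name} (active={active})")
    summary = account_activity(parse_access_log(SAMPLE_LOG), SUSPECT_USERNAME)
    if summary is None:
        print("no authenticated activity for the suspect account")
    else:
        print(f"{summary['request_count']} requests from {summary['source_ips']} "
              f"between {summary['first_seen']} and {summary['last_seen']}")
```

Any authenticated request attributed to the account is treated as evidence that someone has its credentials, which is stricter than looking only at login endpoints; the source IP list is what you would hand to the incident responder next.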

“Now that the patches are out, one can expect patch-diffing and reverse engineering efforts to produce a public POC in a fairly short time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should start patching Internet-facing products immediately, and those behind the firewall as quickly as possible. Comments in the advisory text recommending against proxy filtering as a mitigation suggest that there are multiple exploitation paths.”

The other two vulnerabilities disclosed by Atlassian on Wednesday are also serious, affecting the following products:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • Fisheye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

These vulnerabilities, tracked as CVE-2022-26136 and CVE-2022-26137, allow remote, unauthenticated attackers to bypass servlet filters used by first- and third-party apps.

“The effect depends on which filters each app uses, and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability but has not comprehensively listed all of the potential consequences of this vulnerability.”

Vulnerable Confluence servers have long been a favored foothold for attackers looking to install ransomware, cryptominers, and other malware. The vulnerabilities Atlassian disclosed this week are serious enough that administrators should prioritize a thorough review of their systems, ideally before the weekend starts.
