Atlassian Confluence Data Center and Server Broken Access Control Vulnerability
The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center allowing unauthorized users to get administrative-level privileges by creating unauthorized Confluence administrator accounts. The vulnerability is categorized as a Broken Access Control issue and has a CVSS base score of 10.0. CISA has warned that nefarious activists exploited CVE-2023-22515 as a zero-day to retrieve legitimate access over victim systems. Atlassian described this vulnerability initially as Privilege Escalation but later categorized it as Broken Access Control and released an advisory on October 4th, 2023 for CVE-2023-22515. The vendor has classified this vulnerability as Broken Authentication and Session Management (BASM). Atlassian Cloud sites are not affected by this vulnerability. Vulnerable software versions include 8.0.0-8.0.3, 8.1.0, 8.1.3-4, 8.2.0-8.2.3, 8.3.0-8.3.2, 8.4.0-8.4.2, 8.5.0-1.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-22515.
The overall CVSS score is 10. (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).
The base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
•Attack vector is network.
•Attack complexity is low.
•Privileges required is none.
•User interaction is none.
•Scope is changed.
•Impact of this vulnerability on data confidentiality is high.
•Impact of this vulnerability on data integrity is high.
•Impact of this vulnerability on data availability is high.
Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:
•The exploit code maturity level of this vulnerability is proof of concept code.
•The remediation level of this vulnerability is official fix.
•The report confidence level of this vulnerability is confirmed.
Atlassian Confluence Data Center is a self-managed edition of Confluence, built to support organizations’ size, complexity and governance needs.
To trigger the vulnerability, an unauthenticated attacker can modify the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a single request using the URI /server-info.action endpoint
CVE-2023-22515 can be exploited in a series of steps. The followings steps will demonstrate how RCE is obtained on Atlassian Crowd:
Before manipulating the parameters let us first observe a basic login request.
Next, we can trick the server into believing the configuration hasn’t been completed by setting “applicationConfig.setupComplete” to false.
Once the server believes setup is complete, we can use the setupadministrator.action to try and create an administrative level account passing the desired username and password.
As a result of the last request, a new account is created by the attacker that will allow a successful login to attempt with the attacker’s credentials.
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
• IPS:15926 - Confluence Data Center and Server Privilege Escalation
• IPS:19383 - Confluence Data Center and Server Privilege Escalation 2
• IPS:19382 - Confluence Data Center and Server Privilege Escalation 3
SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graph below indicate an increasing number of exploitation attempts over the last 40 days:
Admins still running one of the vulnerable software versions should upgrade Confluence Data Center and Data Servers to version 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later.
If that’s not possible, users can mitigate the issue by blocking access to the /setup/* endpoints on Confluence instances. Further steps to mitigate are dictated on an official link.