CVE-2019-3396: Vulnerability in Atlassian Confluence Widget Connector Exploited in the Wild
Attackers are targeting vulnerable Confluence instances after company published a fix for the vulnerability back in March 2019.
Background
On March 20, Atlassian published a Confluence Security Advisory to announce fixes for two vulnerabilities, CVE-2019-3395 and CVE-2019-3396.
CVE-2019-3395 is a critical server-side request forgery (SSRF) vulnerability in the WebDAV plugin in Confluence Server and Data Center versions released before June 18, 2018.
CVE-2019-3396 is a critical server-side template injection vulnerability in Confluence Server and Data Center Widget Connector that could lead to path traversal and remote code execution.
In the weeks since the publication of the advisory, attackers have been probing for and exploiting CVE-2019-3396 on vulnerable systems.
Analisi
On April 23, AlertLogic published a blog about attackers exploiting CVE-2019-3396 to install GandCrab ransomware. GandCrab was first spotted in January 2018 and distributed through the RIG and GrandSoft exploit kits. GandCrab has also been distributed through malicious spam emails.
On April 26, Trend Micro published a blog about the AESDDoS botnet leveraging CVE-2019-3396 to infect systems and launch distributed denial of service (DDoS) attacks against other hosts and even use the infected systems for cryptocurrency mining.
Proof of concept
Following Atlassian’s advisory for these vulnerabilities in March, proof-of-concept code began to appear throughout the early part of April [1, 2, 3, 4]. Soon after, in-the-wild attacks began.
Solution
Atlassian recommends upgrading to the latest version of Confluence, which is 6.15.1 at the time of publication.
- For users of 6.12.x versions prior to 6.12.3, upgrade to 6.12.3 or later and 6.14.x versions prior to 6.14.2, upgrade to 6.14.2 or later.
- For users of enterprise release versions 6.6.x prior to 6.6.12, upgrade to 6.6.12 or later and 6.13.x versions prior to 6.13.3, upgrade to 6.13.3 or later.
- For users of older versions from 1.x.x through 5.x.x and versions 6.0.x through 6.11.x, Atlassian recommends upgrading to 6.14.2, 6.13.3 or 6.6.12.
Identifying affected systems
A list of Nessus plugins to identify these vulnerabilities can be found here.
Below is a sample scan output for CVE-2019-3396.
Get more information
- Confluence Security Advisory - 2019-03-20
- Active Exploitation of CVE-2019-3396 Dropping Gandcrab Ransomware
- Trend Micro Blog on AESDDoS Botnet Malware
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Articoli correlati
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning