The Confluence app’s hard-coded password has been leaked on Twitter.

The advisory had already warned that obtaining the hardcoded password was “easy.”

What’s worse than a widely used, Internet-connected business app with a hardcoded password? The same app once everyone knows the hardcoded password.

Atlassian announced on Wednesday that three of its products have serious security flaws. One of them, CVE-2022-26138, is caused by a hardcoded password in the Questions for Confluence app, which lets users quickly get answers to common questions about Atlassian products. The company said the password was “easy to get.”

At the time of publication, the company said that Questions for Confluence was installed on 8,055 instances. When the app is installed, it creates a Confluence user account called disabledsystemuser. This account is meant to help admins migrate data between the app and the Confluence Cloud service. It is protected by a hardcoded password, and it can view and edit all non-restricted pages in Confluence.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could use this to log into Confluence and access any pages the confluence-users group has access to,” the company said. “It is important to fix this vulnerability on systems that are affected right away.”

A day later, Atlassian said that “an outside party has found and made public the hard-coded password on Twitter.” This caused the company to make its warnings even stronger.

“This issue is likely to be exploited in the wild now that the hardcoded password is public,” the updated advisory said. “This vulnerability should be fixed right away on all systems that are affected.”

The company warned that Confluence installations may still be vulnerable even if the app is no longer installed: uninstalling the app does not remove the disabledsystemuser account, so the account can remain on the system.

Atlassian told Confluence users to check for an account with the following details to determine whether a system is vulnerable:

User: disabledsystemuser
Username: disabledsystemuser
Email: dontdeletethisuser@email.com

Atlassian has more information about how to find these accounts here. Questions for Confluence versions 2.7.x and 3.0.x are affected by the bug. Atlassian gave customers two ways to fix the problem: either disable the “disabledsystemuser” account or delete it. The company has also published an FAQ about the issue.

Confluence users looking for evidence of exploitation can check the last time disabledsystemuser logged in by following the instructions here. If the result is “null,” the account exists on the system but no one has ever signed in with it. The commands also show any recent login attempts, whether successful or not.
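To make that check concrete, here is an added Python example (not Atlassian's own commands or code) that performs the same kind of lookup against a constructed in-memory SQLite copy of the Confluence user tables. The table and column names (cwd_user, cwd_user_attribute, lastAuthenticated, invalidPasswordAttempts) are modelled on Confluence's embedded Crowd directory and are an assumption here, as is the active flag; the sample rows are constructed. The script returns None when the account is absent, reports last_login as None for the “null” case the text describes, and folds the result into the three outcomes an admin needs to act on.

```python
import sqlite3
from datetime import datetime, timezone

# Account indicators taken from the advisory.
INDICATOR_USERNAME = "disabledsystemuser"
INDICATOR_EMAIL = "dontdeletethisuser@email.com"

# Constructed sample rows. Table and column names are an assumption modelled on
# Confluence's embedded Crowd directory tables, not copied from Atlassian's KB.
SAMPLE_USERS = [
    # (id, user_name, email_address, active)
    (1, "admin", "admin@example.test", "T"),
    (2, "disabledsystemuser", "dontdeletethisuser@email.com", "T"),
]
SAMPLE_ATTRIBUTES = [
    # (user_id, attribute_name, attribute_value); lastAuthenticated is epoch milliseconds
    (1, "lastAuthenticated", "1658332800000"),
    (1, "invalidPasswordAttempts", "0"),
    (2, "invalidPasswordAttempts", "3"),  # failed tries, but no lastAuthenticated row
]


def build_db(users, attributes):
    """Create an in-memory database with the assumed schema and the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT,"
        " email_address TEXT, active TEXT);"
        "CREATE TABLE cwd_user_attribute (user_id INTEGER, attribute_name TEXT,"
        " attribute_value TEXT);"
    )
    conn.executemany("INSERT INTO cwd_user VALUES (?, ?, ?, ?)", users)
    conn.executemany("INSERT INTO cwd_user_attribute VALUES (?, ?, ?)", attributes)
    return conn


def check_disabledsystemuser(conn):
    """Return None if the account is absent, otherwise a dict describing it.

    last_login is None when the account exists but has never authenticated
    (the "null" case); failed_attempts counts invalid-password attempts.
    """
    row = conn.execute(
        "SELECT id, user_name, email_address, active FROM cwd_user"
        " WHERE lower(user_name) = ? OR lower(email_address) = ?",
        (INDICATOR_USERNAME, INDICATOR_EMAIL),
    ).fetchone()
    if row is None:
        return None
    user_id, user_name, email, active = row
    attrs = dict(conn.execute(
        "SELECT attribute_name, attribute_value FROM cwd_user_attribute WHERE user_id = ?",
        (user_id,),
    ).fetchall())
    last = attrs.get("lastAuthenticated")
    last_login = None
    if last is not None:
        last_login = datetime.fromtimestamp(int(last) / 1000, tz=timezone.utc).isoformat()
    return {
        "user_name": user_name,
        "email": email,
        "active": active == "T",
        "last_login": last_login,
        "failed_attempts": int(attrs.get("invalidPasswordAttempts", "0")),
    }


def triage(result):
    """Map the lookup result onto the outcomes that decide the next admin step."""
    if result is None:
        return "absent: not exposed through this account"
    if not result["active"]:
        return "present but disabled: mitigated per the advisory (deleting is also an option)"
    if result["last_login"] is None and result["failed_attempts"] == 0:
        return "present, never used: disable or delete the account now"
    if result["last_login"] is None:
        return "present, failed logins seen: disable or delete now and review login logs"
    return "present and has authenticated: disable or delete, then investigate as a possible compromise"


if __name__ == "__main__":
    result = check_disabledsystemuser(build_db(SAMPLE_USERS, SAMPLE_ATTRIBUTES))
    print(result)
    print(triage(result))
```

On a real instance the same two queries would be run against the production database (read-only), and the `active` and `lastAuthenticated` values are what distinguish “still exposed” from “already mitigated” and from “needs an incident review.”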

“Now that the patches are out, one can expect patch diff and reverse engineering efforts to produce a public proof of concept in a fairly short time,” Casey Ellis, the founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should patch products that are visible to the public right away and those that are behind the firewall as soon as possible. The comments in the advisory that say proxy filtering is not a good way to protect yourself suggest that there is more than one way for a trigger to happen.”

The other two vulnerabilities Atlassian announced on Wednesday are also serious and affect the following products:

Bamboo Server and Data Center
Bitbucket Server and Data Center
Confluence Server and Data Center
Crowd Server and Data Center
Crucible
Fisheye
Jira Server and Data Center
Jira Service Management Server and Data Center

These flaws, tracked as CVE-2022-26136 and CVE-2022-26137, allow remote, unauthenticated attackers to bypass Servlet Filters used by first- and third-party apps.

The company said, “The effect depends on which filters each app uses and how those filters are used.” “Atlassian has put out updates that fix the problem that led to this vulnerability, but it hasn’t listed every possible effect of this vulnerability.”

Hackers have used vulnerable Confluence servers for a long time to install ransomware, crypto-miners, and other types of malware. The security holes that Atlassian revealed this week are serious enough that admins should make it a top priority to check their systems thoroughly, ideally before the weekend.
