Patch Alert: Questions for Confluence
The News
An advisory from Atlassian, released yesterday, July 20, 2022, identified CVE-2022-26138, a critical vulnerability in "Questions for Confluence". When "Questions for Confluence" is installed on Confluence Server or Data Center, a user account with the name "disabledsystemuser" (ironic, right?) is created. This account, a member of the "confluence-users" group, is created with hard-coded credentials that are easily accessible/viewable in the affected versions.
Atlassian states that they have yet to see exploitation in the wild; however, I will admit that the password is widely available/known, even to folks who may have never viewed the files for a Confluence install. Here's a link to a Twitter thread about this CVE, which admittedly does provide the password and where it is located:
If an adversary connects to a vulnerable instance using the hard-coded credentials, they will be able to edit and view all non-restricted pages. Atlassian states that the account is intended for administrators to migrate data from the app to Confluence Cloud. However, it seems a simple scan of the config files found these details and verified that they were easily used.
Hot Take
Hard-coded credentials, in a popular application? Credentials with view/edit access to non-restricted pages? Certainly not the combo anyone wants to wake up to. This may get severe for victim organizations. I'm expecting to see this rank amongst Internet scans and entry vectors for a while now.
Here's what concerns me: an adversary gets access to a Confluence instance. What do we use Confluence for? Storing data. Tracking customers. Integration with build environments, Git code repositories, etc. All sorts of information that I would not want adversaries to get ahold of.
Furthermore, the hard-coded password is out there. We are literally one Shodan scan away from hopping in and out of vulnerable instances.
What To Do Next?
Patch, patch, patch. If you utilize Questions for Confluence, or have in the past (more on this in a second), you need to apply the relevant patch(es) and double-check that your instances are not vulnerable.
Atlassian does provide an additional option: deleting the "disabledsystemuser" account. They also provided guidance on evidence of exploitation. Here's a snippet from that page for you:
Furthermore, if your Confluence instance is accessible from the Internet, I'd recommend assessing exactly why this is necessary. I've personally utilized Confluence instances that are wrapped behind MFA and VPN access, offering a few layers of security in the face of vulnerabilities like this.
Atlassian's notification does state that if the app has previously been installed and uninstalled, it is possible that the account is present. Double-check your instance even if you do not actively use the app.
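To make that double-check repeatable, here is an added example (not Atlassian's tooling or part of their advisory) that asks a Confluence Server/Data Center instance, with an administrator's credentials, whether "disabledsystemuser" exists and whether it still sits in "confluence-users". It assumes the Server REST endpoints `GET /rest/api/user?username=...` and `GET /rest/api/user/memberof?username=...`; the sample responses at the bottom are constructed, not captured from a real instance.

```python
"""Check a Confluence Server/DC instance for the CVE-2022-26138 account."""
import json
import urllib.error
import urllib.request
from base64 import b64encode

ACCOUNT = "disabledsystemuser"   # account created by Questions for Confluence
GROUP = "confluence-users"       # group the advisory says it belongs to


def assess(user_resp, memberof_resp):
    """Turn the two parsed REST responses into a finding.

    user_resp is None when the user lookup returned 404 (account absent).
    """
    if user_resp is None:
        return {"present": False, "in_group": False,
                "action": "none: account absent"}
    results = (memberof_resp or {}).get("results", [])
    in_group = GROUP in {g.get("name") for g in results}
    action = ("remove the account and review logs for logins by it"
              if in_group else
              "account present but not in confluence-users; remove it anyway")
    return {"present": True, "in_group": in_group, "action": action}


def fetch_json(base_url, path, auth_header):
    """GET a REST path; return parsed JSON, or None on 404."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def check_instance(base_url, admin_user, admin_pass):
    """Query a live instance (assumed endpoints) and assess the result."""
    token = b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    auth = f"Basic {token}"
    user = fetch_json(base_url, f"/rest/api/user?username={ACCOUNT}", auth)
    member = (fetch_json(base_url, f"/rest/api/user/memberof?username={ACCOUNT}", auth)
              if user else None)
    return assess(user, member)


# Constructed sample responses mimicking a vulnerable instance (offline demo).
SAMPLE_USER = {"type": "known", "username": ACCOUNT, "displayName": "Disabled System User"}
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": GROUP}], "size": 1}

if __name__ == "__main__":
    print(assess(SAMPLE_USER, SAMPLE_MEMBEROF))
```

Run `check_instance("https://confluence.example.internal", "admin", "<password>")` against your own instance; a `present: True` result means the account is there even if the app was uninstalled long ago.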