The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
**Recent assessments:**
Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0
{"id": "AKB:8049CCA9-ACA9-4288-8493-4153794BD621", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2022-26138", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "published": "2022-07-20T00:00:00", "modified": "2022-07-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/BUK2DJ8uhl/cve-2022-26138", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138", "https://jira.atlassian.com/browse/CONFSERVER-79483", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"], "cvelist": ["CVE-2022-26138"], "immutableFields": [], "lastseen": "2023-03-18T20:49:48", "viewCount": 47, "enchantments": {"score": {"value": 3.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "atlassian", "idList": ["CONFSERVER-79483"]}, {"type": "avleonov", "idList": ["AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0467"]}, {"type": "cisa", "idList": ["CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2022-26138"]}, {"type": "cve", "idList": ["CVE-2022-26138"]}, {"type": "githubexploit", "idList": ["120220D8-2281-57EE-BD84-1A33B8841E56", "E443E98A-3304-54B8-97FD-0FEF9DA283B3"]}, {"type": "hivepro", "idList": ["HIVEPRO:D92A8F5DF20362E41FF86142A0BECE42"]}, {"type": "nessus", "idList": ["CONFLUENCE_CONFSERVER-79483.NASL", "CONFLUENCE_CVE-2022-26138.NASL", "WEB_APPLICATION_SCANNING_113328"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "QUALYSBLOG:AE4AA7402829D66599C8A25E83DD0FD2", "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "RAPID7BLOG:BCF3916E38EC7840E9BABBDD5431352B", "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27"]}, {"type": "thn", "idList": ["THN:49CD77302B5D845459BA34357D9C011C", "THN:908A39F901145B6FD175B16E95137ACC", "THN:F050B7CE35D52E330ED83AACF83D6B29"]}]}, "epss": [{"cve": "CVE-2022-26138", "epss": "0.973890000", "percentile": "0.998230000", "modified": "2023-03-19"}], "vulnersScore": 3.7}, "_state": {"score": 1679172805, "dependencies": 1679172672, "epss": 1679301044}, "_internal": {"score_hash": "fba3530b8b49bf575b827f9d1f89b8b5"}, "attackerkb": {"attackerValue": 0, "exploitability": 0}, "wildExploited": true, "wildExploitedCategory": {"News Article or Blog": "", "Government or Industry Alert": ""}, "wildExploitedReports": [{"category": "News Article or Blog", "source_url": "https://unit42.paloaltonetworks.com/network-security-trends-update/", "published": "2022-07-24T17:39:00"}, {"category": "Other:", "source_url": "https://twitter.com/Shadowserver/status/1550958400632066048", "published": "2022-07-24T17:39:00"}, {"category": "Government or Industry Alert", "source_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "published": "2022-07-29T19:15:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138"], "Miscellaneous": ["https://jira.atlassian.com/browse/CONFSERVER-79483", "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"]}, "tags": [], "mitre_vector": {}, "last_activity": "2022-07-29T19:15:00"}
{"thn": [{"lastseen": "2022-08-02T07:00:49", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiEecCIZ-XaRJ4zcsuHaTxv40ceAY7a-zwUbCwG5pavcIkynNfkEL5b0bk3LuyI1j93_OpxDVhmeq2JIDgf2F5gePc20N6z3BLfb8ACE-Hs8BRt0o_lGbsdvT1pJhsBkfeBjvP-oakItq7nm9H28Bo9TQREhjN8EA14vZTuUU3vCCGPWgZ9DEstAMmf/s728-e100/cisa.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/07/29/cisa-adds-one-known-exploited-vulnerability-catalog>) the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.\n\nThe vulnerability, tracked as [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances.\n\n\"A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,\" CISA [notes](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in its advisory.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj0HlXLLx13DKw6KdL9aiyLzkfseKk26WHbECW9EuVAK8HemGF60r4yqvMLbBNmg2C7pxYyzORkxlDkvZNDNlX8XiSd69Eafk_2BLHONWx_a48pMVrF_79sQCg0dubLIL_rH6rjdVuD0lmtcPt11KVakdJCUlX6MSu833QUV4IexS8mTDkDoUAvH8HUaA/s728-e100/cisa.jpg>)\n\nDepending on the page restrictions and the information a company has in Confluence, successful exploitation of the shortcoming could lead to the disclosure of sensitive information.\n\nAlthough the bug was addressed by the Australian software company last week in versions 2.7.38 and 3.0.5, it has since come [under active exploitation](<https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html>), cybersecurity firm Rapid7 disclosed this week.\n\n\"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change,\" Erick Galinkin, principal AI researcher at Rapid7, told The Hacker News.\n\n\"The good news is that the vulnerability is in the Questions for Confluence app and _not_ in Confluence itself, which reduces the attack surface significantly.\"\n\nWith the flaw now added to the catalog, Federal Civilian Executive Branch (FCEB) in the U.S. are mandated to apply patches by August 19, 2022, to reduce their exposure to cyberattacks.\n\n\"At this point, the vulnerability has been public for a relatively short amount of time,\" Galinkin noted. \"Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-30T03:54:00", "type": "thn", "title": "CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-02T06:42:46", "id": "THN:908A39F901145B6FD175B16E95137ACC", "href": "https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-29T03:59:30", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjkxSAMgSsFZhb4DyOrv7jlV3A4nb55euT83HxRQMejOiw7UHuT9uTYns_ngLd4U6KF7vN-KarRobTWnwkATG6Q2ql1xpYPHfSvB-iJn8pY0T3rfaRpCwyerROalVbwZK4317SC19907zo6BS65jDRzsVx18rjEfxA_oVj6wzdoEkyJJAI4Q1JxsbJl/s728-e100/Atlassian-Confluence.jpg>)\n\nA week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild.\n\nThe bug in question is [CVE-2022-26138](<https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html>), which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain unrestricted access to all pages in Confluence.\n\nThe real-world exploitation follows the release of the hard-coded credentials on Twitter, prompting the Australian software company to prioritize patches to mitigate potential threats targeting the flaw.\n\n\"Unsurprisingly, it didn't take long [...] to observe exploitation once the hard-coded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,\" Rapid7 security researcher Glenn Thorpe [said](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgQF8uoUiufKEleM-yHfQ0lN3WghNEStj2b_QKvuWRV2YnIQm1QmcjsY7RPKKQWQgQ1fuvJ67SI7p4fiY6xW052wY4BZC3Wi5JyVU3EL-XCESStOGZLE2kSoL9gGC-Mz_xbNZ5SrfcW22ED9SF4L5pJUBB1xCQn5zYlws4mPxknxGGYChZ9xJ4m625R/s728-e100/app.jpg>)\n\nIt's worth noting that the bug only exists when the Questions for Confluence app is enabled. That said, uninstalling the Questions for Confluence app does not remediate the flaw, as the created account does not get automatically removed after the app has been uninstalled.\n\nUsers of the affected product are advised to update their on-premise instances to the latest versions (2.7.38 and 3.0.5) as soon as possible, or take steps to disable/delete the account.\n\nThe development also arrives as Palo Alto Networks, in its [2022 Unit 42 Incident Response Report](<https://www.paloaltonetworks.com/unit42/2022-incident-response-report>), found that threat actors are scanning for vulnerable endpoints within 15 minutes of public disclosure of a new security flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-29T03:19:00", "type": "thn", "title": "Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T03:22:24", "id": "THN:49CD77302B5D845459BA34357D9C011C", "href": "https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-22T03:59:04", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgwDyGaM4FdPe7m1y8beGIF9lst24L3fkt-FcrOap-X3fu09AhyO7t96mPZ_Q18jTQk8eFV8Z51Gfcp2Ryc_rvunTZbKZlMR3V32iWdinfxc04Gi4-7Y00aCE5kd4OLdU_CVTDy9G5mG9nh8rknBtsXbXwgwYWh-zeyeSlzCme-VBas1mHIY53IAJWH/s728-e100/Atlassian-Confluence-Vulnerability.jpg>)\n\nAtlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting [the Questions For Confluence](<https://marketplace.atlassian.com/apps/1211644/questions-for-confluence>) app for Confluence Server and Confluence Data Center.\n\nThe flaw, tracked as **CVE-2022-26138**, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username \"disabledsystemuser.\"\n\nWhile this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.\n\n\"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the [confluence-users group](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>) has access to,\" the company [said](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) in an advisory, adding that \"the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app.\"\n\nQuestions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5. Alternatively, users can [disable or delete](<https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html>) the disabledsystemuser account.\n\nWhile Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account. \"If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it,\" it said.\n\nSeparately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Fisheye and Crucible\n * Jira Server and Data Center, and\n * Jira Service Management Server and Data Center\n\nSuccessful exploitation of the bugs, tracked as CVE-2022-26136 and CVE-2022-26137, could enable an unauthenticated, remote attacker to bypass authentication used by third-party apps, execute arbitrary JavaScript code, and circumvent the cross-origin resource sharing ([CORS](<https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>)) browser mechanism by sending a specially crafted HTTP request.\n\n\"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,\" the company [cautioned](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>) in its advisory regarding CVE-2022-26137.\n\n**_Update:_** Atlassian on Thursday warned that the critical Questions For Confluence app vulnerability is likely to be exploited in the wild after the hard-coded password became publicly known, urging its customers to remediate the issue as soon as possible.\n\n\"An external party has discovered and publicly disclosed the hardcoded password on Twitter,\" the company said. \"It is important to remediate this vulnerability on affected systems immediately.\"\n\nThe software firm also emphasized that uninstalling the Questions for Confluence app does not address the vulnerability, as the created account does not get automatically removed after the app has been uninstalled. It's instead recommending that users either update to the latest version of the app or manually disable or delete the account.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-21T08:41:00", "type": "thn", "title": "Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-22T02:37:51", "id": "THN:F050B7CE35D52E330ED83AACF83D6B29", "href": "https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2023-02-21T15:45:11", "description": "(i) *Update:* This advisory has been updated since its original publication.\r\n\r\n2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)\r\n * {color:#172b4d}Updated the\u00a0_Remediation_ section to note that if the {{disabledsystemuser}} account is manually deleted, the app must also be updated or uninstalled to ensure the account does not get recreated{color}\r\n\r\n2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note the email service provider for the {{dontdeletethisuser@email.com}}\u00a0account has confirmed the account has been blocked\u00a0\r\n\r\n2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Summary of Vulnerability_ section to note that instances that have not remediated this vulnerability per the\u00a0_Remediation_ section below may send email notifications from Confluence to a third party email address\r\n * Additional details are available in [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html]\r\n\r\n2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)\r\n * Updated the\u00a0_Remediation_ section to explain only option 2 can be used for Confluence Server and Data Center instances configured to use a read-only external directory\r\n * Added a link to a page of frequently asked questions about CVE-2022-26138\r\n\r\n2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)\r\n * An external party has discovered and publicly disclosed the hardcoded password on Twitter. *It is important to remediate this vulnerability on affected systems immediately.*\r\n * The Vulnerability Summary section has been updated to include this new information\r\n\r\nh3. Vulnerability Summary\r\n\r\nWhen the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{{}disabledsystemuser{}}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.\r\n\r\nThe {{disabledsystemuser}} account is configured with a third party email address ({{{}dontdeletethisuser@email.com{}}}) that is not controlled by Atlassian. If this vulnerability has not been remediated per the _Fixes_\u00a0section below, an affected instance\u00a0configured\u00a0to send\u00a0[notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html]\u00a0will email that address.\u00a0One example\u00a0of an email notification is\u00a0[Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{dontdeletethisuser@email.com}}\u00a0account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.\r\n\r\n(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the _Remediation_ section below for guidance on how to remediate this vulnerability.\r\nh3. How To Determine If You Are Affected\r\n\r\nA Confluence Server or Data Center instance is affected if it has an active user account with the following information:\r\n * User: {{disabledsystemuser}}\r\n * Username: {{disabledsystemuser}}\r\n * Email: {{dontdeletethisuser@email.com}}\r\n\r\nIf this account does not show up in the list of active users, the Confluence instance is not affected.\r\nh3. Remediation\r\n\r\n(!) Uninstalling the Questions for Confluence app does *not* remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below. (!)\r\nh4. Option 1: Update to a non-vulnerable version of Questions for Confluence\r\n\r\nUpdate the Questions for Confluence app to a fixed version:\r\n * 2.7.x >= 2.7.38\r\n * Versions >= 3.0.5\r\n\r\nFor more information on how to update an app, refer to [Atlassian's documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].\r\n\r\nFixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.\r\n\r\n(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.\r\nh4. Option 2: Disable or delete the {{disabledsystemuser}} account\r\n\r\nSearch for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian's documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].\r\n\r\nIf you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. *Failure to do this could result in the account being recreated after it has been deleted.*\r\n\r\nIf Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories]\u00a0from the same document\r\nh3. Frequently Asked Questions\r\n\r\nWe'll update the\u00a0[FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html]\u00a0with answers for commonly asked questions.\r\nh3. Security Advisory\r\n\r\nFor additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-08T17:06:14", "type": "atlassian", "title": "Questions For Confluence App - Hardcoded Password", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2023-02-21T15:41:00", "id": "CONFSERVER-79483", "href": "https://jira.atlassian.com/browse/CONFSERVER-79483", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-08-05T13:56:42", "description": "Atlassian has released a security advisory to address a vulnerability (CVE-2022-26138) affecting Questions for Confluence App. An attacker could exploit this vulnerability to obtain sensitive information. Atlassian reports that the vulnerability is likely to be exploited in the wild.\n\nCISA encourages users and administrators to review Atlassian\u2019s security advisory, [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), and apply the necessary updates immediately. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Advisory for Questions for Confluence App, CVE-2022-26138", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-22T00:00:00", "id": "CISA:B99FA8E68B4D7FF5BA1F6693AC9C7CCF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/07/22/atlassian-releases-security-advisory-questions-confluence-app-cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2022-08-04T19:59:46", "description": "[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nAfter what seems like forever and honestly has been a really long time, we\u2019re heading back to BlackHat in-person this year. We\u2019re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security. \n\n \n\n\nThroughout the two days of the main conference, we\u2019ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it\u2019s probably worthwhile running through all the cool stuff we\u2019ll have going on at Hacker Summer Camp. \n\n \n\n\nOur [booth should be easy enough to find](<https://www.expocad.com/host/fx/ubm/22bhusa/exfx.html>) \u2014 it\u2019s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you\u2019ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade. Attendees who watch a lightning talk can grab a never-before-seen [Snort 3](<https://snort.org/snort3>)-themed Snorty and our malware mascot stickers, which were a [big hit at Cisco Live this year](<https://twitter.com/TalosSecurity/status/1536821931097305088>). \n\n \n\n\nWe\u2019ll also be over at the Career Center if you want to [come work with us](<https://talosintelligence.com/careers>). Or even if you don\u2019t, word on the street is there\u2019ll be silver and gold Snortys there. And on Thursday the 11th between 10 a.m. and noon local time a Talos hiring manager will be on site reviewing resumes and taking questions. \n\n \n\n\nIf you want more in-depth talks, we\u2019ll have five sponsored sessions between the 10th and 11th. If you want the latest schedule and location on those talks, be sure to [follow us on Twitter](<https://twitter.com/TalosSecurity>) or check out Cisco\u2019s BlackHat event page [here](<https://www.cisco.com/c/en/us/products/security/black-hat-usa.html>). Our sponsored talks cover Talos\u2019 latest work in Ukraine, the growing threat of business email compromise and current trends from state-sponsored actors. Make sure to catch all five of them. \n\n \n\n\nAnd if you liked our speakeasy at Cisco Live, you'll love the next secret we have in store at the BlackHat booth. Swing by and ask us about it. \n\n \n\n\nFor anyone sticking around for DEF CON, we\u2019ll also have a presence there with Blue Team Village. Drop any questions in the [Blue Team Village Discord](<https://www.blueteamvillage.org/>) for us, and be sure to attend the BTV Pool Party on Aug. 12 from 8 \u2013 11 p.m. local time. \n\n \n\n\nTo stay up to date on all things Talos at both conferences, be sure to follow us on social media. - \n\n\n \n\n## The one big thing \n\n> \n\n\nCisco Talos recently discovered [a new attack framework called \"Manjusaka\"](<https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>) being used in the wild that could be the next evolution of Cobalt Strike \u2014 and is even advertised as so. This framework is advertised as an imitation of the Cobalt Strike framework. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. \n\n\n> ### Why do I care? \n> \n> Our researchers discovered a fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, that\u2019s freely available and can generate new implants with custom configurations with ease. This increases the likelihood of wider adoption of this framework by malicious actors. If you\u2019re a defender of any kind, you want to stay up on the latest tools attackers are likely to use. And since Cobalt Strike is already one of the most widely used out there, it\u2019s safe to assume any evolution of it is going to draw some interest. \n> \n> ### So now what? \n> \n> Organizations must be diligent against such easily available tools and frameworks that can be misused by a variety of threat actors. In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention of this framework. Talos also released Snort rule 60275 and ClamAV signature Win.Trojan.Manjusaka-9956281-1 to detect the use of Manjusaka. \n\n> \n> \n\n## Other news of note\n\n \n\n\nEverything from convenience stores to government websites in Taiwan saw an uptick in cyber attacks this week after U.S. House Speaker Nancy Pelosi visited the country this week. She was the U.S.\u2019 highest-ranking official to visit there in more than 20 years. However, many of the attacks appeared to be from low-skilled attackers and some could even be attributed to a normal uptick in traffic from a busy news day. China could still retaliate for the visit with a cyber attack against Taiwan or the U.S., as the Chinese government has voiced its displeasure over Pelosi\u2019s actions and launched several kinetic warfare exercises. ([Reuters](<https://www.reuters.com/technology/7-11s-train-stations-cyber-attacks-plague-taiwan-over-pelosi-visit-2022-08-04/>), [Washington Post](<https://www.washingtonpost.com/politics/2022/08/03/those-pelosi-inspired-cyberattacks-taiwan-probably-werent-all-they-were-cracked-up-be/>)) \n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting a critical vulnerability in Atlassian Confluence disclosed last week. CISA added CVE-2022-26138, a hardcoded password vulnerability in the Questions for Confluence app, to its list of Known Exploited Vulnerabilities on Friday. Adversaries can exploit this vulnerability to gain total access to data in on-premises Confluence Server and Confluence Data Center platforms. U.S. federal agencies have three weeks to patch for the issue under CISA\u2019s new guidance. ([Dark Reading](<https://www.darkreading.com/cloud/patch-now-atlassian-confluence-bug-active-exploit>), [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/>)) \n\nNorth Korean state-sponsored actors continue to be active, recently adding a new Gmail attack to its arsenal. The infamous SharpTongue group uses the SHARPEXT malware to target organizations in the U.S., Europe and South Korea that work on nuclear weapons and other topics that North Korea sees as relevant to its national security. SHARPEXT installs a Google Chrome extension that allows the attackers to bypass users\u2019 Gmail multi-factor authentication and passwords, eventually entering the inbox and reading and downloading email and attachments. Other North Korean actors continue to use fake LinkedIn applications to apply for remote jobs, hoping to eventually steal cryptocurrency and fund the country\u2019s weapons program. ([Ars Technica](<https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/>), [Bloomberg](<https://www.bloomberg.com/news/articles/2022-08-01/north-koreans-suspected-of-using-fake-resumes-to-steal-crypto>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Talos Takes Ep. #106: The top attacker trends from the past quarter](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/106>)_\n * _[Beers with Talos Ep. #124: There's no such thing as \"I have nothing to hide\"](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/124>)_\n * _[BlackHat \u2014 A poem](<https://blog.talosintelligence.com/2022/08/poems-0xCCd.html>)_\n * _[Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution](<https://blog.talosintelligence.com/2022/05/vuln-spotlight-alyac-est.html>)_\n * _[Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities](<https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html>)_\n * _[Researcher Spotlight: You should have been listening to Lurene Grenier years ago](<https://blog.talosintelligence.com/2022/08/researcher-spotlight-you-should-have.html>)_\n * _[Manjusaka, a new attack tool similar to Sliver and Cobalt Strike](<https://securityaffairs.co/wordpress/133953/hacking/manjusaka-attack-tool.html>)_\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S.A 2022 **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n_[USENIX Security '22](<https://www.usenix.org/conference/usenixsecurity22#registration>) _**(Aug. 10 - 12, 2022)** \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[Security Insights 101 Knowledge Series](<https://aavar.org/securityinsights101/>) (Aug. 25, 2022)**\n\nVirtual \n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02 \n\n \n\n\n**SHA 256:** [f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121](<https://www.virustotal.com/gui/file/f21b040f7c47d8d3d9c1f0ef00f09e69f2c3f0e19d91988efc0ddd4833ced121/details>) \n\n**MD5:** 9066dff68c1d66a6d5f9f2904359876c \n\n**Typical Filename:** dota-15_id3622928ids1s.exe \n\n**Claimed Product:** N/A \n\n**Detection Name:** W32.F21B040F7C.in12.Talos \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0](<https://www.virustotal.com/gui/file/168e625c7eb51720f5ce1922aec6ad316b3aaca838bd864ee2bcdbd9b66171d0/details>) \n\n**MD5: **311d64e4892f75019ee257b8377c723e \n\n**Typical Filename: **ultrasurf-21-32.exe ** **\n\n**Claimed Product: **N/A \n\n**Detection Name: **W32.DFC.MalParent", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-04T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (Aug. 4, 2022) \u2014 BlackHat 2022 preview", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T18:00:00", "id": "TALOSBLOG:1CC8B88D18FD4407B2AEF8B648A80C27", "href": "http://blog.talosintelligence.com/2022/08/threat-source-newsletter-aug-4-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-31T04:35:36", "description": "The remote confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. An attacker can exploit this to gain administrative access to the remote host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-12T00:00:00", "type": "nessus", "title": "Questions for Confluence App Default Credentials (CVE-2022-26138)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-07T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2022-26138.NASL", "href": "https://www.tenable.com/plugins/nessus/164091", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164091);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Questions for Confluence App Default Credentials (CVE-2022-26138)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The application hosted on the remote web server uses a default set of known credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote confluence web application uses a known set of hard-coded default credentials of the\n'Questions for Confluence' marketplace application. An attacker can exploit this to gain \nadministrative access to the remote host.\");\n # https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56edf34e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the application's default credentials.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('url_func.inc');\ninclude('vcf.inc');\ninclude('debug.inc');\n\nvar app_name = 'confluence';\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:true);\nvar url = build_url(port:port, qs:app_info['path']);\n\n##\n# Try to authenticate with default disabledsystemuser/disabled1system1user6708 creds\n#\n# @param port - the port the application exists on\n# @return TRUE for successful authentication, otherwise FALSE\n##\nfunction try_default_creds(port)\n{\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[trying default creds]');\n var res, post;\n post = 'os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Findex.action';\n # Authenticate\n res = http_send_recv3(\n port : port,\n method : 'POST',\n item : '/dologin.action',\n data : post,\n content_type : \"application/x-www-form-urlencoded\",\n exit_on_fail : TRUE\n );\n\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Attempted to login with: ' + http_last_sent_request());\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'Response was: ' + obj_rep(res));\n if ('HTTP/1.1 302' >< res[0] && 'X-Seraph-LoginReason: OK' >< res[1])\n {\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login confirmed][ ' + res[0] + '][' + res[1] + ']');\n return TRUE;\n }\n dbg::detailed_log(lvl:1, src:FUNCTION_NAME, msg:'[login failed][ ' + res[0] + '][' + res[1] + ']');\n return FALSE;\n}\n\nvar can_auth = try_default_creds(port:port);\n\nvar report = NULL;\nif (can_auth)\n{\n report = 'Nessus was able to gain access to the remote confluence app\\n' +\n 'using the following set of credentials:\\n' +\n '\\n Username : disabledsystemuser' +\n '\\n Password : disabled1system1user6708';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-10T19:25:42", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.\n\nUninstalling the Questions for Confluence app does not remediate this vulnerability. The account does not automatically get removed after the app has been uninstalled.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "nessus", "title": "Atlassian Questions For Confluence 2.7.34 / 2.7.35 / 3.0.2 Hardcoded Credentials", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-19T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113328", "href": "https://www.tenable.com/plugins/was/113328", "sourceData": "No source data", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-30T17:00:50", "description": "The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential vulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version number. This plugin will only run in 'Parnoid' scans.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-12-08T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-79483.NASL", "href": "https://www.tenable.com/plugins/nessus/163327", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163327);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/08\");\n\n script_cve_id(\"CVE-2022-26138\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/19\");\n\n script_name(english:\"Atlassian Confluence < 7.4.17 / 7.13.x < 7.13.6 / < 7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2 (CONFSERVER-79483)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Atlassian Confluence host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Confluence installed on the remote host is prior to < 7.4.17 / 7.13.x < 7.13.6 / 7.14.x <\n7.14.3 / 7.15.x < 7.15.2 / 7.16.x < 7.16.4 / 7.17.x < 7.17.2. It is potentially affected by a hard-coded credential\nvulnerability if the 'Questions for Confluence' app is installed.\n\nThe Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in\nthe confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated\nattacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content\naccessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35,\nand 3.0.2 of the app.(CVE-2022-26138)\n\nNote that Nessus has not tested for this issue but has instead relied only on Confluence's self-reported version\nnumber. This plugin will only run in 'Parnoid' scans.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-79483\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 7.4.17, 7.13.6, 7.14.3, 7.15.2, 7.16.4, 7.17.2, 7.13.6, 7.14.3, 7.15.2, 7.16.4,\n7.17.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-26138\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\n# The vuln is in the Questions for Confluence app, not Confluence itself\n# We cannot determin if this is installed and/or the offending user account is present\nif (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'Confluence', app_info.version);\n\nvar constraints = [\n { 'fixed_version' : '7.4.17', 'fixed_display' : '7.4.17 / 7.13.6 / 7.14.3 / 7.15.2 / 7.16.4 / 7.17.2' },\n { 'min_version' : '7.13.0', 'fixed_version' : '7.13.6' },\n { 'min_version' : '7.14.0', 'fixed_version' : '7.14.3' },\n { 'min_version' : '7.15.0', 'fixed_version' : '7.15.2' },\n { 'min_version' : '7.16.0', 'fixed_version' : '7.16.4' },\n { 'min_version' : '7.17.0', 'fixed_version' : '7.17.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2022-08-11T18:51:48", "description": "Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-29T00:00:00", "type": "cisa_kev", "title": "Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-07-29T00:00:00", "id": "CISA-KEV-CVE-2022-26138", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-08-24T23:29:47", "description": "A hardcoded credentials vulnerability exists in Atlassian Questions for Confluence App. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-08T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Questions for Confluence App Hardcoded Credentials (CVE-2022-26138)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-10T00:00:00", "id": "CPAI-2022-0467", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-09-21T23:10:01", "description": "# Confluence-Question-CVE-2022-26138\nAtlassian Confluence Server...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T09:48:21", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-09-21T21:50:55", "id": "E443E98A-3304-54B8-97FD-0FEF9DA283B3", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-09-02T02:01:54", "description": "# CVE-2022-26138\n\n# 1.\u7b80\u4ecb\nConfluence Hardcoded Password POC\n\n#...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-30T07:14:52", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Atlassian Questions For Confluence", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-09-02T01:39:22", "id": "120220D8-2281-57EE-BD84-1A33B8841E56", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}], "cve": [{"lastseen": "2023-02-09T14:16:55", "description": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T18:15:00", "type": "cve", "title": "CVE-2022-26138", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-26138"], "modified": "2022-08-04T14:13:00", "cpe": ["cpe:/a:atlassian:questions_for_confluence:2.7.35", "cpe:/a:atlassian:questions_for_confluence:2.7.34", "cpe:/a:atlassian:questions_for_confluence:3.0.2"], "id": "CVE-2022-26138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26138", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*"]}], "qualysblog": [{"lastseen": "2022-08-19T00:02:03", "description": "Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022, a critical severity OGNL Remote Code Execution vulnerability was disclosed (CVE-2022-26134). More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022.\n\nIn CVE-2022-26138, a Confluence user account is created by the Questions for Confluence app with hardcoded credentials stored inside the plugin jar file available on [Atlassian packages](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>). An attacker with knowledge of these credentials could log into the Confluence application and access all contents within the confluence-users group. [Atlassian](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has rated the vulnerability "critical" and highlighted that the vulnerability is being exploited in the wild.\n\nDue to the nature of this vulnerability, it can only be verified remotely by logging into the Confluence application with the hardcoded credentials. Traditional open source scanners and scripts are checking for the Location HTTP response header and 302 status code to verify the credentials, which could result in false positives. [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) has released QID 150556 that confirms the vulnerability detection in two steps. The detection takes an additional step to verify the valid credentials by navigating to the user profile page and verifying that the correct page is returned. This check is much more efficient in comparison to open source scanners and eliminates any possibility of false positives.\n\n## About CVE-2022-26138\n\nAccording to Confluence's [Questions for Confluence Security Advisory](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), both Confluence Server and Confluence Data Center products using affected versions of the Questions for Confluence app are impacted by CVE-2022-26138.\n\nAffected versions :\n\nQuestions for Confluence 2.7.x| 2.7.34 \n2.7.35 \n---|--- \nQuestions for Confluence 3.0.x| 3.0.2 \n \n## Hardcoded Credentials Vulnerability\n\nAffected versions of the Questions for Confluence app, when installed on a Confluence application, create a user account with username `disabledsystemuser` and password `disabled1system1user6708` and the account is added to confluence-users group, which allows viewing and editing all non-restricted pages within Confluence [by default](<https://confluence.atlassian.com/doc/confluence-groups-139478.html>). A remote attacker can easily leverage these credentials to browse sensitive contents within the Confluence application.\n\nThese hardcoded credentials are stored in `default.properties` file inside a [`confluence-questions-X.X.X.jar` file](<https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/>), as shown below.\n\n\n\n## Detecting the Vulnerability with Qualys Web Application Scanning\n\nExisting Qualys customers can detect CVE-2022-26138 on their target Confluence instance with Qualys Web Application Scanning (WAS) using the following Qualys ID (QID):\n\n * 150556 : Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)\n\nThe QID is part of the core category. A vulnerability scan with a core or custom search list including the QID in the options profile will flag all vulnerable applications, as shown below.\n\n\n\n### Qualys WAS Report\n\nOnce the vulnerability is successfully detected by Qualys WAS, the user will see similar results in the vulnerability scan report, as shown here:\n\n\n\n### Solution & Mitigation\n\nTo remediate this vulnerability, any organization using the Questions for Confluence app is advised to ensure the following:\n\n * Upgrade to Version 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)\n * Disable or delete the disabledsystemuser account\n\nPlease note that uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled. It is possible for this account to be present if the Questions for Confluence app was previously installed. It is advised to check the list of active users to ensure the Confluence instance is not affected.\n\n### Credit\n\n**Confluence Security Advisory:** <https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>\n\n### CVE Details:\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26138>\n * <https://nvd.nist.gov/vuln/detail/CVE-2022-26138>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T10:12:53", "type": "qualysblog", "title": "Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138"], "modified": "2022-08-17T10:12:53", "id": "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-13T00:03:22", "description": "Welcome to the first edition of the Qualys Research Team\u2019s \u201cThreat Research Thursday\u201d where we collect and curate notable new tools, techniques, procedures, threat intelligence, cybersecurity news, malware attacks, and more. We will endeavor to issue these update reports regularly, as often as every other week, or as our threat intelligence output warrants. \n\n\n\n## Threat Intelligence from the Qualys Blog\n\nHere is a roundup of the most interesting blogs from the Qualys Research Team from the past couple of weeks: \n\n * New Qualys Research Report: [Evolution of Quasar RAT](<https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat>) \u2013 This free downloadable report gives a sneak peek of the detailed webinar topic that Qualys Threat Research team\u2019s Linux EDR expert Viren Chaudari will be presenting on our upcoming [Threat Thursdays webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>). \n * Here\u2019s a [Simple Script to Detect the Stealthy Nation-State BPFDoor](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor>) \u2013 In this blog we explain how a simple script can detect a BPFDoor. \n * Introducing [Qualys CyberSecurity Asset Management 2.0](<https://www.qualys.com/apps/cybersecurity-asset-management/>) with natively integrated [External Attack Surface Management](<https://blog.qualys.com/qualys-insights/2022/07/28/attack-surface-management-a-critical-pillar-of-cybersecurity-asset-management>) \u2013 This is big news! We offer one of only a few solutions on the market that empower cybersecurity teams to manage internal and external assets at the same time! For our existing customers, [Qualys CSAM API Best Practices](<https://blog.qualys.com/product-tech/2022/08/05/qualys-api-best-practices-cybersecurity-asset-management-api>) should be a good starting point for playing with our extensive list of APIs. \n * [August 2022 Patch Tuesday](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/09/august-2022-patch-tuesday>) \u2013 Microsoft and the second Tuesday of the month are inseparable (except that one time in 2017 just before the Equation Group leak!) This is our regular monthly coverage of the vulnerabilities that Microsoft and Adobe fixed this month. \n\n## New Threat Hunting Tools & Techniques\n\n**Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53**: This is a major update to Sysmon that adds a new `event ID 27 - FileBlockExecutable` that prevents processes from creating executable files in specified locations. What this means is if you want to block certain files from executing in a certain directory, you can do so. [Get these tools & updates](<https://docs.microsoft.com/en-us/sysinternals/downloads/>). \n\n**Bomber: **All of us know how important software bills of materials (SBOMs) are, and the vulnerabilities that affect them even more so. This open-source repository tool that we\u2019ve evaluated will help you scan JSON formatted SBOM files to point out any vulnerabilities they may have. [Check out Bomber](<https://github.com/devops-kung-fu/bomber>). \n\n**Alan C2 Framework:** Until recently, this command & control (C2) framework \u2013 even though it was hosted on GitHub \u2013 was closed source. You could download it and test it for free, but not inspect its source code unless you decompiled it. Now the source code has been made available. For example, you can now look at the [certificate information](<https://github.com/enkomio/AlanFramework/blob/8134494037435c5e6478409447efe41f563e0688/src/client/mbedtls/tests/data_files/dir-maxpath/c20.pem>) and add it to your detection pipeline if you have not already done so. [Access the Alan C2 Framework source code](<https://github.com/enkomio/AlanFramework>). \n\n**FISSURE**: This interesting Radio Frequency (RF) framework was released as open source at the recently concluded DEFCONference. With this reverse engineering RF framework, you can detect, classify signals, execute attacks, discover protocols, and analyze vulnerabilities. A lot can be done with this tool! [Check out FISSURE](<https://github.com/ainfosec/FISSURE>). \n\n**Sub7 Legacy**: The source code to your favorite trojan from the not-so-recent past is now available. Well, not really. This is a complete remake of the trojan from the early 2000\u2019s. The look & feel is still the same \u2013 minus the malicious features, but it does make one nostalgic. Here\u2019s hoping that threat actor groups don\u2019t use this Delphi source code for new and nefarious use cases! [Check out the new Sub7 Legacy](<https://github.com/DarkCoderSc/SubSeven>). \n\n**Hashview**: What do you do when you dump a hash via Mimikatz and want to crack it? In a team engagement, a tool like Hashview can help. It allows you to automate hashcat, retroactively crack hashes, and get notifications on a particular event. [Check out the Hashview source code](<https://github.com/hashview/hashview>). \n\n**Center for Internet Security: **CIS published their August update for the [End-of-Support Software Report List](<https://www.cisecurity.org/insights/blog/end-of-support-software-report-list>). Use it coupled with Qualys CSAM to stay updated on software that\u2019s no longer vendor supported. \n\n## New Vulnerabilities \n\n[**CVE-2022-34301**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34301>)/[**CVE-2022-34302**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34302>)/[**CVE-2022-34303**](<https://nvd.nist.gov/vuln/detail/CVE-2022-34303>) \u2013 Not much was known about these bootloader vulnerabilities when they were first disclosed as part of Microsoft Patch Tuesday. New research about these vulnerabilities was [presented at DEFCON](<https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/>) pointing towards weaknesses in third-party code signed by Microsoft. Special care must be given to fixing these vulnerabilities, as manual intervention is required for complete remediation. \n\n[**CVE-2022-30209**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30209>) \u2013 Fresh off of its disclosure at Black Hat USA 2022, this _IIS authentication bypass vulnerability_ discovered by Devcore, is [introduced](<https://twitter.com/orange_8361/status/1557504677050478594?s=20&t=KnnUPgzWitsV-dCEdSeCjA>) because of a logic error as a result of improper copy/pasting of variable names. Qualys VMDR customers can find unpatched devices in their networks by looking for QID 91922 in their results. \n\n[**CVE-2022-22047**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>) - This Windows client/server runtime subsystem (CSRSS) _elevation of privilege vulnerability_ affects almost all Windows versions, including v7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022! QIDs 91922 and 91927 should be of interest to current Qualys VMDR customers. \n\n[**CVE-2022-26138**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26138>) \u2013 The Confluence Questions app, when installed will create a `disabledsystemuser `user with a known and now _publicized hardcoded password_. Post exploitation, bad actors can read the pages accessible by the confluence-users group. \n\n[**CVE-2022-26501**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26501>) \u2013 Proof-of-concept code for this _unauthenticated remote code execution_ vulnerability affecting Veeam Distribution Service (VDS) has been available for more than four months now. When last checked on Shodan, there were more than 18,000 publicly facing devices that host Veeam Backup Services. \n\n## Introducing the Monthly Threat Thursdays Webinar \n\nPlease join us for the first [Threat Thursdays monthly webinar](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>) where the Qualys Threat Research Team will present the latest threat intelligence\u2026 each and every month! \n\n[REGISTER NOW](<https://event.on24.com/wcc/r/3925198/52A4000CBD17D2B16AFD5F56B3C9D15A>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-01T21:00:00", "type": "qualysblog", "title": "Introducing Qualys Threat Research Thursdays", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047", "CVE-2022-26138", "CVE-2022-26501", "CVE-2022-30209", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303"], "modified": "2022-09-01T21:00:00", "id": "QUALYSBLOG:AE4AA7402829D66599C8A25E83DD0FD2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T00:03:27", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 121 vulnerabilities (aka flaws) in the August 2022 update, including 17 vulnerabilities classified as **_Critical_** as they allow Elevation of Privilege (EoP) and Remote Code Execution (RCE). This month's Patch Tuesday fixes two (2) zero-day vulnerabilities, with one (1) actively exploited***** in attacks ([CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>)*****,[ CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>)). Earlier this month, August 5, 2022, Microsoft also released 20 Microsoft Edge (Chromium-Based) updates addressing Elevation of Privilege (EoP), Remote Code Execution (RCE), and Security Feature Bypass with severities of Low, Moderate, and Important respectively.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.\n\n## **The August 2022 Microsoft vulnerabilities are classified as follows:**\n\n\n\n [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n\n# **Notable Microsoft Vulnerabilities Patched**\n\nA vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited with no official fix available.\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34713](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713>) | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nIn May, Microsoft released a [blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) giving guidance for a vulnerability in MSDT and released updates to address it shortly thereafter. Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as their research partners. _This CVE is a variant of the vulnerability publicly known as Dogwalk._\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n>  Qualys director of vulnerability and threat research, [Bharat Jogi](<https://blog.qualys.com/author/bharat_jogi>), said DogWalk had actually been reported back in 2019 but at the time was not thought to be dangerous as it required \u201csignificant user interaction to exploit,\u201d and there were other mitigations in place.\n> \n> - _Excerpt from [Surge in CVEs as Microsoft Fixes Exploited Zero Day Bug](<https://www.infosecurity-magazine.com/news/surge-cves-microsoft-fixes/>)_\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-30134](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134>) | Microsoft Exchange Information Disclosure Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.6/10.\n\nThis vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. For more information, see [Exchange Server Sup](<https://aka.ms/ExchangeEPDoc>)[port for Windows Extended Protection](<https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/>) and/or [The Exchange Blog](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862>).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Unlikely_**\n\n* * *\n\n## **Security Feature Bypass Vulnerabilities Addressed**\n\nThese are **standalone security updates**. These packages must be installed in addition to the normal security updates to be protected from this vulnerability.\n\nThese security updates have a Servicing Stack Update prerequisite for specific KB numbers. The packages have a built-in pre-requisite logic to ensure the ordering.\n\nMicrosoft customers should ensure they have installed the latest Servicing Stack Update before installing these standalone security updates. See [ADV990001 | Latest Servicing Stack Updates](<https://msrc.microsoft.com/update-guide/security-guidance/advisory/ADV990001>) for more information.\n\nAn attacker who successfully exploited either of these three (3) vulnerabilities could bypass Secure Boot.\n\n### CERT/CC: [CVE-2022-34301](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34301>) Eurosoft Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34302](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34302>) New Horizon Data Systems Inc Boot Loader Bypass\n\n### CERT/CC: [CVE-2022-34303](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34303>) Crypto Pro Boot Loader Bypass\n\nAt the time of publication, a CVSSv3.1 score has not been assigned.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Like_**ly\n\n* * *\n\n## **Microsoft Critical and Important Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Aug>) covers multiple Microsoft product families, including Azure, Browser, Developer Tools, [Extended Security Updates (ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Exchange Server, Microsoft Office, System Center,, and Windows.\n\nA total of 86 unique Microsoft products/versions are affected, including .NET, Azure, Edge (Chromium-based), Excel, Exchange Server (Cumulative Update), Microsoft 365 Apps for Enterprise, Office, Open Management Infrastructure, Outlook, and System Center Operations Manager (SCOM), Visual Studio, Windows Desktop, and Windows Server.\n\nDownloads include IE Cumulative, Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-35766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35766>), [CVE-2022-35794](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35794>) | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nAn unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>), [CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>) | Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable. **Warning**: Disabling Port 1723 could affect communications over your network.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>) | Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nThis vulnerability can only be exploited by communicating via Port 1723. As a temporary workaround An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.\n\nPlease see [Certificate-based authentication changes on Windows domain controllers](<https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16>) for more information and ways to protect your domain.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-33646](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646>) | Azure Batch Node Agent Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.0/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## **Microsoft Edge | Last But Not Least**\n\nEarlier in August, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>)[CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>), and [CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. For more information, please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>).\n\n### [CVE-2022-33649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 9.6/10.\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. \n\nThe user would have to click on a specially crafted URL to be compromised by the attacker.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33649>)[CVE-2022-33636](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>), [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33636>)[CVE-2022-35796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35796>) | Microsoft Edge (Chromium-based) Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.3/10. _[Per Microsoft's severity guidelines](<https://www.microsoft.com/en-us/msrc/bounty-new-edge>), the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity. The CVSS scoring system doesn't allow for this type of nuance._\n\nAn attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released five (5) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 25 vulnerabilities affecting Adobe Acrobat and Reader, Commerce, FrameMaker, Illustrator, and Premiere Elements applications. Of these 25 vulnerabilities, 15 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 7.8/10 to 9.1/10, as summarized below.\n\n\n\n* * *\n\n### [APSB22-38](<https://helpx.adobe.com/security/products/magento/apsb22-38.html>) | Security update available for Adobe Commerce\n\nThis update resolves seven (7) vulnerabilities:\n\n * Four (4) **_[_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n * One (1) **_[Moderate](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>), [important](<https://helpx.adobe.com/security/severity-ratings.html>), and [moderate](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, and security feature bypass.\n\n* * *\n\n### [APSB22-39](<https://helpx.adobe.com/security/products/acrobat/apsb22-39.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves seven (7) vulnerabilities:\n\n * Three (3) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Four (4) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-41](<https://helpx.adobe.com/security/products/illustrator/apsb22-41.html>) | Security Updates Available for Adobe Illustrator\n\nThis update resolves four (4) vulnerabilities:\n\n * Two (2) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * Two (2) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Illustrator 2022. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities that could lead to arbitrary code execution and memory leak.\n\n* * *\n\n### [APSB22-42](<https://helpx.adobe.com/security/products/framemaker/apsb22-42.html>) | Security update available for Adobe FrameMaker\n\nThis update resolves six (6) vulnerabilities:\n\n * Five (5) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>)\n * One (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution \nand memory leak. \n\n* * *\n\n### [APSB22-43](<https://helpx.adobe.com/security/products/premiere_elements/apsb22-43.html>) | Security update available for Adobe Premiere Elements\n\nThis update resolves one (1) [_**Critical**_](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for Adobe FrameMaker. This update addresses multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>) and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution \nand memory leak. \n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by Noon on Wednesday.\n\n## Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories for August 1-9, 2022 _New Content_\n\n * [Microsoft Patches 121 Vulnerabilities with Two Zero-days and 17 Critical; Plus 20 Microsoft Edge (Chromium-Based) in August 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/08/10/microsoft-patches-121-vulnerabilities-with-two-zero-days-and-17-critical-plus-20-microsoft-edge-chromium-based-in-august-2022-patch-tuesday/>)\n * [VMware vRealize Operations Multiple Vulnerabilities Patched in the Latest Security update (CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, & CVE-2022-31675)](<https://threatprotect.qualys.com/2022/08/10/vmware-vrealize-operations-multiple-vulnerabilities-patched-in-the-latest-security-update-cve-2022-31672-cve-2022-31673-cve-2022-31674-cve-2022-31675/>)\n * [Cisco Patched Small Business RV Series Routers Multiple Vulnerabilities (CVE-2022-20827, CVE-2022-20841, and CVE-2022-20842)](<https://threatprotect.qualys.com/2022/08/04/cisco-patched-small-business-rv-series-routers-multiple-vulnerabilities-cve-2022-20827-cve-2022-20841-and-cve-2022-20842/>)\n * [VMware Patched Multiple Vulnerabilities in VMware Products including Identity Manager (vIDM) and Workspace ONE Access](<https://threatprotect.qualys.com/2022/08/03/vmware-patched-multiple-vulnerabilities-in-vmware-products-including-identity-manager-vidm-and-workspace-one-access/>)\n * [Atlassian Confluence Server and Confluence Data Center \u2013 Questions for Confluence App \u2013 Hardcoded Password Vulnerability (CVE-2022-26138)](<https://threatprotect.qualys.com/2022/08/01/atlassian-confluence-server-and-confluence-data-center-questions-for-confluence-app-hardcoded-password-vulnerability-cve-2022-26138/>)\n\n* * *\n\n## Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>) _The old way of ranking vulnerabilities doesn\u2019t work anymore. Instead, enterprise security teams need to rate the true risks to their business. In this blog, we examine each of the risk scores delivered by Qualys TruRisk, the criteria used to compute them, and how they can be used to prioritize remediation._\n\n* * *\n\n## Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`50121` OR qid:`91929` OR qid:`91931` OR qid:`91932` OR qid:`91933` OR qid:`91934` OR qid:`91935` OR qid:`91936` OR qid:`110413` OR qid:`110414` OR qid:`376813` ) \n\n\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n## Evaluate Vendor-Suggested Workarounds with [Policy Compliance](<https://www.qualys.com/forms/policy-compliance/>) _New Content_\n\nQualys\u2019 [Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires the implementation of a vendor-suggested workaround. A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. _ [Source](<https://www.techtarget.com/whatis/definition/workaround>)_\n\nThe following Qualys [Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended workaround for this Patch Tuesday:\n\n#### **[CVE-2022-35793](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35793>) | Windows Print Spooler Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n * 21711: Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-35804](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804>)** | **SMB Client and Server Remote Code Execution (RCE) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24476: Status of the SMBv3 Client compressions setting\n * 20233: Status of the SMBv3 Server compressions setting \n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### ****[CVE-2022-35755](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35755>)** | **Windows Print Spooler Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 7.3/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 1368: Status of the \u2018Print Spooler\u2019 service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation More Likely\n\n* * *\n\n#### **[CVE-2022-30133](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30133>)**, **[CVE-2022-35744](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744>)** | **Windows Point-to-Point Protocol (PPP) Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 11220: List of \u2018Inbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n * 14028: List of \u2018Outbound Rules\u2019 configured in Windows Firewall with Advanced Security via GPO\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### **[CVE-2022-34715](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34715>): Windows Network File System Remote Code Execution (RCE) Vulnerability** \n\nThis vulnerability has a CVSSv3.1 score of 9.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 24139: Status of the Windows Network File System (NFSV4) service\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\n#### ****[CVE-2022-34691](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691>): Active Directory Domain Services Elevation of Privilege (EoP) Vulnerability****\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * 4079: Status of the \u2018Active Directory Certificate Service\u2019\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): Exploitation Less Likely\n\n* * *\n\nThe following QQL will return a posture assessment for the CIDs for this Patch Tuesday:\n \n \n control:( id:`1368` OR id:`4079` OR id:`11220` OR id:`14028` OR id:`20233` OR id:`21711` OR id:`24139` OR id:`24476` ) \n\n\n\n [Mitigating the Risk of Zero-Day Vulnerabilities by using Compensating Controls](<https://blog.qualys.com/vulnerabilities-threat-research/2022/08/23/mitigating-the-risk-of-zero-day-vulnerabilities-by-using-compensating-controls>)\n\n [Policy Compliance (PC) | Policy Library Update Blogs](<https://notifications.qualys.com/tag/policy-library>)\n\n* * *\n\n##### Patch Tuesday is Complete.\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-09T20:00:00", "type": "qualysblog", "title": "August 2022 Patch Tuesday | Microsoft Releases 121 Vulnerabilities with 17 Critical, plus 20 Microsoft Edge (Chromium-Based); Adobe Releases 5 Advisories, 25 Vulnerabilities with 15 Critical.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20827", "CVE-2022-20841", "CVE-2022-20842", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-26138", "CVE-2022-30133", "CVE-2022-30134", "CVE-2022-30190", "CVE-2022-31672", "CVE-2022-31673", "CVE-2022-31674", "CVE-2022-31675", "CVE-2022-33636", "CVE-2022-33646", "CVE-2022-33649", "CVE-2022-34301", "CVE-2022-34302", "CVE-2022-34303", "CVE-2022-34691", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-35744", "CVE-2022-35755", "CVE-2022-35766", "CVE-2022-35793", "CVE-2022-35794", "CVE-2022-35796", "CVE-2022-35804"], "modified": "2022-08-09T20:00:00", "id": "QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-07-25T12:00:43", "description": "Threat Level Vulnerability Report For a detailed advisory, download the pdf file here Summary Atlassian has released patches to address a critical security flaw, being tracked as CVE-2022-26138 involving the usage of hard-coded credentials in the Questions For Confluence app for Confluence Server and Confluence Data Center. Additionally, CVE-2022-26136 has been assigned to an authentication bypass and cross-site scripting (XSS) vulnerabilities and CVE-2022-26137 has been assigned to a Cross-origin resource sharing (CORS) bypass vulnerability. Both CVEs impact multiple Atlassian products.", "cvss3": {}, "published": "2022-07-25T11:10:10", "type": "hivepro", "title": "Critical Vulnerabilities in Multiple Atlassian Products being exploited-in-wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-25T11:10:10", "id": "HIVEPRO:D92A8F5DF20362E41FF86142A0BECE42", "href": "https://www.hivepro.com/critical-vulnerabilities-in-multiple-atlassian-products-being-exploited-in-wild/", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2022-07-29T21:59:42", "description": "\n\nExploitation is underway for one of the [trio of critical Atlassian vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) that were published last week affecting several the company\u2019s on-premises products. Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of [CVE-2022-26134 in Confluence Server and Confluence Data Center](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>).\n\n**CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:**\n\n * Confluence Server\n * Confluence Data Center\n\n**CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:**\n\n * Bamboo Server and Data Center\n * Bitbucket Server and Data Center\n * Confluence Server and Data Center\n * Crowd Server and Data Center\n * Crucible\n * Fisheye\n * Jira Server and Data Center\n * Jira Service Management Server and Data Center\n\n## CVE-2022-26138: Hardcoded password in Questions for Confluence app\n\nThe most critical of these three is [CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>), as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization\u2019s Confluence instance. Unsurprisingly, it didn\u2019t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.\n\n## Affected versions\n\n * Questions for Confluence 2.7.x\n\n * 2.7.34\n * 2.7.35\n * Questions for Confluence\n\n * 3.0.x\n * 3.0.2\n\n## Mitigation guidance\n\nOrganizations using on-prem Confluence should follow Atlassian\u2019s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian\u2019s advisory also includes information on how to look for evidence of exploitation. An [FAQ](<https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html>) has also been provided.\n\n> Please note: Atlassian\u2019s [Questions For Confluence Security Advisory 2022-07-20](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>) has a very important call-out that \u201cuninstalling the Questions for Confluence app does not remediate this vulnerability.\u201d\n\n## CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities\n\nTwo other vulnerabilities were announced at the same time, [CVE-2022-26136 and CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>), which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. Cloud versions of Atlassian have already been fixed by the company.\n\nThe list of affected versions is long and can be found on [Atlassian\u2019s Security Advisory](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>).\n\nWhile the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-26138 with a remote vulnerability check released on July 29, 2022 (ContentOnly-content-1.1.2602-202207292027).\n\n## Updates\n\n07/29/2022 - 5:30 PM EDT \nUpdated Rapid7 customers section to include information on a new remote vulnerability check.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T19:26:38", "type": "rapid7blog", "title": "Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-07-27T19:26:38", "id": "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "href": "https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-26T16:04:26", "description": "\n\nOn August 24, 2022, Atlassian published [an advisory for Bitbucket Server and Data Center](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) alerting users to [CVE-2022-36804](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>). The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with **read permissions** to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. Rapid7\u2019s vulnerability research team has a [full technical analysis in AttackerKB](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>), including how to use CVE-2022-36804 to create a simple reverse shell.\n\n[According to Shodan](<https://www.shodan.io/search?query=http.component%3A%22atlassian+bitbucket%22>), there are about 1,400 internet-facing servers, but it\u2019s not immediately obvious how many have a public repository. There are no public reports of exploitation in the wild as of September 20, 2022 (edit: see note below), but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse- engineer, it\u2019s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.\n\n**Note:** Several threat intelligence sources [reported](<https://twitter.com/Shadowserver/status/1573300004072132608>) seeing exploitation attempts in the wild as of September 23, 2022.\n\n**Affected products:** \nBitbucket Server and Data Center 7.6 prior to 7.6.17 \nBitbucket Server and Data Center 7.17 prior to 7.17.10 \nBitbucket Server and Data Center 7.21 prior to 7.21.4 \nBitbucket Server and Data Center 8.0 prior to 8.0.3 \nBitbucket Server and Data Center 8.1 prior to 8.1.3 \nBitbucket Server and Data Center 8.2 prior to 8.2.2 \nBitbucket Server and Data Center 8.3 prior to 8.3.1\n\n## Mitigation guidance\n\nOrganizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible [using Atlassian's guide](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html>), without waiting for a regular patch cycle to occur. Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-36804 with an unauthenticated vulnerability check in the September 20, 2022 content release (`ContentOnly-content-1.1.2653-202209202050`).\n\nA detection rule, `Suspicious Process - Atlassian BitBucket Spawns Suspicious Commands`, was deployed to InsightIDR around 10am ET on September 22, 2022.\n\n## Updates\n\n**September 22, 2022 10:00AM ET** \nUpdated Rapid7 customers section to include information on a new IDR detection rule.\n\n**September 26, 2022 10:30 AM EDT** \nUpdated to reflect reports of exploitation in the wild.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>)_\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-20T15:14:26", "type": "rapid7blog", "title": "CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26138", "CVE-2022-27511", "CVE-2022-29499", "CVE-2022-36804"], "modified": "2022-09-20T15:14:26", "id": "RAPID7BLOG:BCF3916E38EC7840E9BABBDD5431352B", "href": "https://blog.rapid7.com/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-26T21:03:28", "description": "\n\nOver the past few weeks, five different vulnerabilities affecting [Zimbra Collaboration Suite](<https://www.zimbra.com/>) have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the **[latest version](<https://wiki.zimbra.com/wiki/Zimbra_Releases>)** on an urgent basis, and to upgrade future versions as quickly as possible once they are released.\n\n## Exploited RCE vulnerabilities\n\nThe following vulnerabilities can be used for remote code execution and are being [exploited in the wild](<https://www.cisa.gov/uscert/ncas/alerts/aa22-228a>).\n\n### CVE-2022-30333\n\n[CVE-2022-30333](<https://nvd.nist.gov/vuln/detail/CVE-2022-30333>) is a path traversal vulnerability in `unRAR`, Rarlab\u2019s command line utility for extracting RAR file archives. CVE-2022-30333 allows an attacker to write a file anywhere on the target file system as the user that executes `unrar`. Zimbra Collaboration Suite uses a vulnerable implementation of `unrar` (specifically, the `amavisd` component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in [9.0.0 patch 25](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25>) and [8.5.15 patch 32](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32>) by replacing `unrar` with `7z`.\n\nOur research team has a [full analysis of CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>) in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16796>) is also available. Note that the server **does not** necessarily need to be internet-facing to be exploited \u2014 it simply needs to receive a malicious email.\n\n### CVE-2022-27924\n\nCVE-2022-27924 is a blind Memcached injection vulnerability [first analyzed publicly](<https://blog.sonarsource.com/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/>) in June 2022. Successful exploitation allows an attacker to change arbitrary keys in the Memcached cache to arbitrary values. In the worst-case scenario, an attacker can steal a user\u2019s credentials when a user attempts to authenticate. Combined with [CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>), an authenticated remote code execution vulnerability, and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>), a currently unpatched privilege escalation issue that was publicly disclosed [in October 2021](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>), capturing a user\u2019s password can lead to remote code execution as the root user on an organization\u2019s email server, which frequently contains sensitive data.\n\nOur research team has a [full analysis of CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>) in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for _any_ user by stacking multiple requests.\n\n### CVE-2022-27925\n\n[CVE-2022-27925](<https://nvd.nist.gov/vuln/detail/CVE-2022-27925>) is a directory traversal vulnerability in Zimbra Collaboration Suite Network Edition versions 8.8.15 and 9.0 that allows an authenticated user with administrator rights to upload arbitrary files to the system. (Note that Open Source Edition does not have that endpoint and is therefore not vulnerable.) On August 10, 2022, security firm [Volexity published findings](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 _without_ authentication.\n\n**Note:** Although the public advisories don't mention it, our testing indicated that Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable `mboximport` endpoint). Vulnerable versions are:\n\n * Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)\n * Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)\n\nOur research team has a [full analysis of CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>) in AttackerKB.\n\n### CVE-2022-37042\n\nAs noted above, CVE-2022-37042 is a critical authentication bypass that arises from an incomplete fix for CVE-2022-27925. Zimbra patched CVE-2022-37042 in [9.0.0P26](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26>) and [8.8.15P33](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33>).\n\n## Unpatched privilege escalation CVE-2022-37393\n\nIn October of 2021, researcher Darren Martyn [published an exploit](<https://github.com/darrenmartyn/zimbra-slapper/>) for a zero-day [root privilege escalation vulnerability](<https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/>) in Zimbra Collaboration Suite. When successfully exploited, the vulnerability allows a user with a shell account as the `zimbra` user to escalate to root privileges. While this issue requires a local account on the Zimbra host, the previously mentioned vulnerabilities in this blog post offer plenty of opportunity to obtain it.\n\nOur research team tested the privilege escalation in combination with CVE-2022-30333 at the end of July 2022, as well as the fully patched version on August 17, 2022, and found that all versions of Zimbra were affected through at least 9.0.0 P26 and 8.8.15 P33. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned [CVE-2022-37393](<https://nvd.nist.gov/vuln/detail/CVE-2022-37393>) (still awaiting NVD analysis) to track it. A [full analysis of CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) is available in AttackerKB. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16807>) is also available.\n\n## Mitigation guidance\n\nWe strongly advise that all organizations who use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring [Zimbra\u2019s release communications](<https://wiki.zimbra.com/wiki/Zimbra_Releases>) for future security updates, and patching on an urgent basis when new versions become available.\n\nThe AttackerKB analyses for [CVE-2022-30333](<https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis?referrer=blog>), [CVE-2022-27924](<https://attackerkb.com/topics/6vZw1iqYRY/cve-2022-27924/rapid7-analysis?referrer=blog>), [CVE-2022-27925](<https://attackerkb.com/topics/dSu4KGZiFd/cve-2022-27925/rapid7-analysis>), and [CVE-2022-37393](<https://attackerkb.com/topics/92AeLOE1M1/cve-2022-37393/rapid7-analysis?referrer=blog>) all include vulnerability details (including proofs of concept) and sample indicators of compromise (IOCs). Volexity\u2019s [blog](<https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/>) also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published [lists of valid JSP files included in Zimbra installations](<https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20\\(Un\\)authenticated%20Zimbra%20RCE%20CVE-2022-27925>) for the latest version of 8.8.15 and of 9.0.0 (at time of writing).\n\nFinally, we recommend blocking internet traffic to Zimbra servers wherever possible and [configuring Zimbra to block external Memcached](<https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack>), even on patched versions of Zimbra.\n\n## Rapid7 customers\n\nVulnerability checks for all five Zimbra CVEs are available via a content-only update as of August 18, 3pm ET.\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR\u2019s built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Suspicious Process - Zimbra Collaboration Suite Webserver Spawns Script Interpreter\n * Suspicious Process - \u201cZimbra\u201d User Runs Shell or Script Interpreter\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Active Exploitation of Atlassian\u2019s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_\n * _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_\n * _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_\n * _[Active Exploitation of Confluence CVE-2022-26134](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-17T12:55:18", "type": "rapid7blog", "title": "Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-08-17T12:55:18", "id": "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "href": "https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-28T15:43:01", "description": "\n\nAnother quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let\u2019s take a look at some of the key releases in [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) from Q3. \n\n## [[InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>) and [Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>)] Recurring coverage for VMware vCenter\n\nRecurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.\n\nVMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a [number](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>) [of](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>) zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.\n\n## [InsightVM and Nexpose] Tune Assistant\n\nThe Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.\n\nTuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our [docs page](<https://docs.rapid7.com/insightvm/configuring-maximum-performance-in-an-enterprise-environment/>) on configuring maximum performance in an enterprise environment.\n\n\n\n## [InsightVM and Nexpose] Windows Server 2022 Support\n\nWe want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. [Learn more](<https://www.rapid7.com/products/insightvm/system-requirements/>) about the systems we support. \n\n## [InsightVM and Nexpose] Checks for notable vulnerabilities\n\nWith exploitation of major vulnerabilities in [Mitel MiVoice Connect](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>), multiple [Confluence](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>) [applications](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>), and [other](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>) [popular](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>) [solutions](<https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/>), the threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs for vulnerability checks, including:\n\n * **Mitel MiVoice Connect Service Appliance | CVE-2022-29499:** An onsite VoIP business phone system, MiVoice Connect had a data validation vulnerability, which arose from insufficient data validation for a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>).\n * **\u201cQuestions\u201d add-on for Confluence Application | CVE-2022-26138:** This vulnerability affected \u201cQuestions,\u201d an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>).\n * **Multiple vulnerabilities in Zimbra Collaboration Suite:** Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. [Learn more about the vulnerability and our response](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>).\n * **CVE-2022-30333**\n * **CVE-2022-27924**\n * **CVE-2022-27925**\n * **CVE-2022-37042**\n * **CVE-2022-37393**\n\nWe were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. Stay tuned for more great things, and have a happy autumn.\n\n_**Additional reading:**_\n\n * _[The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading](<https://www.rapid7.com/blog/post/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/>)_\n * _[InsightVM: Best Practices to Improve Your Console](<https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/>)_\n * _[5 Steps for Dealing With Unknown Environments in InsightVM](<https://www.rapid7.com/blog/post/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/>)_\n * _[What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)_[ \n](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-28T14:11:35", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q3 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005", "CVE-2022-26134", "CVE-2022-26138", "CVE-2022-27511", "CVE-2022-27924", "CVE-2022-27925", "CVE-2022-29499", "CVE-2022-30333", "CVE-2022-36804", "CVE-2022-37042", "CVE-2022-37393"], "modified": "2022-09-28T14:11:35", "id": "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "href": "https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-08-14T16:51:25", "description": "Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the [avleonovcom](<https://t.me/avleonovcom>) and [avleonovrus](<https://t.me/avleonovrus>) telegram channels. Therefore, if you want to read them earlier, subscribe to these channels.\n\n_The main idea of \u200b\u200bthis episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn't. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure, in some we can continue to use such products if it is reasonable, but it's necessary to have a plan B. And this does not only apply to Microsoft. So, it's time for a flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it's necessary to adapt to it._\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239097>\n\nWhat's in this episode:\n\n 1. Microsoft released a propaganda report, what does this mean for us?\n 2. Microsoft released the Autopatch feature, is it a good idea to use it?\n 3. Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n 4. The new Nessus Expert and why it's probably Tenable's worst release\n 5. Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n 6. Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?\n 7. 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\n## Microsoft released a propaganda report, what does this mean for us?\n\nLet's start with the most important topic. Microsoft [released a propaganda report](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK>) about the evil Russians and how they (Microsoft) defend one well-known country. I usually avoid such topics, but in this case, I just can't.\n\n 1. Most of the report is "water" and unproven "highly-likely" stuff. It's boring to read. More than half of the report is not about cyber attacks at all, but about propaganda/disinformation "attacks" in media, social networks, etc. With strange historical digressions. For example, they give a photo of some article from an Indian newspaper of the 1980s and write that this publication was organized by the KGB. I'm not kidding, look at page 12.\n 2. On the other hand, the most important thing in this report is not what is written, but who released it. It's not mainstream media, it's not a government agency like the NSA or CIA, it's Microsoft - a global IT vendor that should, in theory, be more or less neutral. And now they are releasing such reports! If you still believe Microsoft is a non-government commercial company, look through this report. This position is the most official, the foreword was written by the current president of Microsoft.\n 3. From a technical point of view, it is interesting that the state IT infrastructure was transferred to the cloud and Microsoft technologies (Defender for Endpoint?) were used to protect it. Almost all technical information is on the 9th page of the report.\n 4. They write about 2 important security options. The first is that Microsoft made a free Vulnerability Management for them. "The first has been the use of technology acquired from RiskIQ that identifies and maps organizational attack surfaces, including devices that are unpatched against known vulnerabilities and therefore are the most susceptible to attack." It's not entirely clear how they did it. They could just connect hosts to Defender for Endpoint. But perhaps they massively activated the collection of data from hosts in some other way.\n 5. The description of the second protection option hints at the existence of a such non-standard methods: "MSTIC recognized that XXX malware could be mitigated meaningfully by turning on a feature in Microsoft Defender called controlled folder access. This typically would require that IT administrators access devices across their organization, work made more difficult and potentially even dangerous in ZZZ conditions. The YYY government therefore authorized Microsoft through special legal measures to act proactively and remotely to turn on this feature across devices throughout the government and across the country." And here it is not so important that Microsoft set up controlled folder access, it is important how they did it. It turns out that MS can massively remotely tweak security options if the government of a certain country has allowed them to do so. Wow! And what else can they do, on which hosts and under what conditions?\n 6. The main concern, of course, is that Microsoft products, including cloud-based security services, are still widely used in Russian organizations. And not only in Russia, but also in other countries that have some disagreements with US policy. Such publications confirm that Microsoft is a highly biased and unstable IT vendor, and something needs to be done about it quickly.\n\nAnd it would be fair to ask: "Weren't you, Alexander, promoting Microsoft's security services? And now you've turned against them?" \n\nAnd it's easy to point to some posts from my blog:\n\n 1. [Microsoft security solutions against ransomware and APT](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) (the best business breakfast I've ever had - the catering was top notch )\n 2. [Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python](<https://avleonov.com/2021/02/19/microsoft-defender-for-endpoint-why-you-may-need-it-and-how-to-export-hosts-via-api-in-python/>)\n 3. [Getting Hosts from Microsoft Intune MDM using Python](<https://avleonov.com/2021/06/09/getting-hosts-from-microsoft-intune-mdm-using-python/>)\n 4. [How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API](<https://avleonov.com/2021/08/16/how-to-get-antivirus-related-data-from-microsoft-defender-for-endpoint-using-intune-and-graph-api/>)\n 5. [Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures](<https://avleonov.com/2021/09/14/microsoft-defender-for-endpoint-the-latest-versions-of-antivirus-engine-signatures/>)\n\nIt's paradoxical, but I don't have a post about exporting vulnerabilities from Defender for Endpoint.  I was going to make a post about it, but there were always more important topics. \n\nWhat can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it's logical to use your OS vendor's security services. Just because you already have complete trust in your OS vendor. Right? \u0410nd other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.\n\nNot to say that I did not [write about such risks](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) at all:\n\n"It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft\u2019s guarantees that all the data is stored securely and they touch it with AI only."\n\nBut of course this was not enough. And 5 years ago, things looked very different. \n\u00af_(\u30c4)_/\u00af\n\n## Microsoft released the Autopatch feature, is it a good idea to use it?\n\nContinuing the topic of Microsoft security services. In mid-July, Microsoft [released the Autopatch feature](<https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-autopatch-is-now-generally-available/>) for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also [Hybrid Azure Active Directory must be configured](<https://www.theregister.com/2022/07/12/windows_auopatch_live/>). But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in perspective) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way. If you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.\n\n"The 'test ring' contains a minimum number of devices, the 'first ring' roughly 1% of all endpoints in the corporate environment, the 'fast ring' around 9%, and the 'broad ring" the rest of 90% of devices. \nThe updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison. \nWindows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues."\n\nIs it convenient? Yes, of course it's convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in vendor's stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations. \n\nBut in general, along with Defender for Endpoint (EDR, VM) and Intune this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we're talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor's services to make life easier for system administrators and security guys. I don't know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.\n\nOn the other hand, such Autopatch is not a panacea of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in future. If [Qualys can](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-zero-touch-patching-for-vulnerability-remediation/>), then MS will handle this as well.\n\n## Ridiculous Vulnerability: Hardcoded Password in Confluence Questions\n\nThere has been a lot of news about [Confluence vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) this week. Atlassian has released three of them.\n\n[CVE-2022-26136 & CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>): Multiple Servlet Filter vulnerabilities (Authentication bypass, XSS, Cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket for example. Everything is clear here, such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.\n\n[CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>): Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, this will create a disabledsystemuser user with a hardcoded password. And this user is not disabled!  The password is already publicly available. If you are logged in as this user, you can read the pages accessible by the confluence-users group. Well, isn't it funny?  This can be fixed by patching or blocking/deleting the user.\n\nWhat can be said here:\n\n 1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.\n 2. This is how backdoors in software can look like. The exploitation is very simple, and the vendor can always say that "oh, sorry, that was a bug".\n 3. Those who make Confluence and similar services available on the network perimeter are their own enemies.\n\n## The new Nessus Expert and why it's probably Tenable's worst release\n\nTenable [introduced Nessus Expert](<https://www.tenable.com/blog/introducing-nessus-expert-now-built-for-the-modern-attack-surface>). They have Nessus Professional, and now there will be Nessus Expert with new features:\n\n 1. [Infrastructure as Code Scanning](<https://youtu.be/Ks5XN0ZpzBw>). In fact, they added [Terrascan](<https://runterrascan.io/>) (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu and scan results cannot be viewed in the GUI and can only be downloaded as Json file.\n 2. [External attack surface scanning](<https://youtu.be/_TYvN_GS-AA>). They took these features from [Bit Discovery](<https://www.whitehatsec.com/bit-discovery/>) (also acquired this year). You can run a scan that will look for subdomains for a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that's all. There is no synergy with the usual functionality of Nessus.\n\nThe press release recalls how [Renaud Deraison](<https://t.me/avleonovcom/966>) released first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality, attached to the main product "with blue electrical tape". And such a Frankenstein monster could never be presented as a new product. Sadness and marketing. Let's see if it gets better with time.\n\n## Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird\n\nI looked at the new features in [Rapid7 Nexpose/InsightVM added in Q2 2022](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>). Some changes are like "OMG, how did they live without it?!"\n\nThey just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take into account these data as well? Well, ok.\n\nOr that they used to have such weird patching dashboards that progress on the Remediation Project was only visible when the patches were applied to all assets. And now it's better: "Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress". Indeed, better late than never.\n\nRapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS. It turns out that Rapid7 clients have just now got the opportunity to scan these distributions.\n\nRapid7 use the term "recurring coverage" for supported software products. And they have a [public list of such products](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>). "The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage". The list is not very big, but it's cool that it's public.\n\nOn the other hand, there are cool features. At least one, [Scan Assistant](<https://docs.rapid7.com/insightvm/scan-assistant/>). This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts and Vulnerability Scanner will authenticate to hosts using certificates rather than real system accounts.\n\n"Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter."\n\nThis is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It's cool that the functionality is evolving. But for now, it's only for Windows.\n\nAnd there are updates that did not cause any special emotions in me. These are, for example, Asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They added and it's good.\n\n## **Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?**\n\nThe ["Palo Alto 2022 Unit 42 Incident Response Report" makes the amusing claim](<https://unit42.paloaltonetworks.com/incident-response-report/>) that attackers typically start scanning organizations' perimeters for vulnerabilities 15 minutes after a CVE is published.\n\nJust like this:\n\n"The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced."\n\nThey do not write how exactly they got these 15 minutes. Or I didn't find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp for exploitaition and the timestamp for vulnerability publication.\n\n[There is an example](<https://unit42.paloaltonetworks.com/cve-2022-1388/>) that 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.\n\n"For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts".\n\nIt's cool of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.\n\nBut that's not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.\n\nTherefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And whenever possible, try to minimize the number of such services as much as possible. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.\n\nOf course, it's easier said than done.\n\n## 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization\n\nIn the same "[Palo Alto 2022 Unit 42 Incident Response Report](<https://unit42.paloaltonetworks.com/incident-response-report/>)" there is one more interesting point. Groups of vulnerabilities that were most often used in attacks. "For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories.".\n\nCVE categories:\n\n * 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)\n * 14% Log4j\n * 7% SonicWall CVEs\n * 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)\n * 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)\n * 3% Fortinet CVEs\n * 13% Other\n\nOn the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.\n\nOn the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.\n\nOr we can remember [last year's story with Kaseya VSA](<https://avleonov.com/2021/07/05/last-weeks-security-news-printnightmare-kaseya-intune-metasploit-docker-escape/>). Thousands of companies have been affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.\n\nTaking into account the exodus of Western vendors from the Russian IT market, the landscapes "here" and "there" will differ more and more. More and more incidents in Russia, will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about [1C](<https://en.wikipedia.org/wiki/1C_Company>) ([Odin-Ass](<https://pikabu.ru/story/rossiyskiy_ryinok_programmnogo_obespecheniya_takoy_strannyiy_3895019>) )? And it works both ways. Does this mean that in Russia, we will need Vulnerability Management solutions focused on our Russian IT realities? Well apparently yes. And something tells me that this will not only happen in Russia.\n\nIt seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-14T11:30:44", "type": "avleonov", "title": "Vulnerability Management news and publications #2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2022-1388", "CVE-2022-26136", "CVE-2022-26137", "CVE-2022-26138"], "modified": "2022-08-14T11:30:44", "id": "AVLEONOV:4E65E4AC928647D5E246B06B953BBC6F", "href": "https://avleonov.com/2022/08/14/vulnerability-management-news-and-publications-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
CVE-2022-26138
