
For several years in a row, the Californian manufacturer Fortinet has been in the public eye because of serious security problems. Known for its firewall, VPN and intrusion detection devices, the cyber security vendor was again forced to announce several highly critical security vulnerabilities in February 2024.

Staying informed and applying patches promptly is what companies need to proactively protect themselves against such attacks. Products such as Greenbone’s Enterprise Appliances play a central role in this and are meant to help admins. All the vulnerabilities mentioned in this blog post are covered by tests from the Greenbone Enterprise Feed: active procedures check whether the exploit is possible, and versioning tests will deliver results about the success of patch management.

87,000 passwords: Fortinet wins “Vulnerability of the Year 2022”

In 2019, CVE-2018-13379 (CVSS 9.8) allowed over 87,000 passwords for the Fortinet VPN to be read from the devices. In the following years, this vulnerability was exploited so successfully that in 2022 it was awarded the dubious title of “most exploited vulnerability of 2022”. The US authorities reacted and urged all of their clients to be more aware of the problem: the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) all warned that many customers had not applied patches promptly. Again, a lack of foresight turned out to be one of the main reasons; according to the agencies, patching would have prevented many of the successful attacks.

2023: Unwanted guests in critical networks

What makes it worse is the fact that Fortinet devices are mostly used in security-critical areas. Unpatched and equipped with serious vulnerabilities, such devices have become a focus of attackers in recent years, especially state actors. In 2023, for example, Chinese hacker groups successfully infiltrated Dutch military networks via a vulnerability in the FortiOS SSL VPN dating from December 2022 (CVE-2022-42475, CVSS 9.3), for which a patch had already been available for some time.

Even though the network was only used for research and development according to the Military Intelligence and Security Service (MIVD), the attacks published at the beginning of February made it clear how easy it is for attackers to penetrate even highly protected networks. Worse still, the corresponding backdoor “Coathanger” allows attackers to retain permanent access to devices once they have been compromised, all thanks to CVE-2022-42475, which allows the execution of arbitrary code.

February 2024: Warnings of further vulnerabilities, maximum severity

Unfortunately, the story does not end here: at the beginning of February 2024, Fortinet also had to admit another serious vulnerability: CVE-2024-21762 (CVSS score: 9.6) allows unauthorized attackers to execute arbitrary code via specially crafted requests. A long list of versions of the Fortinet operating system FortiOS and of FortiProxy are affected. The manufacturer advises upgrading or deactivating the SSL VPN and warns of both the severity of the vulnerability and the fact that it is already being massively exploited by attackers.

Fortinet seemed to have some organizational issues, too. CVE-2024-23108 and CVE-2024-23109, published just a few days later, sounded just as bad: they also allow unauthenticated attackers to execute arbitrary code. However, these CVEs have to be taken with a grain of salt: the fact that two CVEs from the same manufacturer received a 10.0 on the severity scale on the same day is probably unique and raised some experts’ eyebrows. Apart from that, the confusing communication from the vendor was not exactly likely to establish or further trust, similarly to the strange story of toothbrush-based attacks told by a Fortinet employee, which reached the mass media at the same time.

Fatal combination – vulnerability management can help

As always, Fortinet published patches promptly, but customers also have to install them. Again, the combination of serious security vulnerabilities, lack of awareness and missing patches showed its full impact: only a few days later the US government pushed out another advisory from CISA, NSA and FBI about Volt Typhoon, a Chinese state hacker group. The US government had evidence that these attackers had been permanently nested in the critical infrastructure of US authorities for many years via such vulnerabilities; the associated risks should not be underestimated, according to the warning.

The security by design called for there also includes the constant monitoring of one’s own servers, computers and installations with vulnerability tests such as those of the Greenbone Enterprise Appliances. Those who constantly monitor their networks (not just Fortinet devices) with the vulnerability tests of a modern vulnerability scanner can inform their administrators as quickly as possible when known CVEs in an infrastructure are still waiting for patches, reducing the attack surface.

Six high severity vulnerabilities in Atlassian Confluence have been disclosed over the past few months, making it imperative for its users to upgrade with urgency. Of these, the most severe, CVE-2023-22527, has been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog. Collectively, the recently disclosed vulnerabilities range in severity from CVSS 7.5 (High) to 10 (Critical). The Greenbone vulnerability manager is able to detect all of these vulnerabilities with active checks and version detection tests, including the most critical, CVE-2023-22527.

CVE-2023-22527 can be exploited by an attacker to achieve unauthenticated remote code execution (RCE). Impacted products include Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3 as well as 8.4.5 which no longer receives backported fixes according to Atlassian’s Security Bug Fix Policy. CVE-2023-22527 is tracked internally through Atlassian’s Jira portal as CONFSERVER-93833 and via a published advisory, and was reported as part of Atlassian’s Bug Bounty program by a contributor with the handle m1sn0w.
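As an added example (not Greenbone’s or Atlassian’s code), here is the kind of version detection test referred to above, encoding only the affected version ranges the paragraph lists for CVE-2023-22527; the hostnames and versions in the sample inventory are constructed, and a version outside the listed ranges is reported as not affected solely on the basis of that list.

```python
"""Version-based exposure check for CVE-2023-22527 in Atlassian Confluence.

Added example; it encodes only the affected ranges named in the text:
8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x (8.4.5 falls inside 8.4.x) and
8.5.0 through 8.5.3. It mirrors what a versioning test does: compare a
detected version string against known-affected ranges and report a verdict.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Whole minor series that are affected: matched on (major, minor) prefix.
AFFECTED_MINOR_PREFIXES = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
# Bounded ranges, inclusive on both ends.
AFFECTED_RANGES = [((8, 5, 0), (8, 5, 3))]


def parse_version(text: str) -> Optional[Version]:
    """Turn '8.5.3' or '8.5.3-rc1' into (8, 5, 3); None if unparseable."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version_text: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable banner: flag for manual review, never guess
    v3 = (version + (0, 0, 0))[:3]  # pad '8.4' to (8, 4, 0) for comparisons
    if v3[:2] in AFFECTED_MINOR_PREFIXES:
        return "affected"
    if any(low <= v3 <= high for low, high in AFFECTED_RANGES):
        return "affected"
    return "not affected"


def assess(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a detected-version inventory to its verdict."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"wiki-a": "8.5.3", "wiki-b": "8.5.4", "wiki-c": "8.4.5",
              "wiki-d": "7.19.2", "wiki-e": "unknown banner"}
    for host, verdict in assess(sample).items():
        print(f"{host}: {verdict}")
```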

The remaining five vulnerabilities can all be exploited remotely without user interaction, with impacts ranging from Denial of Service (DoS) only (CVE-2023-3635) to high impact on Confidentiality, Integrity, and Availability (CIA). The majority, including several high severity RCE vulnerabilities, were introduced in version 7.13.0 of Confluence Data Center and Server. Customers operating affected products on publicly exposed IP addresses are at increased risk of exploitation.

In total, Confluence has been the subject of 9 CISA KEV alerts for active exploitation, 3 of them in recent months, since October 2023:

  • January 24th, 2024: CISA added CVE-2023-22527 to its KEV catalog
  • November 7th, 2023: CISA added CVE-2023-22518 to its KEV catalog
  • December 5th, 2023: CISA added CVE-2023-22515 to its KEV catalog

A recent report based on analysis of publicly available Shodan data from the vulnerability and exploit research group VulnCheck estimated that more than 235,000 internet-facing Confluence honeypots exist on public-facing IP addresses, while the true number of real internet-facing Confluence servers is closer to 4,000.

Summary Of Vulnerabilities in Atlassian Confluence

Here is a brief summary of all recently disclosed vulnerabilities in Atlassian Confluence:

  • CVE-2023-22527 (CVSS 10 Critical): A template injection vulnerability [CWE-284] on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Most recent supported versions of Confluence Data Center and Server are not affected. After initial disclosure, Atlassian raised the CVSS score of CVE-2023-22527 from 9.1 to the highest possible score of 10.
  • CVE-2024-21673 (CVSS 8.8 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.
  • CVE-2023-22526 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction.
  • CVE-2024-21672 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely to cause high impact to system Confidentiality, Integrity, and Availability (CIA) without user interaction. The vulnerability was introduced in version 2.1.0 (released December 2005) of Confluence Data Center and Server, meaning it affects virtually all versions.
  • CVE-2023-3635 (CVSS 7.5 High): A DoS vulnerability in the Okio Java client library component used in Confluence. GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer, potentially leading to denial of service of the Okio client when it handles a crafted GZIP archive via the GzipSource class.
  • CVE-2024-21674 (CVSS 7.5 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely to cause high impact to system Confidentiality without user interaction, but no impact to Integrity or Availability. The vulnerability was introduced in version 13.0 (released August 2021) of Confluence Data Center and Server.

Mitigation Of Vulnerabilities in Atlassian Confluence

There are no reported workarounds to protect against these vulnerabilities. The most severe, CVE-2023-22527, only impacts older versions of Confluence Data Center and Server. Atlassian’s general recommendation for all other CVEs listed above is to download and upgrade to the newest version of Confluence Data Center and Server. However, if users are unable to do so, Atlassian’s mitigation advice is different for each CVE.

Atlassian has also outlined version-specific mitigations for CVE-2024-21673, CVE-2023-22526, CVE-2023-3635, and CVE-2024-21674. Customers who are unable to upgrade to the most recent version of Confluence Data Center and Server can upgrade to a minor version which has been patched.

  • Customers using Confluence Data Center and Server 7.19: Upgrade to version 19.18, or any higher 7.19.x release
  • Customers using Confluence Data Center and Server 8.5: Upgrade to version 5.5 or any higher 8.5.x release
  • Customers using Confluence Data Center and Server 8.7: Upgrade to version 7.2 or any higher 8.7.x release

Summary

In January 2024, 1 critical severity vulnerability was disclosed impacting Atlassian Confluence Data Center and Server, following in the footsteps of 5 other recently disclosed high impact CVEs. The most critical, CVE-2023-22527, is known to be exploited in the wild, making it imperative for users of affected products to upgrade with urgency. Public-facing instances of Confluence are most at risk, with an estimated 4,000 instances as of February 2nd, 2024.