Australian software firm Atlassian warned customers to immediately patch a critical vulnerability that provides remote attackers with hardcoded credentials to log into unpatched Confluence Server and Data Center servers.
As the company revealed this week, the Questions for Confluence app (installed on over 8,000 servers) creates a disabledsystemuser account with a hardcoded password to help admins migrate data from the app to the Confluence Cloud.
One day after releasing security updates to address the vulnerability (tracked as CVE-2022-26138), Atlassian warned admins to patch their servers as soon as possible, given that the hardcoded password had been found and shared online.
“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” the company warned Thursday.
“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known.”
The warning is both timely and necessary: threat actors equipped with this knowledge could use it to log into vulnerable Confluence servers and read any page the confluence-users group can access.
This is also no surprise, as Atlassian had already alerted users that the password was “trivial to obtain after downloading and reviewing affected versions of the app.”
Patching and checking for evidence of exploitation
To defend against potential attacks, Atlassian recommends updating to a patched version of Questions for Confluence or disabling/deleting the disabledsystemuser account.
Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions greater than 3.0.5) will remove the problematic user account if present.
To determine whether a server is affected by this hardcoded-credentials flaw, check for an active user account with the following details:
User: disabledsystemuser
Username: disabledsystemuser
Email: dontdeletethisuser@email.com
To look for evidence of exploitation, you can check the last authentication time for disabledsystemuser using the following instructions. If the result is null, the account exists on the system, but no one has yet signed in using it.
Note that uninstalling the Questions for Confluence app on affected servers will not remove the attack vector (i.e., the hardcoded credentials), and unpatched systems will remain exposed to attacks.
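The checks above (account present, last authentication null or not, app on a fixed version) and the caveat that uninstalling the app leaves the account behind, as an added triage helper; this is example code for this article, not Atlassian's tooling, and it runs over a constructed user listing rather than a live server.

```python
"""Added triage helper for the Questions for Confluence hardcoded account
(CVE-2022-26138); example code for this article, not Atlassian's tooling.
It applies the article's checks: is the app on a fixed version, does the
disabledsystemuser account exist, and has it ever authenticated (a non-null
last login is a sign of possible exploitation). Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional

FLAGGED_USERNAME = "disabledsystemuser"
FLAGGED_EMAIL = "dontdeletethisuser@email.com"

@dataclass
class ConfluenceUser:
    username: str
    email: str
    last_authenticated: Optional[str]  # ISO timestamp, or None if never signed in

def is_fixed_version(version: str) -> bool:
    """Fixed line as the article gives it: 2.7.x with x >= 38, or above 3.0.5.
    Confirm the exact boundaries against Atlassian's advisory."""
    v = tuple(int(p) for p in version.split("."))
    return v >= (2, 7, 38) if v[:2] == (2, 7) else v > (3, 0, 5)

def triage(app_version: Optional[str], users: List[ConfluenceUser]) -> dict:
    """app_version is None when the app is uninstalled; the account check still
    runs because uninstalling the app does not remove the credentials."""
    hit = next((u for u in users
                if u.username == FLAGGED_USERNAME or u.email == FLAGGED_EMAIL), None)
    result = {
        "app_fixed": app_version is not None and is_fixed_version(app_version),
        "account_present": hit is not None,
        "ever_authenticated": hit is not None and hit.last_authenticated is not None,
    }
    if hit is None:
        result["verdict"] = "account absent: not exposed via this account"
    elif hit.last_authenticated is None:
        result["verdict"] = "account present, never used: disable or delete it now"
    else:
        result["verdict"] = (f"account present, last login {hit.last_authenticated}: "
                             "treat as possible exploitation and investigate")
    return result

# Constructed sample: app uninstalled, account left behind and already used.
SAMPLE_USERS = [
    ConfluenceUser("alice", "alice@example.invalid", "2022-07-20T09:12:00Z"),
    ConfluenceUser(FLAGGED_USERNAME, FLAGGED_EMAIL, "2022-07-21T03:41:17Z"),
]

if __name__ == "__main__":
    print(triage(None, SAMPLE_USERS)["verdict"])
```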
Confluence servers are attractive targets for threat actors, as shown by previous attacks with Linux botnet malware, AvosLocker and Cerber2021 ransomware, and crypto miners.