Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree

Some days, security just feels like a total illusion. OK, most days...


A recently disclosed critical vulnerability in Atlassian's Bitbucket is actively being exploited, according to the US government.

The Cybersecurity and Infrastructure Security Agency (CISA) late on Friday placed the flaw – tracked as CVE-2022-36804 – on its catalog of Known Exploited Vulnerabilities (KEV), effectively a must-patch list.

GreyNoise, a company that tracks and analyzes internet traffic, said it found evidence the security hole was being exploited in the wild.

CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.

Atlassian disclosed the vulnerability August 24, saying it affected both the Server and Data Center builds of its Git-based source code management tool. Both are code-hosting and collaboration offerings for development teams, but while Server is designed for a single-server deployment, Data Center offers active-active clustering and smart mirroring capabilities.

The flaw, which was discovered via Atlassian's bug bounty program, was introduced in version 7.0.0 of both products and affects every release from 7.0.0 through 8.3.0 that has not been patched. It's a command-injection vulnerability in a number of API endpoints: an attacker who can reach them, whether unauthenticated via a public repository or as a logged-in user with read access to a private one, can send specially crafted HTTP requests to execute arbitrary code on vulnerable installations.

In a blog post about the vulnerability in late September, researchers at Rapid7 initially said there had been no public reports of exploits in the wild as of September 20, but changed that three days later as such reports began to emerge.

"There has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available," they wrote before the reports of exploitation attempts arose, foretelling the future.

"Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it's likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon."

In its alert, Atlassian listed seven fixed versions and recommended that organizations upgrade their tools immediately. If that's not possible, the vendor's stopgap is to turn off public repositories globally (the feature.public.access=false setting). Note the caveat in the advisory: that only removes the unauthenticated path; any user who can authenticate and read a repository can still trigger the bug, so it is a mitigation, not a fix.

The flaw was the latest problem for the Aussie software shop, which also disclosed two critical flaws in July that impacted its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that could be exploited by remote and unauthenticated attackers to bypass authentication used by third-party applications. Before that was another critical flaw in Confluence and in the spring a two-week-long cloud outage that affected almost 800 customers.

Exchange users, stop looking so smug

Also added to CISA's list are the two zero-day vulnerabilities in Microsoft Exchange Server. One (CVE-2022-41040) is a server-side request forgery vulnerability and the other (CVE-2022-41082) is a remote code execution bug reachable when PowerShell remoting is exposed to the attacker; both can be exploited together to run PowerShell commands on a vulnerable system and hijack it. Per Microsoft, the chain requires authenticated access to the Exchange server, which is why attackers have paired it with stolen or guessed credentials.

Both were reported by Vietnamese cybersecurity firm GTSC late last week, and the Microsoft Threat Intelligence Center (MSTIC) said in a blog post October 1 that the holes were being exploited in "limited targeted attacks." We're told a single crew in August was able to exploit the bugs to install a backdoor and exfiltrate data from a victim's network, for instance.

"Microsoft observed these attacks in fewer than 10 organizations globally," the Windows giant wrote. "MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization."

The vulnerabilities have been dubbed ProxyNotShell because of their similarities with the 2021 ProxyShell chain, which also abused the Autodiscover front end to reach the PowerShell back end. Travis Smith, vice president of malware threat research at Qualys, told The Register there are still thousands of systems that remain vulnerable to the ProxyShell flaws.

"Organizations who responded to the ProxyShell vulnerability should pay close attention to this one as well," Smith said. "Those responsible for patching Exchange servers need to take their lessons learned on rapid remediation, as this vulnerability is likely to see increased exploitation quickly in the coming days."

The Azure titan has yet to issue a fix for the Exchange bugs. It has published mitigation steps – chiefly an IIS URL Rewrite rule on the Autodiscover front end that blocks requests matching a known attack pattern – though some security researchers are questioning whether those efforts will be enough. One infosec bod with the Twitter handle Janggggg wrote that the URL pattern used to detect and prevent exploitation can be bypassed, while Will Dormann wrote that the mitigations seem "unnecessarily precise, and therefore insufficient."
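To make Dormann's point concrete, here is an added example (ours, not Microsoft's mitigation script or any code from the researchers quoted) that runs two blocking patterns over constructed request URIs. The narrow pattern is modelled on the shape of the initially published rule, which pinned a literal "@" and the exact casing of "Powershell"; the loose pattern is modelled on the later revision, which uses independent case-insensitive lookaheads. Both are illustrative reconstructions rather than Microsoft's exact text, and the sample URIs are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Narrow rule: modelled on the first published URL Rewrite pattern (illustration,
# not Microsoft's exact text). It requires ".json", a literal "@" and the exact
# casing "Powershell" - three incidental details an attacker controls.
NARROW = re.compile(r".*autodiscover\.json.*\@.*Powershell.*")

# Loose rule: modelled on the later revision. Two independent lookaheads,
# case-insensitive, and no dependence on ".json" or on "@".
LOOSE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def canonicalise(uri: str) -> str:
    """Percent-decode until stable so %40 and double-encoded %2540 both become '@'."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri


def evaluate(uri: str) -> dict:
    """Report which rule would block this request URI, raw and after decoding."""
    return {
        "narrow_raw": bool(NARROW.search(uri)),
        "narrow_decoded": bool(NARROW.search(canonicalise(uri))),
        "loose_raw": bool(LOOSE.search(uri)),
    }


# Constructed sample request URIs (not captured traffic): one textbook shape,
# three trivial variations of it, and one benign request that must not match.
SAMPLES = [
    "/autodiscover/autodiscover.json?@example.test/Powershell",      # textbook shape
    "/autodiscover/autodiscover.json?%40example.test/Powershell",    # '@' percent-encoded
    "/autodiscover/autodiscover.json?@example.test/powershell",      # casing changed
    "/AutoDiscover/AutoDiscover.json?@example.test/PowerShell",      # casing changed again
    "/owa/auth/logon.aspx",                                          # benign
]


def coverage(samples=SAMPLES) -> dict:
    """Count how many of the sample URIs each rule blocks."""
    totals = {"narrow_raw": 0, "narrow_decoded": 0, "loose_raw": 0}
    for uri in samples:
        for rule, hit in evaluate(uri).items():
            totals[rule] += int(hit)
    return totals


if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:60} {evaluate(uri)}")
    print(coverage())
```

Decoding before matching closes only the encoding trick; the casing variants still slip past the narrow rule, which is the general lesson: a blocking rule should key on the minimum the attack needs (here, reaching Autodiscover and the PowerShell endpoint in one request) and be tested against variants, not transcribed from one proof of concept. The trade-off is that the broad rule can also block unusual but legitimate requests, so watch the IIS logs after deploying it.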

Security in Exchange Server has been an ongoing issue for Microsoft, so much so that the mega-corp is vowing to improve its defenses through such methods as adopting zero-trust principles.

Qualys' Smith said Exchange is a "juicy target" for attackers.

"Exchange is an email server, so it must be connected directly to the internet," he said. "And being directly connected to the internet creates an attack surface which is accessible from anywhere in the world, drastically increasing its risk of being attacked."

In addition, Exchange is "a mission-critical function. Organizations can't just unplug or turn off email without severely impacting their business in a negative way," he said. ®
