A recently disclosed critical vulnerability in Atlassian’s Bitbucket is being actively exploited, according to the US government.
The Cybersecurity and Infrastructure Security Agency (CISA) added the bug — tracked as CVE-2022-36804 — to its Known Exploited Vulnerabilities (KEV) catalog late Friday, effectively a must-patch list.
GreyNoise, a company that tracks and analyzes Internet traffic, said it found evidence the vulnerability was being exploited in the wild.
CISA placed the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile zero-day bugs in Microsoft Exchange.
Atlassian disclosed the vulnerability on August 24, stating that it affected both the Server and Data Center builds of its Git-based source code management tool. Both are code hosting and collaboration offerings for development teams, but while Server is designed for a single-server deployment, Data Center adds active-active clustering and smart mirroring.
The bug, discovered via Atlassian's bug bounty program, was introduced in version 7.0.0 of both products and is present in every release from 7.0.0 up to and including 8.3.0. It is a command injection vulnerability in multiple API endpoints: an attacker who can send a specially crafted HTTP request to a vulnerable instance can run arbitrary code on it. Atlassian's advisory notes that access to a public repository, or read permission on a private one, is sufficient, which is why turning off public repositories is offered as a stopgap.
In a blog post about the vulnerability in late September, Rapid7 researchers initially said that there had been no public reports of exploits in the wild as of September 20, but changed that three days later when such reports surfaced.
"There has been strong interest in the vulnerability from researchers and exploit brokers, and several public exploits are now available," they wrote, before the reports of exploitation attempts surfaced.
“Because the vulnerability is trivially exploitable and the patch is relatively easy to reverse engineer, it is likely that a targeted exploit has already occurred in the wild. We expect large-scale exploitation of CVE-2022-36804 soon.”
In its advisory, Atlassian listed seven fixed versions and advised customers to upgrade immediately. Where that is not possible, it recommended turning off public repositories globally as a temporary mitigation. That does not remove the bug; it only changes the attack from unauthenticated to authenticated, since any user with read access to a repository can still trigger it.
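A practitioner's first question is whether a given install is in the affected window and, if so, which release to jump to. The following is an added example, not code from the article or from Atlassian; it encodes the affected range the article states (7.0.0 through 8.3.0) and the seven fixed versions from Atlassian's advisory for CVE-2022-36804, which the article counts but does not list, so confirm them against the advisory before relying on the output. The branch rule it applies (a fix exists per major.minor line; anything at or above that fix is patched, anything below it or on a branch with no fix needs to move to the next fixed release) is an assumption about how Atlassian's fix list is structured.

```python
import re
from typing import Optional

Version = tuple[int, int, int]

# The seven fixed versions from Atlassian's advisory for CVE-2022-36804.
# The article counts them but does not list them; confirm against the advisory.
FIXED_VERSIONS = ("7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1")

# Affected range as stated in the article: introduced in 7.0.0, present through 8.3.0.
AFFECTED_FROM: Version = (7, 0, 0)
AFFECTED_TO: Version = (8, 3, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(ver: Version) -> str:
    return ".".join(str(x) for x in ver)


def fix_on_branch(ver: Version, fixed=FIXED_VERSIONS) -> Optional[Version]:
    """Fixed release on the same major.minor branch, if Atlassian shipped one."""
    for f in fixed:
        fv = parse_version(f)
        if fv[:2] == ver[:2]:
            return fv
    return None


def next_fixed(ver: Version, fixed=FIXED_VERSIONS) -> Optional[Version]:
    """Smallest fixed release newer than the installed one: the upgrade target."""
    for fv in sorted(parse_version(f) for f in fixed):
        if fv > ver:
            return fv
    return None


def triage(installed: str) -> dict:
    """Classify an installed Bitbucket Server/Data Center version against CVE-2022-36804."""
    ver = parse_version(installed)
    result = {"version": fmt(ver), "status": "", "reason": "", "upgrade_to": None}

    if ver < AFFECTED_FROM:
        result.update(status="not affected", reason="predates 7.0.0, where the bug was introduced")
        return result
    if ver > AFFECTED_TO:
        result.update(status="not affected", reason="newer than 8.3.0, the last affected release")
        return result

    branch_fix = fix_on_branch(ver)
    if branch_fix is not None and ver >= branch_fix:
        result.update(status="patched", reason=f"at or above branch fix {fmt(branch_fix)}")
        return result

    target = next_fixed(ver)
    result.update(
        status="vulnerable",
        reason="inside the affected range and below any fix on this branch",
        upgrade_to=fmt(target) if target else None,
    )
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not data from any real deployment.
    for v in ("6.10.17", "7.5.0", "7.6.16", "7.6.17", "7.21.3", "8.3.0", "8.3.1"):
        r = triage(v)
        print(f"{r['version']:>8}  {r['status']:<13} {r['reason']}  -> {r['upgrade_to']}")
```

Note that a version inside the affected window but on a branch without a fix (7.5.x, say) is reported as vulnerable with the nearest newer fixed release as the target, which may be a minor-version jump rather than a patch-level bump; plan the upgrade accordingly rather than assuming a drop-in patch.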
The flaw was the latest problem for the Australian software vendor, which in July also disclosed two critical flaws affecting its Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira products, which could be exploited by remote, unauthenticated attackers to bypass authentication used by third-party applications. Before that came another critical bug in Confluence and, in the spring, a two-week cloud outage that affected nearly 800 customers.
Exchange users, stop looking so smug
Also added to the CISA list are the two zero-day vulnerabilities in Microsoft Exchange Server. One (CVE-2022-41040) is a server-side request forgery (SSRF) vulnerability and the other (CVE-2022-41082) is a remote code execution bug; chained together, they allow an attacker to run PowerShell commands on a vulnerable system and hijack it.
Both were reported by Vietnamese cybersecurity firm GTSC late last week, and Microsoft’s Threat Intelligence Team (MSTIC) said in an Oct. 1 blog post that the vulnerabilities were being exploited in “limited targeted attacks.” We’re told that in August, a single crew was able to exploit the flaws to, for example, install a backdoor and exfiltrate data from a victim’s network.
“Microsoft has observed these attacks in fewer than 10 organizations worldwide,” the Windows giant wrote. “MSTIC has a reasonable estimate that each activity group is likely a government-sponsored organization.”
The pair was dubbed ProxyNotShell due to their similarity to the ProxyShell bugs. Travis Smith, vice president of malware threat research at Qualys, told The Register that there are still thousands of systems that remain vulnerable to the ProxyShell bugs.
“Organizations that have responded to the ProxyShell vulnerability should also pay close attention to this vulnerability,” Smith said. “Those responsible for patching Exchange servers need to learn their lessons from fast remediation as this vulnerability is likely to see rapid exploitation over the coming days.”
The Azure titan has yet to issue a fix for the Exchange bugs. It has released mitigation steps in the form of a URL Rewrite blocking rule, though some security researchers question whether that is enough. An infosec bod with the Twitter handle Janggggg wrote that the URL pattern in the blocking rule can be bypassed, while Will Dormann wrote that the countermeasures appear "unnecessarily precise and therefore inadequate".
Security in Exchange Server is a constant concern for Microsoft, so much so that the megacorporation promises to beef up its defenses through methods such as adopting Zero Trust principles.
Qualys’ Smith said Exchange is a “juicy target” for attackers.
“Exchange is an email server, so it has to be directly connected to the internet,” he said. “And the direct connection to the Internet creates an attack surface that’s accessible from anywhere in the world, dramatically increasing the risk of attack.”
Additionally, Exchange is “a mission-critical function. Businesses can’t just unplug or turn off email without seriously impacting their business,” he said. ®
https://www.theregister.com/2022/10/04/atlassian_microsoft_cisa_flaws/ Atlassian and Microsoft bugs are on CISA's must-patch list • The Register