topic Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632 in Advanced Threat Prevention Discussions

False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

Adrian_Jensen — Mon, 06 Jun 2022 21:14:51 GMT

Threat ID 92632 was added late 6/3 for the new Atlassian 0-day exploit. All morning we have been seeing false positives on the new signature. Anyone else seeing the same?

Seems to be alerting to the inclusion of javascript ad code across multiple websites, sourced from:

https://pdc.bidswitch.net/max_mrc_vimp/<long-alphanum-string>

https://pdc.bidswitch.net/max_mimp/<long-alphanum-string>

https://pdc.bidswitch.net/max_groupm_vimp/<long-alphanum-string>

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

PStrickland — Tue, 07 Jun 2022 04:46:33 GMT

Can confirm, we are seeing at least one of the same domains showing up with the same false positives.

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

RicardoWaffle — Wed, 15 Jun 2022 21:59:34 GMT

Seeing the same from that domain.

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

jdub_cloud — Fri, 22 Jul 2022 21:38:54 GMT

We are seeing the same false positive.

I opened a ticket the TAC and they are requesting a full packet capture. I'm hesitant to do this on prisma gateways because it's unclear how to reproduce the traffic AND the destination IP changes so the packet capture could be running and running.

We are using the SaaS version of Atlassian, and according to the Security Advisory (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) :

Atlassian Cloud sites are protected

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
Our investigations have not found any evidence of exploitation of Atlassian Cloud.

So I'm tempted to make a signature exception in the Antivirus Profile.

Other ideas?

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

Adrian_Jensen — Fri, 22 Jul 2022 22:02:18 GMT

Are you receiving the alert on connections to your Atlassian instance? Or on connections from your users to a random third party website? For my false alert (and others I believe), there is no Atlassian server involved at all.

From the threat alert there should be a packet capture. If you export that capture and open it in Wireshark you can reassemble the packets into a formated output: select a packet in the capture and select "Follow -> tcp stream". A new window will pop up of the assembled packet like:

GET /max_groupm_vimp/WfcV4AtmWp-XiYB2f6ONSJuCKVlVq

AawN1cry1La8bIQ_hGvGVv9Gvscuzgnjh0c6FKolAawN1cry1La8bIQ_hGvGVv9Gv

...

Host: pdc.bidswitch.net

...

Referer: https://www.cnn.com/

...

GET - the URL path

Host - the host server FQDN that was connected to

Referer - the original server FQDN of the page that the reference to the URL was in (if it was an included object)

You should be able to identify the destination and recreate the alert by copying the host and URL into a separate browser window and downloading again.

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

jdub_cloud — Mon, 25 Jul 2022 21:54:30 GMT

Just like you, I'm receiving these alerts on traffic NOT going to Atlassian instances.

Looking at the PCAP, I see:

GET /max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....

...

Host: pdc.bidswitch.net

...

Referer: https://www.usatoday.com/

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

Adrian_Jensen — Mon, 25 Jul 2022 22:10:30 GMT

Yep, so the alert is hitting on the content included from pbc.bidswitch.net on usatoday.com. Bidswitch is an ad company. You can probably replicate the alert by calling the URL

https://pdc.bidswitch.net /max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....

directly in your browser (you might have to play around some HTTP variables). Once you can replicate the alert from calling the URL directly (instead of being buried in usatoday.com's code), its easy to do a packet capture of just that request.

Re: False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

jdub_cloud — Wed, 27 Jul 2022 00:02:12 GMT

Right on! Thanks so much @Adrian_Jensen

I feel like this should be the responsibility of TAC engineering to identify / test their patterns, but if it can help others, I'll give it a go. 🙂