False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

False positive - Atlassian Confluence Remote Code Execution Vulnerability 92632

L6 Presenter

Threat ID 92632 was added late 6/3 for the new Atlassian 0-day exploit. All morning we have been seeing false positives on the new signature. Anyone else seeing the same? 

 

Seems to be alerting to the inclusion of javascript ad code across multiple websites, sourced from:

https://pdc.bidswitch.net/max_mrc_vimp/<long-alphanum-string>

https://pdc.bidswitch.net/max_mimp/<long-alphanum-string>

https://pdc.bidswitch.net/max_groupm_vimp/<long-alphanum-string>

7 REPLIES 7

L0 Member

Can confirm, we are seeing at least one of the same domains showing up with the same false positives.

L1 Bithead

Seeing the same from that domain.

 

L1 Bithead

We are seeing the same false positive. 

 

I opened a ticket the TAC and they are requesting a full packet capture. I'm hesitant to do this on prisma gateways because it's unclear how to reproduce the traffic AND the destination IP changes so the packet capture could be running and running.

 

We are using the SaaS version of Atlassian, and according to the Security Advisory (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html) :

 

Atlassian Cloud sites are protected

If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
Our investigations have not found any evidence of exploitation of Atlassian Cloud.
 

 

So I'm tempted to make a signature exception in the Antivirus Profile. 


Other ideas?

L6 Presenter

Are you receiving the alert on connections to your Atlassian instance? Or on connections from your users to a random third party website? For my false alert (and others I believe), there is no Atlassian server involved at all.

 

From the threat alert there should be a packet capture. If you export that capture and open it in Wireshark you can reassemble the packets into a formated output: select a packet in the capture and select "Follow -> tcp stream". A new window will pop up of the assembled packet like:


GET /max_groupm_vimp/WfcV4AtmWp-XiYB2f6ONSJuCKVlVq

AawN1cry1La8bIQ_hGvGVv9Gvscuzgnjh0c6FKolAawN1cry1La8bIQ_hGvGVv9Gv

...

Host: pdc.bidswitch.net

...

Referer: https://www.cnn.com/

...

GET - the URL path

Host - the host server FQDN that was connected to

Referer - the original server FQDN of the page that the reference to the URL was in (if it was an included object)

 

You should be able to identify the destination and recreate the alert by copying the host and URL into a separate browser window and downloading again.

Just like you, I'm receiving these alerts on traffic NOT going to Atlassian instances. 

 

Looking at the PCAP, I see:

 

GET /max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....

...

Host: pdc.bidswitch.net

...

Referer: https://www.usatoday.com/

L6 Presenter

Yep, so the alert is hitting on the content included from pbc.bidswitch.net on usatoday.com. Bidswitch is an ad company. You can probably replicate the alert by calling the URL

https://pdc.bidswitch.net /max_groupm_vimp/cqBEM_QBMxlLhguztF9yWmT6DTPGVEEVnYEQlMjfCLPdRn-yMBZug....

directly in your browser (you might have to play around some HTTP variables). Once you can replicate the alert from calling the URL directly (instead of being buried in usatoday.com's code), its easy to do a packet capture of just that request.

L1 Bithead

Right on! Thanks so much @Adrian_Jensen

 

I feel like this should be the responsibility of TAC engineering to identify / test their patterns, but if it can help others, I'll give it a go. 🙂

  • 3657 Views
  • 7 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!