Local Privilege Escalation via DLL Hijack in Confluence Server on Windows Installations
NOTE: Only Windows Installations of Confluence Server are affected by this vulnerability. Additionally, this only affects customers who use a non-default installation directory location. If Confluence is not installed in the system wide program files directory (typically C:/Program Files) then that would be considered a non-default installation directory.
The Windows installer for Atlassian Confluence Server before version 7.10.0 allows an unprivileged local attacker to execute an arbitrary DLL file, and possibly escalate privileges, via a DLL hijacking attack.
Affected versions:
- version <= 7.4.9
- 7.5.0 <= version <= 7.13.0
Fixed versions (Estimated Release mid July 2021):
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.0 => High severity
The root cause of the problem is the BUILTIN\Users Allow permission entry inherited from the parent folder, in this case the C: drive. To mitigate the problem, remove the Users group from the custom Confluence install folder. Here are the steps for that:
- Go to File Explorer and right click on the Confluence folder then select Properties menu
- Select the Security tab, then click the Advanced button for advanced settings, then click the Disable inheritance button and select Convert inherited permissions into explicit permissions on this object. Finally press OK to apply the changes to Confluence and its sub directories
- From the Security screen, click Edit to change permissions. Select the Users group in the list and press the Remove button to remove it, then press OK to apply the changes to Confluence and its sub folders
- After this, log in to Windows again with a normal user account and try to access the Confluence folder. You should not be able to access the folder, as shown in the following picture
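As an added example that is not part of the advisory, the following PowerShell script performs the same audit and remediation as the File Explorer steps above (disable inheritance, convert inherited entries to explicit, remove BUILTIN\Users) and then verifies the result recursively. The default `$ConfluencePath` and the helper name `Get-UsersAces` are assumptions; point the path at your own non-default install folder.

```powershell
# Added example, not the advisory's own code. Run in an elevated PowerShell session.
# Without -Fix the script only reports; with -Fix it applies the remediation.
param(
    [string]$ConfluencePath = 'C:\Confluence',   # placeholder, adjust to your install folder
    [switch]$Fix
)

# Well-known SID for BUILTIN\Users, so the check does not depend on the localized group name.
$usersSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

function Get-UsersAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by SID so they can be compared against $usersSid directly.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $usersSid } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $Path
                Rights      = $_.FileSystemRights
                Type        = $_.AccessControlType
                IsInherited = $_.IsInherited   # $true: inherited from the parent, e.g. C:\
            }
        }
}

Write-Host "BUILTIN\Users entries before:"
Get-UsersAces -Path $ConfluencePath | Format-Table -AutoSize

if ($Fix) {
    $acl = Get-Acl -LiteralPath $ConfluencePath
    # "Disable inheritance" + "Convert inherited permissions into explicit permissions".
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $ConfluencePath -AclObject $acl

    # Re-read so the converted entries are explicit, then drop every ACE for BUILTIN\Users
    # (the equivalent of selecting Users in the Security tab and pressing Remove).
    $acl = Get-Acl -LiteralPath $ConfluencePath
    $acl.PurgeAccessRules($usersSid)
    Set-Acl -LiteralPath $ConfluencePath -AclObject $acl

    # Verify the folder and everything below it: no BUILTIN\Users entry should remain.
    $remaining = @(Get-UsersAces -Path $ConfluencePath) +
        @(Get-ChildItem -LiteralPath $ConfluencePath -Recurse -Force |
            ForEach-Object { Get-UsersAces -Path $_.FullName })
    if ($remaining.Count -eq 0) { Write-Host "OK: BUILTIN\Users has no access to $ConfluencePath" }
    else { Write-Warning "BUILTIN\Users entries still present:"; $remaining | Format-Table -AutoSize }
}
```

Any entry reported after `-Fix` is an explicit grant to Users on a child object that inheritance changes do not touch; review and remove those individually.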