Local Privilege Escalation via DLL Hijack in Confluence Server on Windows Installations

NOTE: Only Windows installations of Confluence Server are affected by this vulnerability. Additionally, this only affects customers who use a non-default installation directory location. If Confluence is not installed in the system-wide program files directory (typically C:/Program Files), that is considered a non-default installation directory.

Description

The Windows installer for Atlassian Confluence Server before version 7.10.0 allows an unprivileged local attacker to execute an arbitrary DLL file and possibly escalate privileges via a DLL hijacking attack.

Affected versions:

  • version <= 7.4.9
  • 7.5.0 <= version <= 7.13.0

Fixed versions (Estimated Release mid July 2021):

  • 7.4.10
  • 7.13.1
  • 7.14.0

Severity

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.0 => High severity

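Exploitability Metrics

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None

Scope Metric

Scope: Unchanged

Impact Metrics

Confidentiality: High
Integrity: High
Availability: High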


https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Workaround

The root cause of the problem is the permission BUILTIN\Users Allow * inherited from the parent folder, in this case the C: drive. To mitigate the problem, remove the Users group from the custom Confluence install folder. The steps are:

  • Open File Explorer, right-click the Confluence folder, and select Properties.

  • Select the Security tab and click Advanced to open the advanced settings. Click Disable inheritance and select Convert inherited permissions into explicit permissions on this object. Finally, press OK to apply the changes to the Confluence folder and its subdirectories.

  • On the Security screen, click Edit to change permissions. Select the Users group in the list, press Remove to remove it, then press OK to apply the changes to the Confluence folder and its subfolders.

  • After this, log in to Windows again with a normal user account and try to access the Confluence folder. You should not be able to access the folder.
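
The same workaround can be applied and checked from an elevated PowerShell prompt. The script below is an added example, not Atlassian's own tooling; the default install path and the -Fix switch are assumptions of this example. It matches BUILTIN\Users by its well-known SID so that it also works on localized Windows installations.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: example path only; pass your own custom install directory.
    [string]$InstallDir = 'D:\Atlassian\Confluence',
    # Without -Fix the script only reports; with -Fix it applies the workaround first.
    [switch]$Fix
)

$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

function Get-UsersAce {
    param([string]$Path)
    # Request the rules keyed by SID (explicit and inherited) instead of by group name.
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid -and
                       $_.AccessControlType -eq 'Allow' }
}

if ($Fix) {
    # Disable inheritance and convert the inherited entries into explicit ones.
    icacls $InstallDir /inheritance:d | Out-Null
    # Remove the Allow entries for BUILTIN\Users on the folder and everything below it.
    icacls $InstallDir /remove:g "*$usersSid" /T /C | Out-Null
}

# Verification: list every path in the tree that still grants access to BUILTIN\Users.
$children = @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
$paths = @($InstallDir) + $children

$left = foreach ($p in $paths) {
    Get-UsersAce -Path $p | ForEach-Object {
        [pscustomobject]@{ Path = $p; Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
    }
}

if ($left) {
    $left | Format-Table -AutoSize
    Write-Warning "BUILTIN\Users still has access under $InstallDir"
} else {
    Write-Output "No BUILTIN\Users Allow entries remain under $InstallDir"
}
```

Run it once without -Fix to see the current state, then with -Fix to apply the change and confirm the result.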




Last updated: June 2, 2021
