Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code
A vulnerability has been found in Atlassian Companion for macOS that enables remote code execution on a user’s computer when they click the Edit button on a Confluence page.
With the Atlassian Companion app, users can edit Confluence files in their chosen desktop app and have the changes instantly saved back to Confluence.
The Atlassian Companion software, which must be installed on each user’s computer, manages the download and re-upload of files.
In a remote code execution (RCE) attack, an attacker runs malicious code on a computer from a remote location. An RCE vulnerability can lead to malware being executed or to an attacker gaining complete control of the vulnerable system.
This flaw was discovered by blogger and application security expert Wojciech Reguła.
Remote Code Execution on a macOS Machine
The security expert says that documents saved in Confluence may be edited on macOS using the Atlassian Companion App. When the user presses the Edit button, the following happens:
The file is downloaded to the local computer.
The app validates the file’s extension.
The app opens the downloaded document.
When the document is updated, it is uploaded back to Confluence.
The issue is that Atlassian already knew certain extensions had to be blocked: a blocklist can be found in the app’s sources.
Blocklist present in the app’s sources
He points out that the .class extension appears only in the windowsDangerous blocklist, so on macOS it is an allowed extension.
The researcher wrote a malicious Hello.java file; when the resulting Hello.class file is uploaded to Confluence and the user clicks Edit, the code runs and Calculator is launched.
Malicious Hello.java file created
The .class file extension is now blocked on macOS as well. Reports say Atlassian received the issue report in 2021, fixed the flaw within 90 days, and awarded a bounty.
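The blocklist gap described above, as an added illustration that is not Atlassian’s code: the list contents, the allowlist, and the function names are constructed for this example, and only the windowsDangerous name comes from the article. The weak check consults just the current platform’s blocklist; the hardened check blocks anything dangerous on any platform and otherwise denies by default.

```javascript
// Added example, not Atlassian's code: models the per-platform blocklist gap the
// article describes. List contents and names below are constructed for illustration.

// Constructed sample lists. ".class" appears only in the Windows-specific list,
// mirroring the reported gap; the real app's lists are not reproduced here.
const commonDangerous = [".exe", ".sh", ".command", ".app"];
const windowsDangerous = [".bat", ".cmd", ".class"];

// Constructed allowlist of document types a desktop editor is expected to open.
const editableAllowlist = [".docx", ".xlsx", ".pptx", ".txt", ".md"];

// Last extension of the file name, lower-cased, ignoring any directory part.
function lastExtension(filename) {
  const base = filename.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot).toLowerCase() : "";
}

// Weak check: consults only the blocklist for the platform the app runs on, so a
// type listed as dangerous for Windows alone is still allowed on macOS ("darwin").
function isAllowedWeak(filename, platform) {
  const ext = lastExtension(filename);
  const blocked = platform === "win32"
    ? commonDangerous.concat(windowsDangerous)
    : commonDangerous;
  return !blocked.includes(ext);
}

// Hardened check: anything dangerous on any platform is blocked on every platform,
// and a file is opened only if its type is on the allowlist (deny by default).
function isAllowedHardened(filename) {
  const ext = lastExtension(filename);
  const blockedEverywhere = new Set(commonDangerous.concat(windowsDangerous));
  if (ext === "" || blockedEverywhere.has(ext)) return false;
  return editableAllowlist.includes(ext);
}
```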
New GPU Side Channel Vulnerability Impacts GPUs from Intel, AMD, Apple & Nvidia
A new research paper has been published that mentions a side-channel attack that threat actors can exploit to leak sensitive visual data from modern GPU cards when visiting a malicious website.
This method was published under the name “GPU.zip” by four American universities: the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois. The attack simulation was based on a cross-origin SVG filter pixel-stealing attack via Chrome browser for research purposes.
GPU Side-Channel Vulnerability
Lead author Yingchen Wang states in the research paper that the attack stems from undocumented compression schemes used by vendors such as Intel and AMD. These vendor-specific compressions are applied even when the software did not explicitly request compression.
“Compression induces data-dependent DRAM traffic and cache utilization, which can be measured through side-channel analysis. Unfortunately, besides its well-recognized performance benefits, compression is also a known source of side-channel data leakages,” reads the research paper.
Intel and AMD do this type of risky compression in their modern GPUs as part of an optimization strategy to save on memory bandwidth and increase their performance without the use of additional software.
Test results for selected GPUs (Source: Hertzbleed)
The research paper also stated, “An attacker can leak secrets in HTTP/HTTPS requests and responses bit-by-bit by exploiting how compressibility is often secret-dependent.” This means that the attack can steal sensitive visual data by reading pixel-by-pixel.
The attack was demonstrated against the Wikipedia site, stealing the username rendered in an iframe. The Ryzen side-channel attack completed within 30 minutes, while on Intel GPUs it took 215 minutes. Although such long run times would exhaust most threat actors’ patience, the accuracies were 97% and 98.3%, respectively.
(Source: Hertzbleed)
For detailed information about the case study, attack scenarios, and discussion, refer to the research paper published by Hertzbleed.