Local Privilege Escalation via DLL Hijack in Confluence Server on Windows Installations

NOTE: Only Windows Installations of Confluence Server are affected by this vulnerability. Additionally, this only affects customers who use a non-default installation directory location. If Confluence is not installed in the system wide program files directory (typically C:/Program Files) then that would be considered a non-default installation directory.

Description

The Windows installer for Atlassian Confluence Server before version 7.10.0 allows an unprivileged local attacker to execute an arbitrary DLL file and possible privilege escalation via a DLL hijacking attack.

Affected versions:

  • version <=  7.4.9
  • 7.5.0 <= version <= 7.13.0

Fixed versions (Estimated Release mid July 2021):

  • 7.4.10
  • 7.13.1
  • 7.14.0

Severity

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.0 => High severity

Exploitability Metrics

Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone


Scope Metric

ScopeUnchanged


Impact Metrics

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh


https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Workaround

The root cause of the problem is due to the inherited permission BUILTIN\Users Allow ** from the parent folder. In this case the *C: drive. In order to mitigate the problem we need to remove the Users group from the custom Confluence install folder. Here are steps for that:

  • Go to File Explorer and right click on the Confluence folder then select Properties menu 

  • Select Security tab, then click on Advanced button for advanced settings, then click on Disable inheritance button and select Convert inherited permissions into explicit permissions on this object object. Finally press Ok button to apply changes for Confluence and its sub directories

  • From the Security screen, we click Edit to change permissions. Then we can select the User group in the list and press Remove button to remove it then press Ok to apply changes for Confluence and its sub folders  

  • After this, try to log in Windows again with a normal user account and access Confluence folder. You should not be able to access the folder like following picture 




Last modified on Jun 2, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.