Threat Spotlight: Remote Code Execution Vulnerabilities – XaaS Journal

The need for a WAF-as-a-Service (WAAP) solution has never been more relevant with many companies supporting remote work and a lot of applications moving online.
Anyone with access to an endpoint with a vulnerable version of software can execute arbitrary commands over an HTTP request without the need of an authorization header. The expected response to this request would be a 401 “Unauthorized” response page. However, the user can execute commands with root privileges. These threats were previously seen during the Equifax attack back in 2017.
Two recently uncovered vulnerabilities are the latest evolutions of this type of attack: The Atlassian Confluence OGNL injection vulnerability and a vulnerability affecting the Azure Open Management Infrastructure (OMI). Barracuda researchers analyzed attacks attempting to exploit these vulnerabilities over a 45-day period in August and September and found spikes in attacks coming from more than 500 unique attacker IPs.
Here’s a closer look at these vulnerabilities, recent attack patterns, and solutions you can use to help protect against these types of attacks.
Remote code execution (RCE) vulnerabilities RCE is the term to describe the execution of arbitrary code on a computer system, where the threat actor does not have direct access to the console. It is as if the attacker is physically sitting in front of the system as they take full control of it.
The Atlassian Confluence OGNL injection vulnerability was first published by Atlassian on August 25, 2021. Shortly after that, it was added to the National Vulnerability Database (CVE-2021-26084). This vulnerability allows threat actors to commit a “POST” request, using the Confluence template engine, without an authorization header. This grants the threat actor “root” access into the system. Using the parameters “queryString” and “linkCreation”, the attackers can inject Java code.
Atlassian has announced that “All versions of Confluence Server and Data Center prior to the fixed versions are affected by this vulnerability.”
Analyzing data from late August through the end of September, Barracuda researchers found the attacks against the Confluence vulnerability started to spike and the attacks have continued to stay elevated as many Confluence users still have a vulnerable version of the software.
Confluence attacks over time
Azure released CVE-2021-38647 on September 15, 2021. This vulnerability effects the Azure Open Management Infrastructure (OMI). Azure OMI is a software agent that is silently pre-installed and deployed within cloud environments. This silent installation has now put Azure customers at risk until they update their systems to the latest version of OMI.
Attackers are targeting these systems by sending a specially crafted HTTPS message to one of the ports listening for OMI traffic (Ports 1270/5985/5986), which gives the attacker initial access to the machine. Commands sent by the attacker will be executed by the SCXcore service, allowing the attacker to leverage the vulnerabilities. The attacker can pass a command to the machine without an authorization header, which the OMI server will treat as trusted and give the attacker “root” access to the system.
Microsoft stated in their blog, “The ExecuteShellCommand RunAsProvider will execute any UNIX/Linux command using the /bin/sh shell.”
Looking at data from Barracuda systems starting in mid-September, Barracuda researchers saw a sharp increase in the number of attackers trying to exploit this vulnerability. After the initial spike on September 18, the number of attempted attacks dropped off, but this continued to spike and then balance out over time.
Azure OMI attacks over time
During Barracuda’s analysis of attacks over the 45-day period in August and September, 550 unique attacker IPs were discovered to have attempted to exploit the Atlassian Confluence vulnerability, and 542 unique attacker IPs were attempting to exploit the Azure OMI vulnerability.
Behind each IP were multiple attackers, which means the number of attacks were significantly higher than the number of IPs. Researchers uncovered this information using client fingerprinting and other techniques.
Heat map of attacker IPs
As can be seen from the heat map above, most attacker IPs are based in U.S., which includes Alaska. This may be because most server farms are based in these regions. Attacks were also being sent from countries such as Russia, United Kingdom, Poland, and India. Attackers worldwide are attempting to exploit these vulnerabilities, and organizations must be one step ahead to protect their web applications.
Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks. However, all-in-one solutions are now available to protect your web applications from being exploited because of these vulnerabilities. WAF/WAF-as-a-Service solutions, also known as Web Application and API Protection (WAAP) services, can help protect your web applications by providing all the latest security solutions in one easy-to-use product.
Gartner stated, “Cloud web application and API protection services are the   of cloud web application firewall services.
The need for a WAF-as-a-Service or WAAP solution has never been more relevant than now, with many workforces still supporting remote work and a lot of applications moving online. Organizations need to ensure they have a solution that includes bot mitigation, DDoS protection, and API security.
Test drive WAF-as-a-Service in Azure Marketplace
Marcus Gower is an Inside Systems Engineer, Application Security at Barracuda. He is a recent graduate from the University of Portsmouth where he studied Cyber Security & Forensic Computing. Marcus is passionate about protecting users from cyber threats and is constantly expanding his knowledge to have a deeper understanding of many different IT fields. Connect with him on LinkedIn here.