
BitBucket Server and Data Center at risk via Command Injection Vulnerability

Exposed instances increase risk of active exploitation

Introduction

Atlassian vulnerabilities were among the highlights of Q2 2022. Threat Actors (TAs) have been actively exploiting them and selling access over cybercrime forums for the past few months. Some notable examples of actively exploited Atlassian vulnerabilities are:

CVE-2022-26134
CVE-2022-26138

In addition to the Atlassian vulnerabilities mentioned above, there is another vulnerability tracked as CVE-2022-36804, which might be actively exploited due to:

  • The number of exposed assets that may be vulnerable
  • The ease of exploitation
  • The availability of multiple public exploits

As per the advisory released by Atlassian on 24th August 2022, CVE-2022-36804 is a command injection vulnerability in multiple API endpoints of the Bitbucket Server and Data Center.

Using this vulnerability, attackers with access to either a public repository or read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

An online scanner shows over 1500 exposed Bitbucket instances, some of which might be vulnerable and within an attacker’s reach, as shown below.

Figure 1 – Geographical representation of Exposed Instances

The chart below shows the count of exposed instances across countries.

Figure 2 – Countries with the highest amount of exposed assets

While investigating these exposed instances, Cyble Research & Intelligence Labs (CRIL) observed that organizations in critical infrastructure sectors such as Finance, Power, and Government also had a few exposed assets (as shown below) that might be vulnerable.

Figure 3 – Exposed assets of National Critical Infrastructure organizations

It should be noted that the vulnerability was reported by @GrandPew via the Atlassian Bug Bounty program, as mentioned in the advisory released by the vendor.

On 25th August 2022, @GrandPew stated that they would release the PoC within 30 days, as shown in the tweet below.

Figure 4 – Tweet mentioning the release of the PoC

On 4th September 2022, a GitHub repository advertised a Proof of Concept (PoC) for CVE-2022-36804 for sale via a crypto payment site for USD 210.00 (Figure 5).

The same repo also carried a warning: “use at your own risk there is no way to avoid abuse”.

Figure 5 – Screenshot of an individual selling the PoC

While analyzing the commits made by the repo owner, it was found that one of the earlier commits contained an uncensored screenshot of the PoC being offered for sale.

The screenshot also shows the contents of “etc/passwd” even though no request for that file was sent, which indicates that the PoC is fake. This is an example of scammers selling fake PoCs for vulnerabilities that are in the limelight.

Cyble Research & Intelligence Labs (CRIL) also noticed that a Threat Actor (TA) was selling an exploit for CVE-2022-36804 on a Russian cybercrime forum on 18th September 2022, as shown below.

Figure 6 – Screenshot of the TA selling the PoC on a Russian cybercrime forum

As the patch released by the vendor for this vulnerability was relatively simple to reverse engineer, a working PoC made its way into the public domain and was seen being actively distributed across social media.

Technical Analysis

Bitbucket is a web-based version control repository hosting service owned by Atlassian for source code and development projects. Bitbucket has three deployment options, each with its own functionality, as mentioned below:

Bitbucket Cloud
Bitbucket Server
Bitbucket Data Center

This vulnerability affects Bitbucket Server and Data Center only. Atlassian Cloud sites have not been affected so far.

While scrutinizing Atlassian’s patch, a researcher noticed that Atlassian had fixed the bug by checking every index of the command argument passed to the class com.zaxxer.nuprocess.NuProcessBuilder for null bytes.

This was a major clue, since it implied that this class splits the command into its individual arguments using null bytes as separators.

Researchers observed that com.zaxxer.nuprocess does not use ProcessBuilder or Runtime.getRuntime().exec(), but rather the native Java_java_lang_ProcessImpl_forkAndExec, which takes a character array as the command argument.

Entries in this character array are separated by null bytes. Because of the way the prepareProcess function transformed the arguments, injecting null bytes into an argument created new entries in the array, i.e., additional command-line arguments that the caller never intended.

In short, the vulnerability stems from how the underlying process creation library handles null bytes.
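To make the mechanism concrete, the following is an added illustration written in Python for this article; it is not Bitbucket or NuProcess code. It models a native fork/exec wrapper that flattens an argument list into one NUL-separated buffer (an assumption that mirrors the char-array layout described above), shows how an argument carrying an embedded NUL byte is re-split into extra argv entries on the way to the child process, and shows the defensive check the patch approach implies: reject any argument that contains a NUL byte at any index before it reaches the process builder.

```python
"""Model of NUL-separated argv packing and the input check that guards it.

Added illustration, not code from Bitbucket or com.zaxxer.nuprocess. The
buffer layout (each argument followed by a NUL terminator) is an assumption
that mirrors how native fork/exec wrappers pass argv to the child.
"""


class EmbeddedNulError(ValueError):
    """Raised when a command argument contains a NUL byte."""


def pack_argv(args):
    """Flatten a list of arguments into one C-style buffer.

    Each argument is UTF-8 encoded and followed by a NUL terminator, which is
    how a native process wrapper would hand the array to fork/exec.
    """
    return b"".join(a.encode("utf-8") + b"\x00" for a in args)


def unpack_argv(buf):
    """Split the buffer back into the argv the child process would see.

    The buffer always ends with a NUL, so the final empty piece is dropped;
    empty arguments in the middle are preserved.
    """
    return [p.decode("utf-8") for p in buf.split(b"\x00")[:-1]]


def argv_as_child_sees(args):
    """Round-trip through the buffer without any validation (vulnerable path)."""
    return unpack_argv(pack_argv(args))


def validate_args(args):
    """Reject arguments with an embedded NUL at any index.

    This is the kind of check the article describes the vendor adding in front
    of NuProcessBuilder: a NUL inside an argument would otherwise become an
    argument separator once the array is flattened.
    """
    for i, a in enumerate(args):
        if "\x00" in a:
            raise EmbeddedNulError(f"argument {i} contains an embedded NUL byte")
    return list(args)


def safe_argv(args):
    """Validate first, then round-trip (hardened path)."""
    return argv_as_child_sees(validate_args(args))


def is_rejected(args):
    """True if the hardened path refuses the argument list."""
    try:
        safe_argv(args)
    except EmbeddedNulError:
        return True
    return False


if __name__ == "__main__":
    benign = ["git", "rev-list", "--count", "main"]
    # Constructed sample: a single user-controlled value with an embedded NUL.
    tainted = ["git", "rev-list", "main\x00--extra-flag"]

    print(argv_as_child_sees(benign))   # 4 entries, unchanged
    print(argv_as_child_sees(tainted))  # 4 entries: the NUL split one arg in two
    print("rejected:", is_rejected(tainted))
```

The point of the model is that the caller built three arguments but the child receives four; the validation step closes the gap by refusing the input rather than trying to sanitize it, which is the safer choice when the native layer's separator is a byte that can legitimately never appear inside an argument.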

Affected Versions

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected. Specifically, all instances running any version from 7.0.0 to 8.3.0 are vulnerable.

Fixed Versions

Supported Version                        | Bug Fix Release
Bitbucket Server and Data Center 7.6     | 7.6.17 (LTS) or newer
Bitbucket Server and Data Center 7.17    | 7.17.10 (LTS) or newer
Bitbucket Server and Data Center 7.21    | 7.21.4 (LTS) or newer
Bitbucket Server and Data Center 8.0     | 8.0.3 or newer
Bitbucket Server and Data Center 8.1     | 8.1.3 or newer
Bitbucket Server and Data Center 8.2     | 8.2.2 or newer
Bitbucket Server and Data Center 8.3     | 8.3.1 or newer

Conclusion

Since internet-facing assets can be readily enumerated via online scanners, there is a high possibility of active exploitation of CVE-2022-36804. Additionally, as PoCs, online scripts, and nuclei templates for the vulnerability are publicly available, TAs might use it to gain shells on vulnerable instances.

Attackers could use this vulnerability to steal organizations’ code and repositories, which can then be distributed over dark web forums and cybercrime markets, as previously observed with Atlassian vulnerabilities.

Recommendations

1. Update vulnerable instances to the fixed versions released by the official vendor.

2. If you are unable to upgrade Bitbucket, a temporary mitigation is to turn off public repositories globally by setting feature.public.access=false, as this changes the attack vector from an unauthorized attack to an authorized one. This cannot be considered a complete mitigation, as an attacker with a user account could still exploit the vulnerability.

3. Limit the internet exposure of critical assets through proper network segmentation.
