Finding Confluence servers with Rumble
The U.S. Cyber Command recently reported “mass exploitation” of a code execution vulnerability in Atlassian’s popular Confluence software (CVE-2021-26084). This vulnerability has a CVSS Base score of 9.8 (considered “critical”), requires no authentication for exploitation, and affects many on-prem versions of the product (Atlassian says that Confluence Cloud customers are not affected). Public reports of exploitation are surfacing, including a Confluence instance of the Jenkins project compromised for cryptomining purposes.
Atlassian has provided fixed versions that on-prem Confluence admins should upgrade to as soon as possible, as well as mitigations for those who cannot upgrade immediately. As an aside, there have been some interesting events around the leaking of a private exploit PoC during disclosure with a vulnerable party.
From the Services Inventory, use the following pre-built query to locate systems in your network that are running Confluence:
_asset.protocol:http AND has:http.head.xConfluenceRequestTime
Don’t have Rumble and need help finding your Confluence servers? Start your Rumble trial today.
August 25, 2021
Finding Fortinet web application firewall devices with Rumble
Recently published security research from Rapid7 provides details on an OS command injection vulnerability in Fortinet’s web application firewall (WAF) product line known as FortiWeb. This vulnerability exists in the FortiWeb management interface (versions 6.3.11 and prior) …Read More
July 15, 2021
How to find SolarWinds Serv-U systems on your network
Microsoft recently notified SolarWinds that they had discovered a remote code execution vulnerability in Serv-U Managed File Transfer and Serv-U Secure FTP. The vulnerability being exploited is CVE-2021-35211 and only exists when SSH is enabled in Serv-U environments. …Read More
May 4, 2021
How to find Exim mail servers on your network
In their security advisory for 21Nails, the Qualys Research team communicated their discovery of several critical vulnerabilities in Exim mail servers that can be exploited for unauthenticated code execution and root privileges. Recently, maintainers of the Exim mail server …Read More