
VMware denies allegations it leaked Confluence RCE exploit



‘Equivalent’ payload removed from GitHub after researcher’s complaints


VMware has refuted accusations that it leaked an exploit for a critical vulnerability in Confluence that independent security researchers had developed for its servers.

In a blog post published on September 7, researcher Thanh Nguyen alleged that a payload had surfaced on GitHub that was “equivalent” to a pre-authentication remote code execution (RCE) exploit he had sent to the virtualization and cloud specialist 17 hours earlier.

Nguyen pointed out that “no PoC [proof of concept] was public on the internet at the moment”.


That the original payload was specifically crafted for a VMware endpoint (confluence.eng.vmware.com) supported their “belief that it was leaked from VMware”, he argued.

Echoing denials given to Nguyen, VMware told The Daily Swig it had “found no evidence that VMware leaked the exploit publicly”.

Timeline of an alleged leak

Nguyen said he sent the original exploit, which bypassed VMware’s WAF, to the enterprise tech firm via its vulnerability disclosure program on August 31. It was developed with the help of fellow researcher ‘Janggggg’.

The alleged duplicate payload appeared in the Nuclei project, within a pull request for CVE-2021-26084, a bug that Atlassian, the developer of Confluence, has patched and that has been the target of widespread exploitation attempts.

Nuclei’s maintainer removed the exploit after Nguyen and Janggggg queried its provenance, said Nguyen.

The researcher who posted the contentious payload on Nuclei, ‘Dhiyaneshwaran’, told The Daily Swig: “I didn’t create the exploit. I just found [an] HTTP request related [to] this exploit via Pastebin scraping.”

They added: “My tool doesn’t keep track of the source URL.”


In response to an email from Nguyen and Janggggg, VMware’s security team wrote: “As per our policy we don’t disclose any reported vulnerability to VMware and neither do we disclose exploit, payload, attack vector, etc.”

Citing a third exploit for the same Confluence bug, published by Rahul Maini and Harsh Jaiswal, they added: “We have observed that the exploit was made public by other security researchers and VMware has not made it public.”

However, Nguyen dismissed the relevance of Maini and Jaiswal’s write-up because the payload differed, and it was published a few hours after the Nuclei pull request surfaced.

‘Very clear to us’

“Because the exploit payload we sent to VMware was specifically crafted for their server and we didn’t use this payload on any other target and/or send it to any other companies/bug bounty programs, it’s very clear to us that our payload somehow was leaked from VMware to the Nuclei project,” said Nguyen.

“The exploit we sent to VMware is our copyright property and we didn’t grant VMware the right to re-distribute it,” he continued, adding that VMware had stopped replying to his emails.

A VMware spokesperson told The Daily Swig:

“VMware values our relationship with the researcher community because their contributions help us protect our customers and improve our products. We also work hard to maintain researcher confidence in our bug bounty program by adhering to generally accepted protocol and acting in good faith when exploits are reported to us.

“In this case we informed the researcher that we found no evidence that VMware leaked the exploit publicly. Building trust in our bounty program is important to us, and we continue to review our processes for opportunities to improve.”

Researcher Thanh Nguyen has yet to respond to our requests for comment, but we will update the article if and when he does.
