‘Identical’ payload removed from GitHub after researcher’s complaints

VMware denies allegations it leaked Confluence RCE exploit

UPDATED VMware has refuted accusations it leaked an exploit for a critical vulnerability in Confluence that independent security researchers had fashioned for its servers.

In a blog post published on September 7, researcher Thanh Nguyen alleged that a payload had surfaced on GitHub that was “identical” to a pre-authentication remote code execution (RCE) exploit he had sent to the virtualization and cloud specialist 17 hours earlier.

Nguyen pointed out that “no PoC [proof of concept] was public on the internet at this time”.

BACKGROUND Jenkins project succumbs to ‘mass exploitation’ of critical Atlassian Confluence vulnerability

That the original payload was specifically crafted for a VMWare endpoint (confluence.eng.vmware.com) supported their “belief that it was leaked from VMWare”, he argued.

VMWare told The Daily Swig it had “found no evidence that VMware leaked the exploit publicly”.

Timeline of an alleged leak

Nguyen said he sent the original exploit, which bypassed VMWare’s WAF, to the enterprise tech firm, via its vulnerability disclosure program, on August 31. This was developed with the help of fellow researcher ‘Janggggg’.

The supposed duplicate payload appeared on the Nuclei project within a pull request for CVE-2021–26084, which Atlassian, the developer of Confluence, has patched and which has been the target of widespread exploitation attempts.

Nuclei’s maintainer removed the exploit after Nguyen and Janggggg queried its provenance, said Nguyen.

The researcher who posted the contentious payload on Nuclei, ‘Dhiyaneshwaran’, told The Daily Swig: “I didn’t create the exploit. I just discovered [a] HTTP Request related [to] this exploit via Pastebin scraping.”

They added: “My tool doesn't keep track of the source URL.”

However, Nguyen told The Daily Swig: “Dhiyaneshwara’s answer on finding the leaked payload via OSINT is not really convincing to me. We have contacted and asked Dhiyaneshwara to provide us the source of information (link) on Sept 1st, 2021 right after we saw his PR on Nuclei’s GitHub but he could not provide anything [so far].”

Catch up on the latest vulnerability disclosure policy (VDP) news

In response to an email from Nguyen and Janggggg, VMWare’s security team wrote: “As per our policy we do not disclose any reported vulnerability to VMWare and neither do we disclose exploit, payload attack vector, etc.”

Citing a third exploit for the same Confluence bug published by Rahul Maini and Harsh Jaiswal, they added: “We have observed that the exploit was made public by other security researchers and VMWare has not made it public.”

However, Nguyen dismissed the relevance of Maini and Jaiswal’s write-up because the payload differed, and it was published a few hours after the Nuclei pull request surfaced.

‘Very clear to us’

“As the exploit payload we sent to VMWare was specifically crafted for their server and we did not use this payload on any other target and/or sending it to any other companies/bug bounty programs, it’s very clear to us that our payload somehow was leaked from VMWare to the Nuclei project,” said Nguyen.

“The exploit we sent to VMWare is our copyright property and we did not grant VMWare the right to re-distribute it,” he continued, adding that VMWare had stopped replying to his emails.

A VMware spokesperson told The Daily Swig:

“VMware values our relationship with the researcher community because their contributions help us protect our customers and improve our products. We also work hard to maintain researcher confidence in our bug bounty program by adhering to generally accepted protocol and acting in good faith when exploits are reported to us.

“In this case we informed the researcher that we found no evidence that VMware leaked the exploit publicly. Building trust in our bounty program is important to us, and we continue to review our processes for opportunities to improve.”

Nguyen responded to VMWare’s statement, saying: “IMHO, there could be a dozen of VMWare security engineers who received our report so VMWare cannot just simply deny the leak without a proper explanation on how they investigated the issue.”

This article was updated on September 12 with comments from Thanh Nguyen.

RECOMMENDED Spook.js – New side-channel attack can bypass Google Chrome’s protections against Spectre-style exploits