‘Identical’ payload removed from GitHub after researcher’s complaints
VMware has denied accusations that it leaked an exploit for a critical vulnerability in Atlassian Confluence that independent security researchers had crafted specifically against one of its own servers.
In a blog post published on September 7, researcher Thanh Nguyen alleged that a payload had surfaced on GitHub that was “identical” to a pre-authentication remote code execution (RCE) exploit he had sent to the virtualization and cloud specialist 17 hours earlier.
Nguyen pointed out that “no PoC [proof of concept] was public on the internet at this time”.
That the original payload was specifically crafted for a VMware endpoint (confluence.eng.vmware.com) supported the researchers’ “belief that it was leaked from VMWare”, he argued.
Echoing the denials it had given to Nguyen, VMware told The Daily Swig it had “found no evidence that VMware leaked the exploit publicly”.
Timeline of an alleged leak
Nguyen said he sent the original exploit, which bypassed VMware’s web application firewall (WAF), to the enterprise tech firm via its vulnerability disclosure program on August 31. The exploit was developed with the help of fellow researcher ‘Janggggg’.
The supposed duplicate payload appeared in a pull request to the Nuclei project on GitHub for CVE-2021-26084, a vulnerability that Atlassian, the developer of Confluence, has patched and which has been the target of widespread exploitation attempts.
Nuclei’s maintainer removed the exploit after Nguyen and Janggggg queried its provenance, said Nguyen.
The researcher who posted the contentious payload on Nuclei, ‘Dhiyaneshwaran’, told The Daily Swig: “I didn’t create the exploit. I just discovered [a] HTTP Request related [to] this exploit via Pastebin scraping.”
They added: “My tool doesn't keep track of the source URL.”
In response to an email from Nguyen and Janggggg, VMware’s security team wrote: “As per our policy we do not disclose any reported vulnerability to VMware and neither do we disclose exploit, payload attack vector, etc.”
Citing a third exploit for the same Confluence bug, published by Rahul Maini and Harsh Jaiswal, they added: “We have observed that the exploit was made public by other security researchers and VMware has not made it public.”
However, Nguyen dismissed the relevance of Maini and Jaiswal’s write-up because its payload differed from his, and because it was published a few hours after the Nuclei pull request surfaced.
‘Very clear to us’
“As the exploit payload we sent to VMware was specifically crafted for their server and we did not use this payload on any other target and/or send it to any other companies/bug bounty programs, it’s very clear to us that our payload somehow was leaked from VMware to the Nuclei project,” said Nguyen.
“The exploit we sent to VMware is our copyright property and we did not grant VMware the right to re-distribute it,” he continued, adding that VMware had stopped replying to his emails.
A VMware spokesperson told The Daily Swig:
“VMware values our relationship with the researcher community because their contributions help us protect our customers and improve our products. We also work hard to maintain researcher confidence in our bug bounty program by adhering to generally accepted protocol and acting in good faith when exploits are reported to us.
“In this case we informed the researcher that we found no evidence that VMware leaked the exploit publicly. Building trust in our bounty program is important to us, and we continue to review our processes for opportunities to improve.”
Researcher Thanh Nguyen has yet to reply to our requests for comment, but we will update the article if and when he does.