Security

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera


Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

DevOpsery-dispenser Atlassian's customers settle into the cloudy subscription world

READ MORE

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for denial of service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.

Send us news
10 Comments

Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Continue reading

IBM buys Randori to address multicloud security messes

Big Blue joins the hot market for infosec investment

RSA Conference IBM has expanded its extensive cybersecurity portfolio by acquiring Randori – a four-year-old startup that specializes in helping enterprises manage their attack surface by identifying and prioritizing their external-facing on-premises and cloud assets.

Big Blue announced the Randori buy on the first day of the 2022 RSA Conference on Monday. Its plan is to give the computing behemoth's customers a tool to manage their security posture by looking at their infrastructure from a threat actor's point-of-view – a position IBM hopes will allow users to identify unseen weaknesses.

IBM intends to integrate Randori's software with its QRadar extended detection and response (XDR) capabilities to provide real-time attack surface insights for tasks including threat hunting and incident response. That approach will reduce the quantity of manual work needed for monitoring new applications and to quickly address emerging threats, according to IBM.

Continue reading

IBM ordered to hand over ex-CEO emails plotting cuts in older workers

Infamous 'Dinobabies' memo comes back to haunt Big Blue again

Updated In one of the many ongoing age discrimination lawsuits against IBM, Big Blue has been ordered to produce internal emails in which former CEO Ginny Rometty and former SVP of Human Resources Diane Gherson discuss efforts to get rid of older employees.

IBM as recently as February denied any "systemic age discrimination" ever occurred at the mainframe giant, despite the August 31, 2020 finding by the US Equal Employment Opportunity Commission (EEOC) that "top-down messaging from IBM’s highest ranks directing managers to engage in an aggressive approach to significantly reduce the headcount of older workers to make room for Early Professional Hires."

The court's description of these emails between executives further contradicts IBM's assertions and supports claims of age discrimination raised by a 2018 report from ProPublica and Mother Jones, by other sources prior to that, and by numerous lawsuits.

Continue reading

Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

Continue reading

Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Continue reading

CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure

Nearly 60 holes found affecting 'more than 30,000' machines worldwide

Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

Continue reading

1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right

1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

Continue reading

Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence

One option: Take the thing offline until Friday patch applied

Updated Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.

An advisory dated June 2, 1300 PT (2000 UTC), does not describe the nature of the flaw, and reveals "current active exploitation" has been detected. No patch is available.

The flaw is present in version 7.18 of Confluence Server, which is under attack, as well as potentially versions 7.4 and higher of Confluence Server and Confluence Data Center. Version 7.4 is a long-term support edition.

Continue reading

Inside the RSAC expo: Buzzword bingo and the bear in the room

We mingle with the vendors so you don't have to

RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

Continue reading

Info on 1.5m people stolen from US bank in cyberattack

Time to rethink that cybersecurity strategy?

A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

Continue reading