Security

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera

10 Got Tips?

Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

DevOpsery-dispenser Atlassian's customers settle into the cloudy subscription world

READ MORE

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for denial of service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.

Sign up to our NewsletterGet IT in your inbox daily

10 Comments

Keep Reading

Days after President Trump suggests pausing election over security, US House passes $500m for states to shore up election security

Chances of it getting enacted in time for November – slim to almost nil

Galaxy S20 security is already old hat as Samsung launches new safety silicon

Passport-grade chippery to help mobile devices prove their identity

Big Tech trade association warns Uncle Sam against knee-jerk national security measures that harm industry

There'll be 'unintended negative consequences' if we continue like this

Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook

Sigh. How many users did it have before it started this stuff?

US voting hardware maker's shock discovery: Security improves when you actually work with the community

Black Hat ES&S takes the bold step of not ignoring vulnerability reports

Linux Foundation rolls bunch of overlapping groups into one to tackle growing number of open-source security vulns

OpenSSF to take projects from CII and OSSC under its umbrella

This week of never-ending security updates continue. Now Apple emits dozens of fixes for iOS, macOS, etc

Make sure your iThing installs these patches

Tech Resources

4 Steps to Prove the Value of Your Vulnerability Management Program

Vulnerability management can feel like an endless climb. Learn how to focus your efforts, prove the value of your program, and gain trust, budget, and recognition in 4 doable steps

Simplifying Hybrid Cloud Flash Storage

According to industry analysts, a critical element for secure hybrid multicloud environments is the storage infrastructure.

Navigating the New Era of Cloud Computing

Hear from Steve Sibley, VP of Offering Management for IBM Power Systems about how IBM Power Systems can enable hybrid cloud environments that support “build once, deploy anywhere” options.

Why Data Growth is Not a Storage Problem

Storage capacity’s running out, backups lengthen, and budgets can’t keep up with the unstructured data deluge. Learn how Komprise's Intelligent Data Management can help you …