Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera


Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the certificate's private key and use it to mount a man-in-the-middle attack, redirecting the app's traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.
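The condition Ormandy and Stone are describing, a certificate trusted by the client whose private key is also sitting on the host, can be turned into a defender-side audit. The Go program below is an added example, not code from Atlassian, IBM or the article: it generates constructed certificates and keys in memory (no real vendor material is used), then reports every trusted certificate, CA or leaf, whose private key is present among keys recovered from the machine. A hit means the certificate cannot authenticate anything, which is the problem with both the localhost-only certificate above and a shipped CA key. The subjects "Example Vendor Local CA" and "Example Public Root" are made up, and AuditTrustStore and KeyMatchesCert are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a self-signed certificate for cn, marking it as a CA when isCA is set.
// Constructed test material only; it stands in for what a trust store or an app bundle would hold.
func newCert(cn string, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// KeyMatchesCert reports whether priv is the private half of cert's public key.
func KeyMatchesCert(cert *x509.Certificate, priv *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	return pub.Equal(&priv.PublicKey)
}

// AuditTrustStore returns the subject names of trusted certificates whose private
// key appears among foundKeys (keys recovered from the host, for example files
// shipped inside an application directory). Any match is a finding: the
// certificate's holder is "whoever has the app", so it proves nothing.
func AuditTrustStore(trusted []*x509.Certificate, foundKeys []*ecdsa.PrivateKey) []string {
	var flagged []string
	for _, c := range trusted {
		for _, k := range foundKeys {
			if KeyMatchesCert(c, k) {
				flagged = append(flagged, c.Subject.CommonName)
				break
			}
		}
	}
	return flagged
}

// Demo assembles a constructed scenario: a vendor CA and a localhost-only leaf
// whose keys ship with an app, plus a public root whose key stays offline.
func Demo() []string {
	vendorCA, vendorKey := newCert("Example Vendor Local CA", true)
	localLeaf, leafKey := newCert("atlassian-domain-for-localhost-connections-only.com", false)
	safeCA, _ := newCert("Example Public Root", true) // private key never leaves the issuer
	trusted := []*x509.Certificate{vendorCA, localLeaf, safeCA}
	found := []*ecdsa.PrivateKey{vendorKey, leafKey}
	return AuditTrustStore(trusted, found)
}

func main() {
	for _, subject := range Demo() {
		fmt.Println("private key available locally for trusted certificate:", subject)
	}
}
```

In practice, trusted would be loaded from the OS or browser trust store and foundKeys from any key material discovered in application directories; every hit is grounds for removing the certificate from the store (or, as here, for revocation) and for asking the vendor to generate a per-install key instead of shipping one.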

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant had issued a security bulletin for a denial of service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.
