
Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera

By Thomas Claburn in San Francisco


Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that, for its Confluence cloud service, Atlassian provided a domain that resolves to the local machine together with a single shared SSL certificate, so that the Atlassian Companion app can open Confluence files for editing in a preferred local application and save them back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the certificate's private key and use it to mount a man-in-the-middle attack, redirecting the app's traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.


In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM's software does add that CA certificate to the system trust store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.
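The two risks described above, a "localhost-only" name that is not actually pinned to loopback (the Atlassian and Aspera domains) and a vendor CA with a public private key sitting in the system trust store, can be checked on an endpoint. The script below is an added example, not code from Atlassian, IBM or the article; the CA subject is a placeholder, and the hosts-file entries are constructed.

```python
import ipaddress

# Names the article says are meant to resolve only to the local machine.
LOCALHOST_ONLY_DOMAINS = (
    "atlassian-domain-for-localhost-connections-only.com",
    "local.connectme.us",
)
# Placeholder: the real subject of the CA the Aspera plugin ships is not on the page.
SHIPPED_CA_SUBJECTS = ("CN=EXAMPLE-VENDOR-LOCAL-CA",)

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; anything unparsable counts as not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def parse_hosts(text: str) -> dict:
    """Map each hostname in hosts-file text to the addresses it is pinned to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping

def audit(resolved: dict, trust_store_subjects=()) -> list:
    """Return (severity, message) findings for the two risks the article describes."""
    findings = []
    for domain in LOCALHOST_ONLY_DOMAINS:
        off_box = [a for a in resolved.get(domain, []) if not is_loopback(a)]
        if off_box:  # a publicly known key plus a remote address = impersonation
            findings.append(("high", f"{domain} resolves to {off_box}, not loopback"))
    for subject in trust_store_subjects:
        if subject in SHIPPED_CA_SUBJECTS:  # the CA's key is public, so its trust is void
            findings.append(("critical", f"shipped CA {subject} is in the system store"))
    return findings

if __name__ == "__main__":
    sample_hosts = (  # constructed: one correct entry, one hijacked entry
        "127.0.0.1 atlassian-domain-for-localhost-connections-only.com\n"
        "203.0.113.5 local.connectme.us\n"
    )
    for sev, msg in audit(parse_hosts(sample_hosts), ["CN=EXAMPLE-VENDOR-LOCAL-CA"]):
        print(sev.upper(), msg)
```

For a live check, feed `audit()` the addresses returned by the OS resolver (for example `socket.getaddrinfo`) and the subjects read from the machine's trust store instead of the constructed sample.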

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for a denial-of-service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.
