Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera

By Thomas Claburn in San Francisco

Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server, together with a shared SSL certificate, for its Confluence cloud service. The arrangement lets the Atlassian Companion app open Confluence files in a user's preferred local application and save them back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that the same certificate and its key are distributed to every user, so anyone with sufficient technical knowledge could copy the SSL key and use it for a man-in-the-middle attack, redirecting the app's traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."
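A defensive check along the lines Ormandy describes, added here as an example rather than code from Atlassian, IBM or the original article: before a client trusts a hostname that is only ever supposed to point at the local machine (both the Atlassian domain and IBM's local.connectme.us fall in this category), confirm that the name actually resolves to a loopback address, because a shared private key cannot distinguish the genuine local service from an attacker-controlled host. The domain list, the address inputs and the hypothetical `check_local_only` function are assumptions for the example.

```python
import ipaddress
import socket
from typing import List, Tuple

# Assumption: a real client would keep this list in its configuration.
# These are the two domains discussed in the article.
LOCALHOST_ONLY_DOMAINS = {
    "atlassian-domain-for-localhost-connections-only.com",
    "local.connectme.us",
}


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1, and IPv4-mapped forms such as ::ffff:127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def check_local_only(hostname: str, resolved: List[str]) -> Tuple[bool, str]:
    """Decide whether a connection to `hostname` should proceed.

    `resolved` is the list of addresses the name resolved to; it is passed in
    (rather than looked up here) so the decision logic can be tested offline.
    Hypothetical helper, not part of any vendor's client.
    """
    if hostname not in LOCALHOST_ONLY_DOMAINS:
        return True, "not a localhost-only domain; normal TLS validation applies"
    if not resolved:
        return False, f"{hostname} did not resolve"
    off_host = [a for a in resolved if not is_loopback(a)]
    if off_host:
        # The shared certificate would still validate here, so the resolver
        # result is the only signal that something has been redirected.
        return False, f"{hostname} resolves off-host to {off_host}; refusing (MITM risk)"
    return True, f"{hostname} resolves only to loopback: {resolved}"


def resolve(hostname: str) -> List[str]:
    """Live DNS lookup used by a real client; returns [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for name in sorted(LOCALHOST_ONLY_DOMAINS):
        print(name, check_local_only(name, resolve(name)))
```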

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for a denial-of-service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.
