Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera

Thomas Claburn Thu 5 Dec 2019  //  00:55 UTC

Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.

Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.

In an email to The Register, Atlassian said it's aware of the issue and is actively working to resolve it. "We have requested that the certificate be revoked, and we're evaluating whether other technical solutions are required to protect our customers," a company spokesperson said.

DevOpsery-dispenser Atlassian's customers settle into the cloudy subscription world

READ MORE

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM's Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."

There's no indication at the moment that IBM does add that certificate to its system store, according to Stone.

Nonetheless, Ormandy contends the certificate issue with local.connectme.us is real and argues the certificate should be revoked.

The Register asked IBM for comment but we've not heard back. ®

Updated to add

After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for denial of service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June. "We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments," the spinner explained.

Also, we note, the certificate for local.connectme.us has been revoked.
Send us news
10 Comments

IBM accused of cheating its own executive assistants out of overtime pay

Big Blue bosses retaliate against those seeking overtime, lawsuit claims

Cisco creates architecture to improve security and sell you new switches

Hypershield detects bad behavior and automagically reconfigures networks to snuff out threats

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

While some other LLMs appear to flat-out suck

Japanese government rejects Yahoo<i>!</i> infosec improvement plan

Just doesn't believe it will sort out the mess that saw data leak from LINE messaging app

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

'I want to buy a car. That's all'

Ransomware feared as IT 'issues' force Octapharma Plasma to close 150+ centers

Source blames BlackSuit infection – as separately ISP Frontier confirms cyberattack

Fire in the Cisco! Networking giant's Duo MFA message logs stolen in phish attack

Also warns of brute force attacks targeting its own VPNs, Check Point, Fortinet, SonicWall and more

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

Putin's pals use 'GooseEgg' malware to launch attacks you can defeat with patches or deletion

US House passes fresh TikTok ban proposal to Senate

Sadly no push to end stupid TikTok dances, but ByteDance would have year to offload app stateside

Ex-CEO of 'unicorn' app startup HeadSpin heads to jail after BS'ing investors

Lachwani faked it but didn't make it

HPE sues China's Inspur Group over server patents

Middle Kingdom biz accused of IP theft and changing names to evade sanctions