Atlassian’s Crowd SSO Software Remains Vulnerable Despite Patches

A technical advisory from Command Five, an Australian security consultancy, has outlined the recently patched flaws in Atlassian’s Crowd Single Sign-on (SSO) software package. However, despite fixes, the turnkey identity management offering still appears to be vulnerable to a major flaw that allows attackers to take complete control of any Crowd server.

Atlassian’s Crowd is an SSO add-on that can be used with any of the company’s products. It is typically backed by Active Directory or LDAP, but it also doubles as an identity management platform that lets organizations manage permissions, aliases, logins, application access, and more.

According to the company, more than 20,000 major organizations use its products, including several in the Fortune 500; the most popular are JIRA and Confluence, and Crowd integrates with both of them.

According to Command Five, the companies using Atlassian products would be considered high-value targets due to their operations, and the flaws within the SSO software could have enabled “large scale unauthenticated access to sensitive data and facilitate corruption of the chain-of-trust.”

The Command Five advisory deals with a flaw in Crowd that allowed an attacker to place specially crafted external URLs in the Document Type Definition (DTD) header of XML submitted to the server, so that the server itself resolved those references.

By altering the headers, an attacker could make the Crowd server perform GET requests, with any data retrieved being returned to them, or use the file:// scheme in the URL to retrieve any file available to the Crowd server or reachable on the target network. This includes, the advisory adds, files available on public shares as well as local files on the machine hosting the Crowd software. Such exploits would bypass the trusted proxy/remote address validation rules that exist within Crowd as a security measure.
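The class of flaw described above, XML external entity (XXE) processing, is mitigated on the receiving side by refusing to process a DTD at all, so that no entity (internal, external or parameter) can ever be declared. Crowd is a Java application and the equivalent setting there is the parser feature `http://apache.org/xml/features/disallow-doctype-decl`; the following is an added illustration using Python’s standard-library expat parser, not code from Command Five, Atlassian or the advisory. The document layout (`<authentication>` with `username`/`password` children), the `file:///example/local/file` URL and the field names are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to use a DTD or external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML received from a client and return a flat {tag: text} mapping.

    Defence in depth against XXE:
      1. Any DOCTYPE declaration is rejected before its internal subset is
         read, so entities cannot be declared at all.
      2. Should an external entity reference ever reach the parser, it is
         rejected instead of being fetched (expat would otherwise hand the
         system identifier to this handler for resolution).
    """
    parser = xml.parsers.expat.ParserCreate()
    fields: dict = {}
    buffer: list = []  # character data of the innermost open element

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Called at the start of a <!DOCTYPE ...> declaration, before any
        # <!ENTITY ...> inside it is processed.
        raise UnsafeXMLError(f"DOCTYPE declaration rejected: {name!r}")

    def on_external_entity(context, base, system_id, public_id):
        # Second line of defence: never resolve http://, file:// or any other
        # external identifier on behalf of the client.
        raise UnsafeXMLError(f"external entity reference rejected: {system_id!r}")

    def on_start(name, attrs):
        buffer.clear()

    def on_end(name):
        text = "".join(buffer).strip()
        if text:
            fields[name] = text
        buffer.clear()

    def on_chars(text):
        buffer.append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return fields


def rejects_document(data: bytes) -> bool:
    """True if the hardened parser refuses the document on DTD/entity grounds."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (not from the advisory).
BENIGN_DOC = (
    b"<authentication><username>alice</username>"
    b"<password>correct-horse</password></authentication>"
)

# Same request shape, but with a DTD that declares an external entity
# pointing at a placeholder local path and then references it.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE authentication [<!ENTITY ext SYSTEM "file:///example/local/file">]>'
    b"<authentication><username>&ext;</username></authentication>"
)

# Even a DOCTYPE with no entities is rejected: the policy is "no DTD", not
# "no dangerous-looking DTD", which is simpler to reason about and audit.
PLAIN_DOCTYPE_DOC = (
    b"<!DOCTYPE authentication>"
    b"<authentication><username>alice</username></authentication>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    for label, doc in (("xxe", XXE_DOC), ("plain doctype", PLAIN_DOCTYPE_DOC)):
        print(label, "rejected:", rejects_document(doc))
```

Rejecting the DOCTYPE outright is the check that matters; the external-entity handler only exists so that a misconfiguration elsewhere still fails closed rather than turning the server into a fetch proxy.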

In addition, Command Five discovered that Atlassian products (including the OpenID server that ships with Crowd) store Crowd credentials unencrypted in text files named crowd.properties.

“If a hacker uses the vulnerability to retrieve a file containing credentials, they can then authenticate with the Crowd server directly, or use the exploit again to bypass trusted proxy/remote address validation,” the advisory explains.

Prior to publication, Atlassian fixed the Command Five flaws by releasing version 2.6.3 of Crowd. However, that release has an even bigger problem, because the flaws that remain unpatched in it could enable an attacker to “take full control of any Crowd server to which they are able to make a network connection.”

Exploiting this latest flaw would compromise all Crowd credentials (application and user), Crowd accessible data storage, configured directories (LDAP and Active Directory and the data within them), and all secure systems dependent on the vulnerable Crowd server.

Command Five is withholding additional details until Atlassian delivers a second set of fixes.