Critical vulnerabilities found in single sign-on enterprise tool Atlassian Crowd

One critical vulnerability was fixed, but a second one remains unpatched, security researchers from Command Five said

A critical vulnerability that could allow remote attackers to access sensitive enterprise log-in credentials and other data was fixed last week in Crowd, a single sign-on (SSO) and identity management tool used by large organizations to simplify access to their internal Web applications and services.

According to Atlassian, the Sydney-based software company that develops Crowd, the product is used by around 1,000 organizations in 55 countries, including large banks, car manufacturers, government agencies, telecommunication companies, software firms, online services providers, universities and others.

Crowd can be used to link identities between Active Directory, LDAP and other directory services; Atlassian's popular bug tracking, collaboration, project management and code repository tools; third party services like Google Apps, Apache or Subversion, and custom in-house developed Web applications.

The newly patched vulnerability stems from the way in which Crowd parses external XML entities defined in Document Type Definition (DTD) headers and is a variation of a vulnerability known as CVE-2012-2926 that was reported and patched back in 2012, researchers from security consultancy firm Command Five said Friday in a security advisory.

An attacker can exploit the vulnerability by sending requests with specially crafted entity URLs in order to trick the server into returning any file from the internal network that it has access to, including its own configuration files that contain unencrypted credentials, or to initiate a denial-of-service attack that would make the server inaccessible to users.

The 2012 vulnerability, for which an exploit module already exists in the Metasploit penetration testing tool, was fixed in Crowd 2.4.1. However, that patch only blocks external entities defined in requests sent to Crowd URLs that end in "/services," the Command Five researchers said.

Versions of Crowd up to and including 2.6.2 continue to process entities defined in DTD headers for requests that are sent to URLs ending in "/services/2" or "/services/latest," which re-enables the exploit, they said. "With a two character change to the targeted URL the Metasploit module is again 'fully armed and operational'."
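Added example, not code from the advisory or from Atlassian: a Python parser that refuses any DTD in a request body on every path, set beside a model of the URL-suffix check the article describes, which only guards paths ending in "/services" and so never sees "/services/2" or "/services/latest". The request bodies, the "/crowd" path prefix and the placeholder file name are constructed for the demonstration.

```python
import xml.parsers.expat as expat

# Constructed sample request bodies; the path and file name are placeholders, not Crowd's.
PLAIN_BODY = '<?xml version="1.0"?><authenticate><user>alice</user></authenticate>'
DTD_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE authenticate [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/config.properties">]>'
    '<authenticate><user>&ext;</user></authenticate>'
)

class DtdRejected(ValueError):
    """Raised when a request body carries a DOCTYPE; an API request never legitimately needs one."""

def parse_body(body: str) -> dict:
    """Parse an XML request body into {tag: text}, refusing any DTD before it can declare entities."""
    parser = expat.ParserCreate()
    fields, open_tags = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', i.e. before any <!ENTITY ...> in the internal subset is seen.
        raise DtdRejected(f"DOCTYPE {name!r} in request body")

    def text(data):
        fields[open_tags[-1]] = fields.get(open_tags[-1], "") + data

    parser.StartDoctypeDeclHandler = start_doctype
    # Defence in depth, should the DOCTYPE check ever be relaxed: never load parameter entities
    # and refuse (return 0) every external entity reference instead of fetching it.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = lambda tag, attrs: open_tags.append(tag)
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = text
    parser.Parse(body, True)
    return fields

def hardened_parser_rejects(body: str) -> bool:
    """True when the hardened parser refuses the body because it carries a DTD, whatever the URL."""
    try:
        parse_body(body)
    except DtdRejected:
        return True
    return False

def suffix_filter_rejects(path: str, body: str) -> bool:
    """Models the 2.4.1-style fix the advisory describes: the DTD check guards only URLs ending in '/services'."""
    if not path.endswith("/services"):
        return False  # '/services/2' and '/services/latest' never reach the check
    return hardened_parser_rejects(body)
```

The lesson is the one the advisory draws: the check belongs in the parser configuration, not in a URL filter that a two-character change in the request path can sidestep.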

The new issue has been assigned the CVE-2013-3925 identifier and was fixed in the latest stable version of the product, Crowd 2.6.3, that was released on June 24. According to the corresponding entry in Atlassian's bug tracker, the vulnerability has also been fixed in versions 2.5.4 and 2.7.

"Successful exploitation of this vulnerability can (but does not necessarily) lead to a hacker taking full control of an organization's single sign-on service, potentially resulting in a catastrophic security event," the Command Five researchers said in their advisory. At the very least, successful exploitation is likely to enable attackers to expand their unauthorized access within the targeted organization, they said.

Organizations that expose their Crowd installations to the Internet in order to enable remote authentication for employees or affiliates are at increased risk of suffering a security breach, the researchers said.

Aside from this patched vulnerability, Command Five is also aware of at least one other critical vulnerability in Atlassian Crowd that hasn't been fixed yet. That vulnerability could be classified as a backdoor and allows unauthenticated attackers to take full control of any Crowd server they can access over the network, the researchers said.

Successful exploitation of the yet-to-be-patched vulnerability "invariably results" in the compromise of all active Crowd application credentials, user credentials, accessible data storage, configured directories and dependent secure systems, they said.

Atlassian didn't immediately respond to a request for comment.


Lucian Constantin

IDG News Service