Critical vulnerabilities found in single sign-on enterprise tool Atlassian Crowd

One critical vulnerability was fixed, but a second one remains unpatched, security researchers from Command Five said

A critical vulnerability that could allow remote attackers to access sensitive enterprise log-in credentials and other data was fixed last week in Crowd, a single sign-on (SSO) and identity management tool used by large organizations to simplify access to their internal Web applications and services.

According to Atlassian, the Sydney-based software company that develops Crowd, the product is used by around 1,000 organizations in 55 countries, including large banks, car manufacturers, government agencies, telecommunication companies, software firms, online services providers, universities and others.

Crowd can be used to link identities between Active Directory, LDAP and other directory services; Atlassian's popular bug tracking, collaboration, project management and code repository tools; third party services like Google Apps, Apache or Subversion, and custom in-house developed Web applications.

The newly patched vulnerability stems from the way in which Crowd parses external XML entities defined in Document Type Definition (DTD) headers and is a variation of a vulnerability known as CVE-2012-2926 that was reported and patched back in 2012, researchers from security consultancy firm Command Five said Friday in a security advisory.

An attacker can exploit the vulnerability by sending requests with specially crafted entity URLs in order to trick the server into returning any file from the internal network that it has access to, including its own configuration files that contain unencrypted credentials, or to initiate a denial-of-service attack that would make the server inaccessible to users.

The 2012 vulnerability, for which an exploit module already exists in the Metasploit penetration testing tool, was fixed in Crowd 2.4.1. However, that patch only blocks external entities defined in requests sent to Crowd URLs that end in "/services," the Command Five researchers said.

Versions of Crowd up to and including 2.6.2 continue to process entities defined in DTD headers for requests that are sent to URLs ending in "/services/2" or "/services/latest," which re-enables the exploit, they said. "With a two character change to the targeted URL the Metasploit module is again 'fully armed and operational'."

The new issue has been assigned the CVE-2013-3925 identifier and was fixed in the latest stable version of the product, Crowd 2.6.3, that was released on June 24. According to the corresponding entry in Atlassian's bug tracker, the vulnerability has also been fixed in versions 2.5.4 and 2.7.

"Successful exploitation of this vulnerability can (but does not necessarily) lead to a hacker taking full control of an organization's single sign-on service, potentially resulting in a catastrophic security event," the Command Five researchers said in their advisory. At the very least, successful exploitation is likely to enable attackers to expand their unauthorized access within the targeted organization, they said.

Organizations that expose their Crowd installations to the Internet in order to enable remote authentication for employees or affiliates are at increased risk of suffering a security breach, the researchers said.

Aside from this patched vulnerability, Command Five is also aware of at least another critical vulnerability in Atlassian Crowd that hasn't been fixed yet. That vulnerability could be classified as a backdoor and allows unauthenticated attackers to take full control of any Crowd server they can access over the network, the researchers said.

Successful exploitation of the yet-to-be-patched vulnerability "invariably results" in the compromise of all active Crowd application credentials, user credentials, accessible data storage, configured directories and dependent secure systems, they said.

Atlassian didn't immediately respond to a request for comment.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags patchesCommand FiveatlassiansecurityAccess control and authenticationExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?