Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

guest · Dec 4, 2019

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Exposed private cert key may also be an issue for IBM Aspera
December 5, 2019
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.
The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.

As Ormandy explained, "you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker."
Click to expand...

SwiftOnSecurity reported the issue to Atlassian and obtained CVE-2019-15006 for the bug.
According to Ormandy, that has the potential to be even worse. "There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL," he wrote. "I would consider that *critical*."
Click to expand...

Log in or Sign up

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

guest Guest

Log in or Sign up

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

guest Guest

Useful Searches