Atlassian Crowd flaw exposes server

A flaw in the Atlassian Crowd single sign-on software which allowed attackers to expose files remotely has been fixed in an update. Similar to a 2012 vulnerability (CVE-2012-2926), the new problem occurs when an attacker makes calls on the SOAP interface of Crowd with classes including entities that require resolving by the server.

Details of how to exploit the vulnerability appeared in a Threat Advisory from Command Five. They explain that by injecting references to file:, http: or https: entities, the server can be tricked into disclosing some of its content or make it perform requests, originating from localhost, against the server itself. When the issue in 2012 was fixed, it appears that the change to restrict entity expansion was only applied to specific paths; the new exploit makes use of that fact to attack other paths in the interface.

A bug report was raised for the vulnerability in the Atlassian tracker on 18 June, and an update, Crowd 2.6.3, was apparently released on 24 June. Updates for 2.5 (2.5.4) and 2.7 are also available. For users of any version, instructions are available on how to replace the xfire-servlet.xml file in the crowd-server.jar file. Crowd 2.6.3 is available to download and updated older versions are available from the archive.

In the advisory, Command Five also refer to another unpatched vulnerability, CVE-2013-3926, which it says "allows unauthenticated remote parties to take full control of any Crowd server to which they are able to make a network connection" and that "this vulnerability could be classified as a symmetric backdoor if malicious intent were to be established (which it has not)". Atlassian says that it has been unable to substantiate this claim, noting that "the author of the article has not contacted Atlassian and has provided no detail, making it difficult to validate the claim".

(djwm)