
Backdoor Discovered In Atlassian Crowd

An anonymous reader writes "Recently published on the Command Five website is a technically detailed threat advisory (PDF) in relation to a recurring vulnerability in Atlassian Crowd. Tucked away inconspicuously at the end of this document in a section entitled 'Unpatched Vulnerabilities' is the real security bombshell: Atlassian's turnkey solution for enterprise single sign-on and secure user authentication contains an unpatched backdoor. The backdoor allows anyone to remotely take full control of a Crowd server and, according to Command Five, successful exploitation 'invariably' results in compromise of all application and user credentials as well as accessible data storage, configured directories (for example Active Directory), and dependent systems."

  • Re:Huh? (Score:3, Informative)

    by Anonymous Coward on Sunday June 30, 2013 @08:28PM (#44149933)

    Here comes the aeroplane spoon... open up the hangar!

    From the first page of the advisory:
    "Atlassian Crowd is marketed as a secure single signon (SSO) product for the enterprise and is designed to be incorporated into third party applications and systems"

  • Re:Huh? (Score:2, Informative)

    by Anonymous Coward on Sunday June 30, 2013 @08:28PM (#44149937)

    Atlassian's turnkey solution for enterprise single sign-on and secure user authentication. Atlassian is a software vendor of modest relevance, producing Jira issue tracking and Confluence wiki software. I assume this would only be relevant if you run or rely on a system that uses Crowd for authentication. Where is it used? Where is any software package used?

  • Re:Huh? (Score:4, Informative)

    by Luckyo ( 1726890 ) on Sunday June 30, 2013 @08:31PM (#44149961)

    It appears to be some sort of software managing logins to sites. Their site cites their clientele to be a lot of major companies, such as Facebook, Twitter, Hulu and Netflix.

    I imagine if you have a backdoor into software that manages Facebook's login systems, that's pretty damn major.

  • Re:Huh? (Score:4, Informative)

    by DMUTPeregrine ( 612791 ) on Sunday June 30, 2013 @08:33PM (#44149971)

    Well, let's read the summary:
    "Atlassian's turnkey solution for enterprise single sign-on and secure user authentication"
    So Atlassian is some company, and it's a single sign-on/authentication system used in businesses.
    And it lets a remote attacker take control of the servers it runs on, and possibly other computers in the business (via Active Directory, which is Microsoft's system administration/management package.)

  • Re:Huh? (Score:5, Informative)

    by Charliemopps ( 1157495 ) on Sunday June 30, 2013 @08:53PM (#44150071)

    They make Jira and Confluence... 2 applications that are widely used by some IS departments to manage their work. Jira for example, is an application for tracking software development, deployment and bugs. It's basically a ticketing system for programmers. You can track who created what, which bugs showed up in it later, who fixed them, how long all that took, etc...

    I'm not sure how many people are using their LDAP/SSO stuff though. There are a lot bigger (and clearly more trustworthy) providers in town.

  • Re:Not surprising (Score:5, Informative)

    by BitZtream ( 692029 ) on Sunday June 30, 2013 @10:21PM (#44150453)

    ... So when they repeatedly state that the built in database is for evaluation purposes ONLY and that usage of it may result in data corruption or loss ... on EVERY ADMIN PAGE UNTIL YOU SWITCH OFF OF the built in database, that wasn't enough of a warning for you?

    I'm not sure how much more warning you can get, short of them corrupting your database intentionally on a daily basis so you get the point sooner.

  • Re:Huh? (Score:4, Informative)

    by Drakonblayde ( 871676 ) on Sunday June 30, 2013 @11:58PM (#44150849)

    All of the individual apps can be tied to AD (or another directory) directly. Crowd is pretty much what you use when you want single sign-on/centralized auth, but you don't want to deploy AD or go through the pain in the ass of setting up and maintaining your own LDAP server.

    I've also seen it used in large enterprises which have multiple authentication sources, the kind where systems just kind of creep, but no one wants to take the time (or risk the downtime) for consolidation. In that scenario, it's a lot easier to tie the apps to Crowd for authentication, and then you just need to manage authentication sources in Crowd, instead of individually on the apps.

    Atlassian actually makes some pretty good software, and their prices are reasonable for their starter kits to get used to it. My only gripe is that it's all pretty much Tomcat-based.

  • Re:Huh? (Score:2, Informative)

    by Anonymous Coward on Monday July 01, 2013 @03:03AM (#44151483)

    It's some Java bug tracker software which, whenever someone uses it for their project, you get frustrated with (and some open source does use it since it's monetarily free for them but fairly expensive normally), and a wiki that nobody but big business uses and is very slow. The SSO lets people in the Java world integrate standard technologies for federated identity (so that the apps don't need to store or know the username/password of the people using them).

  • by Anonymous Coward on Monday July 01, 2013 @05:24AM (#44151935)

    I work for Atlassian and the author has not yet disclosed the vulnerability described in the "UNPATCHED VULNERABILITIES" section to us.

    Atlassian provides source code for most of our products (including Crowd) to paying customers. We would never deliberately build a backdoor into any of our products and I personally would never work for a company that would do that.
