Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher

Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher

A pair of vulnerabilities patched in Jira Align could in the “worst-case scenario” be combined by low-privileged malicious users to target Atlassian’s cloud infrastructure, a security researcher warns.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application, in the cloud.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.

Catch up with the latest cloud security news

“While, for good reason, my testing stopped at the edge of the Atlassian infrastructure, under the right conditions \[leveraging the SSRF\] potentially means gaining access to other client data through lateral or upward movement through Atlassian’s AWS infrastructure.

“Since Atlassian’s providing cloud tenants to these clients, gaining access to the infrastructure of the SaaS provider itself is pretty much worst-case scenario.”

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix version 10.108.3.5 on June 28.

The Daily Swig has invited Atlassian to comment. We will update the article if they do so.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

Adam Bannister 26 October 2022 at 16:00 UTC  
Updated: 27 October 2022 at 09:42 UTC

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

UPDATED A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”

Catch up with the latest cloud security news

Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.

However, Atlassian disputed this assertion in response to queries from The Daily Swig, emphasizing “that Jira Align's SaaS and Atlassian's wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.

**No exploitation detected**

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.

Bala Sathiamurthy, chief information security officer at Atlassian, told The Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”

He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

This article was updated on October 27 with the addition of comment from Atlassian.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Jira Align flaws enabled malicious users to gain super admin privileges

### Impact

Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.

### Patches
The problem was patched in version https://github.com/zalando/skipper/releases/tag/v0.13.237.
Users need to upgrade to skipper `>=v0.13.237`.

### Workarounds

Use `dropRequestHeader("X-Skipper-Proxy")` filter

### References

https://github.com/zalando/skipper/releases/tag/v0.13.237

### For more information
If you have any questions or comments about this advisory:

* Open an issue in https://github.com/zalando/skipper/issues/new/choose
* Chat with us in slack: https://app.slack.com/client/T029RQSE6/C82Q5JNH5

**Package**

gomod github.com/zalando/skipper (Go)

**Affected versions**

< 0.13.237

**Patched versions**

0.13.237

**Description**

**Impact**

Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request.

**Patches**

The problem was patched in version https://github.com/zalando/skipper/releases/tag/v0.13.237.  
Users need to upgrade to skipper >=v0.13.237.

**Workarounds**

Use dropRequestHeader("X-Skipper-Proxy") filter

**References**

https://github.com/zalando/skipper/releases/tag/v0.13.237

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/zalando/skipper/issues/new/choose
*   Chat with us in slack: https://app.slack.com/client/T029RQSE6/C82Q5JNH5

**References**

*   GHSA-f2rj-m42r-6jm2
*   https://nvd.nist.gov/vuln/detail/CVE-2022-38580
*   https://gist.github.com/Fadavvi/9fffcfa4aaa9e25b77cfe7b3044b2857#file-cve-2022-38580
*   https://pastebin.com/dXxpgPAK
*   http://skipper.com
*   http://zalando.com

 szuecs published the maintainer security advisory

Oct 24, 2022

GHSA-f2rj-m42r-6jm2: Skipper vulnerable to SSRF via X-Skipper-Proxy

Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).

CVE-2022-38580

Two flaws in the popular developer cloud platform show how weaknesses in authorization functions and SaaS flaws can put cloud apps at risk.

Two vulnerabilities in Atlassian Jira Align, an agile planning software-as-a-service (SaaS) tool, could allow users with access to the service to become application administrators, and then attack the Atlassian service.

That's according to cybersecurity services firm Bishop Fox, which said in an advisory today that the vulnerabilities typify the risks posed to cloud services by relatively well-known, but often hard to catch, flaws. 

The two vulnerabilities found by Bishop Fox affect the Jira Align application, which is used to set agile-development goals, track efforts toward those goals, and create agile strategies. Because every instance of Jira Align is provisioned by Atlassian, an attacker could gain control of a part of the company's cloud infrastructure, Bishop Fox stated.

One vulnerability, a server-side request forgery (SSRF), could allow a user to retrieve "the AWS credentials of the Atlassian service account that provisioned the Jira Align instance," according to Bishop Fox.

The second vulnerability — in the authorization mechanism for users with the People role — could allow those users to elevate their role to Super Admin, which has access to all settings for the Jira Align tenant, such as resetting accounts and modifying settings.

The combination of the two flaws could allow a significant attack, says Jake Shafer, a security consultant with Bishop Fox, who found the flaws.

"Using the authorization finding would allow a low-privileged user to elevate their role to super admin which, in terms of information disclosure, would allow the attacker to gain access to everything the client of the SaaS had in their Jira deployment," he says. "From there, the attacker could then leverage the SSRF finding to go after the infrastructure of Atlassian themselves."

Both vulnerabilities have been patched — the first within a week and the second within a month, according to the disclosure timeline published by Bishop Fox.

However, companies should note that the increasing reliance on cloud applications has made attacks on cloud services and workloads much more common, so much so that the top class of vulnerability, according to the Open Web Application Security Project (OWASP), is broken authentication and access-control issues.

Furthermore, authorization issues are difficult for automated tools to pinpoint; plus, SSRF is a relatively new class of vulnerability that uses a cloud service's functionality and servers to conduct attacks, often bypassing security at the network edge as well as some internal security measures. 

Atlassian's Jira software has already had to deal with other instances of server-side request forgery, but the company is not alone. In 2019, a former Amazon Web Services used a SSRF vulnerability to steal data from financial firm Capital One.

**How to Combat Cloud Security Bugs**

With cloud services becoming part of operations for the vast majority of companies, tackling the top cloud vulnerabilities is critical, Shafer says.

"With the prevalence of how integrated these SaaS applications have become in the day-to-day operations of small and large companies, it’s important to remember that even these well-established companies can make mistakes," he says. "Trust but verify for all new software you’ll have to be reliant on, especially something as entrenched in the tech."

These most recent vulnerabilities highlight that developers should always make sure to double-check content supplied by users before completing a request, Shafer says. Additional input-sanitization checks could prevent both attacks.

"You're allowing customers into your cloud infrastructure, they may be paying for the service but at the end of the day they should be considered just as untrusted as a potential attacker," he says.

Companies should make sure to either manually test third-party applications or reach out to the cloud provider and check the results of their security assessments. Unfortunately, automated tools are not great at discovering authorization issues, Shafer says.

"These tools rely on a set of instructions or guidelines for what to look for and dealing with authorization issues will be different for every single piece of software out there," he says. "It’s very difficult to establish a set of rules that a scanner can pick up on and say 'Hey, user X shouldn’t be able to do Y in the context of this specific functionality.'"

Shafer lauded Atlassian's response, saying the company "did all the right things." Atlassian did not provide a comment by publishing time.

Atlassian Vulnerabilities Highlight Criticality of Cloud Services

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

CVE-2022-38108: Published | Zero Day Initiative

Behavior functioning as intended, Microsoft reportedly says, and offers mitigation advice instead

Ben Dickson 20 October 2022 at 15:46 UTC

Behavior functioning as intended, Microsoft reportedly says, and offers mitigation advice instead

Windows servers running Microsoft Office Online Server can be exploited to achieve server-side request forgery (SSRF) and thereafter remote code execution (RCE) on the host, according to security researchers.

Researchers from MDSec said they informed the Microsoft Security Response Center of their findings, but were told that the vulnerable behavior is not a bug but a feature of Office Online Server, and therefore will not be fixed.

Read more of the latest Microsoft security news

According to MDSec, Microsoft has instead advised administrators to “lock down ports and any accounts on that farm to have least privilege” to avoid attacks against internet-connected Office Online hosts.

Administrators can also set the service’s flag to false to prevent access to files through UNC paths, which is the feature used to attack the server.

**SSRF**

Office Online Server is an ASP.NET service that provides browser-based versions of Word, Excel, PowerPoint, and OneNote. Office Online provides access to Office files through SharePoint, Exchange Server, shared folders, and websites.

Office Online has a .aspx page for retrieving documents from remote resources. Attackers can use this endpoint to initiate connections to remote resources through the server and perform SSRF, according to a technical write-up from security firm MDSec.

For example, the researchers found that they could send unauthenticated requests to the page to fingerprint the devices of the server’s local network. Based on the timing of the response, they could identify active IP addresses in the server’s network.

**RCE**

Attackers could further exploit the bug if they controlled an SMB server that the Office Online Server could access.

Office Online Server uses its machine account to initiate connections to remote resources. When using the endpoint to retrieve a document on their SMB server, researchers could use the tool ntlmrelayx to force the server to relay the connection to the Active Directory Certificate Services (ACDS) and retrieve a client certificate for the Active Directory network.

Using this certificate, they were able to obtain a Ticket-Granting Ticket (TGT) – a logon session token – to the Office Online Server host. They used the TGT to send an S4U2Self request to forge a service ticket to the server. This allowed them to obtain local administrator access to the host.

According to the researchers’ findings, there was another pathway to obtain remote access to the server by relaying the endpoint connection to the LDAP service and performing a shadow credential attack.

The Daily Swig reached out to Microsoft for comments. We will update this post if we hear back.

YOU MIGHT ALSO LIKE Adobe patches critical Magento XSS that puts sites at takeover risk

Microsoft Office Online Server open to SSRF-to-RCE exploit

Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.

Researchers who have analyzed the recently disclosed vulnerability in Apache Commons Text — referred to by some as Text4Shell — described it this week as serious but unlikely to be as disruptive as last year's Log4j bug.

The flaw (CVE-2022-42889) is present in versions 1.5 through 1.9 of Apache Commons Text and gives attackers a way to run malicious code remotely on vulnerable systems. The Apache Software Foundation (ASF) disclosed the flaw last week in a brief advisory and recommended that organizations upgrade to Apache Commons Text 1.10.0, a version that the ASF released on Sept. 24 or more than two weeks before bug disclosure.

CVE-2022-42889 stems from insecure defaults when Apache Commons Text performs a function called variable interpolation, which involves the process of looking up and evaluating code strings that contain placeholders. According to the ASF, the set of Lookup instances in versions 1.5 through 1.9 of Apache Commons Text included interpolators that could trigger arbitrary code execution or contact with remote servers. Since the vulnerability was disclosed, several researchers have released proof-of-concept code showing how it can be exploited and scanners for finding potential targets to attack.

Shachar Menashe, senior director of security research at JFrog, says Apache Commons Text (ACT) is an extremely common Java library focused on algorithms that work on strings. "ACT provides an API to perform variable interpolation — or substitution — allowing properties to be dynamically evaluated and expanded," Menashe says. "Some functions of this library were found to lead to remote code execution if attacker-controlled data is passed to these functions."

There are three potential substitution sources that could have a security impact if an attacker has control of the string being interpolated: script, dns, and url, he explains. Attackers could use the script source to execute arbitrary JavaScript code; they could use the dns source to proxy dns requests, and the url source as a server-side request forgery vector, Menashe says.

However, "the vulnerability can only be exploited in cases where some Java code exists that uses \[Apache Commons Text\] and passes attacker-controlled data to specific functions," he says. "We believe exploitation won't be as widespread as Log4Shell since these functions seem to be less likely to receive external user input." 

An attacker would have to research the target Java application and find an input that is passed to the vulnerable functions, which the attacker can control, Menashe says. At the same time, it's unwise to rule out that possibility.

"It's still possible this will blow up if researchers start finding other popular third-party services that use this library and pass external input to these vulnerable functions by default," Menashe notes. "But as of now, no such third-party services have been found."

ASF describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Sonatype's Maven Central Java repository lists 2,588 projects that currently use the library. Among them are Apache Hadoop Common, Apache Velocity, Spark Project Core, and Apache Commons Configuration,

**Widespread Exploitation Seems Unlikely**

Erick Galinkin, principal researcher at Rapid7, says the fact that CVE-2022-42889 is a library vulnerability makes it hard to say for certain what its impact will be. A lot depends on how the vulnerable object is used in a particular application. "Overall, our assessment is that the vulnerability is potentially serious," he says. "It is certainly important to patch affected applications as those patches become available, but not worth panicking over."

The severity is really a function of how the vulnerable object — the Commons Text StringSubstitutor interpolator — is used. "If there's an application out there that is using the interpolator on arbitrary untrusted input, a user of that application is going to have a bad time," he says. 

But based on initial research, the vulnerable object isn't very common, and it is implausible for an unprivileged attacker to actually gain control of the relevant strings. "That said, there may still be some application using this in a way that is risky, and in that case, the potential for code execution is very high," Galinkin said.

He adds that the ability for an attacker to discover vulnerable targets depends on how an organization might have implemented the vulnerable component. "Many of the proofs-of-concept for the vulnerability, including ours, just involve passing a crafted string to the interpolator — so in that sense, it is extremely easy to exploit," he says. In many other implementations an attacker would need to already have some level of access, making it difficult to exploit.

Menashe notes that JFrog has written an open source tool to detect Java binaries that are vulnerable to this issue. The tool can help organizations determine whether the version of commons-text is vulnerable.

He adds: "The tool also locates the calls to the vulnerable functions in compiled \[.jar files\] and reports the findings as class name and method names in which each vulnerable call appears."

Apache Commons Vulnerability: Patch but Don't Panic

Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Tag

#ssrf