
Overview

App name

Secure Login (2FA)

Advisory Release Date

 

Severity

MEDIUM

Affected Versions

  • Secure Login (2FA) - Jira <= 3.1.4.5

  • Secure Login (2FA) - Confluence <= 3.1.4.5

  • Secure Login (2FA) - Bitbucket <= 3.1.4.5

Fixed Versions

tbd.

Summary of Vulnerability

This advisory discloses two medium severity security vulnerabilities in the Secure Login product family. All versions of Secure Login are affected. Both vulnerabilities were found by the independent security specialist Christian Flaßkamp, who informed us about the issues; we are grateful for his report.

Both vulnerabilities described below relate to the default configuration of the app. Under certain circumstances, the default configuration would allow an attacker to bypass the MFA mechanism, or to access sensitive information hosted in the instance without passing MFA. We have no indication that these vulnerabilities have been actively exploited.

In line with our vendor agreement, we informed Atlassian about the vulnerabilities in advance.

Customers who have downloaded and installed Secure Login for Jira in a version earlier than 2.2.2.5

Please upgrade your Secure Login for Jira installations immediately to fix these vulnerabilities.

Vulnerability 1: Insecure default TOTP configuration

In the default configuration, the value for Time Window Size is set to 30. This means that the 30 previous and the 30 following tokens are accepted in addition to the current one. With the default time step of 30 seconds, a token that is up to 15 minutes old can therefore still be used. Combined with brute force detection being deactivated in the default configuration, this may make a brute-force attack feasible.
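To make the effect of the Time Window Size setting concrete, the following is an added example (not code from Secure Login or from its vendor) of an RFC 6238 TOTP verifier with a configurable window, plus the per-user failed-attempt counter that the default configuration lacks. The secret is the RFC 4226/6238 reference test secret, six-digit codes are assumed, and the lockout logic is a simple in-memory assumption for illustration.

```python
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 30  # default time step named in the advisory
DIGITS = 6              # assumption: standard six-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the epoch."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, token: str, unix_time: int, window_size: int,
                step: int = TIME_STEP_SECONDS):
    """Accept the token if it matches any step in [current - window_size, current + window_size].

    Returns the matching step offset, or None. With window_size = 30 (the advisory's
    default) 61 distinct codes are valid at any moment instead of one."""
    current = int(unix_time) // step
    for offset in range(-window_size, window_size + 1):
        counter = current + offset
        if counter < 0:
            continue  # steps before the Unix epoch cannot occur
        if hmac.compare_digest(hotp(secret, counter), token):
            return offset
    return None


def accepted_age_seconds(window_size: int, step: int = TIME_STEP_SECONDS) -> int:
    """Maximum age (and maximum look-ahead) of a token that is still accepted."""
    return window_size * step


def guess_success_probability(window_size: int, digits: int = DIGITS) -> float:
    """Upper bound on the chance that one random guess hits one of the accepted codes."""
    return (2 * window_size + 1) / 10 ** digits


class TotpVerifier:
    """Verifier with the two settings the advisory discusses: the window size and a
    failed-attempt limit (assumed in-memory lockout, per user)."""

    def __init__(self, window_size: int, max_failures: int, step: int = TIME_STEP_SECONDS):
        self.window_size = window_size
        self.max_failures = max_failures
        self.step = step
        self.failures = {}

    def check(self, user: str, secret: bytes, token: str, unix_time: int) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"  # further guesses are refused even if one is correct
        if verify_totp(secret, token, unix_time, self.window_size, self.step) is None:
            self.failures[user] = self.failures.get(user, 0) + 1
            return "rejected"
        self.failures[user] = 0
        return "accepted"


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 reference secret, not a real key
    print("TOTP at t=59:", totp(SECRET, 59))
    for w in (1, 30):
        print(f"window {w}: tokens accepted up to {accepted_age_seconds(w)} s old, "
              f"per-guess success probability {guess_success_probability(w):.2e}")
```

A window of 1 accepts three codes and tolerates 30 seconds of clock drift; a window of 30 accepts 61 codes and tolerates 15 minutes, which is the figure in the advisory, and without a failure limit the verifier answers every guess.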

Based on the calculation of our internal security consultant, this vulnerability has an overall CVSS score of 3.1, which corresponds to medium severity.

Vulnerability 2: Insecure default whitelist

In the default configuration, the URL endpoints /rest and /downloads are whitelisted, so by default the REST services rely on username and password only. Whitelisting the REST services ensures that other systems are still able to communicate with your Jira instance, as there is no reliable way to include 2FA in machine-to-machine communication.

Due to an error in the status management of Secure Login, it was possible to open the OnBoarding dialog through a deep link after a successful login but before PIN validation. This was also possible if the user had already been registered for two-factor authentication.

A potential attacker would have been able to exploit this error to gain access to a user's secret key. The precondition, again, is that the attacker was already in possession of that user's login credentials.

Fix

Both vulnerabilities have been fixed in version 2.2.2.5 of Secure Login for Jira. To provide the necessary security, the update contains a significant change to the whitelisting: after the update, all administrative and self-service functions require a valid 2FA authentication. This also applies if the corresponding user is on the whitelist through IP or group filters.
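The whitelist behaviour described under Vulnerability 2 and the change described in the Fix can be modelled as a small access decision. The following is an added example, not the app's own code: it evaluates one request against a session that has passed the first factor, the path/IP/group whitelists, and a list of paths that must always require the second factor. The IP range, group name and the administrative and onboarding paths are constructed placeholders; only /rest and /downloads come from the advisory.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    source_ip: str
    password_ok: bool  # first factor (username/password) passed
    mfa_ok: bool       # second factor (PIN/TOTP) validated in this session


@dataclass(frozen=True)
class Policy:
    path_whitelist: tuple         # endpoints reachable with the first factor only
    ip_whitelist: tuple           # source networks exempt from 2FA
    group_whitelist: frozenset    # groups exempt from 2FA
    always_protected: tuple = ()  # paths that need 2FA even when whitelisted


def _path_matches(path: str, prefix: str) -> bool:
    # Whole-segment match: "/rest" covers "/rest/api/2" but not "/restricted".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _whitelisted(session: Session, path: str, policy: Policy) -> bool:
    if any(_path_matches(path, p) for p in policy.path_whitelist):
        return True
    if any(ip_address(session.source_ip) in ip_network(n) for n in policy.ip_whitelist):
        return True
    return bool(session.groups & policy.group_whitelist)


def decide(session: Session, path: str, policy: Policy) -> str:
    """Return 'allow', 'need-2fa' or 'deny' for one request."""
    if not session.password_ok:
        return "deny"
    # The fix in the advisory, as modelled here: protected functions are checked
    # before any whitelist is consulted, so IP/group exemptions cannot bypass them.
    if any(_path_matches(path, p) for p in policy.always_protected):
        return "allow" if session.mfa_ok else "need-2fa"
    if session.mfa_ok or _whitelisted(session, path, policy):
        return "allow"
    return "need-2fa"


# Resembles the default described in the advisory: /rest and /downloads whitelisted,
# nothing exempt from the whitelist. IP range and group name are constructed.
DEFAULT_POLICY = Policy(
    path_whitelist=("/rest", "/downloads"),
    ip_whitelist=("10.0.0.0/8",),
    group_whitelist=frozenset({"service-accounts"}),
)

# Hardened policy in the spirit of the fix: administrative and self-service paths
# (assumed names) always require a validated second factor.
HARDENED_POLICY = Policy(
    path_whitelist=("/rest", "/downloads"),
    ip_whitelist=("10.0.0.0/8",),
    group_whitelist=frozenset({"service-accounts"}),
    always_protected=("/admin", "/secure-login/onboarding"),
)


if __name__ == "__main__":
    # Constructed sessions: an enrolled user before PIN validation from a whitelisted
    # network, and an integration account calling REST from outside it.
    enrolled = Session("alice", frozenset(), "10.1.2.3", password_ok=True, mfa_ok=False)
    bot = Session("ci-bot", frozenset(), "203.0.113.7", password_ok=True, mfa_ok=False)
    for policy_name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(policy_name, "onboarding:", decide(enrolled, "/secure-login/onboarding", policy))
        print(policy_name, "rest:", decide(bot, "/rest/api/2/issue", policy))
```

Under the default-style policy the onboarding path is reachable with the first factor alone whenever any whitelist applies; under the hardened policy it always demands the second factor, while REST calls from integration systems keep working as the advisory intends.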

What you need to do

We recommend that you upgrade to the latest version. For a full description of the latest version of Secure Login for Jira, see the release notes in the Atlassian Marketplace. You can upgrade from the UPM or download the latest version from the Atlassian Marketplace.

Support

If you have any questions or concerns regarding this advisory, please raise a support request at our Service Desk.
