2018-07-05 - Secure Login for Jira security advisory

Overview

Summary
  • Revoking a user's secret key without permission

  • Capturing a user's secret key without permission

Advisory Release Date  2018-07-05
Product                Secure Login for Jira
Severity               HIGH
Affected Versions      <= 2.2.2.4
Fixed Versions         2.2.2.5

Summary of Vulnerability

This advisory discloses two high severity security vulnerabilities in Secure Login for Jira. All versions of Secure Login for Jira before 2.2.2.5 are affected. Both vulnerabilities were found by the independent security researcher Kacper Szurek, who kindly reported them to us.

Both attack vectors described below assume that a potential attacker already has a user's credentials (username and password). If those credentials belong to an administrator, the impact is correspondingly higher than for a regular user. The security of the underlying Jira system is not affected; the vulnerabilities concern Secure Login itself only. Furthermore, we have no indication that the vulnerabilities have been exploited.

In line with our agreement as a vendor, we informed Atlassian about the vulnerabilities in advance.

Customers who have upgraded Secure Login for Jira to version 2.2.2.5 are not affected.

Customers who have downloaded and installed a version of Secure Login for Jira lower than 2.2.2.5

Please upgrade your Secure Login for Jira installations immediately to fix these vulnerabilities.

Vulnerability 1:  Revoking a user's secret key without permission

In the default configuration, REST services bypass the validation of Secure Login's second factor, so REST calls are authenticated by username and password alone. This whitelisting of REST services ensures that other systems can still communicate with your Jira instance, as there is no reliable way to include a second factor in machine-to-machine communication. However, the whitelisting also covered the internal REST services used by Secure Login itself. With the default configuration unchanged, a potential attacker could call the internal REST service that revokes a user's secret key. The precondition is that the attacker is in possession of that user's login credentials. After revoking the secret, the attacker could go through the Secure Login onboarding process to register a new secret and gain access to the system.

Vulnerability 2:  Capturing a user's secret key without permission

Due to an error in Secure Login's state management, it was possible to open the onboarding dialog via a deep link after a successful password login but before PIN validation. This was possible even if the user was already enrolled in two-factor authentication.

A potential attacker could exploit this error to obtain a user's secret key. Again, the precondition is that the attacker already possesses that user's login credentials.

Fix

Both vulnerabilities have been fixed in version 2.2.2.5 of Secure Login for Jira. To provide the necessary security, the update contains a significant change to the whitelisting: after the update, all administrative and self-service functions require valid 2FA authentication. This also applies if the corresponding user is on the whitelist through IP or group filters.
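As an added illustration covering Vulnerability 1, Vulnerability 2 and the fix above (example code written for this page, not code from the advisory or from the Secure Login plugin), the following Python model contrasts the access policy the advisory describes for versions up to 2.2.2.4 with the policy after the fix. The endpoint paths, the whitelist contents (a REST path prefix and a trusted IP) and the session model are assumptions chosen for the example; the advisory does not name the plugin's internal endpoints.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Stage(Enum):
    """How far a browser session has got through the Secure Login flow."""
    ANONYMOUS = "anonymous"
    PASSWORD_OK = "password_ok"   # username + password accepted, PIN not yet validated
    PIN_OK = "pin_ok"             # second factor validated


@dataclass
class Session:
    user: str
    stage: Stage
    enrolled: bool                # user already has a secret key registered


@dataclass
class Request:
    path: str
    session: Session
    source_ip: str


# Hypothetical paths for the example; the advisory does not publish the real ones.
REVOKE_SECRET = "/rest/securelogin/1.0/secret/revoke"
ONBOARDING = "/plugins/servlet/securelogin/onboarding"

# Hypothetical whitelist: REST calls and one trusted address skip the second factor.
WHITELISTED_PREFIXES = ("/rest/",)
WHITELISTED_IPS = {"10.0.0.5"}

# Plugin-internal self-service/admin functions that must never run on password alone.
PROTECTED_PATHS = {REVOKE_SECRET, ONBOARDING}


def whitelisted(req: Request) -> bool:
    return req.path.startswith(WHITELISTED_PREFIXES) or req.source_ip in WHITELISTED_IPS


def allowed_affected(req: Request) -> bool:
    """Policy as the advisory describes versions <= 2.2.2.4."""
    s = req.session
    if s.stage is Stage.ANONYMOUS:
        return False
    if whitelisted(req):
        return True                               # vuln 1: whitelist also covers internal REST
    if req.path == ONBOARDING:
        return True                               # vuln 2: reachable before PIN, even if enrolled
    return s.stage is Stage.PIN_OK


def allowed_fixed(req: Request) -> bool:
    """Policy after 2.2.2.5: protected functions need a validated second factor,
    whitelisted or not. Onboarding on password alone only for users with no secret yet."""
    s = req.session
    if s.stage is Stage.ANONYMOUS:
        return False
    if req.path == ONBOARDING:
        return s.stage is Stage.PIN_OK or not s.enrolled
    if req.path in PROTECTED_PATHS:
        return s.stage is Stage.PIN_OK
    if whitelisted(req):
        return True                               # ordinary REST still works machine-to-machine
    return s.stage is Stage.PIN_OK


def attack_trace(policy: Callable[[Request], bool]) -> dict:
    """Attacker who knows the victim's password (constructed scenario) tries both vectors."""
    victim = Session(user="alice", stage=Stage.PASSWORD_OK, enrolled=True)
    attacker_ip = "203.0.113.7"                   # not on the whitelist
    return {
        "revoke_via_rest_whitelist": policy(Request(REVOKE_SECRET, victim, attacker_ip)),
        "onboarding_deep_link": policy(Request(ONBOARDING, victim, attacker_ip)),
    }


def legitimate_flows_still_work(policy: Callable[[Request], bool]) -> bool:
    """Regression check: plain REST API use and first-time onboarding remain possible."""
    bot = Session(user="integration", stage=Stage.PASSWORD_OK, enrolled=True)
    newcomer = Session(user="bob", stage=Stage.PASSWORD_OK, enrolled=False)
    return (policy(Request("/rest/api/2/issue/KEY-1", bot, "203.0.113.7"))
            and policy(Request(ONBOARDING, newcomer, "203.0.113.7")))


if __name__ == "__main__":
    for name, policy in (("affected", allowed_affected), ("fixed", allowed_fixed)):
        print(name, attack_trace(policy), "legit ok:", legitimate_flows_still_work(policy))
```

The fixed policy checks the plugin's own protected paths before consulting the whitelist, which is the essence of the change the advisory describes: whitelisting still exempts ordinary REST traffic, but never the functions that manage the second factor itself.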

What you need to do

We recommend that you upgrade to the latest version. For a full description of the latest version of Secure Login for Jira, see the release notes in the Atlassian Marketplace. You can upgrade via the Universal Plugin Manager (UPM) or download the latest version from the Atlassian Marketplace.

Support

If you have any questions or concerns regarding this advisory, please raise a support request at our Service Desk.