July 01, 2013, 12:13 PM — A critical vulnerability that could allow remote attackers to access sensitive enterprise log-in credentials and other data was fixed last week in Crowd, a single sign-on (SSO) and identity management tool used by large organizations to simplify access to their internal Web applications and services.
According to Atlassian, the Sydney-based software company that develops Crowd, the product is used by around 1,000 organizations in 55 countries, including large banks, car manufacturers, government agencies, telecommunication companies, software firms, online services providers, universities and others.
Crowd can be used to link identities between Active Directory, LDAP and other directory services; Atlassian's popular bug tracking, collaboration, project management and code repository tools; third party services like Google Apps, Apache or Subversion, and custom in-house developed Web applications.
The newly patched vulnerability stems from the way in which Crowd parses external XML entities defined in Document Type Definition (DTD) headers and is a variation of a vulnerability known as CVE-2012-2926 that was reported and patched back in 2012, researchers from security consultancy firm Command Five said Friday in a security advisory.
An attacker can exploit the vulnerability by sending requests with specially crafted entity URLs in order to trick the server into returning any file from the internal network that it has access to, including its own configuration files that contain unencrypted credentials, or to initiate a denial-of-service attack that would make the server inaccessible to users.
The 2012 vulnerability, for which an exploit module already exists in the Metasploit penetration testing tool, was fixed in Crowd 2.4.1. However, that patch only blocks external entities defined in requests sent to Crowd URLs that end in "/services," the Command Five researchers said.
Versions of Crowd up to and including 2.6.2 continue to process entities defined in DTD headers for requests that are sent to URLs ending in "/services/2" or "/services/latest," which re-enables the exploit, they said. "With a two character change to the targeted URL the Metasploit module is again 'fully armed and operational'."
The new issue has been assigned the CVE-2013-3925 identifier and was fixed in the latest stable version of the product, Crowd 2.6.3, that was released on June 24. According to the corresponding entry in Atlassian's bug tracker, the vulnerability has also been fixed in versions 2.5.4 and 2.7.