Critical server-side vulnerability in Jira affects cloud deployments; update now

Multiple reports have recently emerged about serious security flaws affecting cloud deployments. This time, digital forensics experts at security firm Palo Alto Networks reported a critical server-side vulnerability in Jira, the issue tracking product from Atlassian Corp.; if exploited, it could expose users’ stored data.

To be precise, this is a server-side request forgery (SSRF) vulnerability: an attacker gets the web application to redirect requests to an internal network behind a firewall.

By exploiting this flaw, a threat actor could use the application to access information about the underlying structure of the cloud deployment (logs, login credentials, configurations, etc.). Although the metadata API is only locally accessible, this flaw functions as a gateway to this resource from the public Internet, and threat actors can use it to bypass the sandbox environment, digital forensics experts mentioned.

Using custom analysis tools, Palo Alto experts discovered that at least 7,000 Jira implementations are exposed to the public Internet; in addition, about 45% of exposed deployments are reported to be vulnerable to this critical flaw, while 56% of the more than 3,000 vulnerable hosts are leaking metadata from the cloud infrastructure.

Among the deployments with the highest rate of data leakage by this vulnerability are:

  • Digital Ocean (93%)
  • Google Cloud (80%)
  • Alibaba (70%)
  • Amazon Web Services (68%)

According to digital forensics experts, Microsoft Azure has a data exposure index of 0%, since this implementation blocks forged server-side requests to the metadata API by default. Apparently this vulnerability is very similar to the one that was exploited in the attack on the Capital One Financial Corporation networks a few months ago, an incident that led to the theft of more than 100 million records stored by the company.

This attack variant is very serious, as it allows reconnaissance of internal networks, the exploitation of side-channel flaws and even remote code execution. In their report, experts mention that sensitive information, such as credentials or network architecture, could be exposed, compromising internal services.

According to the digital forensics specialists from the International Institute of Cyber Security (IICS), the problem stems directly from the inadequate input sanitization implemented by the developers; as a security recommendation, developers could more strictly validate the format and pattern of user input before passing it into application logic.

Other recommendations for system administrators include maintaining a whitelist of domains, applying zero-trust network principles, using web application firewalls, and installing the corresponding security patches.
