Multiple reports have recently emerged about serious security flaws affecting cloud deployments. This time, digital forensics experts at security firm Palo Alto Networks reported a critical server-side vulnerability in Jira, an issue tracking product of Atlassian Corp. which, if exploited, could expose users’ stored data.
To be precise, this is a server-side request forgery vulnerability whose exploit is related to an attacker’s request redirection web application to an internal network behind a particular firewall.
When exploiting this flaw a threat actor could use an application to access information underlying the structure of the cloud deployment (logs, login credentials, configurations, etc.). Although the metadata API is only locally accessible, this flaw functions as a gateway to this resource through the public Internet, and threat actors can bypass the sandbox environment when running it, digital forensics experts mentioned.
Using custom analysis tools, Palo Alto experts discovered that at least 7,000 Jira implementations are exposed via the public Internet; in addition, it is reported that about 45% of exposed deployments are vulnerable to this critical flaw, while 56% of the more than 3,000 vulnerable hosts are filtering metadata from the cloud infrastructure.
Among the deployments with the highest rate of data leakage by this vulnerability are:
- Digital Ocean (93%)
- Google Cloud (80%)
- Alibaba (70%)
- Amazon Web Services (68%)
According to digital forensics experts, Microsoft Azure has a data exposure index of 0% since this implementation blocks forged server-side requests from the default metadata API. Apparently this vulnerability is really similar to the one that was exploited in the attack on the Capital One Financial Corporation networks a few months ago, an incident that led to the theft of more than 100 million records stored by the company.
This attack variant is really serious, as it allows the internal networks reconnaissance, the exploitation of side channel flaws and even remote code execution. In their report, experts mention that sensitive information, such as credentials or network architecture, could be exposed, compromising internal services.
According to the digital forensics specialists from the International Institute of Cyber Security (IICS) the problem stems directly from the inadequate disinfection implemented by the developers; as a security recommendation, developers could more strictly validate the format and pattern of user input before integrating into application logic.
Other recommendations for system administrators include integrating a whitelist of domains, setting zero-trust network principles, using firewalls for web applications, and installing the corresponding security patches.