A threat advisory paper by information security firm Command Five has made the claim that Atlassian may be including a backdoor in its Crowd software.
The paper in question (PDF) focuses on an XML parsing vulnerability in Crowd, designated by the CVE identifier CVE-2013-3925. This vulnerability allows an attacker to remotely retrieve files from the network or conduct denial-of-service attacks, but it has since been patched.
However, the paper also highlights another, as yet unreported, vulnerability: CVE-2013-3926. According to Command Five, it allows a remote attacker to "take full control of any Crowd server to which they are able to make a network connection". Unlike an accidental vulnerability, though, the paper said that it is covertly positioned, requires the use of special parameters, leaves no log messages, and has the ability to persist once exploited.
Due to these features, as well as there being no apparent purpose for what may have been intentionally built into the software, Command Five said it could be classified as a backdoor.
Exploiting the vulnerability would result in the compromise of application and user credentials, data storage, configured directories, and any dependent systems.
The paper said that a full analysis of this vulnerability will be conducted and only made public once a vendor fix has been released, but Atlassian said that Command Five has not contacted it about the vulnerability at all.
A spokesperson for Atlassian told ZDNet that "the author of the paper did not report the second vulnerability to us, so we are unclear about what he means. We have not found anything that can be classified as a 'backdoor' in Crowd".
But according to Command Five, it had notified Atlassian.
"Atlassian was informed on 5 June 2013 that a second vulnerability existed (CVE-2013-3926), and that it had exceptionally grave security implications," the company said in an emailed statement.
Despite this, Command Five has said that it will continue to withhold its findings until it is confident that the vulnerability can be closed.
"Command Five has not received any requests for technical details from Atlassian. Technical details of the remaining vulnerability have not been communicated outside of Command Five, and will continue to be held in strictest confidence until our ongoing investigations are completed and a vendor fix is made available."