Researcher releases PoC code for critical Atlassian Crowd RCE flaw

A researcher has released proof-of-concept code for a critical remote code execution vulnerability (CVE-2019-11580) in Atlassian Crowd, a centralized identity management solution that provides single sign-on and user management.


Atlassian plugged the hole in late May, but administrators who have not yet applied the fix should do so now: with a public PoC available, full-fledged exploits are likely to appear soon.

About the vulnerability (CVE-2019-11580)

Atlassian Crowd lets enterprise admins manage users from Active Directory, LDAP, OpenLDAP or Microsoft Azure AD and control which applications those users may authenticate to, all from a single location. Users get one set of login credentials for every application they need to access.

The flaw arose because a development plugin was incorrectly left enabled in release builds.

“Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center,” the Australian enterprise software firm explained.

Corben Leo, the security researcher who put together the exploit PoC, analyzed the plugin in question (pdkinstall) and its PdkInstallFilter servlet filter, and found a way to use it to remotely install another, malicious plugin.

Steps to take

Admins still running one of the vulnerable versions (2.1.0 to 3.0.4, 3.1.0 to 3.1.5, 3.2.0 to 3.2.7, 3.3.0 to 3.3.4, 3.4.0 to 3.4.3) should upgrade Crowd or Crowd Data Center to version 3.0.5, 3.1.6, 3.2.8, 3.3.5 or 3.4.4, whichever is the first fixed release on their branch. No fixed 2.x release is listed, so 2.x deployments need to move to 3.0.5 or later.

If that’s not possible, they can mitigate the issue by stopping Crowd, removing every copy of the pdkinstall plugin from the installation, and then starting Crowd again.

Detailed steps on how to do that and a bash script that automates the mitigation steps on Linux systems can be found in Atlassian’s security advisory.
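The following POSIX shell script is an added example, not Atlassian’s advisory script and not Corben Leo’s PoC. It encodes the version ranges and fixed releases quoted above as a pre-flight check an admin can run before deciding between the upgrade and the stop-remove-restart mitigation. Two assumptions are not taken from the article: the installed Crowd version is supplied by the admin as the first argument, and the leftover development plugin ships as a file whose name contains "pdkinstall" (Atlassian’s advisory lists the exact locations; the script only lists candidate files and deletes nothing).

```shell
#!/bin/sh
# Added pre-flight check for CVE-2019-11580 (example code, not Atlassian's advisory script).
# Assumptions, not from the article: the admin passes the installed Crowd version as $1,
# and the leftover development plugin is packaged as a file whose name contains "pdkinstall".

# Vulnerable ranges from the advisory, as inclusive "low:high" pairs.
VULN_RANGES="2.1.0:3.0.4 3.1.0:3.1.5 3.2.0:3.2.7 3.3.0:3.3.4 3.4.0:3.4.3"
# First fixed release on each branch; 2.x installs have to move to 3.0.5 or later.
FIXED_VERSIONS="3.0.5 3.1.6 3.2.8 3.3.5 3.4.4"

# version_key 3.2.7 -> 3002007, so versions can be compared as plain integers.
version_key() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# crowd_is_vulnerable VERSION: return 0 if VERSION lies in a vulnerable range, 1 otherwise.
crowd_is_vulnerable() {
    key=$(version_key "$1")
    for range in $VULN_RANGES; do
        if [ "$key" -ge "$(version_key "${range%%:*}")" ] &&
           [ "$key" -le "$(version_key "${range#*:}")" ]; then
            return 0
        fi
    done
    return 1
}

# fixed_version_for VERSION: print the fixed release on the same major.minor branch,
# falling back to the lowest fixed release overall (3.0.5) for branches with no fix.
fixed_version_for() {
    branch=${1%.*}
    for fixed in $FIXED_VERSIONS; do
        if [ "${fixed%.*}" = "$branch" ]; then
            echo "$fixed"
            return 0
        fi
    done
    echo "${FIXED_VERSIONS%% *}"
}

# find_pdkinstall DIR: list files under DIR whose name mentions pdkinstall.
# Filename pattern is an assumption; nothing is removed here.
find_pdkinstall() {
    find "$1" -type f -iname '*pdkinstall*' 2>/dev/null
}

# crowd_precheck VERSION [INSTALL_DIR]: print a summary; return 2 if action is needed, 0 if not.
crowd_precheck() {
    version=$1
    dir=${2:-}
    status=0
    if crowd_is_vulnerable "$version"; then
        echo "Crowd $version is vulnerable to CVE-2019-11580; upgrade to $(fixed_version_for "$version") or later."
        status=2
    else
        echo "Crowd $version is not in a vulnerable range."
    fi
    if [ -n "$dir" ]; then
        found=$(find_pdkinstall "$dir")
        if [ -n "$found" ]; then
            echo "pdkinstall plugin files present (remove them with Crowd stopped, per the advisory):"
            echo "$found"
            status=2
        fi
    fi
    return "$status"
}

# Usage: sh crowd_precheck.sh 3.2.7 /opt/atlassian/crowd
if [ $# -ge 1 ]; then
    crowd_precheck "$@"
fi
```

The exit status is meant for automation: a 2 from `crowd_precheck` means either the version is in a vulnerable range or plugin files are still on disk, so a fleet-wide run can be reduced to a list of hosts that still need the upgrade or the mitigation.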