2019-09-09 Host-Header Injection
Summary | Host-Header injection possible with recent SAML SSO versions |
|---|---|
Advisory Release Date | 2019/09/09 |
Products | SAML Single Sign On (SSO) for JIRA SAML Single Sign On (SSO) for Confluence SAML Single Sign On (SSO) Bitbucket |
Affected SAML SSO versions | 2.0.8 - 3.3.2 |
Fixed SAML SSO versions | 3.4.0 for Jira, Confluence and Bitbucket; 2.5.5 for Bamboo/Fisheye |
CVSS Score: Base Score / Temporal Score | 5.3 |
Summary
This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin since Version 2.0.8.
Please upgrade your Installations to fix this vulnerability. Please be aware that enabling (3.6.x) Alternate AssertionConsumerServiceURL in SAML-Request could keep your system vulnerable.
Details
The Atlassian APIs provide methods to detect the applications absolute base-URL (e.g. https://your.jira.example.com/jira). These methods rely on the request's host-header. Older versions of SAML Single Sign On use that information to generate several URLs, including the AssertionConsumerServiceURL in the SAML-requests. By overriding the Host-header, an attacker could potentially change these values to redirect users to a malicous server. Fixed versions are using relative URLs or the application's configured base URL when generating URLs. Please be aware that there is on excemption to this when enabling (3.6.x) Alternate AssertionConsumerServiceURL in SAML-Request.
In a scenario of several hosted web apps or websites on the same ip address, the web server uses the host header to decide where to send the HTTP request to. If an attacker is able to modify the host header, the user is redirected to the host as specified by the attacker.
Fortunately, attack vectors are rather limited, altering the host header is not easy. Two attack vectors are
Web-cache poisoning (An attacker needs to modify a caching mechanism between your Atlassian product and the user. The cache then serves the malicious host and the victim is redirected to it.)
Password Reset Poisoning (An attacker sends a password reset email to the victim with a malicious host, thus the victim will be redirected to the attacker's side and needs to enter their password. In consequence, the attacker gains knowledge of the password).
Please see https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/ for further information.
What You Need to Do
In general, please update the SAML SSO plugins to the latest versions, especially for versions 2.0.8 to 2.5.0 and 3.0.0 to 3.1.5 of the SAML SSO plugin.
For versions 2.5.1 to 2.5.4 and 3.1.6 to 3.3.1, one important attack vector was closed, but please also considering updating the plugin.
If you cannot update the plugin, configure your reverse proxy to prevent cache poisoning with alternative host headers, e.g. by deactivating caching at all or by not using the Atlassian app as the default backend. Please note, that this does not close all attack vectors.
If you need help with either if these courses of action, please raise a support request via our Support Portal.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.