Earlier this month, it was reported that hackers managed to breach the bug database of Mozilla. From here, the attackers accessed 185 non-public bugs for the popular Internet browser Firefox, 53 of which were categorized as “severe vulnerabilities.” At least one of these has been used in the wild, against visitors of a Russian news site.

Now, it might not just be Mozilla’s non-public bugs that are under threat. A security company has discovered how to obtain high-level permissions on Bugzilla, the vulnerability database used by Mozilla as well as a host of open-source projects and private businesses. These databases contain all sorts of sensitive information, including details on vulnerabilities that organizations have been told about, but are yet to fix. From here, it is potentially possible for an attacker to view details on unpatched problems, which could then be deployed against people who use Mozilla products, or any of the other affected pieces of software.

The Hack

When an organization employee or contributor, likely part of a security team, creates an account on Bugzilla, they will be sent a verification email, to check they do indeed own the address. But the bug, discovered by PerimeterX and written up by senior vulnerability researcher Netanel Rubin, allows anybody to create an account looking like it comes from a specific organization, even if they don’t work for it.

By registering on Bugzilla with an email address of exactly 255 bytes, including the domain of the target organization, instead of rejecting the large string, Bugzilla’s database trims the data down so it fits into the appropriate column. On the end of this, a hacker attaches a domain they own.

This results in the verification email to join Bugzilla being sent to an account controlled by the hacker, but being given the access allowed to the target.

“This essentially performs a privilege-escalation attack, allowing us to obtain privileges we otherwise could not,” Rubin writes.

Who’s Affected?

“Basically, anyone who uses Bugzilla,” who uses email based permissions is affected, Rubin told WIRED in a phone interview. That might include popular free software projects such as LibreOffice and Apache Project, as well as a number of Linux distributions, including Red Hat. 136 other projects are listed on the Bugzilla website, although that only includes public facing ones. “There are probably at least 10 times as many private ones,” the Bugzilla website reads.

It also affects Mozilla, who have already had a large cache of their non-public vulnerabilities accessed. In fact, this bug was tested on Mozilla’s Bugzilla.

And of course, it could also have a knock-on effect onto everyday users. Any vulnerabilities learned about by hackers by accessing a company’s Bugzilla system are ripe for being used.

Rubin told WIRED the bug has likely existed for around five to seven years, however it is impossible to tell whether it has been actively exploited.

How Severe Is This?

As for how worried the everyday person should be, the threat is pretty mild: it’s not clear whether the bug has been used maliciously in order to gain access to more juicy vulnerabilities, and Bugzilla patched the issue on September 10. In short, normal consumers don’t have to be immediately concerned.

But Bugzilla admins do need to take it seriously, and have to make sure to apply the fix, if they haven’t already. Bugzilla is used by some of the most popular software projects around, including the people who maintain the Firefox browser. Another worrying thing is how trivially the vulnerability can be exploited.

“It’s super easy. It’s just one simple request, and that’s it, you’re in,” Rubin continued. Once in, a hacker could potentially look at information concerning any vulnerabilities known to the product maintainers, but not yet patched. “The implications of this vulnerability are severe – it could allow an attacker to access undisclosed security vulnerabilities in hundreds of products,” Rubin’s writeup continues.

Go Back to Top. Skip To: Start of Article.

View original: 

Hack Brief: Oh Good, Anyone Can Access a List of Unpatched Firefox Bugs