October 6, 2014

A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

The Bugzilla mascot.


Multiple software projects use Bugzilla to keep track of bugs and flaws that are reported by users. The Bugzilla platform allows anyone to create an account that can be used to report glitches or security issues in those projects. But as it turns out, that same reporting mechanism can be abused to reveal sensitive information about as-yet unfixed security holes in software packages that rely on Bugzilla.

A developer or security researcher who wants to report a flaw in Mozilla Firefox, for example, can sign up for an account at Mozilla’s Bugzilla platform. Bugzilla responds automatically by sending a validation email to the address specified in the signup request. But recently, researchers at security firm Check Point Software Technologies discovered that it was possible to create Bugzilla user accounts that bypass that validation process.

“Our exploit allows us to bypass that and register using any email we want, even if we don’t have access to it, because there is no validation that you actually control that domain,” said Shahar Tal, vulnerability research team leader for Check Point. “Because of the way permissions work on Bugzilla, we can get administrative privileges by simply registering using an address from one of the domains of the Bugzilla installation owner. For example, we registered as admin@mozilla.org, and suddenly we could see every private bug under Firefox and everything else under Mozilla.”

Bugzilla is expected today to release updates to remove the vulnerability and help further secure its core product. Update, 1:59 p.m. ET: An update that addresses this vulnerability and several others in Bugzilla is available here.

“An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license.

“This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed,” Stamm said. “There have been no reports from users that sensitive data has been compromised and we have no other reason to believe the vulnerability has been exploited. We expect the fixes to be released on Monday.”
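To make the mechanism Stamm describes concrete, the following is an added illustration, not Bugzilla's code or its fix: a confirmation step that trusts a `login_name` submitted with the confirmation form (so the account can end up with an address other than the one that received the mail) beside a hardened step that takes the address only from an HMAC-bound token. `SERVER_KEY`, the token layout and all addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment would load it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(email: str) -> str:
    """Create the confirmation token that is mailed to `email`.

    The address is bound into the token with an HMAC, so whoever later
    presents the token cannot change which address it stands for.
    """
    nonce = secrets.token_hex(8)
    payload = f"{email}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + mac.encode()).decode()


def verify_token(token: str) -> Optional[str]:
    """Return the address the token was issued for, or None if it is invalid."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        email, nonce, mac = raw.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_KEY, f"{email}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return email


def confirm_vulnerable(token: str, form: dict) -> Optional[str]:
    """Anti-pattern: the token proves *some* address was reachable, but the
    account's login_name is then taken from the submitted form, so it can differ."""
    email = verify_token(token)
    if email is None:
        return None
    return form.get("login_name", email)


def confirm_hardened(token: str, form: dict) -> Optional[str]:
    """Hardened: login_name comes only from the verified token; a form value
    that disagrees is rejected rather than accepted."""
    email = verify_token(token)
    if email is None:
        return None
    if form.get("login_name", email) != email:
        return None  # a mismatch is worth logging, not a value to store
    return email


def swap_address(token: str, new_email: str) -> str:
    """Test helper: re-encode a token with a different address but the old MAC,
    to show that verify_token rejects it."""
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    _, nonce, mac = raw.split("|")
    return base64.urlsafe_b64encode(f"{new_email}|{nonce}|{mac}".encode()).decode()
```

The difference between the two confirm functions is one line: which source of truth names the account. Any design where the verified address and the stored `login_name` can be set from different inputs has the same gap, whatever the web framework.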

The flaw is the latest in a string of critical and long-lived vulnerabilities to surface in the past year — including Heartbleed and Shellshock — that would be ripe for exploitation by nation state adversaries searching for secret ways to access huge volumes of sensitive data.

“The fact is that this was there for 10 years and no one saw it until now,” said Tal. “If nation state adversaries [had] access to private bug data, they would have a ball with this. There is no way to find out if anyone did exploit this other than going through user list and seeing if you have a suspicious user there.”
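Tal's point above about domain-based permissions, and his remark that the only way to find out whether an installation was abused is to go through the user list, both come down to the same audit. The following is an added example, not Check Point's or Bugzilla's code: it models the kind of per-group "user regexp" an administrator can configure to auto-grant group membership by login name, then flags accounts that would inherit such groups without having been verified or appearing in the organisation's directory. Group names, patterns, the `verified` column and every address are constructed.

```python
import re

# Constructed: groups an admin has configured to auto-grant membership by a
# regexp on the login name, modelled on Bugzilla's per-group user regexp.
# Names and patterns are illustrative, not any real installation's settings.
AUTO_GROUPS = {
    "corp-employee": re.compile(r"^.+@example\.com$", re.IGNORECASE),
    "corp-confidential": re.compile(r"^.+@example\.org$", re.IGNORECASE),
}

# Constructed: an export of user accounts; `verified` is a constructed column
# meaning the address completed mail confirmation.
USERS = [
    {"login_name": "alice@example.com", "verified": True},
    {"login_name": "bob@gmail.com", "verified": True},
    {"login_name": "admin@example.com", "verified": False},
    {"login_name": "admin@example.org", "verified": False},
]

# Constructed: the directory of addresses the organisation actually issued.
DIRECTORY = {"alice@example.com"}


def implied_groups(login_name: str) -> list:
    """Groups an account inherits from its address alone, before any manual grants."""
    return sorted(g for g, rx in AUTO_GROUPS.items() if rx.match(login_name))


def suspicious_accounts(users, directory) -> list:
    """Accounts that pick up regexp-based groups without being verified or known."""
    findings = []
    for u in users:
        groups = implied_groups(u["login_name"])
        if not groups:
            continue  # no domain-based privilege, nothing to review
        reasons = []
        if not u["verified"]:
            reasons.append("email never verified")
        if u["login_name"].lower() not in directory:
            reasons.append("not in directory")
        if reasons:
            findings.append((u["login_name"], groups, reasons))
    return findings


if __name__ == "__main__":
    for login, groups, reasons in suspicious_accounts(USERS, DIRECTORY):
        print(f"{login}: inherits {groups}; {', '.join(reasons)}")
```

Running the same comparison on a schedule is what Mozilla's later statement describes for its own installation; the point of the example is that the check is cheap once the regexp-to-group mapping is spelled out.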

Like Heartbleed, this flaw was present in open source software to which countless developers and security experts had direct access for years on end.

“The perception that many eyes have looked at open source code and it’s secure because so many people have looked at it, I think this is false,” Tal said. “Because no one really audits code unless they’re committed to it or they’re paid to do it. This is why we can see such foolish bugs in very popular code.”

Update, Oct. 7, 12:44 p.m. ET: Mozilla issued the following statement in response to this story:

Regarding the comment in the first paragraph: While it’s a theoretical possibility that other Bugzilla installations expose security bugs to “all employees,” Mozilla does not do this and as a result our security bugs were not available to potential exploiters of this flaw.
At no time did Check Point get “administrative privileges” on bugzilla.mozilla.org. They did create an account called admin@mozilla.org that would inherit “netscapeconfidential” privileges, but we stopped using this privilege level long before the reported vulnerability was introduced. They also created “admin@mozilla.com” which inherited “mozilla-employee” access. We do actively use that classification, but not for security bugs.
In addition, on bugzilla.mozilla.org Mozilla regularly checks @mozilla.com addresses against the employee database and would have caught any fraudulently created @mozilla.com accounts quickly.



37 thoughts on “Bugzilla Zero-Day Exposes Zero-Day Bugs”

  1. Robert.Walter

    The myth that open source is secure source dies by another degree.

    1. lel

      Whoever said it was secure?

      Nothing is 100% secure. Commercial or other, only a fool would believe it was. Just someone isn’t out of pocket on this.

      Your useless comment has spoiled my day already.

    2. MC

      Good thing commercial software vendors never have security bugs.

      This bug had nothing to do with the license model, nor was it discovered through a detailed analysis of the code. But, you knew that already.

    3. tmt

      And how many times did Microsoft release critical fixes for all supported windows versions, from Windows XP till Windows 8 and Windows 7 before? Or am I just imagining that this is over 10 years of OS development?

    4. coolac

      this article is too funny.

      Yes, it’s true Windows has more people looking at its code, whether good or bad, than the open source community does…lol

      These communities like to blame the users all the time; well, if that’s the case, then the operating system really doesn’t matter at all.

      IMO Windows can be hardened just as much, much more easily. http://hardenwindows7forsecurity.com/Harden%20Windows%207%20Home%20Premium%2064bit%20-%20Standalone.html is really all you need. Compare that to the Ubuntu hardening guide.

  2. Derp

    “The myth that open source is secure source dies by another degree.”

    Keep telling yourself that when you update Windows and patch r00ted remote exploit after exploit – the hits keep on coming!

  3. nobody

    Checkpoint will never give credit to the person who did it, instead it will always be something like

    “Check Point’s Malware and Vulnerability Research Group”.

    Good luck, PR machine.

  4. Eric

    “…The fact is that this was there for 10 years and no one saw it until now…”

    At least, no one reported it till now. That doesn’t mean that no one has used it till now. If Joe Hacker has an undetectable shorthand method of probing everyone’s sites to see which hosts are vulnerable to what – I don’t think he’s going to make a lot of noise about it.

  5. Richard

    The use of “fool” and the other day someone’s use of “stupid” does not lead to a productive dialog. I think that most of the posters here can get their points across in a more polite way.

    1. Yesitwas

      Yes, but it still made me laugh when that guy said “Google it Turdface” Probably should have been turdhead, but it made me laugh anyway.

  6. Frédéric Buclin

    This article is full of inaccuracies! The vulnerability doesn’t let you access sensitive bugs; it only lets you change the email address used for your account to one email address which doesn’t belong to you. But such accounts do not get special privileges by default, and so this means you cannot access confidential bugs.
    And mentioning that Bugzilla is going to release a fix later today is just irresponsible of you. You could have waited until the releases were available from the Mozilla FTP website before disclosing the vulnerability. You just wanted to make a buzz, right?

    1. sven

      @frederic

      so which is it? is this no big deal, as you claim? if that’s true, why is it also so irresponsible of Mr. Krebs to report this?

      1. Frédéric Buclin

        @sven: because Mr. Krebs doesn’t know all the details, and takes the risk of disclosing a security vulnerability without giving Bugzilla admins a chance to upgrade their installations. This is just the wrong way to talk about security.

    2. Mike Long

      So you completely missed this part of the article huh Frederic:

      For example, we registered as admin@mozilla.org, and suddenly we could see every private bug under Firefox and everything else under Mozilla.”

      Seems more than just a little name changing if you can register and SEE ALL BUGS REPORTED (even the private ones).

      1. Frédéric Buclin

        @Mike: I know what the article says, but this is plain wrong! I’m a Bugzilla core developer and I got confirmation from Mozilla admins themselves that neither @mozilla.org nor @mozilla.com accounts can see security bugs by default. This is just plain wrong. Checkpoint clearly wants to make the buzz too.

        1. Shahar Tal

          I stand corrected, I rechecked it and we were not able to see all Firefox bugs. We were positively members of multiple “confidential” groups I will not mention here, as well as the permission to edit bugs and perform various actions. We did not dive deeper than that as that was not a direct research goal.

          1. Frédéric Buclin

            Now we agree. 🙂 You indeed couldn’t see any of the security bugs, because Mozilla Bugzilla is not configured that way (i.e. automatically give such privileges based on your domain name only). What is true is that you could see *some* of the bugs restricted to some groups.
            I’m going to reword what I said before: *by default* Bugzilla doesn’t give you any special privileges based on the domain name of your email address. But an admin is free to configure his installation to automatically give some given permissions to all users belonging to some domain name. In the case of Mozilla, this involves e.g. the @mozilla.com or @mozilla.org domains. But the article wasn’t clear about that, and let everybody think that you could get admin privileges and see all security bugs magically, which is not true.

        2. Hans

          I see that Mr Buclin found a lot of bugs in the comment section!

    1. timeless

      I don’t think it should.

      1. Tor uses Trac to track bugs:
      https://trac.torproject.org/projects/tor

      (It wouldn’t shock me if Trac has its own bugs.)

      2. Any Tor impacted bugs in Gecko weren’t accessible to the researcher who performed this attack / wouldn’t be accessible to someone else performing the same attack.

  7. Andrew Chipman

    I’m glad to see these published. I’ve heard a lot of people say that Linux/Mac is more secure than Windows. (I realize that is not what this is about.)

    I believe that people will begin to see the folly of thinking that systems that aren’t popular are somehow more secure.

    Just because your system is not a target now, doesn’t mean it won’t be soon. Anyone have the latest numbers on the marketshare of malware per OS?

    1. timeless

      FWIW, Bugzilla can also be installed on Windows.

      Most server software is fairly platform agnostic.

      This isn’t about Linux vs. Mac (you can run Bugzilla on OS X too) vs. Windows.

      And it isn’t really about open-source vs. closed-source (you can and will find bugs in closed-source software too).

      It is true that the idea “given enough eyeballs all bugs are shallow” is unfortunately false. At best “given enough eyeballs with excellent domain specific knowledge/understanding, bugs can be fixed given additional time and resources”.

      A bug like this one would be much harder to find without the source, since you would have to have a hunch that a given area might be vulnerable, instead of some other area. There are lots of entry-points to modern web applications, which means that there are lots of places where you could choose to focus your efforts. With the source, you can more easily identify areas worth probing.

      1. Rick

        ‘It is true that the idea “given enough eyeballs all bugs are shallow” is unfortunately false.’

        It’s not necessarily false (or true? way to confuse me with that sentence 🙂 ), it’s simply that there weren’t enough eyeballs on this code.

        What is true is that not every OSS project has the benefit of a lot of eyes looking at its code.

  8. David

    Bugzilla.org seems to be down. At least, I cannot connect to it.

    1. JimV

      Probably either crashed from an induced DDoS-level of demand by developers to see if there’s a fix and users to see whether it’s a problem that affects them, or it’s been taken offline until there is a fix.

  9. TheOreganoRouter.onion.it

    The internet security issues never seem to end

    1. Robert

      I was an IT and networking professional until 2003 when I moved away from the US. That’s a lot of time to forget, and to watch things move forward without you. I’m a somewhat savvy layman now.

      I started paying attention to security issues again several years ago when the Stuxnet story broke. It gets worse and worse every year. Every week or every month something new crashes in on us.

      People keep adding on layer after layer of techno complexity to society, and people keep consuming all that is new – while criminals are jumping on every opportunity to work the technology to their gain.

      I don’t know how people with no real IT background can possibly keep up with it. Most of the people who use computers, and smart phones, are stationary targets for cyber criminals.

      It’s not going to end. Cyber crime is analogous to jihad across North Africa and the Middle East. Or border security against drug trafficking. It’s like climate change.

      There’s not going to be a happy ending.

  10. EllenC

    Brian…I tried downloading bugzilla to install it and then get the security update you’re reporting on but I get a file association of .gz. Can’t download. Any suggestions?

    1. timeless

      EllenC: Ideally if you’re actually hosting your own Bugzilla installation, you’d understand what to do with the file that you downloaded.

      That said, if you inherited a Bugzilla installation:
      http://www.bugzilla.org/support/

      If you’re just a user, there’s nothing you can do beyond asking your admin.
      In general, the main page of bugzilla will indicate the version it’s running.

      * If it says any of: 4.0.15, 4.2.11, 4.4.6, 4.5.6, it has the fix.
      * If its version is older than that, then you can contact your administrator and ask them to upgrade.
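As an added example (not the commenter's, nor anything shipped by Bugzilla), here is the version check the two bullets above describe, written so that it is branch-aware: a 4.2.x installation is compared only against 4.2.11, not against the 4.4 or 4.5 numbers. The four fixed versions are the ones the comment lists; the handling of pre-release strings such as `4.4rc1` (treated as older than any numbered 4.4 patch release) is an assumption of this example.

```python
import re
from typing import Optional

# Fixed releases named in the comment above, keyed by branch.
FIXED_BY_BRANCH = {
    (4, 0): (4, 0, 15),
    (4, 2): (4, 2, 11),
    (4, 4): (4, 4, 6),
    (4, 5): (4, 5, 6),
}


def parse_version(text: str) -> Optional[tuple]:
    """Turn '4.4.6', '4.4rc1' or '4.4' into (major, minor, patch); None if unparseable.

    Assumption for this example: a missing or pre-release patch component counts as 0,
    so any release candidate sorts before the first numbered patch release.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def has_fix(version_text: str) -> Optional[bool]:
    """True if the version is at or past its branch's fixed release, False if older,
    None if the version cannot be parsed or its branch is not one the comment lists."""
    v = parse_version(version_text)
    if v is None:
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


if __name__ == "__main__":
    for shown in ("4.4.6", "4.4.5", "4.2.11", "4.4rc1", "5.0"):
        print(shown, "->", has_fix(shown))
```

A `None` result is deliberate: a branch the list does not cover should be looked up against the project's release notes rather than guessed at by comparing across branches.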

  11. bob

    ” The perception that many eyes have looked at open source code and it’s secure because so many people have looked at it, I think this is false,” Tal said. “Because no one really audits code unless they’re committed to it or they’re paid to do it. ”

    Moronic statement.

    Code that has been looked at by many eyes is more secure than code that hasn’t. Note this doesn’t mean there are no bugs.

    Whether the code is open source or not makes no difference to people being paid to audit it or being committed to it (whatever that means).

    The fact that this bug has been found is proof that someone is looking for bugs.

    People who see the finding and reporting of bugs as a sign of insecurity have such a skewed perception of the world that it’s very hard to know what to say without resorting to verbal abuse.

    This sort of thing happens just as often in the world of closed source. Only it happens without your knowledge; without your understanding of the issue and how it affects you; without giving you any ability to apply temporary workarounds or prioritise your updates. If you think this is an open source problem you are naive to the point of retardation.

  12. Diane Trout

    Were any of the listed bugs discovered by after-the-fact forensic analysis of hacked systems? Perhaps these constant discoveries are what “many eyes searching for vulnerabilities” looks like.

    At least no one found evidence of exploitation of heartbleed prior to the announcement http://seclists.org/dataloss/2014/q2/32

  13. Quinn

    ” The perception that many eyes have looked at open source code and it’s secure because so many people have looked at it, I think this is false,” Tal said. “Because no one really audits code unless they’re committed to it or they’re paid to do it. ”

    OpenBSD is audited constantly, for all bugs, including security bugs, and is probably one of the safest common OS at this time.

    Then there is the live CD or USB install, as suggested by Brian. Your only vulnerability then is the BIOS or router.

    An even safer OS is QubesOS, created by Joanna Rutkowska, a top security analyst. Every aspect of the OS is isolated in a separate domain with restricted privileges.

    1. Spacewalker

      I 2nd the motion to use QubesOS. I’ve mentioned it before in a reply to a Krebs Blog, but haven’t heard of Brian taking a look or commenting on it.

      I wish he would because I think it would be useful for more people to actively use a more natively secure platform and procedures, shrinking the overall active footprint for the bad guys.
