Mozilla’s web-based bug tracker Bugzilla is plagued by a critical vulnerability that allows an attacker to register accounts with apparently privileged email addresses and possibly gain access to sensitive bug information.
The vulnerability, identified by PerimeterX senior vulnerability researcher Netanel Rubin, affects Bugzilla deployments that use email-based permissions. Bugzilla users that rely on this model assign privileges to newly created accounts based on the email address that is used for registration. If the email address is on a domain associated with a trusted organization, the user is granted elevated privileges (i.e. they are given access to sensitive information).
For example, in the case of bugzilla.mozilla.org, anyone registering an account with a mozilla.com email address is granted access to confidential bugs.
Gaining privileged access to private bug reports poses a serious risk, as demonstrated by a recent incident involving bugzilla.mozilla.org. An attacker gained access to the details of 185 non-public vulnerabilities after stealing the credentials of a privileged Bugzilla user. While it seems that most of these security holes have not been exploited in the wild, at least one of them has been leveraged to steal files from users’ computers.
The problem discovered and reported by Rubin is that in unpatched versions of Bugzilla an attacker can create an account using an email address in any domain, even if they don’t actually own the said email account.
The vulnerability (CVE-2015-4499) is caused by the fact that a field in the database storing user registration data is set to “tinytext,” which represents a text string of maximum 255 bytes. If more than 255 bytes are inserted, the data is truncated, which allows a malicious actor to register an account using their own email address while tricking Bugzilla into thinking that it’s an address on a privileged domain.
When users register on Bugzilla, they have to click on a link received via email to confirm that they are the owners of the account. Since the entered email address is truncated in the database, the attacker can use an address like “aaaa[…]aaa @mozilla.com. attackerdomain.com” and the “.attackerdomain.com” part is trimmed when the validation is performed, resulting in Bugzilla treating the account as being registerd with a mozilla.com address. However, the email containing the confirmation link is still sent to the attacker’s email account. Rubin says the validation flaw is triggered if the address is longer than 127 characters.
The vulnerability, reported by Rubin on September 7, affects Bugzilla versions 2.0 through 4.2.14, 4.3.1 through 4.4.9, and 4.5.1 through 5.0. The issue has been patched in versions 4.2.15, 4.4.10, 5.0.1.
Since a large number of software projects use Bugzilla for tracking bugs, many serious vulnerabilities could become exposed before they are patched. Organizations using Bugzilla have been informed of the existence of patches and some of them, including the maintainers of Red Hat and Gentoo, have confirmed applying them.
“If you are using email based permissions in your Bugzilla deployment and have not yet installed a patched version, take it down until patched. Make sure to go over the logs and user-list to identify users that were created using this vulnerability. This vulnerability is extremely easy to exploit and the details have been known for more than a week, you have been or will be attacked!” Rubin warned in a blog post.
This is not the first time Rubin has found a Bugzilla vulnerability exposing undisclosed bugs. Back in October 2014, when he worked for Check Point Technologies, the researcher discovered a flaw that allowed him to create accounts with names that ensured privileged access to all bug reports.