Hundreds of open source software projects that make use of Bugzilla, Mozilla’s bug-tracking software, anxiously await a patch for a vulnerability that exposes private bugs collected by the system.
Mozilla is expected today to make available a patch for the vulnerability in Bugzilla's account-creation process, which lets anyone create a Bugzilla account that bypasses validation and allows for privilege escalation.
Shahar Tal, a vulnerability researcher with Check Point Software Technologies, reported the vulnerability to Mozilla; a hacker could exploit it to register any email address with Bugzilla, even addresses belonging to administrators at the targeted domain.
Tal said that, for example, he was able to register firstname.lastname@example.org and as a result could access private bugs shared with and stored by Mozilla. That kind of exposure would be quite a find for criminals and state-sponsored hackers looking for exploitable vulnerabilities collected by popular open source projects and software companies.
A request for comment from Mozilla was not returned in time for publication. Sid Stamm, a security and privacy engineer with Mozilla, confirmed the vulnerability to the security website Krebs on Security. He said the vulnerability allows the manipulation of database fields in Bugzilla during the creation of a user account. Depending on the Bugzilla configuration present, an attacker could create an account and elevate privileges on the Bugzilla tracker. Stamm said Mozilla is not aware of any breaches related to this vulnerability.
“The vulnerability allows registration of a user account with an attacker-chosen email address,” Check Point’s Tal told Threatpost. “In certain Bugzilla deployments, this effectively gains users with elevated permissions (e.g. registering ‘email@example.com’ gives you visibility on many records).”
Tal said the vulnerability resides in code that creates user accounts in the Bugzilla database.
“We were able to inject an attacker-controlled string into any database field post-validation, including the ‘login_name’,” Tal said. “I don’t want to get into more details than that at this point in time.” He would not divulge details about the exploit.
Close to 150 public Bugzilla installations, meaning those accessible online, are listed on the project's website; the project estimates there are likely 10 times as many private ones. Noteworthy on the list are Mozilla, the Apache Project, OpenOffice, Red Hat, Novell, GNOME, the Nessus Security Scanner, Sandia National Laboratories, the Wikimedia Foundation, Wireshark and many others.
Tal said the vulnerability team at Check Point is often called in to perform assessments for popular software and Internet infrastructure.
“This vulnerability was discovered during an investigation we are currently running of some Perl issues,” he said. “We have some very interesting results coming up in that research (Bugzilla is a good sample, but not the last one), which we plan to present at the upcoming CCC in Hamburg later this year.”