Developers and organizations that use the Bugzilla open source bug-tracking system should upgrade to current versions after the disclosure of details of a vulnerability in its email-based permissions process.
The flaw, CVE-2015-4499, was patched last week in versions 4.2.15, 4.4.10 and 5.0.1 after it was reported Sept. 7 to Mozilla by researchers at security company PerimeterX.
An attacker could manipulate the system to elevate their privileges, putting any vulnerabilities tracked in a Bugzilla installation at risk of exposure and exploitation.
“Upon successful exploitation of the vulnerability we were granted permissions that would have potentially allowed us to view confidential data,” wrote researcher Netanel Rubin today in a post to the company’s website. Rubin said the vulnerability was tested on Mozilla’s Bugzilla.mozilla.org. “All Perl-based Bugzilla versions at the time of the report were vulnerable (2.0 to 4.2.14, 4.3.1 to 4.4.9, 4.5.1 to 5.0),” he said.
This is the second security story happening around Bugzilla in the last two weeks. On Sept. 4, Mozilla reported that an internal and privileged Bugzilla user’s account was compromised using a password taken from a data breach on a separate site. Mozilla confirmed that the attacker likely had access to the privileged account for two years and was able to steal information about recently patched Firefox vulnerabilities that were publicly exploited before being fixed.
The issue uncovered by PerimeterX isn’t as splashy, but could still put organizations using vulnerable Bugzilla instances at risk. PerimeterX, in fact, posted a recommendation to take vulnerable Bugzilla deployments offline until patched and to comb server logs for new accounts that could have been created using the vulnerability. Rubin called the vulnerability “extremely easy to exploit.”
Admins are able to configure a number of access levels and group settings for users that restrict what information they can see in the tool; generally, access privileges are granted based on a user’s email address. An email address belonging to a trusted organization means the user is equally trusted in Bugzilla, Rubin said.
An attacker exploiting the now-patched vulnerability could create an account using an email address from such a trusted domain, even if they don’t belong to that domain. They could do so because of a weakness in the registration process: an overly long login is improperly handled by the system. An attacker can take advantage of the weakness to append their true email address to an address trusted by Bugzilla. Because of the way the system handles the extended login, it sends the validation link and token to the attacker’s address instead, giving the attacker legitimate access to the Bugzilla system.
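To make the failure mode concrete, here is an added simulation (not Bugzilla’s code) of a registration flow in which the persisted login is silently cut to a fixed column width while the validation mail goes to the full submitted address, beside a hardened version that refuses overlong logins and checks what was actually persisted. The 255-character column width, the truncating store and the domain names are assumptions constructed for the example.

```python
"""Simulated registration flow: stored login vs. address the validation mail goes to.

Constructed example, not Bugzilla code. The 255-char column and the silent
truncation on insert are assumptions modelling the "extended login" handling.
"""
import re

LOGIN_COLUMN_WIDTH = 255                    # assumed width of the stored login column
TRUSTED_DOMAINS = {"trusted.example"}       # constructed trusted organization domain
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified syntax check only


def store_login_truncating(login: str) -> str:
    """Model a datastore that silently truncates overlong values on insert."""
    return login[:LOGIN_COLUMN_WIDTH]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def register_vulnerable(login: str) -> dict:
    """Checks syntax only, stores a (possibly truncated) login, mails the *submitted* address."""
    if not EMAIL_RE.match(login):
        raise ValueError("bad email syntax")
    stored = store_login_truncating(login)
    return {"stored": stored, "mailed_to": login,
            "trusted": domain_of(stored) in TRUSTED_DOMAINS}


def register_hardened(login: str) -> dict:
    """Rejects logins wider than the column and mails only the value actually persisted."""
    if not EMAIL_RE.match(login):
        raise ValueError("bad email syntax")
    if len(login) > LOGIN_COLUMN_WIDTH:
        raise ValueError("login exceeds storage width; refusing instead of truncating")
    stored = store_login_truncating(login)
    if stored != login:                      # defence in depth: read back what was written
        raise RuntimeError("persisted login differs from submitted login")
    return {"stored": stored, "mailed_to": stored,
            "trusted": domain_of(stored) in TRUSTED_DOMAINS}


def hardened_rejects(login: str) -> bool:
    """True if the hardened flow refuses the login (used for the check below)."""
    try:
        register_hardened(login)
        return False
    except (ValueError, RuntimeError):
        return True


# Constructed overlong login: its first 255 characters end in the trusted domain,
# while the full string does not belong to that domain.
TRUSTED_PREFIX = "x" * (LOGIN_COLUMN_WIDTH - len("@trusted.example")) + "@trusted.example"
OVERLONG_LOGIN = TRUSTED_PREFIX + ".attacker.example"
```

Run against `OVERLONG_LOGIN`, the vulnerable flow records a trusted-domain login yet mails a different address, which is exactly the mismatch a defender should test for; the hardened flow refuses it outright.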
“The implications of this vulnerability are severe,” Rubin wrote. “It could allow an attacker to access undisclosed security vulnerabilities in hundreds of products, in a manner similar to the Mozilla major data leak in August this year, only multiplied by the thousands of publicly available Bugzilla deployments. Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed.”