As expected, Mozilla patched a highly scrutinized flaw in its automated update process for add-ons in Firefox, specifically around the expiration of certificate pins.
The vulnerability allowed attackers to intercept encrypted browser traffic, inject a malicious NoScript extension update and gain remote code execution. The flaw extended to the Tor Browser as well; Tor is built from the Firefox code base and was patched last Friday shortly after the bug was disclosed by a researcher known as movrck.
In addition to movrck, the bug was also analyzed by researcher Ryan Duff, a former member of U.S. Cyber Command. Both said exploitation would be challenging because of the preconditions involved: an attacker would first have to steal or forge a TLS certificate the browser trusts and then position themselves in the traffic path, either by running malicious Tor exit nodes or through some other man-in-the-middle attack.
The attacker would then have to wait for a NoScript add-on update check, substitute a malicious update of their own and thereby gain remote control of the compromised machine. Targeting specific individuals this way would be considerably harder than targeting Firefox or Tor users at scale. Successful exploits are likely in the realm of state-sponsored attackers or well-resourced criminal operations; movrck, for example, estimated such an attack would cost about $100,000 to execute.
Mozilla said the vulnerability, CVE-2016-5284, occurred in the process used to update the Preloaded Public Key Pinning in its releases. Rather than relying on HTTP Public Key Pinning (HPKP) headers, Mozilla ships its own static pins, which carry a built-in expiration date after which they are no longer enforced. In this case the pins expired on Sept. 3, and users were exposed to this attack for 17 days, until the current update shipped.
As it happened, movrck’s research was serendipitous: as Duff pointed out, had movrck tried the attack at any time outside this 17-day window, it would have failed.
Mozilla on Friday admitted to the flaws in its update process and to the expired pins. Mozilla’s Selena Deckelmann, a senior manager of security engineering, said the organization was not aware of malicious certs in the wild, though cautioned that Tor users are especially in the line of fire given that the Tor Browser comes pre-loaded with certain privacy-focused add-ons.
Duff found that, on the schedule in place before this update, the same lapse would have recurred twice more before the end of the year, with the biggest exposure starting Dec. 17, when the Firefox 50 pins were set to expire, and lasting until the next refresh on Jan. 24, 2017. The pins shipped in today’s update carry Mozilla through to November, which is how long it has to address the underlying expiration problem.
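To make the failure mode concrete, the following is an added example (not Mozilla code) that models a preloaded pinset which stops being enforced after its built-in expiry date, and audits a release schedule for the resulting unpinned windows. The host name and SPKI byte strings are constructed placeholders; the dates are the ones reported above (Sept. 3 to Sept. 20, and Dec. 17 to Jan. 24, 2017).

```python
"""Model of Firefox-style preloaded (static) public-key pins that stop being
enforced after a built-in expiry date, plus an audit of the gaps that leaves.
Added example, not Mozilla code. SPKI bytes and dates for the demo days are
constructed; the schedule dates are the ones reported in the article."""
import base64
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StaticPinset:
    host: str
    pins: frozenset      # base64(SHA-256(SubjectPublicKeyInfo DER)) values
    expires: date        # after this date the pinset is no longer enforced


def spki_pin(spki_der: bytes) -> str:
    """Pin fingerprint as used by HPKP and static pins: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_check(pinset: StaticPinset, chain_spkis, today: date):
    """Return (accepted, reason).

    Models the fail-open behaviour: once the built-in expiry has passed, any
    chain that ordinary CA validation accepts is allowed through, so a stolen
    or forged but CA-valid certificate is no longer stopped by the pin."""
    if today > pinset.expires:
        return True, "pinset expired, pinning not enforced"
    if any(spki_pin(spki) in pinset.pins for spki in chain_spkis):
        return True, "pin matched"
    return False, "no key in chain matches a preloaded pin"


def exposure_windows(schedule):
    """schedule: iterable of (pin_expiry, date_fresh_pins_shipped) per release.

    A window exists whenever the refresh ships after the old pins expire;
    returns (start, end, days) for each such gap."""
    windows = []
    for expiry, refresh in schedule:
        if refresh > expiry:
            windows.append((expiry, refresh, (refresh - expiry).days))
    return windows


# Constructed placeholders, not real Mozilla keys.
LEGIT_SPKI = b"constructed-spki-of-the-real-update-server-key"
ATTACKER_SPKI = b"constructed-spki-of-a-forged-but-ca-valid-cert"

ADDONS_PINSET = StaticPinset(
    host="example-update-host.invalid",   # placeholder host
    pins=frozenset({spki_pin(LEGIT_SPKI)}),
    expires=date(2016, 9, 3),             # expiry date reported in the article
)

# Demo days (constructed): one before the expiry, one inside the gap.
BEFORE_EXPIRY = date(2016, 9, 1)
IN_GAP = date(2016, 9, 10)

# Dates from the article: pins lapsed Sept. 3 and were refreshed Sept. 20;
# Firefox 50 pins were due to lapse Dec. 17 with no refresh until Jan. 24, 2017.
PIN_SCHEDULE = [
    (date(2016, 9, 3), date(2016, 9, 20)),
    (date(2016, 12, 17), date(2017, 1, 24)),
]

if __name__ == "__main__":
    for day in (BEFORE_EXPIRY, IN_GAP):
        ok, why = pin_check(ADDONS_PINSET, [ATTACKER_SPKI], day)
        print(f"{day}: forged chain accepted={ok} ({why})")
    for start, end, days in exposure_windows(PIN_SCHEDULE):
        print(f"unpinned window {start} -> {end}: {days} days")
```

Running it shows the forged chain rejected on Sept. 1 and accepted on Sept. 10, and reports the two windows of 17 and 38 days. The practical check a practitioner wants from this is the second function: for any product that ships static pins with an expiry, compare each expiry against the date the next refresh actually ships, not against the planned release cadence.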
Mozilla rated the certificate pinning vulnerability high severity; the same Firefox 49 release, shipped yesterday, also patched four bugs rated critical.
Two separate “memory safety bugs,” CVE-2016-5256 and CVE-2016-5257, were patched, both of which were found internally by Mozilla developers and could expose machines to arbitrary code execution.
Also patched was a global buffer overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions, which occurred when working with empty filters during canvas rendering, Mozilla said.
The remaining critical flaw was a heap buffer overflow in nsBMPEncoder::AddImageFrame during the encoding of image frames, which could lead to an exploitable crash. This vulnerability and CVE-2016-5257 were also patched in Firefox ESR 45.4.