Mozilla is expected tomorrow to patch a critical vulnerability in Firefox’s automated update process for extensions that should put the wraps on a confusing set of twists surrounding this bug. The flaw also affected the Tor Browser and was patched Friday by the Tor Project.
The vulnerability first saw light of day last week when a researcher who goes by the handle movrck published his disclosure. He said that a well-resourced attacker with the ability to steal or forge a TLS certificate for addons.mozilla.org could put the entire Tor (and Firefox) ecosystem at risk of compromise.
In explaining the exploit chain required, movrck said an attacker would have to run malicious exit nodes on the Tor network, putting himself in a man-in-the-middle position to intercept update traffic for add-ons. The attacker would then be able to inject a malicious NoScript update that would be sent to a Tor Browser, gaining remote code execution.
Movrck said that the attack could be pulled off for about $100,000, a cost well within the reach of a criminal operation or nation-state attacker. Forging or stealing a TLS certificate is the hard part, but it has been done before in 2011 when Iranian hackers compromised Dutch Certificate Authority DigiNotar and obtained valid wildcard certificates for Google, Mozilla, Yahoo and others.
The twist is that movrck’s discovery was a bit serendipitous, researcher and former U.S. Cyber Command member Ryan Duff said. Duff wrote last week in a post to the Daily Dave mailing list that movrck’s attack against Tor should have failed and his malicious extension should not have loaded because of Tor’s strict enforcement of certificate pinning.
Tor Browser, which is built from the Firefox code base, suffered from Mozilla’s decision to ship a static certificate pin list and an HPKP (HTTP Public Key Pinning) pre-load list of pins with the browser. These pins expire, and the expiration dates are set, in this case, by Mozilla. Mozilla, however, did not set the expiration date to last until the next Firefox release, which is tomorrow, Duff said. The Firefox ESR pins expired instead on Sept. 3 and the regular Firefox release pins expired Sept. 10, meaning that pinning had not been enforced since.
“If he had not done this test between Sept. 3 and Sept. 20, it would have failed,” Duff told Threatpost.
Duff said exploitation of this vulnerability would be a challenge and likely be limited to a nation-state level of attack. It would be easier to pull off against Tor users at scale, but more difficult to target individuals, he said.
“Since pinning fails, you could forge a TLS certificate that reaches CAs built into Firefox,” Duff said. “It’s not easy, but it has been done. Then you need to man-in-the-middle the connection to addons (addons.mozilla.org), catch an update process in the traffic and put down a malicious update.”
Mozilla on Friday admitted to the flaws in its update process and to the expired pins. Mozilla’s Selena Deckelmann, a senior manager of security engineering, said the organization was not aware of malicious certs in the wild, though cautioned that Tor users are especially in the line of fire given that the Tor Browser comes pre-loaded with certain privacy-focused add-ons.
“We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions,” Mozilla said in a statement sent to Threatpost. “We have turned on HPKP on the Add-ons Update service itself so that users will remain protected as part of the background updates performed regularly by Firefox.”
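The mechanism behind the story, as an added illustration (not Mozilla, Tor Project or Threatpost code): a toy pin store that mirrors the two pin sources described above, a static, built-in pin list that carries an expiration date chosen at build time, and dynamic HPKP pins learned from a Public-Key-Pins response header with a max-age. The host name, the SPKI byte strings, the dates and the header are constructed sample values. It shows why an expired static pin silently falls back to plain CA validation, so that a forged but CA-valid certificate passes during the expiry window, and why serving HPKP from the update service itself closes that window for users who have seen the header.

```python
"""Simplified model of browser certificate pinning enforcement (added example).

Two pin sources are modelled: a static pin list with a build-time expiration
date, and dynamic HPKP pins cached from a Public-Key-Pins header. All host
names, SPKI values and dates below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import base64
import hashlib
import re


@dataclass
class PinSet:
    host: str
    spki_sha256: set        # base64(SHA-256(SubjectPublicKeyInfo)) values
    expires: datetime       # pins are ignored once this instant has passed


@dataclass
class PinStore:
    static: dict = field(default_factory=dict)   # host -> PinSet shipped in the build
    dynamic: dict = field(default_factory=dict)  # host -> PinSet learned via HPKP

    def active_pins(self, host, now):
        """Union of un-expired pins for host, or None when nothing is enforced."""
        pins = set()
        for source in (self.static, self.dynamic):
            ps = source.get(host)
            if ps is not None and now < ps.expires:
                pins |= ps.spki_sha256
        return pins or None

    def learn_hpkp(self, host, header, now):
        """Cache pins from a Public-Key-Pins header (RFC 7469 shape).

        A conforming client requires a max-age and at least two pins (one of
        them a backup pin); anything else is ignored. Returns True if cached.
        """
        max_age = re.search(r"max-age=(\d+)", header)
        pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
        if max_age is None or len(pins) < 2:
            return False
        ttl = timedelta(seconds=int(max_age.group(1)))
        self.dynamic[host] = PinSet(host, pins, now + ttl)
        return True


def spki_pin(spki_der: bytes) -> str:
    """Pin value for a SubjectPublicKeyInfo blob: base64 of its SHA-256."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_connection(store, host, presented_spki_der, chain_is_ca_valid, now):
    """Decide whether a TLS connection to host is accepted; returns (ok, reason).

    With no active pin the decision rests on CA validation alone, which is the
    state the article describes between the pin expiry dates and Sept. 20.
    """
    if not chain_is_ca_valid:
        return False, "chain failed CA validation"
    pins = store.active_pins(host, now)
    if pins is None:
        return True, "no active pin: CA validation only"
    if spki_pin(presented_spki_der) in pins:
        return True, "pin matched"
    return False, "pin mismatch"


def demo():
    """Walk through the timeline with constructed keys and dates."""
    host = "addons.mozilla.org"
    legit = b"constructed SPKI of the genuine update-service key"
    rogue = b"constructed SPKI of a forged but CA-valid certificate"
    backup = b"constructed SPKI of a backup key"
    utc = timezone.utc

    store = PinStore()
    # Static pin shipped with the build, set (as in the story) to expire
    # before the next release instead of after it.
    store.static[host] = PinSet(host, {spki_pin(legit)}, datetime(2016, 9, 10, tzinfo=utc))

    results = {}
    before = datetime(2016, 9, 1, tzinfo=utc)
    results["legit_before_expiry"] = check_connection(store, host, legit, True, before)
    results["rogue_before_expiry"] = check_connection(store, host, rogue, True, before)

    # Inside the exposure window: the static pin has lapsed, so a CA-valid
    # forged certificate is accepted with no pin check at all.
    during = datetime(2016, 9, 15, tzinfo=utc)
    results["rogue_after_expiry"] = check_connection(store, host, rogue, True, during)

    # Mitigation: the update service itself serves HPKP, so clients that have
    # seen the header carry dynamic pins that outlive the static list.
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        spki_pin(legit), spki_pin(backup))
    results["hpkp_cached"] = store.learn_hpkp(host, header, during)
    results["rogue_after_hpkp"] = check_connection(store, host, rogue, True, during)
    results["legit_after_hpkp"] = check_connection(store, host, legit, True, during)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a defender takes from `active_pins` is the fail-open choice: an expired pin set is treated as "no opinion" rather than as a failure, which is why nothing warned users during the window. A build-time check that the static list's `expires` lies past the scheduled next-release date would have caught the Sept. 3 and Sept. 10 gaps before shipping.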
As Duff pointed out in a post-mortem he wrote today, the bug would have cropped up again several more times before the end of the year, with the biggest window of exposure starting Dec. 17, when the Firefox 50 static pins were set to expire and not be updated until five weeks later, on Jan. 24, 2017. Duff raised the issue in an IRC channel devoted to Tor developers, and data compiled by Matt Nordhoff shows that the situation has not happened frequently. Firefox ESR pinning, for example, had expired only once before, from July 4 to Aug. 11, 2015. Tor Browser, meanwhile, did not support static pins until version 5.0 and had not been vulnerable until this most recent release.
“I will never handle anything this interesting again,” Duff said.