Patch Bugzilla! Anyone can access your private bugs – including your security vulns
Buggy bug bag bug will spill software secrets
If you or your organization is running Bugzilla, and you're using email-based permissions, make sure you've updated to the latest version – namely 5.0.1, 4.4.10, or 4.2.15.
That's because someone's found a way to easily access private bugs in your codebase – such as critical security holes you're still working on to fix. An attacker must be able to register for a normal account via email, before exploiting a programming blunder to gain extra access.
The vulnerability within Bugzilla, going back to version 2.0, means big-name open-source projects, such as Mozilla's Firefox, potentially exposed details of their non-public security flaws to the world.
Armed with this sensitive information, miscreants can develop exploits to attack software on people's computers before patches are released.
It would give malware writers and other villains all the blueprints they need to potentially infect people's machines.
The Mozilla Bugzilla team was warned about the gaping hole in its management software on September 7 by infosec outfit PerimeterX. Three days later, the code was fixed and released.
"The discovered vulnerability allows an attacker to obtain permissions on a Bugzilla service they would not otherwise receive," explained PerimeterX's Netanel Rubin in a blog post published today.
"This is achieved by tricking the system into believing that the attacker is part of a privileged domain, causing the system to grant domain-specific permissions.
"If you are using email-based permissions in your Bugzilla deployment and have not yet installed a patched version, take it down until patched. Make sure to go over the logs and user-list to identify users that were created using this vulnerability.
"This vulnerability is extremely easy to exploit and the details have been known for more than a week, you have been or will be attacked."
The Bugzilla hole can be exploited by writing more than 255 bytes of data to a tinytext MySQL database entry that expects no more than 255 bytes – and truncates it. That means you can register for an account using an email address such as:
Provided you've setup yourevildomain.org to receive email from that long address, the record in the database will be truncated to:
If you've set up Bugzilla to give special permissions – such as accessing private security bugs – to people with victimdomain.org email addresses, bingo: the attacker can now see more than they should. The victimdomain.org domain could be your corporate or organization's official domain for staffers and trusted contributors, separating them from normal netizens who register accounts and have limited access.
"The implications of this vulnerability are severe," Rubin added.
"It could allow an attacker to access undisclosed security vulnerabilities in hundreds of products, in a manner similar to the Mozilla major data leak in August this year, only multiplied by the thousands of publicly available Bugzilla deployments. Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed."
In an advisory, Mozilla said: "The Bugzilla team wish to thank the following people for their assistance in locating, advising us of, and assisting us to fix these issues: Byron Jones, Frédéric Buclin, and Netanel Rubin." ®