Closed Bug 1388015 (CVE-2019-11737) Opened 3 years ago Closed 1 year ago

Partial Content Security Policy bypass if host-part contains wildcard

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- fixed
firefox68 --- wontfix
firefox69 --- fixed
firefox70 --- fixed

People

(Reporter: xiaoyin.l, Assigned: sstreich)

References

Details

(Keywords: sec-low, Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main69+][adv-esr68.1+])

Attachments

(2 files)

Attached file CSP wildcard PoC.html
A Content-Security-Policy: img-src https://*:4433 should only allow port 4433, but Firefox allows a URL with any port.

Reproducible in Firefox Stable 54 and Nightly 57.0a1. Not reproducible in Edge and Chrome.

This is the same issue as https://bugs.chromium.org/p/chromium/issues/detail?id=682673 in Chromium.
Group: core-security → dom-core-security
I think the issue is at Line 644 in nsCSPUtils.cpp [1]. If the Host part is *, the function returns true if the scheme is not one of blob:, data:, or filesystem:, without checking the port or path. I think Bug 1075230 is related, since

> +  // 2) host matching: Enforce a single *
> +  if (mHost.EqualsASCII("*")) {
> +    return true;
> +  }
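Review bot: the early `return true` when `mHost` is `*` short-circuits the rest of the host-source match, so an expression such as `https://*:4433` never has its port (or path) compared against the loaded URL, which is exactly the bypass this bug reports. The wildcard branch should only skip the host comparison and fall through to the port and path checks that follow, rather than returning from the function.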

was introduced in the patch for that bug.

[1] https://hg.mozilla.org/mozilla-central/file/7f21a31de9fa/dom/security/nsCSPUtils.cpp#l644
Yeah, I think we bail early and allow the load if the wildcard is used for the host without checking the port. I am going to look into that and get that fixed.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Calling this sec-low because if you'll accept any arbitrary host it would be easy for an attacker to use whatever port they needed to bypass CSP anyway. But sure, if the spec says to enforce port then we should do that.

We should check that path is enforced too.
Keywords: sec-low
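As an added illustration of the reporter's analysis above and of the triager's note that the path must be enforced too (this is example code, not Firefox's nsCSPUtils.cpp and not the patch for this bug): a small JavaScript model of CSP host-source matching. It parses a host-source expression into scheme, host, port and path, then matches a URL against it, with an option that reproduces the early "host is *" return so the bypass and the corrected behaviour can be compared side by side. The function names, the SELF_SCHEME assumption (page served over https), and the test URLs are assumptions made for the example; the matching rules are a simplified form of the CSP Level 3 host-source grammar.

```javascript
// Added example (not Firefox code): a model of CSP host-source matching,
// used to show why an early "host is *" return skips the port and path checks.
// Grammar handled (simplified from CSP Level 3):
//   [scheme "://"] host [":" port] [path]
// where host is "*", "*.suffix" or a literal host, and port is "*" or digits.

const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };
// Assumption for the example: the protected page is served over https.
const SELF_SCHEME = "https:";

// Parse an expression such as "https://*:4433/images/" into its parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*(?:\.[^:\/]+)?|[^:\/*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error(`cannot parse host-source: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] === undefined ? null : m[3] === "*" ? "*" : Number(m[3]),
    path: m[4] || "",
  };
}

function schemeMatches(src, url) {
  const want = src.scheme || SELF_SCHEME;
  if (want === url.protocol) return true;
  // CSP lets an http:/ws: expression also match its secure upgrade.
  return (want === "http:" && url.protocol === "https:") ||
         (want === "ws:" && url.protocol === "wss:");
}

// "*" matches any host, "*.suffix" matches strict subdomains, else exact match.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Explicit port must match; "*" matches any; no port means the scheme default.
function portMatches(src, url) {
  const urlPort = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (src.port === "*") return true;
  if (src.port === null) {
    const scheme = src.scheme || url.protocol;
    return urlPort === DEFAULT_PORTS[scheme];
  }
  return src.port === urlPort;
}

// A path ending in "/" is a prefix match, otherwise it must match exactly.
function pathMatches(src, url) {
  if (src.path === "") return true;
  if (src.path.endsWith("/")) return url.pathname.startsWith(src.path);
  return url.pathname === src.path;
}

// wildcardBailsEarly models the pre-fix behaviour quoted in the bug: a "*"
// host returns true before the port and path are ever compared.
function hostSourceAllows(expr, urlString, { wildcardBailsEarly = false } = {}) {
  const src = parseHostSource(expr);
  const url = new URL(urlString);
  if (!schemeMatches(src, url)) return false;
  if (wildcardBailsEarly && src.host === "*") return true;
  if (!hostMatches(src.host, url.hostname)) return false;
  if (!portMatches(src, url)) return false;
  return pathMatches(src, url);
}

// Stand-alone demonstration with constructed URLs.
for (const mode of [{ wildcardBailsEarly: true }, {}]) {
  console.log(mode.wildcardBailsEarly ? "early-return model:" : "corrected order:",
    hostSourceAllows("https://*:4433", "https://attacker.example:8443/a.png", mode),
    hostSourceAllows("https://*/images/", "https://cdn.example/evil/a.png", mode));
}
```

The `wildcardBailsEarly` branch sits exactly where the quoted snippet returns, so the only difference between the two modes is whether the port and path comparisons are reached; in the corrected order the wildcard host still matches any host, but `https://*:4433` no longer admits port 8443 and `https://*/images/` no longer admits paths outside `/images/`.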
Any updates on this?
Moving to P3 because of no activity for at least 1 year.
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Assignee: ckerschb → streich.mobile
Priority: P3 → P2
Keywords: checkin-needed
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Please nominate this patch for Beta and ESR68 approval when you're comfortable doing so.

Flags: needinfo?(streich.mobile)
Flags: in-testsuite+

Comment on attachment 9073020 [details]
Bug 1388015 - Add checks to respect CSP-wildcard + Ports r=ckerschb

Beta/Release Uplift Approval Request

  • User impact if declined: The user is left vulnerable to a CSP bypass attack if the page uses a "wildcard + port" host in its CSP rule.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch just adds a single check in case a "*" is present in the CSP host declaration,
    all the other Code paths for checking the host are left untouched.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Currently Firefox ignores the port in a CSP host declaration if the host is "*",
    which opens a vector for CSP bypassing.
  • User impact if declined: The user is left vulnerable to a CSP-Bypass Attack.
  • Fix Landed on Version: Nightly 70
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch just adds a single check in case a "*" is present in the CSP host declaration,
    all the other Code paths for checking the host are left untouched.
  • String or UUID changes made by this patch:
Flags: needinfo?(streich.mobile)
Attachment #9073020 - Flags: approval-mozilla-esr68?
Attachment #9073020 - Flags: approval-mozilla-beta?

Comment on attachment 9073020 [details]
Bug 1388015 - Add checks to respect CSP-wildcard + Ports r=ckerschb

CSP security improvement with automated tests. Approved for 69.0b6 and 68.1esr.

Attachment #9073020 - Flags: approval-mozilla-esr68?
Attachment #9073020 - Flags: approval-mozilla-esr68+
Attachment #9073020 - Flags: approval-mozilla-beta?
Attachment #9073020 - Flags: approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [domsecurity-active] → [domsecurity-active][post-critsmash-triage]
Alias: CVE-2019-11737
Whiteboard: [domsecurity-active][post-critsmash-triage] → [domsecurity-active][post-critsmash-triage][adv-main68+][adv-esr68.1+]
Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main68+][adv-esr68.1+] → [domsecurity-active][post-critsmash-triage][adv-main69+][adv-esr68.1+]
Regressions: 1579094
Group: core-security-release