Closed Bug 1468525 Opened 6 years ago Closed 4 years ago

AUS Security Audit

Category: Cloud Services :: Security (defect)
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: jvehent
Assigned: jvehent
Attachments: 1 file

The Firefox Application Update Service (AUS) was reviewed for security vulnerabilities in March and April 2018 by X41 D-Sec GmbH in a technical security audit.

Of the 14 vulnerabilities discovered during the test, X41 D-Sec GmbH rated none as critical; three were classified as high severity, seven as medium, and four as low. In addition, 21 issues without a direct security impact were identified.

The goal of this review was to identify security vulnerabilities present in the components of AUS. This includes the updater client components included in Firefox, the backend delivering the updates, and the management web application (Balrog).

The review was conducted in a total of 216 person-hours by a team of 4 security experts including a cryptographer.

Penetration testing methods were used against the infrastructure, web applications, and updater clients. Additionally, the source code of the tested application components was reviewed.

X41 D-Sec GmbH found the security level of AUS to be good. No critical vulnerabilities were identified in any of the components. The most serious vulnerability discovered is a Cross-Site Request Forgery (CSRF) vulnerability in the administration web application interface that might allow attackers to trigger unintended administrative actions under certain conditions. Other vulnerabilities identified were memory corruption issues, insecure handling of untrusted data, and stability issues (Denial of Service (DoS)). Most of these issues were constrained by the need to first bypass cryptographic signatures.

No issues were identified in the handling of cryptographic signatures for update files. There were, however, no cryptographic signatures on the XML files that describe the update file locations and other metadata. These files were downloaded via HTTPS, but the server certificates or public keys were not pinned.

It is strongly recommended to sign the update XML files with a strong cryptographic signature to protect metadata values such as links to release notes. This will also reduce the attack surface and mitigate attacks against the Extensible Markup Language (XML) parser, which runs in a privileged context. The authentication of the Balrog web application currently uses HTTP Basic Authentication without rate limiting. To enable stronger authentication, including multiple factors, the use of a proven authentication system or service is advised.
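The recommendation above is to verify a signature over the update XML before the privileged XML parser ever touches the bytes, so that a tampered manifest (for example a rewritten release-notes link) is rejected without being parsed. The following Go program is an added illustration of that ordering and is not code from the X41 report, Firefox, or Balrog. It assumes an Ed25519 detached signature and a simplified manifest layout (the element and attribute names, the `MaxManifestSize` cap, and the sample manifest are all constructed for this example), and signs the exact served bytes so the client needs no canonicalisation step.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
)

// ErrBadSignature is returned before any XML parsing happens.
var ErrBadSignature = errors.New("update manifest: signature verification failed")

// MaxManifestSize caps what the client is willing to verify and parse
// (constructed limit; guards against oversized input reaching the parser).
const MaxManifestSize = 1 << 20

// Update is a trimmed-down model of an update manifest. The element and
// attribute names are an assumption for this example, not the AUS schema.
type Update struct {
	XMLName    xml.Name `xml:"update"`
	AppVersion string   `xml:"appVersion,attr"`
	DetailsURL string   `xml:"detailsURL,attr"`
	Patches    []Patch  `xml:"patch"`
}

// Patch describes one downloadable update file in the simplified schema.
type Patch struct {
	Type      string `xml:"type,attr"`
	URL       string `xml:"URL,attr"`
	HashValue string `xml:"hashValue,attr"`
	Size      int64  `xml:"size,attr"`
}

// NewSigningKeys generates an Ed25519 key pair standing in for the update
// server's signing key (hypothetical; a real client would ship only the
// public key and never hold the private half).
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest produces a detached signature over the exact bytes that will
// be served. Signing raw bytes, not a parsed and re-serialised form, means
// the client verifies before it parses and needs no canonicalisation.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyAndParse checks the size cap and the detached signature first and
// only hands the bytes to the XML parser once they are known to come from
// the signer. A modified manifest therefore never reaches the parser.
func VerifyAndParse(pub ed25519.PublicKey, manifest, sig []byte) (*Update, error) {
	if len(manifest) > MaxManifestSize {
		return nil, fmt.Errorf("update manifest: %d bytes exceeds limit", len(manifest))
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, manifest, sig) {
		return nil, ErrBadSignature
	}
	var u Update
	if err := xml.Unmarshal(manifest, &u); err != nil {
		return nil, fmt.Errorf("update manifest: parse: %w", err)
	}
	return &u, nil
}

// sampleManifest is constructed input for the demonstration.
const sampleManifest = `<?xml version="1.0"?>
<update appVersion="61.0" detailsURL="https://example.invalid/notes/61.0">
  <patch type="complete" URL="https://example.invalid/firefox-61.0.complete.mar" hashValue="deadbeef" size="1234"/>
</update>`

func main() {
	pub, priv, err := NewSigningKeys()
	if err != nil {
		panic(err)
	}
	manifest := []byte(sampleManifest)
	sig := SignManifest(priv, manifest)

	u, err := VerifyAndParse(pub, manifest, sig)
	fmt.Println("genuine manifest:", err, u.DetailsURL)

	// Metadata modified in transit: the signature over the original bytes
	// no longer matches, so the parser is never invoked on this input.
	tampered := bytes.Replace(manifest, []byte("notes/61.0"), []byte("notes/other"), 1)
	_, err = VerifyAndParse(pub, tampered, sig)
	fmt.Println("modified manifest:", err)
}
```

The order of checks is the point: the size cap and signature check are cheap and operate on opaque bytes, so the comparatively large XML parser only ever runs on input the signer vouched for. Certificate or key pinning on the HTTPS transport is complementary, since it protects the channel rather than the manifest itself.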

Several components parsing and handling potentially untrusted data rely on legacy code written in C. It is recommended to refactor this code and potentially reimplement it using only memory-safe operations, for example in the safe language subsets of Rust or Golang.

The number of side findings described in section 5.2 was unusually high. X41 D-Sec GmbH believes this can be attributed to the testing mode, and to previous technical audits that led to mitigations preventing the exploitation of weaknesses. It cannot be ruled out that some of the side findings might prove to be exploitable with increased time and effort, resulting in critical vulnerabilities. Therefore it is strongly recommended to fix these issues in a timely manner.

In conclusion, the AUS showed good resistance against actual exploitation of vulnerabilities. Several high severity vulnerabilities and a high number of not directly exploitable bugs were discovered. It is recommended to fix the issues and conduct a re-test in order to validate the fixes.
Depends on: 1457890, 1457894
Depends on: 1457902, 1457904, 1465206
Depends on: 1457895, 1457893, 1457888
Depends on: 1468528
Blocks: 1468531
No longer blocks: 1468531
Depends on: 1468531
Depends on: 1476956
No longer depends on: 1476956
Group: cloud-services-security
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED