Closed Bug 1677047 (CVE-2020-26978) Opened 5 months ago Closed 5 months ago

Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list.

Categories

(Core :: Networking, task)

Tracking

RESOLVED FIXED
85 Branch
Tracking Status
firefox-esr78 84+ fixed
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 + fixed
firefox85 + fixed

People

(Reporter: freddy, Assigned: freddy)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main84+][adv-esr78.6+])

Attachments

(3 files)

Summary: Add the ports for the SIP, H323, PPTP, RTSP protocols (5060, 1720, 1723, 554) to the restricted ports list. → Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list.
Type: enhancement → task
Keywords: sec-moderate
Attachment #9187612 - Attachment description: Bug 1677047 - Testing to block ports 1720, 1723, 554- r?jgraham → Bug 1677047 - Testing to block ports 1720, 1723, 554- r=valentin

Please nominate this for Beta and ESR78 approval when you're comfortable doing so.

Flags: needinfo?(fbraun)
Flags: in-testsuite+

Comment on attachment 9187611 [details]
Bug 1677047 - Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list. - r?valentin

Beta/Release Uplift Approval Request

  • User impact if declined: less protection for a (yet to be disclosed) bug. Would be great if we could get the fix out soon.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The port shouldn't be used for HTTP(s) and seldom is. Users who really need this can override themselves. If there's significant breakage, we can override globally with remote settings
  • String changes made/needed:
Flags: needinfo?(fbraun)
Attachment #9187611 - Flags: approval-mozilla-beta?
Attachment #9187612 - Flags: approval-mozilla-beta?

Comment on attachment 9187611 [details]
Bug 1677047 - Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list. - r?valentin

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: blocking a non-HTTP port for HTTP traffic.
  • User impact if declined: less protection for an (undisclosed) bug
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Might be risky if enterprises run stuff on very odd ports in their intranet. We don't have telemetry for this. Users can override with a pref. We can also override the blocking with a remote pref, but I honestly don't know if these overrides would be valid for ESR or if we'd remove the protection on all branches. (Same as https://bugzilla.mozilla.org/show_bug.cgi?id=1674735#c9), though this issue here is not public yet
  • String or UUID changes made by this patch:
Attachment #9187611 - Flags: approval-mozilla-esr78?
Attachment #9187612 - Flags: approval-mozilla-esr78?

Mike, do you have any thoughts on how likely this and bug 1674735 are to cause problems in enterprise environments?

Flags: needinfo?(mozilla)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

> Mike, do you have any thoughts on how likely this and bug 1674735 are to cause problems in enterprise environments?

Unfortunately I don't and I can't ask.

How are these flipped back by prefs exactly? The bug is changing hardcoded lists.

Do we know of any legitimate uses of these ports?

Flags: needinfo?(mozilla)

Comment on attachment 9187611 [details]
Bug 1677047 - Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list. - r?valentin

Approved for 84.0b2.

Attachment #9187611 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9187612 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hi! I believe the following ports should additionally be blocked (otherwise the same attacks can likely continue to be employed) which I did not see in the two patches above. I've pulled these from the Linux netfilter source and documented them here:

  • 6566 SANE
  • 10080 Amanda
  • 69 TFTP
  • 161 SNMP
  • 1719 H323 (RAS)
  • 137 NetBIOS

Thanks! Please shoot over any questions.

(In reply to Mike Kaply [:mkaply] from comment #9)

> (In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
>
> > Mike, do you have any thoughts on how likely this and bug 1674735 are to cause problems in enterprise environments?
>
> Unfortunately I don't and I can't ask.
>
> How are these flipped back by prefs exactly? The bug is changing hardcoded lists.

When going over the list, our code will check for the (non-default) network.security.ports.banned.override pref.
Any port in that list will not be blocked after all.
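
The override behaviour described in the comment above, modelled as an added example (not Firefox's code and not part of the original bug thread). Only the pref name and the three ports come from this page; the function names, the plain-object preference store and the accepted pref syntax (comma-separated ports and `a-b` ranges) are assumptions of the model.

```javascript
// Simplified model of a restricted-port check with a per-port override.
// Not Firefox source; every name except the pref is hypothetical.

// Subset of the hardcoded list: only the three ports added in this bug.
const BANNED_PORTS = new Set([554, 1720, 1723]);
const OVERRIDE_PREF = "network.security.ports.banned.override";

// Parse a pref value such as "554" or "1720-1723,554" into a Set of ports.
// Assumption: comma-separated ports and a-b ranges. Malformed or
// out-of-range entries are skipped so a typo never widens the allow set.
function parsePortList(prefValue) {
  const ports = new Set();
  for (const raw of String(prefValue || "").split(",")) {
    const m = /^\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*$/.exec(raw);
    if (!m) continue;
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo < 1 || hi > 65535 || lo > hi) continue;
    for (let p = lo; p <= hi; p++) ports.add(p);
  }
  return ports;
}

// True if a connection to `port` is allowed. `prefs` is a plain object
// standing in for the preference store; the pref is unset by default.
function isPortAllowed(port, prefs = {}) {
  if (!BANNED_PORTS.has(port)) return true;      // not on the list
  return parsePortList(prefs[OVERRIDE_PREF]).has(port); // explicit opt-out
}

// Constructed scenarios: a default profile and one that needs port 554.
function demo() {
  const defaults = {};
  const intranet = { [OVERRIDE_PREF]: "554" };
  return {
    defaultBlocks554: !isPortAllowed(554, defaults),
    overrideAllows554: isPortAllowed(554, intranet),
    overrideStillBlocks1720: !isPortAllowed(1720, intranet),
    port443Unaffected: isPortAllowed(443, defaults),
  };
}
console.log(demo());
```

Listing only the port that is actually needed keeps the remaining entries blocked, which is the property the model's third scenario checks.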

(In reply to Samy Kamkar from comment #12)

> Hi! I believe the following ports should additionally be blocked (otherwise the same attacks can likely continue to be employed) which I did not see in the two patches above. I've pulled these from the Linux netfilter source and documented them here:
>
>   • 6566 SANE
>   • 10080 Amanda
>   • 69 TFTP
>   • 161 SNMP
>   • 1719 H323 (RAS)
>   • 137 NetBIOS
>
> Thanks! Please shoot over any questions.

I just realized I didn't respond to the comment. This has been fixed in bug 1677940, which landed earlier in the week and should be ready for testing in Firefox Nightly.

Comment on attachment 9187611 [details]
Bug 1677047 - Add the ports for the H323, PPTP, RTSP protocols (1720, 1723, 554) to the restricted ports list. - r?valentin

approved for 78.6esr

Attachment #9187611 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Attachment #9187612 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

Backed out for perma failures on websockets/Create-blocked-port.any.html:

https://hg.mozilla.org/releases/mozilla-esr78/rev/a84355c618cace81392286f557b8f2874347aaae

Push with failures: https://treeherder.mozilla.org/jobs?repo=mozilla-esr78&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunning%2Cpending%2Crunnable&revision=0724cae903ec40535803c41f61e45638377d8b5e&selectedTaskRun=PnBWafuzTsKZMZu6RsFxKA.0
Failure log: https://treeherder.mozilla.org/logviewer?job_id=323461686&repo=mozilla-esr78

[task 2020-12-03T17:25:48.727Z] 17:25:48 INFO - TEST-UNEXPECTED-FAIL | /websockets/Create-blocked-port.any.worker.html | WebSocket blocked port test 554 - The operation is insecure.
[task 2020-12-03T17:25:48.728Z] 17:25:48 INFO - CreateWebSocketWithBlockedPort@http://web-platform.test:8000/websockets/websocket.sub.js:43:12
[task 2020-12-03T17:25:48.728Z] 17:25:48 INFO - @http://web-platform.test:8000/websockets/Create-blocked-port.any.js:83:46
[task 2020-12-03T17:25:48.729Z] 17:25:48 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1977:25
[task 2020-12-03T17:25:48.729Z] 17:25:48 INFO - async_test@http://web-platform.test:8000/resources/testharness.js:571:22
[task 2020-12-03T17:25:48.730Z] 17:25:48 INFO - @http://web-platform.test:8000/websockets/Create-blocked-port.any.js:82:13
[task 2020-12-03T17:25:48.730Z] 17:25:48 INFO - @http://web-platform.test:8000/websockets/Create-blocked-port.any.js:81:3
[task 2020-12-03T17:25:48.730Z] 17:25:48 INFO - @http://web-platform.test:8000/websockets/Create-blocked-port.any.worker.js:8:14

Flags: needinfo?(fbraun)

Can we land this without the websockets hunk, at https://hg.mozilla.org/releases/mozilla-esr78/rev/64addb3cd358#l3.2?
We're effectively hitting https://bugzilla.mozilla.org/show_bug.cgi?id=1349969, which I don't think is worth uplifting.

Flags: needinfo?(fbraun)
Whiteboard: [adv-main84+] → [adv-main84+][adv-esr78.6+]
Regressions: 1684007
Regressions: 1687282
Group: core-security-release