Closed Bug 1677940 (CVE-2021-23961) Opened 4 years ago Closed 4 years ago

Consider blocking ports 69, 137, 161, 1719, 6566, 10080

Categories

(Core :: Networking, task)

task

Tracking

RESOLVED FIXED
85 Branch
Tracking Status
firefox-esr78 88+ fixed
firefox83 --- wontfix
firefox84 - wontfix
firefox85 + fixed

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main85+][adv-esr78.10+])

Attachments

(3 files)

+++ This bug was initially created as a clone of Bug #1677047 +++

Samy thinks that we should also block the ports for the following protocols:

  • 6566 SANE
  • 10080 Amanda
  • 69 TFTP
  • 161 SNMP
  • 1719 H323 (RAS)
  • 137 NetBIOS

The more ports we add, the more concerned I am about breakage, but I'll write a patch.

Assignee: nobody → fbraun
Status: NEW → ASSIGNED

Depends on D97423

Hi freddy, does this need approval requests also?

Of all changes, this seems to be the most controversial. Other folks expect pushback, especially for port 10080 (looking at code search, and given that it ends in "80"). I would rather have this one ride the trains.

Flags: needinfo?(fbraun)

OK. I'll set ESR78 back to ? for now and we can decide at a later time if it's needed there or not after more bake time.

Regarding the 10080 port, that ALG requires the communication to use UDP, so I think it would be reasonable to allow 10080 TCP but block 10080 UDP (e.g. when using UDP STUN/TURN):
https://github.com/torvalds/linux/blob/3c00fb0bf0e0f061715c04ad609de93ddc046aa1/net/netfilter/nf_conntrack_amanda.c#L178-L199

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Hi Freddy, we're a week out from the 78.7esr RC. Have we given any more thought as to whether we want to include this change or not?

Flags: needinfo?(fbraun)
Flags: needinfo?(fbraun)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main85+]
Attached file advisory.txt
Alias: CVE-2021-23961
Regressions: 1689107
Group: core-security-release

Comment on attachment 9188543 [details]
Bug 1677940 Consider blocking ports 69, 137, 161, 1719, 6566, 10080 r?valentin

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: likely to be more dangerous in enterprise settings, as their local network is busier and has more interesting services
  • User impact if declined: missing a security fix
  • Fix Landed on Version: 85
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): Blocking access to specific ports is tricky. We have no insight as to whether it will break things for a specific enterprise. That being said, a pref exists to allow specific ports regardless of our defaults.
  • String or UUID changes made by this patch: none
Attachment #9188543 - Flags: approval-mozilla-esr78?
Attachment #9188544 - Flags: approval-mozilla-esr78?

A bit more information for the approval request: Chrome finally decided to implement port 10080 blocking as well, as per https://github.com/whatwg/fetch/issues/1191#issuecomment-815434180
I didn't want us to backport until we knew we wouldn't undo it, but Chrome's support convinced me we're unlikely to revert now.
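An added example, not code from Firefox or from this bug's patches: a small JavaScript model of the banned-port check these patches extend, with an override list in the style of the pref mentioned in the approval request. The override syntax (comma-separated ports or "low-high" ranges) and the router address are assumptions.

```javascript
// Added example, not Firefox's own code: models the banned-port check this bug
// extends, plus an override list in the style of Firefox's
// network.security.ports.banned.override pref (range syntax is an assumption).

// The six ports this bug adds to the blocklist.
const BANNED_PORTS = new Set([69, 137, 161, 1719, 6566, 10080]);

// Default ports for the schemes we care about (a URL with no explicit port).
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Parse "10080, 6000-6010, junk, 70000" into a Set of valid port numbers,
// silently dropping tokens that are not ports or ranges within 1..65535.
function parseOverride(pref) {
  const allowed = new Set();
  for (const token of (pref || "").split(",")) {
    const m = token.trim().match(/^(\d{1,5})(?:-(\d{1,5}))?$/);
    if (!m) continue;
    const lo = Number(m[1]);
    const hi = m[2] === undefined ? lo : Number(m[2]);
    if (lo < 1 || hi > 65535 || lo > hi) continue;
    for (let p = lo; p <= hi; p++) allowed.add(p);
  }
  return allowed;
}

// True if a connection to `port` is permitted: banned ports are refused unless
// the override list re-allows them.
function isPortAllowed(port, overridePref = "") {
  if (!BANNED_PORTS.has(port)) return true;
  return parseOverride(overridePref).has(port);
}

// Decide for a full URL, resolving the effective port the way a fetch would.
// Returns { blocked, port } so a caller can log which port tripped the check.
function checkUrl(urlString, overridePref = "") {
  const url = new URL(urlString);
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (port === undefined) throw new Error(`unsupported scheme ${url.protocol}`);
  return { blocked: !isPortAllowed(port, overridePref), port };
}

// Constructed sample: the captive-portal case from the comments, which an
// admin could re-enable through the override pref rather than a code change.
const portal = "http://192.168.0.1:10080/"; // placeholder router address
console.log(checkUrl(portal));          // { blocked: true, port: 10080 }
console.log(checkUrl(portal, "10080")); // { blocked: false, port: 10080 }
```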

Comment on attachment 9188544 [details]
Bug 1677940 - clang-format r?valentin

AFAICT this isn't needed for the uplift. Try seems fine without it.

Attachment #9188544 - Flags: approval-mozilla-esr78?

Comment on attachment 9188543 [details]
Bug 1677940 Consider blocking ports 69, 137, 161, 1719, 6566, 10080 r?valentin

Approved for 88.0b9.

Attachment #9188543 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Whiteboard: [post-critsmash-triage][adv-main85+] → [post-critsmash-triage][adv-main85+][adv-esr78.10+]

(In reply to Frederik Braun [:freddy] from comment #1)

The more ports we add, the more concerned I am about breakage, but I'll write a patch.

This breaks captive portal (“Guest WiFi”) on Linksys WRT1900AC… any chance of a “Continue Anyways” button?

See https://www.reddit.com/r/HomeNetworking/comments/nyr6il/tcp_port_10080_blocked_by_google_chrome/ and https://stackoverflow.com/questions/27209915/bash-curl-wget-with-linksys-guest-network

There has been a bit of an explanation of why we can't easily revert our logic in https://bugzilla.mozilla.org/show_bug.cgi?id=1689107#c10, but I could imagine a "temporarily allow for this site" functionality... Let's file a feature request.

See Also: → 1720442