Closed Bug 1720098 (CVE-2022-22757) Opened 2 years ago Closed 1 year ago

Need to validate Host and Origin headers for remote agent websockets connection

Categories

(Remote Protocol :: Agent, defect, P2)

Points:
2

Tracking

(firefox-esr91 wontfix, firefox95 wontfix, firefox96 wontfix, firefox97 fixed)

RESOLVED FIXED
97 Branch

People

(Reporter: jgraham, Assigned: jdescottes)

References

Details

(Keywords: sec-moderate, Whiteboard: [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage][adv-main97+])

Attachments

(2 files, 1 obsolete file)

Otherwise it may be possible for websites to connect to the remote agent, c.f. https://bugzilla.mozilla.org/show_bug.cgi?id=1648964. Checks should go in https://searchfox.org/mozilla-central/source/remote/server/WebSocketHandshake.jsm#76

Whiteboard: [webdriver:triage]
Priority: -- → P2
Whiteboard: [webdriver:triage]

We'll call this sec-moderate for now because we don't know of a specific exploitable case at the moment and not many users run this, but like bug 1648964, failures are likely to be of the sec-high type.

Keywords: sec-moderate
Whiteboard: failures could end up being sec-high
Whiteboard: failures could end up being sec-high → [failures could end up being sec-high][webdriver:triage]

As discussed in our triage meeting, checking headers should actually be easy. But it might be harder to figure out what we actually need here. So we could start simple with just allowing localhost/127.0.0.1 even without IPv6 support, which would reduce the points to just 2.

But for now let's add to our M2 milestone because it would be bad to tell Selenium folks to not use our BiDi implementation for logging because it is totally unsecure.

Points: --- → 8
Whiteboard: [failures could end up being sec-high][webdriver:triage] → [failures could end up being sec-high][bidi-m2-mvp]
Severity: -- → S3
Assignee: nobody → jdescottes
Status: NEW → ASSIGNED
Points: 8 → 2
Attachment #9254227 - Attachment is obsolete: true
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
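
The simple starting policy described in the comment above (accept only localhost/127.0.0.1 in Host, no IPv6), as an added example that is not part of the bug or of Firefox's patch. The function names, the header Map shape, port 9222 and the choice to reject any request that carries an Origin header are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not code from WebSocketHandshake.jsm.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1"]); // no IPv6 in this simple policy

// Split "host[:port]" into parts; returns null when the value is malformed.
function parseHostHeader(value) {
  const match = /^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(value.trim());
  if (!match) {
    return null;
  }
  return { host: match[1].toLowerCase(), port: match[2] ? Number(match[2]) : null };
}

// headers: Map of lower-cased header names to values (assumed shape).
// serverPort: port the remote agent listens on.
function checkHandshakeHeaders(headers, serverPort) {
  const rawHost = headers.get("host");
  if (rawHost === undefined) {
    return { ok: false, reason: "missing Host header" };
  }
  const parsed = parseHostHeader(rawHost);
  if (!parsed) {
    return { ok: false, reason: "malformed Host header" };
  }
  // A Host that is not a loopback name means the client reached this
  // port under some other hostname, so the request is refused.
  if (!ALLOWED_HOSTS.has(parsed.host)) {
    return { ok: false, reason: `Host ${parsed.host} is not a loopback name` };
  }
  if (parsed.port !== null && parsed.port !== serverPort) {
    return { ok: false, reason: `Host port ${parsed.port} does not match ${serverPort}` };
  }
  // Browsers attach Origin to every WebSocket handshake a page starts, so
  // its presence marks a web page as the caller; assumed policy: reject.
  if (headers.has("origin")) {
    return { ok: false, reason: `unexpected Origin ${headers.get("origin")}` };
  }
  return { ok: true, reason: "" };
}

// Constructed handshake headers, not captured traffic.
const samples = {
  localClient: new Map([["host", "localhost:9222"], ["upgrade", "websocket"]]),
  webPage: new Map([["host", "127.0.0.1:9222"], ["origin", "https://site.example"]]),
  otherName: new Map([["host", "other-name.example:9222"]]),
  bracketedV6: new Map([["host", "[::1]:9222"]]),
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, checkHandshakeHeaders(headers, 9222));
}
```

The check belongs before the server sends the 101 Switching Protocols response, so a rejected client never gets an open socket.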

WebDriver Bidi is not enabled by default on release branches. And as such no testing is done. Therefore we aren't considering an uplift to beta.

Same applies also to the esr91 branch.

Whiteboard: [failures could end up being sec-high][bidi-m2-mvp] → [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage]
Blocks: 1746953
Whiteboard: [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage] → [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage][adv-main97+]
Attached file advisory.txt
Alias: CVE-2022-22757
See Also: → 1754738
Blocks: 1755317
Group: core-security-release