Closed Bug 1844827 (CVE-2024-6611) Opened 2 years ago Closed 1 year ago

SameSite cookies are set by cross-site iframe navigations

Categories

(Core :: Networking: Cookies, defect, P2)

Product:
Core
Component:
Networking: Cookies
Version:
Firefox 117
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox127 --- wontfix
firefox128 + fixed
firefox129 + fixed

People

(Reporter: pedrob, Assigned: edgul)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: reporter-external, sec-low, Whiteboard: [necko-priority-queue][necko-triaged][adv-main128+])

Attachments

(4 files, 3 obsolete files)

poc.js
923 bytes, application/x-javascript
Details
Bug 1844827 - Update the cookie test expectations for iframe samesite r?valentin
48 bytes, patch
Details | Diff | Splinter Review
Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=valentin,dveditz,bvandersloot
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review
advisory.txt
156 bytes, text/plain
Details
Attached file poc.js

Hello,

As part of a research project at TU Wien, we are assessing the security implications of WPT tests. We encountered an inconsistency in Firefox, which allows setting SameSite=Strict and Lax cookies from cross-site navigations. This inconsistency allows a gadget attacker (e.g., an ad embedded as an iframe in a benign website, good.com) to deauthenticate users. When paired with a same-site attacker scenario (e.g., when the attacker controls a subdomain of the target website such as atk.good.com), this inconsistency enables stealthy cookie-tossing attacks, which an attacker could leverage to perform more effective session fixation or CSRF token fixation attacks by removing the need for the victim to navigate to the attacker-controlled subdomain.

The deauth attack has the following flow:

  1. User navigates to good.com
  2. good.com sets a cookie auth=1; SameSite=Strict and embeds evil.com.
  3. evil.com navigates itself to good.com/logout, e.g., via window.location.href="http://good.com/logout", which overwrites the auth cookie with auth=0; SameSite=Strict.

The auth cookie (SameSite=Strict or Lax) is set for good.com from a non-top-level cross-origin navigation originating from evil.com. In contrast with Firefox, Chrome does not set these cookies. Although not explicitly mentioned by rfc6265bis, we would argue that Chrome's behavior is more in line with the semantics and expectations of SameSite cookies.

The complete NodeJS code of the PoC is attached to this vulnerability report.

This behavior is captured by the (failing) WPT test: setcookie-navigation.https.html, in particular, the subtest "Cross-site to same-site iframe navigation should only be able to set SameSite=None cookies".

We searched Bugzilla for related issues but found only two bug reports (bug#1692207 and bug#1572607) referencing this test without a clear discussion of its security implications.

Thank you and best regards,
Pedro

Group: firefox-core-security → core-security
Component: Security → Networking: Cookies
Product: Firefox → Core
Group: core-security → network-core-security
URL: https://wpt.fyi/results/cookies/sames...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low

We searched Bugzilla for related issues but found only two bug reports (bug#1692207 and bug#1572607) referencing this test without a clear discussion of its security implications.

and bug 1793083

Blocks: samesite-cookies
See Also: → 1793083, 1692207, 1797033

Although not explicitly mentioned by rfc6265bis, we would argue that Chrome's behavior is more in line with the semantics and expectations of SameSite cookies.

I agree that the Firefox behavior is wrong here. I find the spec to be pretty explicit about that. With the caveat that §4.1.2 is labeled "non-normative", it does tell us what ought to happen. §4.1.2.7 says:

The "SameSite" attribute affects cookie creation as well as delivery. Cookies which assert "SameSite=Lax" or "SameSite=Strict" cannot be set in responses to cross-site subresource requests, or cross-site nested navigations. They can be set along with any top-level navigation, cross-site or otherwise.

In the definitely-normative §5.6 Storage Model algorithm, step 18 describes what to do when setting a cookie with a SameSite value of "Strict" or "Lax". If the request is same-site then you can always set the cookie (point 2). If you get to point 3 then you're dealing with a cross-site request, and those are only allowed if you are "navigating a top-level traversable". iframe navigations are not "top-level" so point 4 says "ignore the newly created cookie entirely".

Although Firefox is getting this wrong, this mechanism provides only limited protection. As §5.5.7.1 points out,

Attackers can still pop up new windows or trigger top-level navigations in order to create a "same-site" request (as described in Section 5.2.1), which is only a speedbump along the road to exploitation.

Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-priority-review][necko-triaged]
Blocks: cookie
Whiteboard: [necko-priority-review][necko-triaged] → [necko-priority-next][necko-triaged]

changes r?#cookie-reviewers

Depends on D199770

Assignee: nobody → edgul
Attachment #9376732 - Attachment description: WIP: Bug 1844827 - Update the cookie test expectations for iframe samesite → Bug 1844827 - Update the cookie test expectations for iframe samesite changes r?#cookie-reviewers
Status: NEW → ASSIGNED
Attachment #9376728 - Attachment description: WIP: Bug 1844827 - Added third party detection for subdocuments visiting top-level same site pages → Bug 1844827 - Added third party detection for subdocuments visiting top-level same site pages
Whiteboard: [necko-priority-next][necko-triaged] → [necko-priority-queue][necko-triaged]
Attachment #9376732 - Attachment description: Bug 1844827 - Update the cookie test expectations for iframe samesite changes r?#cookie-reviewers → Bug 1844827 - Update the cookie test expectations for iframe samesite
Attachment #9376732 - Attachment description: Bug 1844827 - Update the cookie test expectations for iframe samesite → WIP: Bug 1844827 - Update the cookie test expectations for iframe samesite
Attachment #9376728 - Attachment is obsolete: true
Attachment #9376732 - Attachment description: WIP: Bug 1844827 - Update the cookie test expectations for iframe samesite → Bug 1844827 - Update the cookie test expectations for iframe samesite

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons

Keywords: reporter-external
Attachment #9376732 - Attachment description: Bug 1844827 - Update the cookie test expectations for iframe samesite → WIP: Bug 1844827 - Update the cookie test expectations for iframe samesite
Attachment #9376732 - Attachment description: WIP: Bug 1844827 - Update the cookie test expectations for iframe samesite → Bug 1844827 - Update the cookie test expectations for iframe samesite r?valentin
Pushed by acseh@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/1eb6a4e2316b Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=cookie-reviewers,valentin,bvandersloot https://hg.mozilla.org/mozilla-central/rev/00d52f0a38b3 Update the cookie test expectations for iframe samesite r=cookie-reviewers,valentin
Group: network-core-security → core-security-release

:edgul could you please add a beta uplift request when ready?

tracking-firefox129: --- → +

Comment on attachment 9376732 [details] [diff] [review]
Bug 1844827 - Update the cookie test expectations for iframe samesite r?valentin

Beta/Release Uplift Approval Request

  • User impact if declined: Malicious iframes will be able to force a website to set a samesite strict or lax cookie it may not have otherwise set.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Should only affect cross-origin (ABA-like) scenarios on navigation.
    We added a pref to easily toggle this off.
    WPTs seem fine. Manual testing seems fine.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9376732 - Attachment is patch: true
Attachment #9376732 - Attachment mime type: text/x-phabricator-request → text/plain
Attachment #9376732 - Flags: approval-mozilla-release?
Attachment #9376732 - Flags: approval-mozilla-beta?

Comment on attachment 9390230 [details]
Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=valentin,dveditz,bvandersloot

Approved for 128.0b3.

Attachment #9390230 - Flags: approval-mozilla-beta+
Attachment #9376732 - Flags: approval-mozilla-release?
Attachment #9376732 - Flags: approval-mozilla-beta?
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [necko-priority-queue][necko-triaged] → [necko-priority-queue][necko-triaged][adv-main128+]
Attached file advis (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9411721 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9411776 - Attachment is obsolete: true
Alias: CVE-2024-6611
Group: core-security-release
Duplicate of this bug: 1959501
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: