Closed Bug 1870262 (CVE-2024-0753) Opened 1 year ago Closed 1 year ago

HSTS policy on subdomain without includeSubDomains can bypass policy of upper domain

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
123 Branch
Tracking Flags:
Tracking Status
firefox-esr115 122+ fixed
firefox121 --- wontfix
firefox122 + fixed
firefox123 + fixed

People

(Reporter: hanno, Assigned: keeler)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [adv-main122+][adv-esr115.7+])

Attachments

(3 files)

Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS r?jschanck
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS (ESR115) r?jschanck
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-esr115+
Details | Review
advisory.txt
159 bytes, text/plain
Details

I believe I have found a security problem in the HSTS interpretation of Firefox.

Take the following three URLs (this is a live example on a test domain of mine; I intend to keep it functional until this issue is resolved):

If one opens these URLs in that order, it will open the last one over unencrypted HTTP.

It appears Firefox interprets the policy on the subdomain without includeSubDomains as a signal to unset HSTS for further sub-subdomains.

In my reading of the RFC 6797, this is wrong. The policy on the apex domain - with includeSubDomains - applies to all subdomains. The policy without includeSubDomains on the subdomain only applies to that specific host. It should not have any transitive effects on further subdomains.

Notably, this even works for preloaded domains. This severely breaks expectations. When one preloads a domain, it is expected that no unencrypted access is possible.

A plausible scenario where this could lead to an attack could look like this:

  • https://example.com/ has a strict HSTS policy with includeSubDomains and may even be preloaded.
  • https://example.com/ sets a cookie scoped for .example.com without a secure flag. (This is not unusual - there is advice out there that the secure flag is less important if one uses HSTS. This is e.g. implied by the Mozilla Observatory scoring.)
  • Attacker looks for any subdomain of example.com with an HSTS policy without includeSubDomains. (This is also not unusual. The expectation may be that includeSubDomains is only important for the apex domain.)

I quickly found a live example on a popular page (netflix.com) where all criteria apply (though I do not know if the cookie is security relevant). I have not performed a thorough search for affected pages, I expect this to be very common.

Given it is close to the end of the year, I should say that I do not plan any short-term disclosure and do not expect any handling of this issue during Christmas and New Year time.

Dana, since you have been doing a lot of great work on HSTS recently, do you wanna take a look? Maybe it's an easy fix after all.

Flags: needinfo?(dkeeler)
Group: firefox-core-security → core-security
Component: Security → Security: PSM
Product: Firefox → Core
Group: core-security → crypto-core-security

Previously, the HSTS implementation would only consider the first superdomain
that had any HSTS information and use the presence or absence of the
includeSubdomains directive to determine if the subdomain was HSTS. However,
the specification actually stipulates that if any superdomain that is HSTS
asserts includeSubdomains, the subdomain is HSTS.

Assignee: nobody → dkeeler
Status: NEW → ASSIGNED

Yeah, originally we interpreted the spec differently, but I agree that that reading is correct.
Seems like a sec-moderate, since it requires the site to be set up in a certain way.

Severity: -- → S2
Flags: needinfo?(dkeeler)
Keywords: sec-moderate
Priority: -- → P1
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a5d65b2a47ae a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS r=jschanck

https://hg.mozilla.org/mozilla-central/rev/a5d65b2a47ae

Group: crypto-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox123: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

This'll need rebasing if we're going to uplift to ESR115.

status-firefox121: --- → wontfix
status-firefox122: --- → affected
status-firefox-esr115: --- → affected
tracking-firefox122: --- → +
tracking-firefox123: --- → +
tracking-firefox-esr115: --- → 122+

The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox122 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

Comment on attachment 9368975 [details]
Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS r?jschanck

Beta/Release Uplift Approval Request

  • User impact if declined: If a site were configured in a specific but not unreasonable way, an attacker could essentially bypass HSTS and e.g. steal login cookies.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a small, localized change, and the implementation is well-tested.
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(dkeeler)
Attachment #9368975 - Flags: approval-mozilla-beta?

Comment on attachment 9368975 [details]
Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS r?jschanck

Approved for 122.0b3

Attachment #9368975 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

FYI, I have submitted a talk to the nullcon conference (14th/15th march 2024 https://nullcon.net/ ) where I plan to disclose this.
That's still plenty of time, so I expect releases with the fix will be ready by then.

Previously, the HSTS implementation would only consider the first superdomain
that had any HSTS information and use the presence or absence of the
includeSubdomains directive to determine if the subdomain was HSTS. However,
the specification actually stipulates that if any superdomain that is HSTS
asserts includeSubdomains, the subdomain is HSTS.

Comment on attachment 9370811 [details]
Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS (ESR115) r?jschanck

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: HSTS bypass
  • User impact if declined: login cookies could be stolen
  • Fix Landed on Version: 123
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a pretty straightforward change in a self-contained area of code. Also, we had a preexisting test for exactly this case (just flipped, logically).
Attachment #9370811 - Flags: approval-mozilla-esr115?

Comment on attachment 9370811 [details]
Bug 1870262 - a subdomain of any HSTS superdomain that asserts includeSubdomains is HSTS (ESR115) r?jschanck

Approved for 115.7esr.

Attachment #9370811 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [adv-main122+][adv-esr115.7+]
Alias: CVE-2024-0753
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+

Can we make this bug public now? I'd like to have a public reference where it is described.

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: