Closed Bug 1924154 (CVE-2024-10466) Opened 1 year ago Closed 1 year ago

An encrypted push message with rs=0 can freeze the parent process (DoS)

Categories

(Core :: DOM: Push Subscriptions, defect, P2)

Product:
Core
Component:
DOM: Push Subscriptions
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
133 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 132+ fixed
firefox131 --- wontfix
firefox132 + fixed
firefox133 + fixed

People

(Reporter: saschanaz, Assigned: saschanaz)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [adv-main132+] [adv-esr128.4+])

Attachments

(5 files)

Bug 1924154 - Disallow too small record r=asuth
48 bytes, text/x-phabricator-request
Details | Review
Bug 1924154 - Add test r=asuth
48 bytes, text/x-phabricator-request
Details | Review
Bug 1924154 - Disallow too small record r=asuth
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1924154 - Disallow too small record r=asuth
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review
advisory.txt
219 bytes, text/plain
Details

https://searchfox.org/mozilla-central/rev/0cd8e314881fc6c216586d1adc13eb8a03f5d040/dom/push/PushCrypto.sys.mjs#111-115

function getCryptoParamsFromPayload(payload) {
  if (payload.byteLength < 21) {
    throw new CryptoError("Truncated header", BAD_CRYPTO);
  }
  let rs =
    (payload[16] << 24) |
    (payload[17] << 16) |
    (payload[18] << 8) |
    payload[19];

if rs becomes 0, it means each record has size of 0. Here we iterate the buffer based on that size, resulting an infinite loop.

The implication here is that a remote server can send a push message with those bytes being 0, which then freezes the subscriber's user agent when it receives the message (which can happen in random time, as it's a push message).

Group: core-security → dom-core-security

Does this code run in the parent process or a content process? The latter sounds less bad.

PushCrypto runs on the parent process as PushService runs on it.

Assignee: nobody → krosylight
Severity: -- → S2
Priority: -- → P2

Comment on attachment 9431075 [details]
Bug 1924154 - Disallow too small record r=asuth

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: (No sec triage yet, but feel free to discard if not needed)

One would have to understand what record size can do in aes128gcm decryption and what 0 can mean there. (The patch disallows any number below 18 and also touched aesgcm which I believe is not affected, but should help for not-drawing bulls-eye)

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all branches
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Shouldn't cause regression; any other incorrect rs value causes decode failure anyway.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9431075 - Flags: sec-approval?

This would be a nasty mean trick to pull on people, and probably hard for people to figure out where it's coming from, but it's still hard to rate it much higher "low" given you'd also have to convince people to accept your notifications.

Blocks: eviltraps
Keywords: sec-low

https://hg.mozilla.org/mozilla-central/rev/a6638d339037

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox133: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Attachment #9431695 - Flags: approval-mozilla-beta?

Comment on attachment 9431075 [details]
Bug 1924154 - Disallow too small record r=asuth

This is sec-low (rated after the approval was requested, so thank you), so no approval is needed.

Attachment #9431075 - Flags: sec-approval?

beta Uplift Approval Request

  • User impact if declined: An evil remote server can freeze push notification subscribers using Firefox anytime.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: None
  • Risk associated with taking this patch: low
  • Explanation of risk level: Explicitly banning invalid values; those (other than 0) already throws a (more vague) error already
  • String changes made/needed: None
  • Is Android affected?: no
Attachment #9431859 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: An evil remote server can freeze push notification subscribers using Firefox anytime.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: None
  • Risk associated with taking this patch: low
  • Explanation of risk level: Explicitly banning invalid values; those (other than 0) already throws a (more vague) error already
  • String changes made/needed: None
  • Is Android affected?: no
Attachment #9431859 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9431695 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main132+] [adv-esr128.4+]
Attached file advisory.txt
Alias: CVE-2024-10466
Pushed by nfay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/68328f7bb076 Fix lint failure in test_crypto_encrypt.js r=fix CLOSED TREE
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: