Critical Bugzilla flaw allows access to unpatched vulnerability information
Mozilla has patched a critical vulnerability (CVE-2015-4499) in its popular open source bug-tracking Bugzilla software – a vulnerability that can be exploited by attackers to gain access to information about a project’s still unpatched flaws.
“The discovered vulnerability allows an attacker to obtain permissions on a Bugzilla service they would not otherwise receive. This is achieved by tricking the system into believing that the attacker is part of a privileged domain, causing the system to grant domain-specific permissions,” Netanel Rubin, a senior vulnerability researcher with PerimeterX, has shared.
“Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted,” Mozilla explained in the security advisory published along with the updates. “An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group’s regular expression setting.”
Rubin discovered the flaw on September 7 and let Mozilla know (he tested it on Mozilla’s Bugzilla). The organization took three days to patch it, and included the fix in Bugzilla versions 5.0.1, 4.4.10 and 4.2.15 pushed out on September 10.
All previous versions of Bugzilla are vulnerable, so Bugzilla administrators are advised to update their installation as soon as possible. If, for whatever reason, they can’t do it, standalone patches are also available.
“If you are using email based permissions in your Bugzilla deployment and have not yet installed a patched version, take it down until patched,” Rubin advised. “Make sure to go over the logs and user-list to identify users that were created using this vulnerability. This vulnerability is extremely easy to exploit and the details have been known for more than a week, you have been or will be attacked!”
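One way to run the user-list review Rubin recommends, as an added example that is not from the article, Mozilla or the Bugzilla project: it flags stored logins whose length reaches the 127-character limit quoted in the advisory and ranks first those that also match a group's regular expression. The function name, group names and sample logins are constructed for illustration, and case-insensitive matching is an assumption.

```python
import re

# Assumption from the advisory quoted above: MySQL keeps only the first
# 127 characters of a login name, so a stored login at that length may
# be the remainder of a longer address.
LOGIN_LIMIT = 127

def audit_logins(logins, group_regexes, limit=LOGIN_LIMIT):
    """Flag stored logins at the truncation boundary.

    group_regexes maps a group name to its membership regular expression.
    Returns a list of dicts, highest severity first.
    """
    # An empty pattern would match every login, so skip groups without one.
    compiled = {name: re.compile(rx, re.IGNORECASE)  # case-insensitive: assumption
                for name, rx in group_regexes.items() if rx}
    findings = []
    for login in logins:
        if len(login) < limit:
            continue  # shorter than the limit, so it cannot have been truncated
        groups = sorted(n for n, rx in compiled.items() if rx.search(login))
        findings.append({
            "login": login,
            "length": len(login),
            "groups": groups,
            # A boundary-length login that also earned regex-based group
            # membership is the pattern the advisory describes.
            "severity": "high" if groups else "review",
        })
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings

# Constructed sample data (not from any real installation).
SAMPLE_GROUPS = {"security-team": r"@example\.org$", "everyone-else": ""}
SAMPLE_LOGINS = [
    "alice@example.org",
    "y" * 117 + "@mail.test",
    "x" * 115 + "@example.org",
    "bob@mail.test",
]

if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOGINS, SAMPLE_GROUPS):
        print(f["severity"], f["length"], f["groups"], f["login"][:20] + "...")
```

A "review" result only means the login sits at the length limit; a "high" result should be compared against the account-creation logs for the address that was originally requested.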
For more technical details about the flaw, check out Rubin’s blog post.
The discovery of the flaw came mere days after Mozilla admitted that a hacker had managed to access their own Bugzilla, and had access to vulnerability information about their products for over a year.