Mozilla plans to release a Firefox update to address the cross-platform remote code-execution vulnerability recently patched in the Tor browser.
The tor is inviting its users to install the security update urgently, and Mozilla follows close behind as soon as possible.
Mozilla will release the fix next Tuesday, the flaw could be exploited by attackers to launch a man-in-the-middle attack by impersonating Mozilla servers through forged certificate.
According to the TorProject, once the attacker is in the position to launch a MiTM and he is able to forge a single TLS certificate for addons.mozilla.org, he could inject in the traffic malicious update for NoScript or many other Firefox extensions installed on a targeted computer.
“I spent a decent portion of my day looking into the claim by the Tor-Fork developer that you could get cross-platform RCE on Tor Browser if you’re able to both MitM a connection and forge a single TLS certificate for addons.mozilla.org. This is well within the capability of any decently resourced nation-state.” wrote the researcher Ryan Duff.
The fake certificate would have to be issued by any one of several Firefox-trusted certificate authorities (CA).
Such kind of attack is not easy to carry on for a common attacker that would be able to forge a certificate for addons.mozilla.org.
Anyway, there is the concrete risk that a nation-state actor or a persistent attacker could exploit the vulnerability to launch an attack and eavesdrop protected traffic or de-anonymize Tor users.
Persistent attackers could target a CA with the specific intent of forging counterfeit digital certificates. In 2011, hackers alleged linked to the Iranian Government hacked the Dutch CA DigiNotar and issued forged certificates for more hundred of domains, including the Mozilla add-ons subdomain
The security researcher Ryan Duff explained that production versions of Firefox are affected by the flaw, anyway, a nightly build version released on September 4 is not vulnerable.
“Firefox uses its own static key pinning method for it’s own Mozilla certs instead of using HPKP. The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario. The bug appears to be fixed as of the September 4th nightly build of Firefox but is obviously still unpatched in both the current production versions of Firefox and Tor Browser.” added Duff.
Duff analyzed the cross-platform RCE and reproduced the hack described by the researcher @movrcx, which define himself as and “anti-torcorp insurgent.” @movrcx explained in his analysis titled “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale” that the “certificate pinning” mechanism implemented by Firefox was ineffective against the attack described in this post.
Duff highlighted that the problem is related the implementation of a static key pinning that is not based on the HTTP Public Key Pinning protocol.
“We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions.” reads a statement issued by Mozilla. “We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.”
Waiting for an update, users should consider stopping automatically accepting extension updates.
(Security Affairs – Mozilla, Tor Network)