Threat actors often target and exploit security flaws in web browsers, as exploiting flaws in web browsers enables them to gain unauthorized access and perform several illicit activities.
Not only that, threat actors also get a wide attack surface with minimal effort by exploiting the security flaws in browsers.
Cybersecurity researchers at Oligo Security’s research team recently discovered 0.0.0.0 day, an 18-year-old vulnerability that enables attackers to bypass all browser security.
Technical Analysis
It’s a major security problem affecting all popular web browsers (Chromium, Firefox, and Safari) that allows external websites to interface with software that is being run locally on macOS and Linux.
The vulnerability known as “ow.night” was caused due to the fact that the security mechanisms were implemented in different ways depending on what browser was used and the lack of any uniform standards in this industry.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
This vulnerability allows malicious websites to bypass browser security and communicate with the organization’s local network services which could lead to unauthorized access by hackers who are outside of its network and remote code execution upon these local services.
Consequently, using a rather harmless 0.0.0.0 IP address, attackers can target the local services for development purposes, and operating systems among others including internal networks.
While this vulnerability was again shown to be urgent by the recent discovery of active campaigns of ShadowRay.
Oligo researchers have shared their findings with the security teams for all major browsers and the browser vendors recognized the security problem.
Related standard modifications are being processed and some browser-level mitigations that will not accept 0.0.0.0 addresses are planned to be activated soon.
However, due to its complexity as well as lack of any finalized standard, this vulnerability still remains under attack in between allowing external websites access services on localhost.
This shows the need for a common browser industry standard that can address this fundamental security flaw and protect users and organizations from potential “0.0.0.0 Day.”
This critical flaw allowed public websites to override browser protections and access local network services, which can result in remote code execution.
At first, the vulnerability was caused by the Private Network Access (PNA) standard, which does not consider 0.0.0.0 as a private IP address.
This deletion allowed hackers to use public domains for reaching local resources and, at the same time, skip the restrictions of CORS and exploit flaws in Ray frameworks or Selenium Grid as well as PyTorch TorchServe that were installed on localhost.
The researchers provided an example of unauthorized access and control of these local applications using only one HTTP request showing how essential it is to ensure a comprehensive standardized approach to secure local network access.
It is incredible how their disclosure helped with fixing this vulnerability in various browsers consequently demonstrating how responsible disclosure aids in internet security improvement.
Recommendations
Here below we have mentioned all the recommendations:-
- Implement PNA headers.
- Verify HOST headers to prevent DNS rebinding.
- Add authorization layers for localhost.
- Use HTTPS.
- Implement CSRF tokens.
- Remember browsers route to internal IPs.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download