
0.0.0.0 Day – 18 Yr Old Vulnerability Let Attackers Bypass All Browser Security

Source: Vulnerability (cybersecuritynews.com)

Author: Balaji N

Researchers at Oligo Security have discovered an 18-year-old critical vulnerability, dubbed “0.0.0.0 Day,” that affects all major web browsers, including Chromium, Firefox, and Safari.

This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.

The issue stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry.

Specifically, the IP address 0.0.0.0, which is often used as a placeholder or default address, can be exploited by attackers to access local services, including those used for development, operating systems, and even internal networks.

The impact of 0.0.0.0 Day is significant, affecting individuals and organizations alike. With the ability to bypass browser security, attackers can potentially gain access to sensitive services running on local devices, leading to unauthorized access, data breaches, and even remote code execution.

A bug report from 2006 highlights the long-standing issue of browsers allowing requests to be sent to local or internal networks from less-private contexts. Despite numerous comments and reprioritizations, the bug remains open to this day.

The lack of standardization in the browser industry has led to inconsistent implementations of security mechanisms, creating vulnerabilities like 0.0.0.0 Day.

How Does 0.0.0.0 Day Bypass Browser Security

To understand the vulnerability, it’s essential to understand browser security and the role of IP addresses like 0.0.0.0.

Browsers have always been a security target, and they have introduced groundbreaking security concepts such as sandboxing and HTTPS-only cookies.

The IP address 0.0.0.0 has multiple uses, including as a placeholder or default address. However, its use as a destination address in IPv4 is prohibited, and it is only allowed as a source address under specific circumstances.

Despite this, 0.0.0.0 has been used in various contexts, including in /etc/hosts files to block certain domains or in networking policies to allow all IPs.

Digitally “fingerprinting” website users is a known technique used for various purposes, including identifying returning users. However, threat actors can also use this technique to gather intelligence for phishing campaigns.

The use of the 0.0.0.0 Day vulnerability allows attackers to port scan users, potentially leading to the identification of open ports and vulnerable services.

Google’s introduction of Private Network Access (PNA) aims to extend CORS by restricting websites’ ability to send requests to servers on private networks. PNA proposes distinguishing between public, private, and local networks, preventing requests from being sent to more secure contexts.

According to the current PNA specification, the following IP segments are considered private or local:

Putting 0.0.0.0 To the Test: PNA Bypass

Researchers at Oligo Security discovered that 0.0.0.0 was not on the list of private or local IP segments, allowing websites to dispatch requests to 0.0.0.0.
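
The gap described above, as an added Python sketch (not code from Oligo Security, any browser, or the original article): a classifier that only consults a list of non-public ranges treats 0.0.0.0 as public, while one that rejects the all-zero address blocks it. The range table, function names and sample addresses are assumptions made for this example.

```python
import ipaddress

# IPv4 blocks treated as non-public in this sketch (an assumption for the
# example; the page's own table did not survive extraction).
NON_PUBLIC = [
    (ipaddress.ip_network("127.0.0.0/8"), "local"),
    (ipaddress.ip_network("10.0.0.0/8"), "private"),
    (ipaddress.ip_network("172.16.0.0/12"), "private"),
    (ipaddress.ip_network("192.168.0.0/16"), "private"),
    (ipaddress.ip_network("169.254.0.0/16"), "private"),
]
RANK = {"public": 0, "private": 1, "local": 2}


def classify_listed_only(addr: str) -> str:
    """Address space by table lookup alone: anything unlisted is 'public'."""
    ip = ipaddress.ip_address(addr)
    for net, space in NON_PUBLIC:
        if ip.version == net.version and ip in net:
            return space
    return "public"


def classify_hardened(addr: str) -> str:
    """Same lookup, but the all-zero address is never a valid destination."""
    if ipaddress.ip_address(addr).is_unspecified:  # 0.0.0.0 or ::
        return "blocked"
    return classify_listed_only(addr)


def decide(initiator_space: str, target_addr: str, classify) -> str:
    """'allow', 'pna-check' (target is in a more private space) or 'block'."""
    target_space = classify(target_addr)
    if target_space == "blocked":
        return "block"
    if RANK[target_space] > RANK[initiator_space]:
        return "pna-check"
    return "allow"


# Constructed sample destinations, as requested by a page in the public space.
SAMPLES = ["203.0.113.10", "192.168.1.10", "127.0.0.1", "0.0.0.0"]

if __name__ == "__main__":
    for dst in SAMPLES:
        print(dst, decide("public", dst, classify_listed_only),
              decide("public", dst, classify_hardened))
```

With the list-only classifier, a public page's request to 0.0.0.0 is the one sample that reaches a local listener without any private-network check; the hardened classifier blocks it while leaving the other decisions unchanged.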

Following responsible disclosure, this bypass of the current PNA implementation and the inherent flaws in browsers were reported to all the browser vendors.

Many applications are likely to be impacted by the 0.0.0.0 Day vulnerability. Researchers at Oligo Security found several vulnerable applications, including Ray, Selenium Grid, and PyTorch TorchServe (ShellTorch). These vulnerabilities can be leveraged through 0.0.0.0, leading to remote code execution and unauthorized access.

Following responsible disclosure, browser vendors have acknowledged the security flaw and are working to implement browser-level mitigations.

Google Chrome (and Chromium-based browsers like Edge)

  • PNA Initiative: Evolving Private Network Access (PNA) led by Google.
  • Vulnerability: 0.0.0.0 bypasses PNA, allowing access to private IPs.
  • Fix Rollout: Blocking 0.0.0.0 from Chrome 128, fully effective by Chrome 133.
  • Statistics: 0.015% of websites (around 100K) communicate with 0.0.0.0.

Apple Safari

  • WebKit Changes: Now blocks 0.0.0.0 access.
  • Implementation: Requests to all-zero IP addresses are blocked.

Mozilla Firefox

  • Current Status: No immediate fix; PNA not initially implemented.
  • Specification Update: Fetch specification updated to block 0.0.0.0.
  • Future Plans: Implementation of PNA will eventually block 0.0.0.0.

The 0.0.0.0 Day vulnerability highlights the need for browser industry standardization and the implementation of Private Network Access (PNA) according to that standard. Until PNA fully rolls out, public websites can dispatch HTTP requests using JavaScript to successfully reach services on the local network, potentially leading to unauthorized access and remote code execution.


