A critical zero-day vulnerability discovered in Mozilla’s popular Bugzilla bug-tracking software used by hundreds of prominent software organizations, both private and open-source, could expose sensitive information and vulnerabilities of the software projects to the hackers.
The critical flaw allows an attacker to bypass email verification part when registering a new Bugzilla account, which clearly means that an attacker can register accounts using any email addresses of their choice without the need to access the actual inbox for validation purposes.
VALIDATION BYPASS AND PRIVILEGE ESCALATION BUG
Security firm Check Point Software Technologies disclosed the flaw (CVE-2014-1572) on Monday and said that it’s the first time when a privilege-escalation vulnerability has been found in the Bugzilla project since 2002. The Mozilla foundation has also confirmed that this particular bug exists in all versions of Bugzilla going back to version 2.23.3 from 2006.
An analysis carried out by the researchers at Check Point revealed that the critical "bug enables unknown users to gain administrative privileges" as well as "by using these admin credentials, attackers can then view and edit private and undisclosed bug details."
Furthermore, a hacker exploiting the flaw could intervene to destroy bug information in an effort to slow down the process of fixing vulnerabilities in a particular piece of software.
"The successful exploitation of the vulnerability allows the manipulation of any (database) field at the user creation procedure, including the 'login_name' field," Netanel Rubin, a researcher with Check Point, wrote in the initial report to Bugzilla. "This breaks the e-mail validation process and allows an attacker to create accounts which match the group's regex policies, effectively becoming a privileged user."
BUGZILLA AND ITS REACH
Bugzilla is a Web-based general-purpose bugtracker and testing tool originally developed by the Mozilla Foundation, and has been used by a variety of organizations as a bug tracking system for free and open source software projects.
Among others, the software is used by the Mozilla Foundation, Apache, the Linux kernel, OpenSSH, Eclipse, KDE, Wikimedia Foundation, Wireshark, Novell, and GNOME as well as, many Linux distributions.
Nearly 150 large software developers and open-source projects use Mozilla’s Bugzilla software to track the vulnerabilities in their products. The actual figure could be even higher since many of the organisations are private.
Check Point reported the vulnerability to the Mozilla Foundation on September 29 and on Monday, Bugzilla rushed to release a patch for the issue to the public and warned the prominent organizations about its availability.
New Bugzilla versions are offered for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. “The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says.
While Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation.