Closed Bug 1720098 (CVE-2022-22757) Opened 3 years ago Closed 3 years ago

Need to validate Host and Origin headers for remote agent websockets connection

Categories

(Remote Protocol :: Agent, defect, P2)

Product:
Remote Protocol
Component:
Agent
Type:
defect
Points:
2

Tracking

(firefox-esr91 wontfix, firefox95 wontfix, firefox96 wontfix, firefox97 fixed)

Status:
RESOLVED FIXED
Milestone:
97 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 --- fixed

People

(Reporter: jgraham, Assigned: jdescottes)

References

Details

(Keywords: sec-moderate, Whiteboard: [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage][adv-main97+])

Attachments

(2 files, 1 obsolete file)

Bug 1720098 - [remote] Check websocket handshake requests are from localhost
(deleted), text/x-phabricator-request
Details
advisory.txt
(deleted), text/plain
Details

Otherwise it may be posibble for websites to connect to the remote agent c.f. https://bugzilla.mozilla.org/show_bug.cgi?id=1648964. Checxks should go in https://searchfox.org/mozilla-central/source/remote/server/WebSocketHandshake.jsm#76

Whiteboard: [webdriver:triage]
Priority: -- → P2
Whiteboard: [webdriver:triage]

We'll call this sec-moderate for now because we don't know of a specific exploitable case at the moment and not many users run this, but like bug 1648964 failures are likely to be of the sec-high type

Keywords: sec-moderate
Whiteboard: failures could end up being sec-high
Whiteboard: failures could end up being sec-high → [failures could end up being sec-high][webdriver:triage]

As discussed in our triage meeting checking headers should actually be easy. But it might be harder to figure out what we actually need here. So we could start simple with just allowing localhost/127.0.0.1 even without IPv6 support which would reduce the points to just 2.

But for now lets add to our M2 milestone because it would be bad to tell Selenium folks to not use our BiDi implementation for logging because it totally unsecure.

Points: --- → 8
Whiteboard: [failures could end up being sec-high][webdriver:triage] → [failures could end up being sec-high][bidi-m2-mvp]
Severity: -- → S3
Assignee: nobody → jdescottes
Status: NEW → ASSIGNED
Points: 8 → 2
Attachment #9254227 - Attachment is obsolete: true

https://hg.mozilla.org/mozilla-central/rev/e426e5c345bf

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox95: --- → wontfix
status-firefox96: --- → affected
status-firefox97: --- → fixed
status-firefox-esr91: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

WebDriver Bidi is not enabled by default on release branches. And as such no testing is done. Therefore we aren't considering an uplift to beta.

status-firefox96: affectedwontfix

Same applies also to the esr91 branch.

status-firefox-esr91: affectedwontfix
Whiteboard: [failures could end up being sec-high][bidi-m2-mvp] → [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage]
Blocks: 1746953
Whiteboard: [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage] → [failures could end up being sec-high][bidi-m2-mvp][post-critsmash-triage][adv-main97+]
Attached file advisory.txt (deleted) —
Alias: CVE-2022-22757
Blocks: 1755317
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: