Researcher revealed Tor flaw after initially being ignored
Mozilla will patch a flaw in its Firefox browser, which also affects the Tor anonymity network, that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks.
The flaw was first made public by researchers describing the attacks against Tor, ahead of the publication of a patch in version 6.0.5.
“That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla’s servers and to deliver a malicious extension update,” Tor developer Georg Koppen says.
“This could lead to arbitrary code execution.
“Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states.”
Security researcher Movrcx detailed the then-zero-day flaw in analysis estimating attackers would need to burn US$100,000 to launch the multi-platform attacks.
“This attack enables arbitrary remote code execution against users accessing specific clearnet resources when used in combination with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific clearnet resources,” he wrote.
“Additionally this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met – such as an installed language pack, public IP address, DNS cache, stored cookie, stored web history, and so on.”
The need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx says was “difficult to accomplish but not impossible”.
He claimed members of the Tor Project did not accept his initial private disclosure.
Independent security researcher Ryan Duff, who maintains an interest in cross-platform remote code execution, says Firefox used its own weaker version of key pinning, which created the attack vector, adding that Mozilla had fixed the flaw in the nightly version of its browser.
“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP.
The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario.”
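The check that key pinning is supposed to enforce, as an added example that is not code from the article, Mozilla or the Tor Project: a certificate can be validly issued by a trusted CA and still be rejected because the SHA-256 hash of its public key (SPKI) is not in the pin set. The SPKI blobs, header value and function names are constructed for the illustration; the header format and the backup-pin rule follow RFC 7469 (HPKP).

```python
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """HPKP / static pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header (RFC 7469) into its directives."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.add(m.group(1))
        elif directive.startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None or len(pins) < 2:
        # RFC 7469 2.5: a usable pin set needs max-age and at least a backup pin.
        raise ValueError("invalid or incomplete HPKP header")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Pin validation: at least one key in the presented chain must be pinned."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed stand-ins for SPKI blobs (real ones are DER-encoded public keys).
GENUINE_KEY = b"constructed-spki-genuine-update-server-key"
BACKUP_KEY = b"constructed-spki-backup-key-kept-offline"
IMPOSTOR_KEY = b"constructed-spki-key-from-a-valid-but-unexpected-cert"

# Header the genuine server would send: its own key plus a backup pin.
PKP_HEADER = (
    f'pin-sha256="{spki_pin(GENUINE_KEY)}"; '
    f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000; includeSubDomains'
)


def impersonation_detected(chain_spkis) -> bool:
    """True when a CA-valid chain presents only keys the pin set does not allow."""
    policy = parse_hpkp(PKP_HEADER)
    return not chain_matches_pins(chain_spkis, policy["pins"])
```

A chain built on the impostor key is rejected even though nothing about its CA signature is wrong, which is the property the article says Firefox's static pinning failed to enforce strongly enough.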
Mozilla will push the fix into its stable release version on 20 September.