‘0.0.0.0 Day’ Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk

'0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk

August 8, 2024 at 01:57PM

Open source security firm Oligo Security discovered a vulnerability called “0.0.0.0 Day” that allows attackers to remotely execute code on various web browsers, putting users at risk for data theft and other malicious activities. This flaw exploits the 0.0.0.0 IP address and bypasses browser security to interact with services within an organization’s local network. Various technical mitigations and fixes have been implemented by browser owners to address this vulnerability.

The meeting notes highlight a critical security flaw that exploits the 0.0.0.0 IP address to remotely execute code on various web browsers, including Chrome, Safari, and Firefox. This flaw allows attackers to bypass browser security and interact with services running on an organization’s local network from outside the network, leading to potential data theft, malware, and other malicious activities.

The vulnerability arises from inconsistent implementation of security mechanisms across different browsers, lacking standardization in the browser industry. This inconsistency allows attackers to exploit localhost application programming interfaces (APIs) from the browser, enabling a range of malicious activities. The flaw is rooted in the ability of browsers to send requests to almost any HTTP server via JavaScript, without robust security measures to prevent errant or malicious requests from getting through.

Although Chrome’s Private Network Access (PNA) should theoretically protect websites from the 0.0.0.0 day bug, Oligo researchers discovered that website requests sent to 0.0.0.0 are actually received and processed by local servers, bypassing PNA. This presents a significant security risk as it enables attackers to execute arbitrary code from the browser and conduct remote code execution attacks by using 0.0.0.0 together with mode “no-cors.”

Oligo has disclosed the findings to relevant browser owners, and fixes have been made in browsers to block 0.0.0.0 as a target IP. Additionally, network administrators can implement technical mitigations such as PNA headers, verifying the HOST header of the network request, using HTTPS over HTTP, and implementing CSRF tokens in applications, even for local networks, to protect against attacks using this vector.

In conclusion, the notes stress the importance of understanding and addressing the security implications of the 0.0.0.0 vulnerability to protect organizations and users from potential cyber threats.

Full Article