Platform users need to apply a patch immediately

Oct 6, 2014 22:05 GMT

A zero-day security glitch in the Bugzilla bug-tracking platform used for managing vulnerabilities by prominent software organizations, both private and open-source, was disclosed on Monday.

The flaw is quite serious, as it allows an individual to register an account with the service using an email address of their choice, without needing access to the actual inbox to validate it.

Attackers could modify vulnerability information

Such a security vulnerability in the platform means that an attacker could view all the bugs in software tracked through Bugzilla.

Check Point Software Technologies uncovered the flaw and reported it to the team leading the Bugzilla project, who recognized its severity; the CVE-2014-1572 identifier has been assigned to it.

According to Check Point’s Shahar Tal, the “bug enables unknown users to gain administrative privileges” and “by using these admin credentials, attackers can then view and edit private and undisclosed bug details.”

Another risk is that a malicious actor exploiting the flaw could destroy information in order to slow down the process of fixing vulnerabilities in a particular piece of software.

Patch is available, clients urged to apply it

Due to the critical nature of the glitch, the Mozilla Foundation rushed to release a patch and notified the prominent organizations using the platform of its availability.

As a result, new Bugzilla versions are available for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. The security advisory published with them says that the “realname” parameter in the “login_name” field is not filtered correctly when creating an account, which can lead to user data being overwritten.

“The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says.
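To illustrate the class of bug the advisory describes, here is an added Python sketch that is not Bugzilla's own (Perl) code: an account-finalization step that copies every submitted form field into the new account, beside a hardened version that binds the login name to the address the confirmation token was issued for. The group regexp and the email addresses are constructed for the example.

```python
import re
import secrets

# Constructed group rules modelled on Bugzilla's "user regexp" feature: any
# account whose login name matches the regexp is placed in the group.
GROUP_REGEXPS = {
    "admin": r"^[^@]+@example-org\.test$",  # hypothetical, not a real config
}


def groups_for(login_name):
    """Return the set of groups whose regexp matches the login name."""
    return {g for g, rx in GROUP_REGEXPS.items() if re.search(rx, login_name)}


class Registry:
    def __init__(self):
        self.pending = {}  # token -> email the confirmation mail was sent to
        self.users = {}    # login_name -> account record

    def start_signup(self, email):
        """Issue a confirmation token for the address that receives the mail."""
        token = secrets.token_hex(8)
        self.pending[token] = email
        return token

    def finish_signup_vulnerable(self, token, form):
        # Weak: all form fields are merged into the record, so a "login_name"
        # field in the final step replaces the verified email and the group
        # regexps are evaluated against the unverified value.
        email = self.pending.pop(token)
        account = {"login_name": email, "realname": ""}
        account.update(form)
        account["groups"] = groups_for(account["login_name"])
        self.users[account["login_name"]] = account
        return account

    def finish_signup_hardened(self, token, form):
        # Fixed: the login name comes only from the token's verified address,
        # and only the allow-listed profile field is read from the form.
        email = self.pending.pop(token)
        account = {"login_name": email, "realname": str(form.get("realname", ""))}
        account["groups"] = groups_for(email)
        self.users[email] = account
        return account
```

The hardened variant is the check to look for in any self-service registration flow: group membership must be derived from the address that actually received the confirmation mail, never from a field the client can resubmit.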

Hundreds of organizations use Bugzilla

Bugzilla is used for reporting and managing bugs in projects such as Mozilla Firefox, Apache, OpenSSH, Eclipse, KDE, GNOME, Wikimedia Foundation, Wireshark, Novell, and various Linux distributions, among others.

According to the installation list, 148 companies run public Bugzilla installations, but the real number could be at least ten times higher, since many installations are private, meaning that their log-in page is not accessible over the Internet.

This particular vulnerability is credited to Netanel Rubin of Check Point, who discovered it on September 29 and reported it to the Bugzilla team the following day.

On September 30, developers at Bugzilla acknowledged the flaw and confirmed it to the researcher, while preparing an initial patch. On Monday, the final patch was released, and all Bugzilla users are advised to apply it.