Does anything need to be done to protect against supposed 0.0.0.0 vulnerability?

bzgnyc

Does anything need to be done in Orion to protect against this supposed 0.0.0.0 vulnerability? It's not even clear to me what this vulnerability is based on the reports I've read so far which to be honest seem more like AI chatbot summaries of the same vague press release. Is it an API issue, a kernel issue, a browser issue? Are typical desktops vulnerable or only machines on both public and private networks where the latter was assumed to be isolated?

https://www.macrumors.com/2024/08/07/safari-18-to-block-0000-security-vulnerability/

The best I've been able to piece together is that if a user connects to a malicious/infected website via browser, that website could potentially connect to presumably private resources. I am assuming that requires the browser to either run malicious client-side JavaScript, etc or a honor a redirect to 0.0.0.0? On the flip side, supposedly Windows is not vulnerable implying that it's core API sidesteps the issue? Though it looks like Apple plans to mitigate in a future version of WebKit?

Or are Orion users already protected by rules in the Content Blocker anyway?

eirk

I personally am not well versed in security or this vulnerability, but this is what I found:

from the Oligo Security team's blog (they were the ones to report this vuln):

‍Apple Safari: Apple-based browsers including Safari are based on open source software called “WebKit.”
Following our report, Apple made breaking changes to WebKit that block access to 0.0.0.0. As part of this change, they added a check to the destination host IP address. If it is all zeros, the request is blocked. The specific changes can be found here: https://github.com/WebKit/WebKit/pull/29592/files

https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

Seems like the fix was to WebKit, the rendering engine used by both Orion and Safari.
It was merged june 7, when the webkit version was 619.1.17. Orion RC currently is on version 619.1.11.111.2.
The fix for orion would to be to update to a version of webkit after 619.1.17.

gp

The vulnerability, in essence, arises because there is an assumption that an internet-origin website (example.net) should not generally be able to make XHR type requests via JS to 127.0.0.1:8080/blah, as this is a violation of CORS policy.

JS run from an internet website should not be able to interact with things on other origins, like your local PC, or your local network.

It appears that some browsers had some exemption for 0.0.0.0 (which can be used sometimes to refer to all IPs) - so if you were running a service bound to 127.0.0.1:8080, then in theory an internet service would be able to access it via 0.0.0.0:8080 when this bug is in effect. 0.0.0.0 is a reserved IP address (it's not a real one), commonly used to refer to "all IP addresses on this host" when you are setting up a server.

This could be a security issue as software running locally might (erroneously) assume that all local network traffic is secure - imagine a password manager communicating with its browser extension, for example, or a developer running a web service or database locally.

mbierman

Is this fixed in Orion? If not, when will it be?

Is this an issue for Orion?

0.99.128.2.1-beta (WebKit 619.1.11.111.2)

Sonoma (14)

eirk

See https://orionfeedback.org/d/8390-does-anything-need-to-be-done-to-protect-against-supposed-0000-vulnerability