Vulnerability Takes Advantage of Old, Fundamental Flaw in Browsers

The Oligo Security research team has recently disclosed a vulnerability present in all major web browsers (Chromium (Chrome/Edge), Firefox, and Safari). The vulnerability which has been named “0.0.0.0 Day” is the result of a “fundamental flaw with how browsers handle network requests”. The vulnerability allows attackers to access sensitive services that are running on local devices running MacOS and Linux operating systems.  Oligo disclosed these findings in the beginning of April 2024, to security teams for each of the major browsers. Each have acknowledged the flaw and are working on changing the standards and blocking the 0.0.0.0 address.

The Vulnerability

This vulnerability takes advantage of the iPv4 address of 0.0.0.0 and the way browsers handle requests. Public websites can access any port on your host, without seeing a response.  This allows public websites to utilize HTTP requests and Javascript to reach services on a local network. Also, when utilizing an attack with the “no-cors” mode this extends the capability of the attacker by being able to attack services running on localhost and perform remote code execution through a single HTTP request.

Impact

This vulnerability has no CVSS score or CVE associated, but according to researchers at Oligo this vulnerability has a massive impact. It affects all major browsers running on the MacOS and Linux operating systems. As well as any applications which leverage the local host internally, some examples were provided in Oligo’s research such as Pytorch and Selenium Grid.

Remediation

Currently there are no official fixes for this vulnerability as it is an inherent error in the current browser's function and will have to be fixed on a case-by-case basis for certain applications. There is evidence that this vulnerability has been present for at least 18 years, as bug reports in the past have indicated it’s presence.

There are two main protections for browsers CORS and PNA (Private Network Access), a newer standard for browser security supposed to extend the ability of CORS. This is done by restricting the ability of websites to send requests to servers on private networks.  CORS which protects unintended content from being loaded from an unsafe context is only done at the response level whereas PNA prevents a request from being sent.

Chrome – PNA is being introduced, but the vulnerability bypassed the mechanism in chromium. Chrome is blocking access to 0.0.0.0 starting in Chromium version 128 through version 133 and will rollout this change slowly to all chromium users during this time.

Safari – The open-source software WebKit has had a change which blocks access to 0.0.0.0 IP address. WebKit is used to run the Safari browser.

Mozilla Firefox – There are no fixes at this time for firefox, but it is in progress. Currently Mozilla has blocked access in it’s fetch specification to address 0.0.0.0 and is priortizing the implementation of Private Network Access.

Recommendations

Review usage of localhost – Make a catalogue of all applications and services which utilize localhost, specifically iPv4 address 0.0.0.0.

Developers – Fixes can be made to protect local applications such as implementing PNA headers, utilizing HTTPS, add authorization even on the localhost, implement CSRF tokens on local applications. These are all recommendations from Oligo Researchers.

Stay informed – This topic is still currently developing and new vulnerabilities will be discovered utilizing this flaw.  Exploitation of this vulnerability is very likely.

Associated Bulletins

0.0.0.0 Day: Exploiting Localhost APIs From the Browser | Oligo Security

‍