Researchers recently found a new vulnerability under active attack that impacts all major web browsers. Identified as a ‘0.0.0.0 Day’ flaw, the zero-day vulnerability allows an adversary to bypass web browsers’ security features and gain access to the local network.
The Zero-Day Flaw ‘0.0.0.0 Day’ Impacts Chrome, Firefox, And Safari Web Browsers Alike
As elaborated in a recent post from Oligo Security, their research team detected active exploitation attempts of the new 0.0.0.0 Day vulnerability affecting web browsers. Exploiting this vulnerability allows an adversary to gain unauthorized access to a target organization’s internal network services and perform remote code execution attacks.
The vulnerability caught the researchers’ attention when they detected the malicious ShadowRay campaign targeting AI workloads. This campaign exploited a vulnerability in the AI framework Ray that allowed arbitrary code execution. Moreover, another malicious cryptomining campaign, SeleniumGreed, exploited Selenium Grid (web app testing framework) public servers for remote code execution.
Investigating such exploitations led the researchers to detect a nearly two-decade-old zero-day vulnerability in web browsers. This vulnerability allows web browsers to provide access to the 0.0.0.0 IPv4 address, a prohibited address that only serves to let computers communicate temporarily during DHCP handshakes.
Web browsers should ideally not allow access to this address as it exposes the local network. However, the vulnerability exposing this IP address existed even 18 years ago. Since then, it has largely remained unaddressed across all major browsers.
Google Chrome implemented PNA (Private Network Access) to extend the existing CORS (Cross-Origin Resource Sharing) and prevent access to private IP addresses. Yet, its PNA did not include 0.0.0.0 as a private IP address, leaving it accessible.
An attacker may leverage this browser vulnerability to target local networks and exploit internal systems used for development and by operating systems.
The researchers have shared the technical details in their post.
No Patch Available Yet – Researchers Advised Mitigations
The researchers confirmed that the 0.0.0.0 Day vulnerability does not impact Windows systems. However, macOS and Linux systems are vulnerable.
The researchers advise app developers to deploy mitigations to prevent potential threats until web browsers address the flaw. These include implementing PNA headers, using HTTPS, implementing Host header verification to prevent DNS rebinding attacks, implementing CSRF tokens in applications, and limiting authorization to the localhost network.
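As an added illustration (not code from Oligo Security or from any affected project), the sketch below shows how a locally bound HTTP service could apply two of these mitigations: Host header verification and an opt-in answer to PNA preflight requests. The port 8080, the allowlists and the decide() helper are assumptions made for the example.

```python
# Added example: Host allowlist plus PNA preflight policy for a local service.
# Port 8080 and both allowlists are assumed values, not taken from the article.
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"localhost:8080", "127.0.0.1:8080"}
ALLOWED_ORIGINS = {"http://localhost:8080"}  # the service's own UI origin


def decide(method, headers):
    """Return (status, extra_response_headers); header names are lower-cased."""
    host = headers.get("host", "").lower()
    # Host verification: a browser request to http://0.0.0.0:8080/ or to a
    # DNS-rebinding hostname carries that name in Host, so it is refused.
    if host not in ALLOWED_HOSTS:
        return 403, {}
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, {}  # cross-origin caller that was never opted in
    if method == "OPTIONS":
        extra = {}
        if origin is not None:
            extra["Access-Control-Allow-Origin"] = origin
            # PNA preflight: grant private-network access only to an
            # allowlisted origin that explicitly asked for it.
            if headers.get("access-control-request-private-network") == "true":
                extra["Access-Control-Allow-Private-Network"] = "true"
        return 204, extra
    return 200, {}


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        status, extra = decide(self.command, hdrs)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_OPTIONS = _serve


if __name__ == "__main__":
    # Binding to loopback alone does not stop requests addressed to 0.0.0.0
    # on macOS and Linux; the Host check above is what rejects them.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

State-changing endpoints would additionally require a CSRF token and some form of authorization, which this sketch leaves out.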