Cybersecurity researchers have discovered a new “0.0.0.0 Day” vulnerability that affects all major web browsers and allows malicious websites to breach local networks.
The vulnerability particularly affects Linux-based and macOS operating systems.
0.0.0.0 Day, what is the vulnerability?
The critical 0.0.0.0 Day vulnerability “exposes a fundamental flaw in the way browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices,” said Avi Lumelsky, a researcher at Oligo Security.
The Israeli application security firm said the implications of the vulnerability are far-reaching and that it stems from inconsistent implementation of security mechanisms and a lack of standardization across browsers.
As a result, a seemingly benign IP address like 0.0.0.0 could be weaponized to exploit local services, leading to unauthorized access and remote code execution by attackers outside the network. This flaw is said to have existed since 2006.
When Windows Becomes More Secure Than Its “Cousins”
“0.0.0.0 Day” affects Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, allowing external websites to communicate with software running locally on macOS and Linux. It does not affect Windows devices, because Microsoft blocks the IP address at the operating system level.
In particular, Oligo Security discovered that public websites with domains ending in “.com” are able to communicate with services running on the local network and execute arbitrary code on the user’s device using the address 0.0.0.0 instead of localhost/127.0.0.1.
This also bypasses Private Network Access (PNA), which is designed to prevent public websites from directly accessing endpoints located within private networks.
The conclusion of cybersecurity researchers
Any application running on localhost that can be reached via 0.0.0.0 is likely vulnerable to remote code execution, including local Selenium Grid instances, by sending a POST request to 0.0.0[.]0:4444 with a custom-made payload.
In response to the findings in April 2024, web browsers should completely block access to 0.0.0.0, thereby deprecating direct access to private network endpoints from public websites.
“When services use localhost, they assume they are in a controlled environment,” Lumelsky said. “This assumption, which can (as in the case of this vulnerability) be incorrect, leads to insecure server implementations.”
“Using 0.0.0.0 together with the ‘no-cors’ mode, attackers can use public domains to attack services running on localhost and even achieve arbitrary code execution (RCE), all using a single HTTP request.”
Similar cases occurred in the past
0.0.0.0 day certainly wasn’t the first (and won’t be the last) security issue to hit various operating systems.
Over the years, several similar issues have emerged that have exposed vulnerabilities in web browsers and local networks. For example, CVE-2018-11763 involved a flaw in Apache HTTP Server that allowed attackers to execute arbitrary code on vulnerable servers via specific requests.
Another well-known case was Cross-Site Request Forgery (CSRF), which allowed attackers to perform unauthorized actions on trusted websites by tricking the user and the browser. Additionally, DNS rebinding, a technique used to bypass browser security policies, allowed attackers to hijack DNS resolution to execute malicious code on local devices.
These examples demonstrate how crucial it is to maintain high security standards in browsers and network applications to prevent unauthorized access and protect sensitive data.
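One server-side check a localhost service can apply against the 0.0.0.0 request path described above, and against the CSRF and DNS rebinding cases just mentioned, is to validate the Host and Origin headers of every request. The following is an added example, not code from Oligo Security or any browser vendor; the function names, the `public.example` and `rebind.example` hosts, and the sample requests are constructed for illustration, and plain HTTP is assumed.

```python
"""Added example: header gate for an HTTP service meant for loopback use only."""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}  # names a local client would use


def split_host(host_header):
    """Split a Host header into (lowercased host, port); plain HTTP assumed."""
    value = host_header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:4444
        host, _, rest = value.partition("]")
        host += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host, int(port) if port.isdigit() else 80


def check_request(headers, listen_port, trusted_origins=()):
    """Return (allowed, reason) for one request, given its headers as a dict."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    host, port = split_host(hdrs.get("host", ""))
    # A browser sent to http://0.0.0.0:4444/ or to a rebound DNS name puts that
    # name in Host, so an allowlist rejects both even though the TCP peer is local.
    if host not in LOOPBACK_HOSTS or port != listen_port:
        return False, "host"
    # Browsers send Origin with cross-site POSTs, 'no-cors' ones included; accept
    # only the service's own origins plus any the operator listed explicitly.
    suffix = "" if listen_port == 80 else f":{listen_port}"
    own = {f"http://{h}{suffix}" for h in LOOPBACK_HOSTS}
    origin = hdrs.get("origin")
    if origin is not None and origin.lower() not in own | set(trusted_origins):
        return False, "origin"
    return True, "ok"


# Constructed sample requests (not captured traffic) for a service on port 4444.
SAMPLES = {
    "local client": {"Host": "127.0.0.1:4444"},
    "own web UI": {"Host": "localhost:4444", "Origin": "http://localhost:4444"},
    "0.0.0.0 from a public page": {"Host": "0.0.0.0:4444", "Origin": "https://public.example"},
    "rebound DNS name": {"Host": "rebind.example:4444"},
    "cross-site POST to localhost": {"Host": "localhost:4444", "Origin": "https://public.example"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:30} -> {check_request(headers, 4444)}")
```

A header gate like this complements, and does not replace, authentication on the local service itself.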