Lucene search

K
talosTalos IntelligenceTALOS-2017-0306
HistorySep 06, 2017 - 12:00 a.m.

Microsoft Edge Content Security Bypass Vulnerability

2017-09-0600:00:00
Talos Intelligence
www.talosintelligence.com
39

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.1

Confidence

Low

EPSS

0.007

Percentile

79.6%

Summary

An exploitable information leak vulnerability exists in the Content Security Policy enforcement functionality of Microsoft Edge 40.15063.0.0. A specially crafted web page can cause a content security policy bypass resulting in an information leak. An attacker can create a malicious webpage to trigger this vulnerability.

Tested Versions

Microsoft Edge 40.15063.0.0

Product URLs

https://www.microsoft.com/en-us/windows/microsoft-edge

CVSSv3 Score

4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-284: Improper Access Control

Details

An attacker can bypass the Content-Security-Policy header that is used to make the browser protect against information leakage from a web site.

By loading a new document using window.open(β€œβ€,”_blank”) and document.write-ing into it, (being in about:blank) an attacker can circumvent the CSP restrictions put on the document that the original page’s Javascript code was running on and reach out to other sites. One could argue that the code was loaded with unsafe-inline in the CSP header, but that should still block any cross-site communication (e.g. 1x1px tracking image etc).

The about:blank page has the same origin as its loading document, but CSP restrictions have been removed. The spec is pretty explicit that the CSP restrictions should be inherited: https://w3c.github.io/webappsec-csp/#initialize-document-csp.

Tests show that e.g. Firefox does not show this behavior, but rather makes the new document inherit CSP from its loading document. This vulnerability was also present in Apple Safari (CVE-2017-2419) and Google Chrome (CVE-2017-5033) and was corrected there.

Timeline

2016-11-29 - Initial vendor contact by Nicolai
2016-12-01 - Vendor confirms receipt
2017-01-04 - Follow up with Vendor
2017-01-04 - Vendor confirms reproduction
2017-03-06 - Follow up with Vendor
2017-03-07 - Vendor says this is by design and does not consider it a vulnerability
2017-03-07 - More information provided to vendor
2017-03-29 - Talos involvement, asks vendor to reconsider
2017-06-06 - Follow up with vendor
2017-06-07 - Vendor reopens case to reconsider
2017-08-22 - Vendor informed about pending release date
2017-09-06 - Public Release

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.1

Confidence

Low

EPSS

0.007

Percentile

79.6%