New Bug in Bugzilla Software Could Expose Zero-Day Vulnerabilities

A Critical vulnerability discovered in Mozilla’s popular Bugzilla bug-tracking software, used by hundreds of thousands of prominent software organizations, could potentially expose details of their non-public security vulnerabilities to the Hackers.

So it’s time for developers and organizations that use Bugzilla open source bug tracking system to upgrade to the latest patched versions – namely 5.0.1, 4.4.10, or 4.2.15.

Bugzilla is a vulnerability database used by Mozilla as well as many open-source projects and private organizations. Besides patched flaws, these databases also contain sensitive information related to unpatched vulnerabilities reported to organizations.

Unfortunately, the researchers at security firm PerimeterX have discovered a vulnerability (CVE-2015-4499) in Bugzilla’s email-based permissions process that allowed them to gain high-level permissions on Bugzilla.

As a result, it is potentially possible for an attacker to easily access unpatched bugs in your database, which could then be exploited to attack affected pieces of software on people’s computers before security patches are released.

So, anyone who uses Bugzilla and its email-based permissions is affected, including popular free software projects such as Apache Project, LibreOffice and Red Hat.

Incredibly Easy to Exploit

According to the researchers, the vulnerability is “incredibly easy to exploit.” To exploit the vulnerability, all an attacker need is to register for a regular account via email and trick the system into believing that the attacker is part of a privileged domain.

This causes the system into believing that the attacker is part of a privileged domain and grant domain-specific permissions.

> **_“The implications of this vulnerability are severe,” _**PerimeterX’s security researcher Netanel Rubin wrote in a blog post. _“It could allow an attacker to access undisclosed security vulnerabilities in hundreds of products… Imagine the hundreds or thousands of zero-days and other security vulnerabilities that could potentially be exposed.” _

Rubin said the flaw was tested on Mozilla’s Bugzilla.mozilla.org and found that all Perl-based Bugzilla versions, including 2.0 to 4.2.14, 4.3.1 to 4.4.9, 4.5.1 to 5.0, were vulnerable at the time of the report.

It’s not clear whether the Bugzilla vulnerability has been used by malicious hackers to gain access to more unpatched vulnerabilities.