Bug 1510816 (CVE-2017-16541)

Summary: CVE-2017-16541 Mozilla: Proxy bypass using automount and autofs
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cschalle, gecko-bugs-nobody, jamielinux, jhorak, lewk, mh, pwouters, rh-bugzilla, s, stransky
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20171103,reported=20171104,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,fedora-all/tor=notaffected,epel-all/tor=notaffected,rhel-7/firefox=affected,rhel-6/firefox=affected,rhel-7/thunderbird=affected,rhel-6/thunderbird=affected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Firefox proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a `file:` URI, bypassing configured proxy settings. This issue only affects OS X in default configuration; on Linux systems, autofs must also be installed for the vulnerability to occur.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-13 04:57:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1623040, 1510817, 1510818, 1623016, 1623017, 1623037, 1623039, 1625533, 1625535, 1636821    
Bug Blocks: 1623023, 1636820    

Description Andrej Nemec 2017-11-08 09:55:55 UTC
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil.

Upstream issue:

https://trac.torproject.org/projects/tor/ticket/24052

References:

https://blog.torproject.org/tor-browser-709-released
https://www.bleepingcomputer.com/news/security/tormoil-vulnerability-leaks-real-ip-address-from-tor-browser-users/
https://www.wearesegment.com/research/tormoil-torbrowser-unspecified-critical-security-vulnerability/

Comment 1 Andrej Nemec 2017-11-08 09:56:21 UTC
Created tor tracking bugs for this issue:

Affects: epel-all [bug 1510817]
Affects: fedora-all [bug 1510818]

Comment 4 Doran Moppert 2018-09-06 01:41:26 UTC
This was found to be a bug in Firefox ESR, fixed in 60.2:

Browser proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a `file:` URI, bypassing configured proxy settings.

*Note: this issue only affects OS X in default configurations. On Linux systems, autofs must be installed for the vulnerability to occur and Windows is not affected.*

External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2017-16541

Comment 5 errata-xmlrpc 2018-09-12 10:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2692 https://access.redhat.com/errata/RHSA-2018:2692

Comment 6 errata-xmlrpc 2018-09-12 10:57:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2693 https://access.redhat.com/errata/RHSA-2018:2693

Comment 8 Doran Moppert 2018-10-09 01:58:45 UTC
Statement:

This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts.

Comment 9 errata-xmlrpc 2018-10-30 16:56:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3403

Comment 10 errata-xmlrpc 2018-11-05 10:43:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3458 https://access.redhat.com/errata/RHSA-2018:3458