Mozilla Foundation Security Advisory 2021-21

Insecure Proxy Configuration in Hubs Cloud Reticulum

Announced

May 6, 2021

Impact

critical

Products

Hubs Cloud

Fixed in

• Hubs Cloud mozillareality/reticulum/1.0.1/20210428201255

The proxy functionality built into our Reticulum software package was overly permissive allowing access to internal URLs, including the metadata service, which could allow access to credentials specific to a Hubs Cloud Instance. Both existing and new Hubs Cloud instances have since been patched.

You can determine if your Hubs Cloud stack was abused by inspecting the HTTP access logs on the “app” EC2 instances associated with your Hubs Cloud stack. Check the logs for the presence of “/meta-data/iam/security-credentials/” string in the URI path which resulted in an HTTP 200 response.

To locate the running instances for your Hubs Cloud instance:

1. Go to AWS Marketplace (https://aws.amazon.com/marketplace) and log into your AWS Marketplace Account
2. In the top right drop down under "Hello, {username}" select "Your Marketplace Software"
3. On the "Manage Subscriptions" page under "Your subscriptions" type "Mozilla" into the search box to pull up all Mozilla products you are subscribed to
4. Select the "Manage" button on the subscription you want to update
5. On the "Manage Subscriptions" page, select the "Actions" dropdown and then "Instances" > "View Instances"
6. In the "View instances" display window you'll see region, instance ID, and status for all instances your Mozilla subscription is running

Detailed instructions for checking your logs:

1. In order to access your EC2 instance using SSH, you’ll need to follow the instructions in the “Server Access” section of your Hubs Cloud admin console. You will need the SSH key file that you used when setting up your Hubs Cloud stack.
2. Retrieve the server names for the “app” EC2 instances under your Hubs Cloud stack. The easiest way to do this is to filter the list of EC2 instances in the AWS Console.
   1. Visit the EC2 service in the AWS Console. Make sure you are in the region associated with your Hubs Cloud stack.
   2. In the “Instances” panel, filter the instances using “polycosm-type: app”
3. SSH into the instances in that filtered list using your SSH key file, the EC2 instance name and your internal domain name.
   • The SSH command will look something like this: ssh -i key_file ubuntu@server_name.domainname
4. Once you’ve accessed your EC2 instance, you can paste the following command into the terminal to determine if the vulnerability was exploited.
   • journalctl | grep "29954-no-results|$(journalctl | grep -i meta-data/iam/security-credentials | grep -o 'request_id=[^ ]\+' | tr '\n' '|' | sed 's/|$//g' | sed 's/|/\\|/g')" | grep ' 200 in ' | wc -l
5. If the output of the command above is a number other than zero (0), your stack was abused and you should contact Mozilla at hubs-support@mozilla.com for help.
6. You will have to do this for each of the “app” EC2 instances, since they each have their own separate access log.

Note: that web requests which contain the string “/meta-data/iam/security-credentials/” and result in an HTTP 401 response are an example of patched behavior, and should be treated as benign.

If you find any examples of this vulnerability being abused or have any questions, please contact Mozilla directly via hubs-support@mozilla.com

#CVE-2021-29954: Insecure Proxy Configuration

Reporter

Torsten Trumm

Impact

critical

Description

Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service.

References

• Bug Bounty Report