As part of the beta testing phase that took place earlier this year for our recently launched Software Composition Analysis solution, CxSCA, the Checkmarx Security Research Team investigated Mozilla-Bleach, finding multiple concerning security vulnerabilities. Patches were released in mid-March 2020, with Checkmarx CxSCA customers using Bleach receiving notice of the issues in advance. Given that the patches have been in-market for some time, giving Bleach users sufficient time to update their software versions, we’re now publishing the full technical report and proof-of-concept video for educational purposes.
Vulnerability: CVE-2020-6816

Shortly after, the Checkmarx Security Research Team discovered another mXSS vulnerability in Mozilla-Bleach, this time involving the svg/math tags. The caveat here is that content inside those tags is parsed with XML-like rules. So, if we enter, for example, a style tag, the data inside it is parsed differently depending on whether the style tag sits inside or outside the svg.

Inside an svg tag:

Without an svg tag:

This shows how differently the data inside the style tag is parsed. In addition, some unwanted tags placed inside svg/math (e.g., <img>) automatically pop out of the svg/math and are parsed as HTML. When the team tried to put a malicious img tag in svg/math->style->img, Bleach acted strangely. If the img tag was whitelisted, Bleach parsed it like the browser and sanitized unwanted attributes as expected. When the “strip” variable was set to true (meaning disallowed data is deleted instead of escaped; the default is false), the tag was deleted. But when “strip” was left at its default, we could use any tag that wasn’t allowed and bypass Bleach. After further investigation, we saw that html5lib (the parser behind Bleach) does recognize the data inside svg->style as tags, yet Bleach did not sanitize the unwanted tags.
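The check below is an added example, not Bleach's or Checkmarx's code: it audits a sanitizer's output for tags that plain-HTML parsing (and Python's html.parser) treats as CSS text inside <style> but that a browser re-tokenizes as markup once the style element sits inside svg/math, which is the parsing difference this section describes. The names (audit_sanitized, ForeignContentAuditor) and the sample input are constructed, and it uses only the standard library, so it runs with or without Bleach installed.

```python
# Added example (not Bleach's or Checkmarx's code): audit sanitizer output for
# disallowed tags hidden inside svg/math. A plain-HTML <style> body is CSS text,
# but inside <svg>/<math> a browser tokenizes the same text as markup, which is
# the parsing difference behind CVE-2020-6816. Standard library only.
import re
from html.parser import HTMLParser

FOREIGN_ROOTS = {"svg", "math"}
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9:-]*)")  # tag-like tokens in text

class ForeignContentAuditor(HTMLParser):
    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed_tags}
        self.foreign_depth = 0  # nesting depth inside <svg>/<math>
        self.in_style = False
        self.findings = []  # (tag, context in which it was found)

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN_ROOTS:
            self.foreign_depth += 1
        if tag == "style":
            self.in_style = True
        if tag not in self.allowed:
            self.findings.append((tag, "element"))

    def handle_endtag(self, tag):
        if tag in FOREIGN_ROOTS and self.foreign_depth:
            self.foreign_depth -= 1
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        # html.parser hands <style> content over as raw text; re-tokenize it
        # only where a browser would, i.e. inside svg/math foreign content.
        if self.in_style and self.foreign_depth:
            for name in TAG_RE.findall(data):
                if name.lower() not in self.allowed:
                    self.findings.append((name.lower(), "style-in-foreign-content"))

def audit_sanitized(html, allowed_tags):
    """Return [(tag, context), ...] for every tag outside the allowlist."""
    auditor = ForeignContentAuditor(allowed_tags)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    # Constructed sample shaped like output a vulnerable Bleach passed through.
    print(audit_sanitized('<svg><style><img src="x"></style></svg>', ["svg", "style"]))
```

Run it over bleach.clean() output in a test suite; an empty result for inputs that nest tags inside svg/math->style is what a fixed version (3.1.2 or later) should produce.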
Impact

According to GitHub, more than 72,000 repositories are dependent on Bleach. Among them are major vendors, including multiple Fortune 500 tech companies.
Summary of Disclosure and Events

When the first vulnerability was discovered, our research team first confirmed that they could reproduce the exploitation process. Once that was confirmed, the Checkmarx team responsibly notified Mozilla of their findings. A Bugzilla ticket was then opened, in which the team helped Mozilla settle on a proper mitigation approach, and the issue was fixed rapidly. Soon after that, the second vulnerability was discovered by the research team. Again, a responsible notification was sent to Mozilla, and a Bugzilla ticket was quickly opened and resolved. Checkmarx customers using CxSCA were automatically notified to update Mozilla-Bleach.
Bugzilla tickets

- CVE-2020-6802 - https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
- CVE-2020-6816 - https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
Timeline of Disclosure
- 13-Feb-2020: First vulnerability reported
- 14-Feb-2020: Checkmarx customers who were using Bleach were warned, without exposing the vulnerability's details
- 19-Feb-2020: Fixed version v3.1.1 and an advisory on GitHub were released
- 25-Feb-2020: CVE-2020-6802 was assigned
- 11-Mar-2020: Second vulnerability reported
- 11-Mar-2020: Checkmarx customers who were using Bleach were warned, without exposing the vulnerability's details
- 17-Mar-2020: Fixed version v3.1.2 and an advisory on GitHub were released
- 19-Mar-2020: CVE-2020-6816 was assigned