A vulnerability affecting all major browsers, dubbed “0.0.0.0 Day,” could enable attackers to send malicious requests to local networks, potentially leading to remote code execution (RCE).
Oligo Security disclosed the flaw on Wednesday, detailing how the ability to contact the 0.0.0.0 IP address from public websites puts services running on the localhost on macOS and Linux devices at risk. Notably, Windows devices are not affected due to Windows blocking 0.0.0.0 access at the operating system level.
The researchers discovered that sending a single crafted HTTP POST request to 0.0.0.0 successfully redirected the request to the localhost (127.0.0.1) despite standards such as Cross Origin Resource Sharing (CORS) and Chrome’s Private Network Access (PNA) being designed to block public domains from contacting local networks.
Attackers could exploit this vulnerability by setting up a malicious public site that sends a crafted request to 0.0.0.0 when visited. Because most applications assume a certain level of safety when running on the localhost, few applications have sufficient authentication and authorization measures to prevent a request exploiting 0.0.0.0 Day from executing arbitrary code, the researchers found.
Browsers begin blocking 0.0.0.0 access
Mozilla Firefox, Apple Safari, Google Chrome and Chromium-based browsers such as Microsoft Edge are all affected by this flaw, which was reported to the browser maintainers by Oligo in early April 2024.
In response to the report, all three companies took action toward blocking 0.0.0.0 access. Google began deprecating 0.0.0.0 access for PNA starting with Chromium 128, with plans to completely block access by the release of Chromium 133.
Apple made changes to its WebKit software, which drives Safari and other iOS browsers, to block requests to the 0.0.0.0 IP address. Mozilla also updated the Fetch standard to block 0.0.0.0 access, with a direct fix to Firefox in progress, the researchers said. Mozilla also plans to implement PNA for Firefox in the future.
Discovery of the 0.0.0.0 Day flaw demonstrated a need for better standardization of security measures across all browsers, according to Oligo Security, which hoped that PNA will become the new accepted standard, extending the safety afforded by CORS.
How app developers, users can address 0.0.0.0 Day vulnerability
As browser maintainers work to remediate the 0.0.0.0 Day flaw, app developers and users also have a role in preventing its exploitation. As noted, many applications do not require Cross Site Request Forgery (CSRF) token verification or any other authentication or authorization measures when running on localhost due to inherent trust that localhost is a safe and constrained environment.
The Oligo Security researchers recommend app developers add a layer of authorization and implement CSRF tokens even when running on localhost, noting Jupyter Notebook as a good example of an application that implements token-based authentication by default. They also recommended implementing PNA headers, verifying the HOST header of requests and using HTTPS when possible.
Users can also protect their own machines by taking measures to block redirects to the localhost from 0.0.0.0, Boris Cipot, senior sales engineer at Synopsys Software Integrity Group, told SC Media in an email.
“Starting with the machine configuration and network security standpoint, restricting local services to specific IP addresses rather than allowing a redirect from 0.0.0.0 would be the first step,” Cipot said. “Also making sure that external entities cannot interact with the localhost is advisable. Therefore, making sure that the firewall configuration restricts this communication and other network tools monitor any attempts to do so.”
Users should also take care not to visit untrusted websites that could send out malicious requests and ensure their browser software remains updated to apply all fixes for 0.0.0.0 Day as they roll out, Cipot concluded.
