A Zero Day that went undiscovered for 18 years

by Black Hat Middle East and Africa

Eighteen years is a long time by anyone’s standards – and it’s certainly a long time for a vulnerability to go undetected and unpatched. 

But in early April 2024, researchers at Oligo Security disclosed their discovery of a critical vulnerability, dubbed the ‘0.0.0.0 Day,’ that puts all major web browsers at risk – including Firefox, Chromium, and Safari. 

The vulnerability “allows malicious websites to bypass browser security and interact with services running on an organisation’s local network,” they reported, which could lead to unauthorised access and the execution of remote code on local services. 

Inconsistent security mechanisms leave room for threat actors to manoeuvre 

According to Oligo, the problem is rooted in the inconsistent implementation of security mechanisms across different browsers, and a lack of standardisation in the browser industry. This means that the seemingly harmless IP address, 0.0.0.0, can be leveraged by attackers to exploit local services. 

Both individuals and organisations can be affected by related attacks, as the discovery of active exploitation campaigns, including ShadowRay, has made evident. So although the issue has been around for a long time, it now needs to be addressed urgently. 

One bug report dating back to 2006 highlights this as a long-standing issue, and at the time of writing the bug still hasn’t been fixed. That report described public websites attacking a user’s router on the internal network, noting that websites shouldn’t be able to do this. At that time, however, internal networks were insecure by design, as the Oligo researchers note: authentication was widely absent and HTTPS had limited reach, so websites were loaded over plain HTTP, which was easy to exploit. 

Remediation is in progress 

Now that the issue has been disclosed, browsers will soon block access to 0.0.0.0, and it will no longer be permitted as a target IP in the Fetch specification, which defines how browsers behave when making HTTP requests. 

Because of the complexity of patching across different browsers, it’s taking time to ensure that the vulnerability is no longer exploitable – and without standardisation, different browsers are implementing different remediations. 

In the meantime, Oligo encourages developers to protect local applications by: 

  • Implementing PNA (Private Network Access) headers.
  • Verifying the HOST header of requests.
  • Not putting trust in localhost networks just because they’re ‘local’, and adding layers of authorisation even when running on localhost.
  • Using HTTPS.
  • Implementing CSRF tokens in applications (including local applications).
  • Recognising that browsers act as network gateways, and they offer opportunities to route to internal IP address spaces.
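The measures above, applied together, as an added example written for this post (it is not code from the article or from Oligo Security): a request gate for a service bound to 127.0.0.1 that validates the Host header (which is where a service can refuse requests arriving as 0.0.0.0), answers Private Network Access preflights only for listed origins, requires a bearer token even on localhost, and demands a CSRF token on state-changing requests. Port 8080, the origin allow-list and the token values are constructed for the demonstration; the `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` headers are the ones the PNA specification uses.

```python
"""Added example, not code from the article or Oligo: a request gate for a
loopback-only service.  Port, origins and tokens below are constructed."""
import hmac
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Host values a loopback-only service should accept.  0.0.0.0 is deliberately
# absent: a user reaches a local service as localhost/127.0.0.1/[::1], so a
# Host of 0.0.0.0 marks a request that arrived through the browser gap above.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed allow-list of web origins permitted to cross the private-network
# boundary (PNA) into this service.  Keep it explicit and short.
ALLOWED_ORIGINS = {"http://localhost:3000"}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


def host_is_local(host_header: str, expected_port: int) -> bool:
    """Accept only a loopback name/address on the port the service bound."""
    raw = host_header.strip()
    try:
        parts = urlsplit("//" + raw)
        host, port = parts.hostname, parts.port      # .port raises on junk
    except ValueError:
        return False
    if parts.netloc != raw or host is None:          # path or '@' smuggled in
        return False
    port_ok = port == expected_port or (port is None and expected_port in (80, 443))
    return host in ALLOWED_HOSTS and port_ok


def pna_preflight(h: dict) -> Decision:
    """Answer a Private Network Access preflight.  The browser proceeds only if
    the response carries Access-Control-Allow-Private-Network: true, so leaving
    it out for an unlisted origin makes the browser fail the fetch."""
    origin = h.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, 403, "origin not allowed across private-network boundary")
    return Decision(True, 204, "pna preflight accepted", {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Private-Network": "true",
        "Access-Control-Allow-Headers": "Authorization, X-CSRF-Token, Content-Type",
        "Vary": "Origin",
    })


def bearer_ok(h: dict, api_token: str) -> bool:
    """Require a bearer token even on localhost; compare in constant time."""
    scheme, _, presented = h.get("authorization", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        presented.strip().encode(), api_token.encode())


def csrf_ok(method: str, h: dict, csrf_token: str) -> bool:
    """State-changing requests must carry the per-session CSRF token."""
    if method.upper() not in STATE_CHANGING:
        return True
    return hmac.compare_digest(h.get("x-csrf-token", "").encode(), csrf_token.encode())


def evaluate(method: str, headers: dict, *, expected_port: int,
             api_token: str, csrf_token: str) -> Decision:
    """Run the checks in order and return the first refusal, or allow."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not host_is_local(h.get("host", ""), expected_port):
        return Decision(False, 421, "host header is not this service's loopback address")
    if method.upper() == "OPTIONS" and \
            h.get("access-control-request-private-network", "").lower() == "true":
        return pna_preflight(h)
    if "origin" in h and h["origin"] not in ALLOWED_ORIGINS:
        return Decision(False, 403, "cross-origin request from unlisted origin")
    if not bearer_ok(h, api_token):
        return Decision(False, 401, "missing or wrong bearer token")
    if not csrf_ok(method, h, csrf_token):
        return Decision(False, 403, "missing or wrong csrf token")
    return Decision(True, 200, "ok")


class GatedHandler(BaseHTTPRequestHandler):
    """Constructed loopback service that consults evaluate() before any work."""
    API_TOKEN = "example-api-token"    # constructed; load from a protected file in practice
    CSRF_TOKEN = "example-csrf-token"  # constructed; normally issued per session

    def _gate(self) -> None:
        d = evaluate(self.command, dict(self.headers), expected_port=self.server.server_port,
                     api_token=self.API_TOKEN, csrf_token=self.CSRF_TOKEN)
        self.send_response(d.status)
        for name, value in d.headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if d.status != 204:                # real handlers do their work only if d.allowed
            self.wfile.write(d.reason.encode())

    do_GET = do_POST = do_OPTIONS = _gate


if __name__ == "__main__":
    # Bind the loopback address explicitly; binding 0.0.0.0 would also expose
    # the service on every other interface.
    HTTPServer(("127.0.0.1", 8080), GatedHandler).serve_forever()
```

The checks run in a fixed order so that the cheapest and most decisive one (the Host header) refuses a request before any secret is compared; the Host check also rejects a port that does not match the bound one and anything with a path or userinfo smuggled into the header. Serving over HTTPS, the remaining item in the list, is a deployment matter (a local certificate in front of this handler) rather than something the gate itself can enforce.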

As cybersecurity research strengthens, we’ll keep discovering old vulnerabilities 

In 2018, cybersecurity expert Joseph Steinberg wrote this article for Inc., exploring why long-standing vulnerabilities are frequently discovered by several unrelated researchers at the same time; for example, Meltdown and Spectre had both been around for about 20 years before four different research teams discovered them at the same time. 

The circumstances around the discovery of old vulnerabilities often seem coincidental, but the research community’s focus at a given moment drives researchers to look in certain places. On top of that, cybersecurity research tools and practices are improving and evolving all the time, so researchers are increasingly able to uncover vulnerabilities that were missed in previous years. 

It’s surprising to discover a Zero Day that’s been active for nearly two decades. But it’ll happen again – and as developers continue to strengthen their technical capabilities and deepen their knowledge, we’ll see more buried vulnerabilities rise to the surface of the threat landscape.

Join us at Black Hat MEA 2024 to discover the latest developments in international cybersecurity standards. 
