Here's a security vulnerability I didn't know about

Initially, this item gave me pause for a vulnerability concern, but, unless I misunderstand it, the issue was patched in April 2024. Did I get that wrong?

Ernie

1 Like

In response to this, Chrome will block access to 0.0.0.0 starting with Chromium 128, and Google will gradually roll out this change to be completed by Chrome 133. Apple has made changes to its WebKit open source software that block access to 0.0.0.0.

Mozilla doesn’t have an immediate fix, and has not implemented PNA in Firefox. According to Oligo, Mozilla did change the Fetch specification (RFC) to block 0.0.0.0 following its report.

I think it’s not yet fixed. I still have Chromium 127 on Debian.

I tried to enter 0.0.0.0:631 (CUPS) but I got only a “bad request”.
I should have seen something like site not accessible.
I’m thinking about how I could mitigate this outside of the browser. Maybe Firejail?

2 Likes

I think you got it right.
I have one process that uses 0.0.0.0
I must check it.

1 Like

I’m thinking that you may have to wait until Debian releases version 128 to get the patch.

Ernie

1 Like

I hope you’re right. Please respond after you check,

Ernie

1 Like

Hi Ernie,
I went to check, and I seem to have already removed 0.0.0.0.
So maybe there were issues and I removed it.

However I tried a ping

$ ping 0.0.0.0
PING 0.0.0.0 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.070 ms
^C
--- 0.0.0.0 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4082ms
rtt min/avg/max/mdev = 0.036/0.052/0.070/0.014 ms

It is still a valid address.
but
what is the ping finding?

$ traceroute 0.0.0.0
traceroute to 0.0.0.0 (0.0.0.0), 30 hops max, 60 byte packets
 1  localhost (127.0.0.1)  0.037 ms  0.010 ms  0.008 ms

it just finds localhost.
Of course I can ping that!

I tried what @kovacslt did
0.0.0.0:631 in browser
it says ‘Bad Request’
but localhost:631 works,
so I think Firefox is blocking use of 0.0.0.0

If I try to use it with firejail
firejail --private --dns=0.0.0.0 firefox -no-remote
it says ‘Server not found’
but Firefox starts up anyway, without a nameserver, so it can’t find anything other than Google.

What I normally do with firejail is
firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote
which is the way @Rosika showed me to do it.
That works, because it has 2 valid nameservers.

So I think the conclusion is my Firefox is blocking use of 0.0.0.0, but it can be accessed from outside of a browser.

$ firefox --version
Mozilla Firefox 127.0.1

Regards
Neville

3 Likes
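The ping output above shows 0.0.0.0 answering as 127.0.0.1 on that Linux machine, so the services worth reviewing are the ones listening locally. The following is an added example, not part of any post in this thread: it sorts listening TCP sockets by bind address. The function names and the sample lines are constructed, and the input is assumed to be in the column layout of `ss -H -ltn` from iproute2.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets by the address they are bound to.
# Input layout assumed: `ss -H -ltn` (State Recv-Q Send-Q Local:Port Peer:Port).

classify_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4
        # Split at the last colon, because IPv6 addresses contain colons too.
        n = match(laddr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        sub(/%.*$/, "", addr)      # drop an interface suffix such as %lo
        sub(/^\[/, "", addr)       # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr == "0.0.0.0" || addr == "*" || addr == "::")
            scope = "all-interfaces"     # wildcard bind
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback-only"      # local machine only
        else
            scope = "specific-address"
        print port, scope, addr
    }' | LC_ALL=C sort -n
}

# Constructed sample in the `ss -H -ltn` layout (not output from any real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128      127.0.0.1:631    0.0.0.0:*
LISTEN 0 4096       0.0.0.0:22     0.0.0.0:*
LISTEN 0 128          [::1]:631       [::]:*
LISTEN 0 511              *:80           *:*
LISTEN 0 128   192.168.1.10:8080   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53     0.0.0.0:*
EOF
}

# On a live system: ss -H -ltn | classify_listeners
sample_ss_output | classify_listeners
```

Each output line is port, scope and bind address; adding `-p` to `ss` (as root) shows the owning process, but changes the column count this parser expects only by appending a field, which it ignores.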

Thank you for the feedback. I use Firefox here, so your results make me feel better about this issue. However, I will keep an eye on it, just in case.

Ernie

2 Likes

Can I be really stupid and ask about 0.0.0.0 and why it’s a security issue?

Especially when the cups driver appears fine with the extra bit of numbers added.

It’s a long time since I looked at IP addresses and I did think we were moving to IPv6. With that, does it go away or is that worse?

I know in principle 192.168.1.1 is my router but not always.

Should this be a new topic looking at IP addresses?

First, let me say that the only stupid question is the one you don’t ask. Asking questions is the only way most of us learn anything.

Next, the only thing I know about these vulnerabilities is that they have something to do with how web browsers handle requests involving 0.0.0.0, at least that’s what the linked item suggests.

As my title indicates, this item is the first I’ve heard about this vulnerability, although I get the impression that it’s been around for a while. For the time being, I’m waiting to learn if there’s anything to worry about, or if it’s been patched/mitigated.

UPDATE

I found this item that better explains the issue, and links to the original researcher’s note on how to mitigate this for now.

I know this isn’t much help, but it’s all I have to offer for now, until I learn more,

Ernie

2 Likes

I think I need to know more about IP addressing and sub masks.

Yes, I know what my IP is, how that connects, and how addresses are really IP numbers in simple terms, but I think there is a lot more I don’t follow.

I looked the topic up on the Internet, and I think this item may be a good place to start learning. I hope this helps,

Ernie

2 Likes

Wikipedia seems to be the best definitive statement on 0.0.0.0.
It can mean
“This network”
or
“No specific IP address”
or
it can be like leaving the IP address blank… requiring attention.
Linux treats it differently to Windows.

It is not normally used as a destination, but is often used as a source address.
Sort of a NULL address, I think?

4 Likes

If anyone is interested, there are some opinions on this subject here.

https://linux.org/threads/you-need-to-block-0-0-0-0.51289/

4 Likes

Thank you for the link. It includes instructions to do the following to mitigate this vulnerability. Install uBlock Origin, and in settings, do the following. Select the Filter List tab. Expand the Privacy area. Select/Enable ‘Block Outsider Intrusion into LAN’.

NOTE
To get to uBlock Origin settings, click the ‘Extensions’ (jigsaw puzzle) icon (top-right). Select the Extensions item in add-ons manager. Under ‘Enabled’ in the uBlock Origin item, click the ellipsis icon (at right), and select Preferences.

I hope it helps,

Ernie

2 Likes

I had no idea what uBlock was so I looked it up.
It’s a browser extension… intended for blocking ads.
I thought browser extensions were suspect for security reasons?

2 Likes

I’ve seen that reported time and again, to my mind the best policy is not to have any but must admit having an adblocker extension in a browser that doesn’t block ads helps in my case. I don’t personally use uBlock, my preferred blocker is Ghostery.

2 Likes

This from UCB seems to be a level-headed approach to browser extension security

https://security.berkeley.edu/education-awareness/browser-extensions-how-vet-and-install-safely

I think the trusted source bit is the most critical.

1 Like

I agree, and finding a trustworthy source ain’t that easy these days.
Too much false info out there.

2 Likes