CVE-2019-11728 in Firefox
Summary
by MITRE
The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that is accessible to a user when web content is loaded. This vulnerability affects Firefox < 68.
Analysis
by VulDB Data Team • 07/10/2020
CVE-2019-11728 affects Firefox versions before 68. The HTTP Alternative Services header (Alt-Svc, defined in RFC 7838) lets an origin tell the browser that the same resources are also reachable through an alternative endpoint, typically another host or port speaking HTTP/2, so that later requests can move there for better performance and reliability. In affected versions, Firefox's handling of this header let a malicious site steer the browser into probing TCP ports on hosts of the attacker's choosing. The attacker's server never has to reach those hosts itself; the victim's browser does the probing from wherever the user sits.
The flaw lies in what Firefox does with the advertised endpoint. When a response carries an Alt-Svc value naming a host and port, the browser attempts a TCP connection to that endpoint before it has any reason to trust it. The outcome of that attempt (an accepted connection, an immediate refusal, or a timeout) is observable to the page, for example through timing differences in later requests, so a site that serves one Alt-Svc value per target port and measures each result can enumerate the open ports on a host. This is active scanning, not passive observation: every probe is a real connection attempt made from the user's machine. It needs no plugin, elevated privilege or direct access to the target network; the page only has to get the browser to process a response header.
The impact goes beyond a list of open ports. The browser's connection attempts reveal which hosts exist and which services they run, information that maps the network the user sits on and points an attacker at further targets. Because the scan runs from the user's machine, it reaches anything the user can reach, including internal devices, management interfaces and localhost services that are never exposed to the internet. That makes the issue most serious on corporate and home networks, where a single visit to a hostile page turns the browser into a scanner positioned behind the perimeter.
The weakness maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): what leaks is information about network services, obtained indirectly through the browser. In MITRE ATT&CK terms the behaviour is T1046, Network Service Discovery (formerly listed as Network Service Scanning), with the victim's browser standing in for the adversary's scanner. A looser mapping is T1071.001, Application Layer Protocol: Web Protocols, since the abuse rides on ordinary HTTP responses; T1071 describes command-and-control traffic rather than reconnaissance, so that mapping is approximate. The general lesson is that a protocol feature meant for performance, followed without restriction, becomes a reconnaissance primitive, which is why the issue matters to any organisation running Firefox.
The fix is to run Firefox 68 or later, where Alt-Svc handling was tightened so that a page can no longer use the header to drive connections of this kind. Beyond patching, the scanning pattern is detectable: one workstation opening many short-lived connections to many ports on a single host within a short window, originating from the browser process, should raise an alert, and web-proxy logs can be checked for Alt-Svc headers that point at internal addresses or unusual ports. Network segmentation and internal firewall rules limit what a browser-based scan can reach even while a client is still vulnerable. Browser inventory and regular assessments should confirm that no pre-68 versions remain, since a single outdated client is enough to expose the network it sits on. The case also shows why a client must treat protocol features that trigger connections on a server's instruction with the same caution as any other untrusted input.