Advisory for CVE-2018-7213 | Abine Blur Web Extension
CVE Project Overview
Skip this section if you already understand the CVE Project.
(Source: https://cve.mitre.org/about/index.html)
Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities.
Use of CVE Entries, which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.
CVE is:
- One identifier for one vulnerability or exposure
- One standardized description for each vulnerability or exposure
- A dictionary rather than a database
- How disparate databases and tools can “speak” the same language
- The way to interoperability and better security coverage
- A basis for evaluation among services, tools, and databases
- Free for public download and use
- Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE
Why CVE
With & Without CVE
CVE was launched in 1999 when most cybersecurity tools used their own databases with their own names for security vulnerabilities. At that time there was significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.
CVE’s common, standardized identifiers provided the solution to these problems.
CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries — also called “CVEs,” “CVE IDs,” and “CVE numbers” by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Entries also provides a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
CVE ID number
(i.e., “CVE-1999-0067”, “CVE-2014-10001”, “CVE-2014-100001”).
The CVE Contains:
A brief Description of the security vulnerability or exposure. Any pertinent References (i.e., vulnerability reports and advisories).
The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds References, and then the completed CVE Entry is added to the CVE List and posted on the CVE website by the CVE Team.
Topic: Abine Blur Password Manager Insecure Permissions
- Category: Abine Blur
- Module: Blur Web Extension
- Announced: 2018-03-10
- Credits: RS Tyler Schroder
- Affects: 7.8.242*
- Corrected: 2018-02-28
- CVE Name: CVE-2018-7213
I. Background
Abine Blur is a password management suite combined with online anonymity tools
II. Problem Description
CVE Description
The Password Manager Extension in Abine Blur 7.8.242* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data.
Technical
Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.
III. Impact
Access to secured data can lead to secure information exfiltration, a 2FA bypass, and a further undisclosed MacOS(x) disk encryption console bypass (to access secured Abine Blur data).
IV. Workaround
No workaround, as the vendor has issued a patch.
V. Solution
Update your browser plug-in per your browser vendor’s instructions. Firefox 5x.xx and Chrome 63.x are known to automaticlly update to the latest version.
VI. Timeline of Events
- 2018-02-13: Discovery of Vulnerability
- 2018-02-13: Vendor Contacted
- 2018-02-14: CERT/CC activated for vendor PGP coordination
- 2018-02-14: Vendor responds (PGP)
- 2018-02-15: CERT/CC [VU#714299] unable to assist further
- 2018-02-16: MITRE Contacted for CVE
- 2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
- 2018-02-28: Patch Issued
- 2018-03-10: Public Disclosure.