-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

################################################################################
#                                                                              #
#                         SNOWHAZE SECURITY ADVISORIES                         #
#                                                                              #
################################################################################

=================================== SSA 006 ====================================

Page settings applied in a counter-intuitive manner.

DETAILS
Under specific circumstances, SnowHaze would apply different page settings than
most users would expect.

IMPACT
Websites may be able to perform operations that the user intended to block.

FIX
The application of page settings has been reworked to provide more
understandable results.

AFFECTED VERSIONS
SnowHaze 3.1 is affected.

WORKAROUND
Apply additional care when setting up per-page policies with the affected
SnowHaze version.

RESOLUTION
Update to SnowHaze version 3.1.1 (released January 19, 2021) or newer.

SEVERITY
Medium

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

=================================== SSA 005 ====================================

DNS queries leaked with some OpenVPN clients.

DETAILS
A server misconfiguration causes a split tunnel with some OpenVPN clients.

IMPACT
Some DNS queries can be leaked to a third-party DNS server.

FIX
The server configuration has been updated.

RESOLUTION
Ensure that your OpenVPN connections were established on or after Aug 04, 2020.

SEVERITY
Medium

CREDITS
Thanks to kilobit for reporting this issue.

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

=================================== SSA 004 ====================================

Domain names in page settings truncated in the middle.

DETAILS
The page settings display the domain name of the page they affect. If it is too
long, the line is truncated.
Versions of SnowHaze prior to 2.6.7 performed this truncation in the middle of
the domain name.

IMPACT
Since later domain name components are more important in determining who
controls a page, this can facilitate social engineering attacks by hiding
important information in favour of data often chosen to be misleading.

FIX
Domain names are now truncated at the beginning, ensuring that the more
important components remain visible.

AFFECTED VERSIONS
All versions of SnowHaze prior to 2.6.7 (released February 24, 2020) are
affected.

WORKAROUND
Manually check which site is open if the domain name is truncated in the page
settings.

RESOLUTION
Update to SnowHaze version 2.6.7 (released February 24, 2020) or newer.

SEVERITY
Medium

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

=================================== SSA 003 ====================================

Tab setting no longer applied to closed tabs.

DETAILS
Tabs which are closed are sometimes not immediately released in order to enable
undoing the closing of the tab. In such cases, the tab settings were not applied
to the tab properly.

IMPACT
A webpage loaded in a tab with more restrictive settings may take advantage of
more permissive global settings to perform a prohibited action.

FIX
This issue has been addressed by cancelling any activity in the tab immediately
upon it being closed.

AFFECTED VERSIONS
All SnowHaze versions from the introduction of tab closing undo (Version 1.1,
released December 22, 2016) through 2.6.6 (released October 24, 2019) are
affected.

WORKAROUND
Set 'Allow for' in the 'Undo Tab Closing' section of the 'SnowHaze' settings to
'0 sec' to disable the feature.

RESOLUTION
Update to SnowHaze version 2.6.7 (released February 24, 2020) or newer.

SEVERITY
Low

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

=================================== SSA 002 ====================================

Cancel button in dangerous site warning ignored.

DETAILS
Tapping the cancel button in the dangerous site warning alert would be treated
the same as tapping the continue button.

IMPACT
A user deciding to cancel a page load due to a dangerous site warning would fail
to prevent the page from being loaded.

FIX
Taps of the cancel button are now properly registered.

AFFECTED VERSIONS
All SnowHaze versions from the introduction of dangerous sites warnings
(Version 2.0, released August 31, 2017) through 2.6.6 (released October 24,
2019) are affected.

WORKAROUND
Manually navigate away from pages which trigger a dangerous site warning.

RESOLUTION
Update to SnowHaze version 2.6.7 (released February 24, 2020) or newer.

SEVERITY
Medium

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

=================================== SSA 001 ====================================

JavaScript blocking bypass when multiple sites use different per-site settings.

DETAILS
When visiting multiple websites with differing per-site settings for
'Allow JavaScript,' the setting was sometimes applied too late. This could lead
to JavaScript being run on pages where JavaScript was supposed to be blocked.

IMPACT
A webpage may be able to execute JavaScript code even though 'Allow JavaScript'
is disabled. This does not require user interaction.

FIX
This issue has been addressed by more aggressive application of per-site
settings.

AFFECTED VERSIONS
All versions of SnowHaze prior to 2.6.6 (released October 24, 2019) are affected
when running on iOS 13.

CREDITS
Person / People wishing to remain unnamed.

RESOLUTION
Update to SnowHaze version 2.6.6 (released October 24, 2019) or newer.

SEVERITY
Medium

CVE NUMBER
CVE-2019-18949

MORE INFORMATION
Please contact us via snowhaze.com if you have further questions.

================================================================================

################################################################################
#                                                                              #
#                                 FILE HISTORY                                 #
#                                                                              #
################################################################################

Oct 21, 2019    Created File
Oct 23, 2019    Added SSA 001
Nov 14, 2019    Added CVE Number
Dec 05, 2019    Added Signature
Feb 23, 2020    Added SSA 002, 003, and 004
Feb 23, 2020    Added Severity as determined by the CVSS v3.1
Aug 04, 2020    Added SSA 005
Jan 17, 2021    Added SSA 006
Jan 17, 2021    Rename 'AFFECTED VERSION' sections to 'AFFECTED VERSIONS'

################################################################################
#                                                                              #
#                                  SIGNATURE                                   #
#                                                                              #
################################################################################

PGP Key: https://snowhaze.com/security.asc

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
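
Added example for SSA 004 (not SnowHaze's code, which this advisory does not show): a Python comparison of truncating a long domain name in the middle with truncating it at the beginning, counting how many trailing DNS labels stay fully visible in each case. The hostname, the 32-character display width, the "..." marker and all function names are constructed assumptions.

```python
ELLIPSIS = "..."  # assumed truncation marker; the advisory does not specify one


def truncate_middle(host: str, width: int) -> str:
    """Behaviour SSA 004 describes for versions prior to 2.6.7: cut the middle."""
    if len(host) <= width:
        return host
    keep = width - len(ELLIPSIS)
    head = (keep + 1) // 2
    tail = keep - head
    return host[:head] + ELLIPSIS + (host[-tail:] if tail else "")


def truncate_head(host: str, width: int) -> str:
    """Behaviour after the fix: cut the beginning, keep the rightmost characters."""
    if len(host) <= width:
        return host
    keep = width - len(ELLIPSIS)
    return ELLIPSIS + (host[-keep:] if keep else "")


def visible_suffix_labels(shown: str, host: str) -> int:
    """Number of trailing labels of `host` that appear complete at the end of `shown`."""
    labels = host.split(".")
    count = 0
    for n in range(1, len(labels) + 1):
        suffix = ".".join(labels[-n:])
        # A label counts only if it is whole, i.e. preceded by a dot.
        if shown == suffix or shown.endswith("." + suffix):
            count = n
        else:
            break
    return count


# Constructed hostname: the controlling labels are the rightmost ones
# ("other-site.example"); the leading labels are chosen by whoever runs the host.
HOST = "login.example-bank.com.secure.session.verify.other-site.example"
WIDTH = 32  # assumed number of characters that fit on the settings line


def compare(host: str = HOST, width: int = WIDTH) -> dict:
    """Return what each strategy displays and how many trailing labels survive."""
    mid, head = truncate_middle(host, width), truncate_head(host, width)
    return {
        "middle": (mid, visible_suffix_labels(mid, host)),
        "head": (head, visible_suffix_labels(head, host)),
    }


if __name__ == "__main__":
    for name, (shown, labels) in compare().items():
        print(f"{name:6} {shown!r} complete trailing labels: {labels}")
```

With middle truncation only the final label survives intact while the leading labels stay on screen; truncating at the beginning keeps the last three labels whole.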