Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0191
MFSA 2019-23 Security vulnerabilities fixed in Thunderbird 60.8
12 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mozilla Thunderbird
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11730 CVE-2019-11729 CVE-2019-11719
CVE-2019-11717 CVE-2019-11715 CVE-2019-11713
CVE-2019-11712 CVE-2019-11711 CVE-2019-11709
CVE-2019-9811
Member content until: Sunday, August 11 2019
Reference: ASB-2019.0190
ESB-2019.2569
ESB-2019.2566
OVERVIEW
Mozilla has published a nedw version of Thunderbird to address multiple
vulnerabilities in versions prior to 60.8 [1]
IMPACT
Mozilla has provided the following information:
"# CVE-2019-9811: Sandbox escape via installation of malicious language pack
Reporter
Niklas Baumstark
Impact
high
Description
As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox
escape by installing a malicious language pack and then opening a browser
feature that used the compromised translation.
References
o Bug 1538007
o Bug 1539598
o Bug 1563327
# CVE-2019-11711: Script injection within domain through inner window reuse
Reporter
Boris Zbarsky
Impact
high
Description
When an inner window is reused, it does not consider the use of document.domain
for cross-origin protections. If pages on different subdomains ever
cooperatively use document.domain , then either page can abuse this to inject
script into arbitrary pages on the other subdomain, even those that did not use
document.domain to relax their origin security.
References
o Bug 1552541
# CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by
following 308 redirects
Reporter
Gregory Smiley of Security Compass
Impact
high
Description
POST requests made by NPAPI plugins, such as Flash, that receive a status 308
redirect response can bypass CORS requirements. This can allow an attacker to
perform Cross-Site Request Forgery (CSRF) attacks.
References
o Bug 1543804
# CVE-2019-11713: Use-after-free with HTTP/2 cached stream
Reporter
Hanno Bock
Impact
high
Description
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream
is closed while still in use, resulting in a potentially exploitable crash.
References
o Bug 1528481
# CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
segmentation fault
Reporter
Jonas Allmann
Impact
moderate
Description
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due
values being improperly sanitized before being copied into memory and used.
References
o Bug 1515342
# CVE-2019-11715: HTML parsing error can contribute to content XSS
Reporter
Linus Sarud
Impact
moderate
Description
Due to an error while parsing page content, it is possible for properly
sanitized user input to be misinterpreted and lead to XSS hazards on web sites
in certain circumstances.
References
o Bug 1555523
# CVE-2019-11717: Caret character improperly escaped in origins
Reporter
Tyson Smith
Impact
moderate
Description
A vulnerability exists where the caret ("^") character is improperly escaped
constructing some URIs due to it being used as a separator, allowing for
possible spoofing of origin attributes.
References
o Bug 1548306
# CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
Reporter
Henry Corrigan-Gibbs
Impact
moderate
Description
When importing a curve25519 private key in PKCS#8format with leading 0x00
bytes, it is possible to trigger an out-of-bounds read in the Network Security
Services (NSS) library. This could lead to information disclosure.
References
o Bug 1540541
# CVE-2019-11730: Same-origin policy treats all files in a directory as having
the same-origin
Reporter
Luigi Gubello
Impact
moderate
Description
A vulnerability exists where if a user opens a locally saved HTML file, this
file can use file: URIs to access other files in the same directory or
sub-directories if the names are known or guessed. The Fetch API can then be
used to read the contents of any files stored in these directories and they may
uploaded to a server. Luigi Gubello demonstrated that in combination with a
popular Android messaging app, if a malicious HTML attachment is sent to a user
and they opened that attachment in Firefox, due to that app's predictable
pattern for locally-saved file names, it is possible to read attachments the
victim received from other correspondents.
References
o Bug 1558299
# CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
Thunderbird 60.8
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Andreea Pavel, Christian Holler, Honza
Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in
Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code."
MITIGATION
Mozilla advises upgrading to Thunderbird 60.8 to address these
vulnerabilities [1]
REFERENCES
[1] Mozilla Foundation Security Advisory 2019-23 - Security
vulnerabilities fixed in Thunderbird 60.8
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXSgjMGaOgq3Tt24GAQhpMA//Vfq98oa1vbPmIBUWBj1ShnvidaZ82f3y
fH9Pw+r7jRh9d/Yq7C2UJRsnZaPhpoKU3+vLLfw5teumADuEuCIg82Uv8B7wuAKg
o3+bAsEVkA871FYB/ScO/DlNN8jJTtvVGcpDbur0jvNEdyKgTu6LBbHktJxjpVl+
kxUcZ0cq0aSnb/+JmwrSPD2KmABifXB/XyWrbi/nORK9JqziAWDBSy2OdnRJ8N+O
moFFTeSVxw/QiYEjENkLmZSdojBr8TpTj9e4ghRJYFHbPs9ChYsG4Nqbq1AN5kL2
UkjvKztDr2LGHJU7u2AzegLgcbfC25pF4SID9OzbCdV0gs0LFqAapDM54b5Xak8t
i2rQViWDmE0eY7PugT0Y3SrUV9bO3CkKdLNoFJMP7uAjR0VRtRSEmnPgyhAUE8JU
u1QlPyopaR9opqql2vi9OeXevYo3RSZfk/Eiv6arvlgeNQgjnC2MUy/3JurFHeuF
bUKX16jA0ohs6VAcI6U3W/oSl71pV3wIMZKHBKlTtXObdxpbKtEKv2Wip0h+lA51
PGQDcB1CU+WSRW04DPOBP6+sC6EgZyf9l0e/R1WK5lC2KQCIBnLypwrRy6o3tdpQ
1lJ4Rf2GwFtfhDZHNzHQzbJdhUYXRvyfOpdM+twNvSjSQB5TMzR6ZoDk+tQcD3m0
98DFQnMS9HA=
=Nb08
-----END PGP SIGNATURE-----