-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0675
                 Mozilla Firefox Security Vulnerabilities
                             24 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23979 CVE-2021-23978 CVE-2021-23977
                   CVE-2021-23976 CVE-2021-23975 CVE-2021-23974
                   CVE-2021-23973 CVE-2021-23972 CVE-2021-23971
                   CVE-2021-23970 CVE-2021-23969 CVE-2021-23968

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

Comment: This bulletin contains two (2) Mozilla security advisories.
         
         The vulnerabilities in this bulletin affect products which run on
         multiple operating systems. It is recommended that administrators
         running Mozilla Firefox and Firefox ESR check for an updated version
         of the software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-07

Security Vulnerabilities fixed in Firefox 86

Announced: February 23, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 86

# CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect

Reporter: Masato Kinugawa
Impact:   high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that's not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin.

References

  o Bug 1542194

# CVE-2021-23970: Multithreaded WASM triggered assertions validating separation
of script domains

Reporter: J. Ryan Stinnett
Impact:   high

Description

Context-specific code was included in a shared jump table, resulting in
assertions being triggered in multithreaded wasm code.

References

  o Bug 1681724

# CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect

Reporter: Ademar Nowasky Junior
Impact:   high

Description

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report, as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs.

References

  o Bug 1687342
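The two CSP report issues above (CVE-2021-23969 and CVE-2021-23968) share one rule: a violation report must never carry the post-redirect URL beyond its origin. The following is an added example, not Mozilla's code and not part of the advisory; it builds the URL fields of a report the way the quoted W3C text requires and contrasts that with the pre-fix behaviour. The field name blocked-uri follows CSP's report JSON; the URLs are constructed samples, and the assumption is that all inputs are absolute URLs.

```javascript
// Added example (not Mozilla's code): CSP report URL handling for redirects.

// Strip a URL for reporting: drop credentials and fragment; a non-HTTP(S)
// URL is reduced to its bare scheme, as CSP's "strip URL for use in
// reports" does. Assumes absolute URLs.
function stripUrlForReport(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return url.protocol.replace(/:$/, "");
  }
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Value a report should carry for a blocked load.
// requestedUrl: the URL the page asked for (pre-redirect).
// finalUrl: where the redirect chain ended, or null when there was none.
function reportedUrl(requestedUrl, finalUrl) {
  if (finalUrl === null || finalUrl === requestedUrl) {
    return stripUrlForReport(requestedUrl);
  }
  // A redirect happened: expose the destination only down to its origin,
  // which is what the advisory says the fix does.
  return new URL(finalUrl).origin;
}

// Pre-fix behaviour described in the advisory: the full destination,
// including path and query, ended up in the report.
function reportedUrlVulnerable(requestedUrl, finalUrl) {
  return stripUrlForReport(finalUrl === null ? requestedUrl : finalUrl);
}

// Assemble a minimal report object; `fixed` selects which rule is applied.
function buildReport({ documentUrl, directive, policy, requestedUrl, finalUrl, fixed = true }) {
  const pick = fixed ? reportedUrl : reportedUrlVulnerable;
  return {
    "csp-report": {
      "document-uri": stripUrlForReport(documentUrl),
      "violated-directive": directive,
      "original-policy": policy,
      "blocked-uri": pick(requestedUrl, finalUrl),
    },
  };
}

// Constructed scenario: a framed login URL redirects to a URL carrying a
// session token, and frame-src blocks the load.
const SCENARIO = {
  documentUrl: "https://attacker.example/page",
  directive: "frame-src",
  policy: "frame-src 'none'; report-uri /csp",
  requestedUrl: "https://bank.example/login",
  finalUrl: "https://bank.example/session?token=s3cr3t",
};
```

Run with fixed: false and the blocked-uri field is the token-bearing URL; with the default fixed: true it is https://bank.example, which is all a report endpoint on attacker.example should ever learn.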

# CVE-2021-23974: noscript elements could have led to an HTML Sanitizer bypass

Reporter: Masato Kinugawa and Michal Bentkowski
Impact:   moderate

Description

The DOMParser API did not properly process <noscript> elements for escaping.
This could be used as an mXSS vector to bypass an HTML Sanitizer.

References

  o Bug 1528997, 1683627
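The parsing rule that makes noscript an mXSS vector is worth seeing in code. With scripting enabled, the HTML tokenizer treats the contents of a body-level noscript element as raw text up to the first "</noscript>"; with scripting disabled, which is how a DOMParser document is parsed, the same bytes are ordinary markup, so a "</noscript>" inside a quoted attribute value is just data. The following is an added example, not Mozilla's code and not the input from the bugs cited above: a deliberately small tag scanner modelling only that rule, plus the round-trip check a sanitizer test suite can run. The payload is a constructed illustration of the class.

```javascript
// Added example (not Mozilla's code): a toy scanner modelling the one HTML
// rule behind noscript-based mXSS. Simplifications: no comment or doctype
// handling, and any quote inside a tag is taken to start an attribute value.

// Ordered list of start-tag names the scanner sees, e.g. ["noscript", "p"].
function tagNames(html, scriptingEnabled) {
  const names = [];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[A-Za-z\/]/.test(html[i + 1] || "")) {
      i += 1;
      continue;
    }
    // Consume the tag up to its '>' while honouring quoted attribute values.
    let j = i + 1;
    let quote = null;
    for (; j < html.length; j += 1) {
      const c = html[j];
      if (quote !== null) {
        if (c === quote) quote = null;
      } else if (c === '"' || c === "'") {
        quote = c;
      } else if (c === ">") {
        break;
      }
    }
    const tag = html.slice(i + 1, j);
    const m = /^(\/?)([A-Za-z][A-Za-z0-9]*)/.exec(tag);
    i = j + 1;
    if (m === null || m[1] === "/") continue; // malformed or an end tag
    const name = m[2].toLowerCase();
    names.push(name);
    if (name === "noscript" && scriptingEnabled) {
      // RAWTEXT: everything up to the first "</noscript>" is text, whatever
      // quotes or tags it appears to contain.
      const end = lower.indexOf("</noscript>", i);
      i = end === -1 ? html.length : end + "</noscript>".length;
    }
  }
  return names;
}

// Constructed sample: what a sanitizer working on a scripting-disabled tree
// sees as <noscript><p title="..."></p></noscript>, serialized back to text.
const SERIALIZED_FROM_SANITIZER =
  '<noscript><p title="</noscript><img src=x onerror=alert(1)>"></p></noscript>';

// Round-trip check: any element the scripting-enabled parse produces that the
// sanitizer's scripting-disabled parse never saw has escaped the sanitizer.
function unseenBySanitizer(html) {
  const seen = new Set(tagNames(html, false));
  return tagNames(html, true).filter((n) => !seen.has(n));
}
```

For the sample, the scripting-disabled parse yields noscript and p, while the scripting-enabled parse yields noscript and img: the img with its onerror handler exists only in the consumer's view. A sanitizer that parses and serializes its input should be tested by re-parsing its own output in the mode its consumer will use, which is what unseenBySanitizer does in miniature.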

# CVE-2021-23971: A website's Referrer-Policy could have been overridden,
potentially resulting in the full URL being sent as a Referrer

Reporter: Luca Moretto
Impact:   moderate

Description

When processing a redirect with a conflicting Referrer-Policy, Firefox would
have adopted the redirect's Referrer-Policy. This would have potentially
resulted in more information than intended by the original origin being
provided to the destination of the redirect.

References

  o Bug 1678545
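The Referrer Policy rules decide how much of the originating URL reaches each hop, and a redirect response is allowed to carry its own Referrer-Policy header. What keeps that from leaking anything is that the new policy is applied to the referrer the first hop already reduced, so it can only remove information. The following is an added example, not Mozilla's code and not part of the advisory: a compact implementation of the "determine request's referrer" rules for the standard policy values, with the correct redirect handling beside the behaviour the advisory describes. The page, link and tracker URLs are constructed; treating an empty redirect policy as "keep the page's policy" is this example's assumption.

```javascript
// Added example (not Mozilla's code): Referrer Policy across a redirect.

// Strip a URL for use as a referrer: no credentials, no fragment.
function stripForReferrer(urlString) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function originOf(urlString) {
  return new URL(urlString).origin + "/";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// "Downgrade": TLS-protected referrer sent to a non-TLS destination.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Return the Referer value to send, or null for no header at all.
function determineReferrer(policy, referrerSource, destination) {
  const full = stripForReferrer(referrerSource);
  const origin = originOf(referrerSource);
  const same = sameOrigin(referrerSource, destination);
  const downgrade = isDowngrade(referrerSource, destination);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "same-origin": return same ? full : null;
    case "origin": return origin;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return same ? full : origin;
    case "":
    case "strict-origin-when-cross-origin":
      if (same) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Correct handling: the redirect's policy (if any) is applied to the referrer
// the first hop already produced, so it can only drop information.
function referrerAfterRedirect(pageUrl, pagePolicy, firstHop, redirectPolicy, finalUrl) {
  const first = determineReferrer(pagePolicy, pageUrl, firstHop);
  if (first === null) return null;
  return determineReferrer(redirectPolicy || pagePolicy, first, finalUrl);
}

// The behaviour the advisory describes: the redirect's policy applied to the
// original page URL, re-exposing path and query the page's policy withheld.
function referrerAfterRedirectVulnerable(pageUrl, pagePolicy, firstHop, redirectPolicy, finalUrl) {
  return determineReferrer(redirectPolicy || pagePolicy, pageUrl, finalUrl);
}

// Constructed scenario: a page with Referrer-Policy: origin links to a
// redirector whose 302 response carries Referrer-Policy: unsafe-url.
const PAGE = "https://app.example/account?id=42#section";
const HOP = "https://link.example/go";
const FINAL = "https://tracker.example/collect";
```

With the page's policy honoured, tracker.example receives https://app.example/ on both paths; the vulnerable path hands it https://app.example/account?id=42, which is exactly the "more information than intended by the original origin" the advisory warns about.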

# CVE-2021-23976: Local spoofing of web manifests for arbitrary pages in Firefox
for Android

Reporter: Muneaki Nishimura
Impact:   moderate

Description

When accepting a malicious intent from other installed apps, Firefox for
Android accepted manifests from arbitrary file paths and allowed declaring
webapp manifests for other origins. This could be used to gain fullscreen
access for UI spoofing and could also lead to cross-origin attacks on targeted
websites.
Note: This issue is a different issue from CVE-2020-26954 and only affected
Firefox for Android. Other operating systems are unaffected.

References

  o Bug 1684627

# CVE-2021-23977: Malicious application could read sensitive data from Firefox
for Android's application directories

Reporter: fatal0
Impact:   moderate

Description

Firefox for Android suffered from a time-of-check-time-of-use vulnerability
that allowed a malicious application to read sensitive data from application
directories.
Note: This issue only affected Firefox for Android. Other operating systems
are unaffected.

References

  o Bug 1684761

# CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect is
cached

Reporter: Vijay Tikudave
Impact:   low

Description

One phishing tactic on the web is to provide a link with HTTP Auth credentials
embedded in the URL, for example https://www.phishingtarget.com@evil.com, where
the text before the @ is userinfo and the real host is evil.com. To mitigate
this type of attack, Firefox will display a warning dialog; however, this
warning dialog would not have been displayed if evil.com used a redirect that
was cached by the browser.

References

  o Bug 1683536
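Because the browser warning is the last line of defence, a mail gateway or link scanner can flag such links before they are clicked. The following is an added example, not Mozilla's code and not part of the advisory: it shows what the URL parser makes of a userinfo-bearing link like the one above and applies a simple check over sample text. The sample text is constructed, and the heuristic (flag every http(s) link that carries userinfo at all) is this example's assumption rather than Mozilla's rule.

```javascript
// Added example (not Mozilla's code): spotting HTTP Auth phishing links.

// Split a link into what a reader is likely to notice (the userinfo) and
// where it really goes (the host). Returns null for strings the URL parser
// rejects.
function describeLink(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  return {
    url: u.href,
    scheme: u.protocol,
    realHost: u.hostname,
    userinfo: u.username,          // raw, as the parser sees it
    hasPassword: u.password !== "",
  };
}

// Pull http(s) links out of free text and return those that embed userinfo.
function findSuspiciousLinks(text) {
  const found = [];
  for (const match of text.matchAll(/https?:\/\/[^\s<>"']+/g)) {
    const raw = match[0].replace(/[.,;:)\]]+$/, ""); // drop trailing punctuation
    const info = describeLink(raw);
    if (info === null) continue;
    if ((info.scheme === "http:" || info.scheme === "https:") && info.userinfo !== "") {
      found.push(info);
    }
  }
  return found;
}

// Constructed sample message: one bait link, one genuine link.
const SAMPLE_TEXT =
  "Please verify your account at https://www.phishingtarget.com@evil.com/account " +
  "or read https://www.phishingtarget.com/help.";
```

For the bait link, realHost is evil.com and userinfo is www.phishingtarget.com; the genuine link has empty userinfo and is not reported. Note that a percent-encoded @ in the host part does not produce a valid URL, so the check does not need to handle that variant separately.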

# CVE-2021-23975: about:memory Measure function caused an incorrect pointer
operation

Reporter: Brian Carpenter of Geeknik Labs & Farm
Impact:   low

Description

The developer page about:memory has a Measure function for exploring what
object types the browser has allocated and their sizes. When this function was
invoked we incorrectly called the sizeof function, instead of using the API
method that checks for invalid pointers.

References

  o Bug 1685145

# CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources

Reporter: Andreas Pehrson
Impact:   low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.

References

  o Bug 1690976

# CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR
78.7. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

# CVE-2021-23979: Memory safety bugs fixed in Firefox 86

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and Sebastian
Hengst reported memory safety bugs present in Firefox 85. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Firefox 86

- -------------------------------------------------------------------------------

Mozilla Foundation Security Advisory 2021-08

Security Vulnerabilities fixed in Firefox ESR 78.8

Announced: February 23, 2021
Impact:    high
Products:  Firefox ESR
Fixed in:  Firefox ESR 78.8

# CVE-2021-23969: Content Security Policy violation report could have contained
the destination of a redirect

Reporter: Masato Kinugawa
Impact:   high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that's not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin.

References

  o Bug 1542194

# CVE-2021-23968: Content Security Policy violation report could have contained
the destination of a redirect

Reporter: Ademar Nowasky Junior
Impact:   high

Description

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report, as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs.

References

  o Bug 1687342

# CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources

Reporter: Andreas Pehrson
Impact:   low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.

References

  o Bug 1690976

# CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR
78.7. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYDWIBONLKJtyKPYoAQj1Yw//VSFgHsGB8/T8j3i+r7f7ejJavzRkYhsX
2LN6iLCluy22MxPZa1oMURk7u/s/ulqtyFB1esapAbYaGkz1mEyM6a3e8khilEL3
wYQ/Wey5wVmV4LHA4KJXLjUIS/QTxE/0vV9bdzH3Y7LqTToaZegmstXZte2uSxpz
k8pBsnyPunRikjn4vgCKYJv5U5lVCdU9bCIYDmDSyslU7ytYqFRBEHKOt5nA2kSa
y6uYq0KANsiDdsB58X6CMs0Qkx3c3ys6RvheFkdig2JE8DwuHnuyigk3aSGCRpmc
c2D8L6sbpKgObbD2Xnt48Mn6/q+4X622bXmjdsDc0pwIT7yUi++WatcJJwSuf+Lh
iMUvht+ZkQ0fWbOZyNMtBuqjlE6lXotpA/BcFz7Nrm+XR0+qaddOBVsUTrKO9Goc
yNvBCufEaPKj5c0fWv9vcT0LMkoKSYba4XuCZFz1KkqRu38UNxDDBzxRpJbrABZX
wLuMK0FX57s3TPRYF1x+k2OYdANgfm68I49f/JnFH4wj4QNRLmW5+WU4SeMdl79r
Pz7puQZNlDaHh4wdi8vis6/j4z2xO9EO8fydRSRWp6ctJ/Lk24Eo7+J4Z/YiuVaa
1dBPgsjwudxWn6evvTXCmGSdodYMwJXcR5Ry/kd7u7oaqUmv84qJizQu5VrYqAje
fSgxyPcrYrw=
=55T9
-----END PGP SIGNATURE-----