-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0675
                   Mozilla Firefox Security Vulnerabilities
                              24 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Firefox ESR
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23979 CVE-2021-23978 CVE-2021-23977 CVE-2021-23976
                   CVE-2021-23975 CVE-2021-23974 CVE-2021-23973 CVE-2021-23972
                   CVE-2021-23971 CVE-2021-23970 CVE-2021-23969 CVE-2021-23968

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
   https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

Comment: This bulletin contains two (2) Mozilla security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Mozilla. It is recommended that administrators
         running Mozilla Firefox and Firefox ESR check for an updated version
         of the software for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2021-07

Security Vulnerabilities fixed in Firefox 86

Announced: February 23, 2021
Impact:    high
Products:  Firefox
Fixed in:  Firefox 86

# CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect

Reporter: Masato Kinugawa
Impact:   high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that's not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin.

References

  o Bug 1542194

# CVE-2021-23970: Multithreaded WASM triggered assertions validating
separation of script domains

Reporter: J. Ryan Stinnett
Impact:   high

Description

Context-specific code was included in a shared jump table, resulting in
assertions being triggered in multithreaded wasm code.

References

  o Bug 1681724

# CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect

Reporter: Ademar Nowasky Junior
Impact:   high

Description

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report, as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs.

References

  o Bug 1687342

# CVE-2021-23974: noscript elements could have led to an HTML Sanitizer bypass

Reporter: Masato Kinugawa and Michal Bentkowski
Impact:   moderate

Description

The DOMParser API did not properly process <noscript> elements for escaping.
This could be used as an mXSS vector to bypass an HTML Sanitizer.
References

  o Bug 1528997, 1683627

# CVE-2021-23971: A website's Referrer-Policy could have been overridden,
potentially resulting in the full URL being sent as a Referrer

Reporter: Luca Moretto
Impact:   moderate

Description

When processing a redirect with a conflicting Referrer-Policy, Firefox would
have adopted the redirect's Referrer-Policy. This would have potentially
resulted in more information than intended by the original origin being
provided to the destination of the redirect.

References

  o Bug 1678545

# CVE-2021-23976: Local spoofing of web manifests for arbitrary pages in
Firefox for Android

Reporter: Muneaki Nishimura
Impact:   moderate

Description

When accepting a malicious intent from other installed apps, Firefox for
Android accepted manifests from arbitrary file paths and allowed declaring
webapp manifests for other origins. This could be used to gain fullscreen
access for UI spoofing and could also lead to cross-origin attacks on targeted
websites.

Note: This issue is a different issue from CVE-2020-26954 and only affected
Firefox for Android. Other operating systems are unaffected.

References

  o Bug 1684627

# CVE-2021-23977: Malicious application could read sensitive data from
Firefox for Android's application directories

Reporter: fatal0
Impact:   moderate

Description

Firefox for Android suffered from a time-of-check-time-of-use vulnerability
that allowed a malicious application to read sensitive data from application
directories.

Note: This issue only affected Firefox for Android. Other operating systems
are unaffected.

References

  o Bug 1684761

# CVE-2021-23972: HTTP Auth phishing warning was omitted when a redirect is
cached

Reporter: Vijay Tikudave
Impact:   low

Description

One phishing tactic on the web is to provide a link with HTTP Auth. For
example https://www.phishingtarget.com@evil.com.
To mitigate this type of attack, Firefox will display a warning dialog;
however, this warning dialog would not have been displayed if evil.com used a
redirect that was cached by the browser.

References

  o Bug 1683536

# CVE-2021-23975: about:memory Measure function caused an incorrect pointer
operation

Reporter: Brian Carpenter of Geeknik Labs & Farm
Impact:   low

Description

The developer page about:memory has a Measure function for exploring what
object types the browser has allocated and their sizes. When this function was
invoked we incorrectly called the sizeof function, instead of using the API
method that checks for invalid pointers.

References

  o Bug 1685145

# CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources

Reporter: Andreas Pehrson
Impact:   low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.

References

  o Bug 1690976

# CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR
78.7. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

# CVE-2021-23979: Memory safety bugs fixed in Firefox 86

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and Sebastian
Hengst reported memory safety bugs present in Firefox 85. Some of these bugs
showed evidence of memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary code.
References

  o Memory safety bugs fixed in Firefox 86

- -------------------------------------------------------------------------------

Mozilla Foundation Security Advisory 2021-08

Security Vulnerabilities fixed in Firefox ESR 78.8

Announced: February 23, 2021
Impact:    high
Products:  Firefox ESR
Fixed in:  Firefox ESR 78.8

# CVE-2021-23969: Content Security Policy violation report could have
contained the destination of a redirect

Reporter: Masato Kinugawa
Impact:   high

Description

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that's not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin.

References

  o Bug 1542194

# CVE-2021-23968: Content Security Policy violation report could have
contained the destination of a redirect

Reporter: Ademar Nowasky Junior
Impact:   high

Description

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report, as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs.

References

  o Bug 1687342

# CVE-2021-23973: MediaError message property could have leaked information
about cross-origin resources

Reporter: Andreas Pehrson
Impact:   low

Description

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that error may have
revealed information about the resource.
References

  o Bug 1690976

# CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Reporter: Mozilla developers
Impact:   high

Description

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR
78.7. Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could have been exploited to run
arbitrary code.

References

  o Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYDWIBONLKJtyKPYoAQj1Yw//VSFgHsGB8/T8j3i+r7f7ejJavzRkYhsX
2LN6iLCluy22MxPZa1oMURk7u/s/ulqtyFB1esapAbYaGkz1mEyM6a3e8khilEL3
wYQ/Wey5wVmV4LHA4KJXLjUIS/QTxE/0vV9bdzH3Y7LqTToaZegmstXZte2uSxpz
k8pBsnyPunRikjn4vgCKYJv5U5lVCdU9bCIYDmDSyslU7ytYqFRBEHKOt5nA2kSa
y6uYq0KANsiDdsB58X6CMs0Qkx3c3ys6RvheFkdig2JE8DwuHnuyigk3aSGCRpmc
c2D8L6sbpKgObbD2Xnt48Mn6/q+4X622bXmjdsDc0pwIT7yUi++WatcJJwSuf+Lh
iMUvht+ZkQ0fWbOZyNMtBuqjlE6lXotpA/BcFz7Nrm+XR0+qaddOBVsUTrKO9Goc
yNvBCufEaPKj5c0fWv9vcT0LMkoKSYba4XuCZFz1KkqRu38UNxDDBzxRpJbrABZX
wLuMK0FX57s3TPRYF1x+k2OYdANgfm68I49f/JnFH4wj4QNRLmW5+WU4SeMdl79r
Pz7puQZNlDaHh4wdi8vis6/j4z2xO9EO8fydRSRWp6ctJ/Lk24Eo7+J4Z/YiuVaa
1dBPgsjwudxWn6evvTXCmGSdodYMwJXcR5Ry/kd7u7oaqUmv84qJizQu5VrYqAje
fSgxyPcrYrw=
=55T9
-----END PGP SIGNATURE-----