US authorities report multiple vulnerabilities identified in Mozilla Thunderbird, the most severe of which could result in arbitrary code execution. Mozilla Thunderbird is an email service. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.[1]
There are currently no reports of these vulnerabilities being exploited in the wild. The systems affected are Mozilla Thunderbird versions prior to 60.2.1
Technical brief: A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. (CVE-2018-12377) A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. (CVE-2018-12378) When the Mozilla Updater opens a MAR format file which contains a very long item filename, an out-of-bounds write can be triggered, leading to a potentially exploitable crash. This requires running the Mozilla Updater manually on the local system with the malicious MAR file in order to occur. (CVE-2018-12379) Browser proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a file: URI, bypassing configured proxy settings. Analyst’s Note: this issue only affects OS X in default configurations. On Linux systems, autofs must be installed for the vulnerability to occur and Windows is not affected. (CVE-2017-16541)
Memory safety bugs are present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2018-12376) A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. (CVE-2018-12385)
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. (CVE-2018-12383) Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Mitigations:
The Multi-State ISAC recommends mitigation actions to apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Apply the Principle of Least Privilege to all systems and services.[2]
Mitre CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16541
For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com
Please join us every Friday morning for a rebroadcast of our Weekly Red Sky Alliance Threat Brief, a succinct summary of current threat activities designed to inform your decision-making. Listen in on what our Wapack Labs analysts have been working on. (edited)
[1] MS-ISAC ADVISORY NUMBER: 2018-110; DATE ISSUED: 10/05/2018
[2] https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/
Comments