====================================================================
CERT-Renater
Information Note No. 2021/VULN175
_____________________________________________________________________

DATE : 24/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Firefox versions prior to 87, ESR 78.9.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2021-11

Security Vulnerabilities fixed in Firefox ESR 78.9

Announced: March 23, 2021
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 78.9

#CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read

Reporter: Omair
Impact: high
Description: A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.
References: Bug 1692832

#CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact: moderate
Description: Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections.
References: Bug 1677046

#CVE-2021-23984: Malicious extensions could have spoofed popup information

Reporter: Rob Wu
Impact: moderate
Description: A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.
References: Bug 1693664

#CVE-2021-23987: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

Reporter: Mozilla developers and community
Impact: high
Description: Mozilla developers and community members Alexis Beingessner, Tyson Smith, Julien Wajsberg, and Matthew Gregan reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

_____________________________________________________________________

Mozilla Foundation Security Advisory 2021-10

Security Vulnerabilities fixed in Firefox 87

Announced: March 23, 2021
Impact: high
Products: Firefox
Fixed in: Firefox 87

#CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read

Reporter: Omair
Impact: high
Description: A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.
References: Bug 1692832

#CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage

Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact: moderate
Description: Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections.
References: Bug 1677046

#CVE-2021-23983: Transitions for invalid ::marker properties resulted in memory corruption

Reporter: Irvan Kurniawan
Impact: moderate
Description: By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash.
References: Bug 1692684

#CVE-2021-23984: Malicious extensions could have spoofed popup information

Reporter: Rob Wu
Impact: moderate
Description: A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.
References: Bug 1693664

#CVE-2021-23985: Devtools remote debugging feature could have been enabled without indication to the user

Reporter: Anonymous working with Trend Micro's Zero Day Initiative
Impact: low
Description: If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticeable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket.
References: Bug 1659129

#CVE-2021-23986: A malicious extension could have performed credential-less same origin policy violations

Reporter: Armin Razmjou
Impact: low
Description: A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication.
References: Bug 1692623

#CVE-2021-23987: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

Reporter: Mozilla developers and community
Impact: high
Description: Mozilla developers and community members Matthew Gregan, Tyson Smith, Julien Wajsberg, and Alexis Beingessner reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

#CVE-2021-23988: Memory safety bugs fixed in Firefox 87

Reporter: Mozilla developers and community
Impact: moderate
Description: Mozilla developers Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References: Memory safety bugs fixed in Firefox 87

=========================================================
+ CERT-RENATER     | tel : 01-53-94-20-44               +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41               +
+ 75013 Paris      | email:cert@support.renater.fr      +
=========================================================
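
Added example (not part of the CERT-Renater or Mozilla text): a triage script that classifies `firefox --version` banners against the fixed-in versions stated above, Firefox 87 and Firefox ESR 78.9. The banner format, the hostnames and the sample inventory are assumptions constructed for the illustration; pre-release or unreadable banners are reported as unknown for manual review.

```python
import re

# Fixed-in versions taken from the advisories above (MFSA 2021-10 and 2021-11).
FIXED_RELEASE = (87, 0, 0)
FIXED_ESR = (78, 9, 0)

# Assumed banner format of `firefox --version`, e.g. "Mozilla Firefox 78.8.0esr".
# Anything after the version other than an "esr" suffix makes the match fail.
_BANNER = re.compile(r"Firefox\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?\s*$", re.I)


def parse_banner(banner):
    """Return ((major, minor, patch), is_esr), or None if the banner is unreadable."""
    m = _BANNER.search(banner)
    if not m:
        return None
    version = tuple(int(p) if p else 0 for p in m.group(1, 2, 3))
    return version, m.group(4) is not None


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one version banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"  # beta builds, errors, other products: review by hand
    version, is_esr = parsed
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map host -> verdict and list the hosts that still need patching or review."""
    verdicts = {host: classify(banner) for host, banner in inventory.items()}
    todo = sorted(h for h, v in verdicts.items() if v != "fixed")
    return verdicts, todo


# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE = {
    "ws-01": "Mozilla Firefox 86.0.1",
    "ws-02": "Mozilla Firefox 87.0",
    "ws-03": "Mozilla Firefox 78.8.0esr",
    "ws-04": "Mozilla Firefox 78.9.0esr",
    "ws-05": "Mozilla Firefox 87.0b3",
    "ws-06": "firefox: command not found",
}

if __name__ == "__main__":
    verdicts, todo = triage(SAMPLE)
    for host in sorted(verdicts):
        print(f"{host}: {verdicts[host]}")
    print("needs attention:", ", ".join(todo))
```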