=====================================================================
CERT-Renater Information Note No. 2022/VULN335
_____________________________________________________________________
DATE: 21/09/2022
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Firefox versions prior to 105, ESR 102.3.
=====================================================================

https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-40/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-41
Security Vulnerabilities fixed in Firefox ESR 102.3

Announced: September 20, 2022
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 102.3

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
Reporter: Armin Ebert
Impact: high
Description
During iframe navigation, certain pages did not have their FeaturePolicy fully initialized, leading to a bypass that leaked device permissions into untrusted subdocuments.
References
  o Bug 1782211

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
Reporter: Armin Ebert
Impact: high
Description
Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash.
References
  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
Reporter: Axel Chong (@Haxatron)
Impact: moderate
Description
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.
References
  o Bug 1779993

# CVE-2022-40956: Content-Security-Policy base-uri bypass
Reporter: Satoki Tsuji
Impact: low
Description
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead.
References
  o Bug 1770094

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
Reporter: Gary Kwong
Impact: low
Description
Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. This bug only affects Firefox on ARM64 platforms.
References
  o Bug 1777604

# CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
Reporter: Mozilla developers and community
Impact: high
Description
Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
  o Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-40
Security Vulnerabilities fixed in Firefox 105

Announced: September 20, 2022
Impact: high
Products: Firefox
Fixed in: Firefox 105

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
Reporter: Armin Ebert
Impact: high
Description
During iframe navigation, certain pages did not have their FeaturePolicy fully initialized, leading to a bypass that leaked device permissions into untrusted subdocuments.
References
  o Bug 1782211

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
Reporter: Armin Ebert
Impact: high
Description
Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash.
References
  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
Reporter: Axel Chong (@Haxatron)
Impact: moderate
Description
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.
References
  o Bug 1779993

# CVE-2022-40961: Stack-buffer overflow when initializing Graphics
Reporter: Mozilla Fuzzing Team
Impact: moderate
Description
During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.
References
  o Bug 1784588

# CVE-2022-40956: Content-Security-Policy base-uri bypass
Reporter: Satoki Tsuji
Impact: low
Description
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead.
References
  o Bug 1770094

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
Reporter: Gary Kwong
Impact: low
Description
Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. This bug only affects Firefox on ARM64 platforms.
References
  o Bug 1777604

# CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
Reporter: Mozilla developers and community
Impact: high
Description
Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
  o Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

=========================================================
+ CERT-RENATER          | tel: 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax: 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
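Added example, not part of the CERT-Renater note or of Mozilla's code: a strict Set-Cookie checker applying the __Host-/__Secure- prefix rules of RFC 6265bis, the invariant that CVE-2022-40958 above describes being bypassed. It models the browser-side decision: a prefixed cookie is accepted only from a secure context with the required attributes, and a cookie name that is not a clean token is rejected outright rather than normalised into a prefixed name. The function names and the case-insensitive prefix match (the conservative choice) are my assumptions.

```python
import re

# RFC 2616 "token" characters: cookie names must be tokens with no
# whitespace, control characters or separators.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr_lower: val})."""
    parts = header.split(";")
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError('missing "=" in cookie-pair')
    attrs = {}
    for raw in parts[1:]:
        key, _, val = raw.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def check_cookie_prefix(header: str, secure_context: bool):
    """Return (accepted, reason) for a Set-Cookie seen in `secure_context`.

    Assumed names/behaviour (not Firefox's implementation): the raw name is
    matched as-is, so a name that is not a valid token cannot be "repaired"
    into a __Host-/__Secure- name by trimming or decoding.
    """
    try:
        name, _value, attrs = parse_set_cookie(header)
    except ValueError as exc:
        return False, str(exc)
    if not _TOKEN_RE.match(name):
        return False, "cookie name is not a valid token"
    lname = name.lower()
    if lname.startswith("__secure-") or lname.startswith("__host-"):
        if not secure_context:
            return False, "prefixed cookie set from a non-secure context"
        if "secure" not in attrs:
            return False, "prefixed cookie lacks the Secure attribute"
    if lname.startswith("__host-"):
        if "domain" in attrs:
            return False, "__Host- cookie must not carry a Domain attribute"
        if attrs.get("path") != "/":
            return False, "__Host- cookie must have Path=/"
    return True, "ok"
```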