=====================================================================
CERT-Renater
Note d'Information No. 2023/VULN010
_____________________________________________________________________
DATE : 19/01/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Firefox versions prior
to 109, ESR 102.7.
=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
_____________________________________________________________________
Mozilla Foundation Security Advisory 2023-01
Security Vulnerabilities fixed in Firefox 109
Announced January 17, 2023
Impact high
Products Firefox
Fixed in
Firefox 109
#CVE-2023-23597: Logic bug in process allocation allowed to read
arbitrary files
Reporter Niklas Baumstark
Impact high
Description
A compromised web child process could disable web security opening
restrictions, leading to a new child process being spawned within
the file:// context. Given a reliable exploit primitive, this new
process could be exploited again leading to arbitrary file read.
References
Bug 1538028
#CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
Reporter Tom Schuster
Impact high
Description
Due to the Firefox GTK wrapper code's use of text/plain for drag data
and GTK treating all text/plain MIMEs containing file URLs as being
dragged a website could arbitrarily read a file via a call to
DataTransfer.setData.
References
Bug 1800425
#CVE-2023-23599: Malicious command could be hidden in devtools output on
Windows
Reporter Vadim
Impact moderate
Description
When copying a network request from the developer tools panel as a
curl command the output was not being properly sanitized and could
allow arbitrary commands to be hidden within.
References
Bug 1777800
#CVE-2023-23600: Notification permissions persisted between Normal
and Private Browsing on Android
Reporter Kazuki Nomoto of Waseda University
Impact moderate
Description
Per origin notification permissions were being stored in a way that
didn't take into account what browsing context the permission was
granted in. This lead to the possibility of notifications to be
displayed during different browsing sessions.
This bug only affects Firefox for Android. Other operating systems
are unaffected.
References
Bug 1787034
#CVE-2023-23601: URL being dragged from cross-origin iframe into
same tab triggers navigation
Reporter Luan Herrera
Impact moderate
Description
Navigations were being allowed when dragging a URL from a
cross-origin iframe into the same tab which could lead to website
spoofing attacks
References
Bug 1794268
#CVE-2023-23602: Content Security Policy wasn't being correctly
applied to WebSockets in WebWorkers
Reporter Dave Vandyke
Impact moderate
Description
A mishandled security check when creating a WebSocket in a WebWorker
caused the Content Security Policy connect-src header to be ignored.
This could lead to connections to restricted origins from inside
WebWorkers.
References
Bug 1800890
#CVE-2023-23603: Calls to console.log allowed bypasing
Content Security Policy via format directive
Reporter Dan Veditz
Impact low
Description
Regular expressions used to filter out forbidden properties and values
from style directives in calls to console.log weren't accounting for
external URLs. Data could then be potentially exfiltrated from the
browser.
References
Bug 1800832
#CVE-2023-23604: Creation of duplicate SystemPrincipal
from less secure contexts
Reporter Nika Layzell
Impact low
Description
A duplicate SystemPrincipal object could be created when parsing a
non-system html document via DOMParser::ParseFromSafeString. This
could have lead to bypassing web security checks.
References
Bug 1802346
#CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and
Firefox ESR 102.7
Reporter Mozilla developers
Impact high
Description
Mozilla developers and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of
these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run
arbitrary code.
References
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
#CVE-2023-23606: Memory safety bugs fixed in Firefox 109
Reporter Mozilla developers
Impact high
Description
Mozilla developers and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox 108. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort
some of these could have been exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 109
_____________________________________________________________________
Mozilla Foundation Security Advisory 2023-02
Security Vulnerabilities fixed in Firefox ESR 102.7
Announced January 17, 2023
Impact high
Products Firefox ESR
Fixed in
Firefox ESR 102.7
#CVE-2022-46871: libusrsctp library out of date
Reporter Mozilla Developers
Impact high
Description
An out of date library (libusrsctp) contained vulnerabilities that
could potentially be exploited.
References
Bug 1795697
#CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
Reporter Tom Schuster
Impact high
Description
Due to the Firefox GTK wrapper code's use of text/plain for drag data
and GTK treating all text/plain MIMEs containing file URLs as being
dragged a website could arbitrarily read a file via a call to
DataTransfer.setData.
References
Bug 1800425
#CVE-2023-23599: Malicious command could be hidden in devtools output
on Windows
Reporter Vadim
Impact moderate
Description
When copying a network request from the developer tools panel as a
curl command the output was not being properly sanitized and could
allow arbitrary commands to be hidden within.
References
Bug 1777800
#CVE-2023-23601: URL being dragged from cross-origin iframe into
same tab triggers navigation
Reporter Luan Herrera
Impact moderate
Description
Navigations were being allowed when dragging a URL from a cross-origin
iframe into the same tab which could lead to website spoofing attacks
References
Bug 1794268
#CVE-2023-23602: Content Security Policy wasn't being correctly applied
to WebSockets in WebWorkers
Reporter Dave Vandyke
Impact moderate
Description
A mishandled security check when creating a WebSocket in a WebWorker caused
the Content Security Policy connect-src header to be ignored. This could
lead to connections to restricted origins from inside WebWorkers.
References
Bug 1800890
#CVE-2022-46877: Fullscreen notification bypass
Reporter Hafiizh
Impact low
Description
By confusing the browser, the fullscreen notification could have been
delayed or suppressed, resulting in potential user confusion or
spoofing attacks.
References
Bug 1795139
#CVE-2023-23603: Calls to console.log allowed bypasing
Content Security Policy via format directive
Reporter Dan Veditz
Impact low
Description
Regular expressions used to filter out forbidden properties and
values from style directives in calls to console.log weren't
accounting for external URLs. Data could then be potentially
exfiltrated from the browser.
References
Bug 1800832
#CVE-2023-23605: Memory safety bugs fixed in Firefox 109 and
Firefox ESR 102.7
Reporter Mozilla developers and community
Impact high
Description
Mozilla developers and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox 108 and Firefox ESR 102.6. Some
of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email:cert@support.renater.fr +
=========================================================