PT-2023-2781 · Mozilla+3 · Firefox Esr+5

Holger Fuhrmannek

·

Publicado

2023-04-11

·

Atualizado

2024-12-12

·

CVE-2023-29532

CVSS v3.1

5.5

Média

VetorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 112 Firefox ESR versions prior to 102.10 Thunderbird versions prior to 102.10
Description A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. This issue requires local system access and only affects Windows, with other operating systems not being affected.
Recommendations For Firefox versions prior to 112, update to version 112 or later to resolve the issue. For Firefox ESR versions prior to 102.10, update to version 102.10 or later to resolve the issue. For Thunderbird versions prior to 102.10, update to version 102.10 or later to resolve the issue. As a temporary workaround, consider restricting access to SMB servers to minimize the risk of exploitation.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-264

Identificadores relacionados

ALT-PU-2023-1621
ALT-PU-2023-1648
ALT-PU-2023-1649
ALT-PU-2023-1758
ALT-PU-2023-1765
ALT-PU-2023-1783
ALT-PU-2023-1797
ALT-PU-2023-1817
ALT-PU-2023-4365
ALT-PU-2023-4366
ALT-PU-2023-5202
BDU:2023-02675
CVE-2023-29532
OESA-2024-1746
OESA-2024-1747
OESA-2024-1748
OPENSUSE-SU-2024:12852-1
OPENSUSE-SU-2024:12856-1
OPENSUSE-SU-2024:12882-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2023:1817-1
SUSE-SU-2023:1819-1
SUSE-SU-2023:1855-1
SUSE-SU-2023:2064-1

Produtos afetados

Alt Linux
Firefox
Firefox Esr
Red Os
Suse
Thunderbird