PT-2020-16578 · Google+2 · Android+2

Muneaki Nishimura · Published 2020-11-21 · Updated 2024-12-12 · CVE-2020-26964

CVSS v3.1: 6.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 83

Description

The issue arises when the Remote Debugging via USB feature is enabled in Firefox for Android on Android versions prior to 6.0. Untrusted apps can then connect to the feature and operate with browser privileges, which lets them read and interact with web content. The feature is exposed as a unix domain socket protected by the Android SELinux policy, but SELinux is not enforced on Android versions prior to 6.0.

Recommendations

For Firefox versions prior to 83, the issue was fixed by removing the Remote Debugging via USB feature from affected devices. As a temporary workaround, consider disabling the Remote Debugging via USB feature until the issue is resolved. Restrict access to the unix domain socket to minimize the risk of exploitation.

Fix


Related Identifiers

ALT-PU-2020-3384
ALT-PU-2021-3368
CVE-2020-26964
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1

Affected Products

Alt Linux
Android
Firefox