Vulnerabilities > CVE-2018-5152 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products
Summary
WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. This issue does not expose synchronization traffic directly and is limited to the process of user login to the website and the data displayed to the user once logged in. This vulnerability affects Firefox < 60.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Encryption Brute Forcing An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
- Signature Spoof An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
- Cryptanalysis Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: 1. Total Break - Finding the secret key 2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key. 3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known 4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.
Nessus
NASL family MacOS X Local Security Checks NASL id MACOS_FIREFOX_60_0_0.NASL description The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 60. It is, therefore, affected by multiple critical and high severity vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109867 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109867 title Mozilla Firefox < 60 Multiple Critical Vulnerabilities (macOS) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_5AEFC41ED3044EC88C82824F84F08244.NASL description Mozilla Foundation reports : CVE-2018-5183: Backport critical security fixes in Skia CVE-2018-5154: Use-after-free with SVG animations and clip paths CVE-2018-5155: Use-after-free with SVG animations and text paths CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer CVE-2018-5159: Integer overflow and out-of-bounds write in Skia CVE-2018-5160: Uninitialized memory use by WebRTC encoder CVE-2018-5152: WebExtensions information leak through webRequest API CVE-2018-5153: Out-of-bounds read in mixed content websocket messages CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace CVE-2018-5166: WebExtension host permission bypass through filterReponseData CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger CVE-2018-5168: Lightweight themes can be installed without user interaction CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies CVE-2018-5176: JSON Viewer script injection CVE-2018-5177: Buffer overflow in XSLT during number formatting CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar CVE-2018-5151: Memory safety bugs fixed in Firefox 60 CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 last seen 2020-06-01 modified 2020-06-02 plugin id 109661 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109661 title FreeBSD : mozilla -- multiple vulnerabilities (5aefc41e-d304-4ec8-8c82-824f84f08244) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2872-1.NASL description This update for MozillaFirefox to 68.2.0 ESR fixes the following issues : Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738). Security issues fixed : CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429). CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738). CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738). CVE-2019-11759: Fixed a stack-based buffer overflow in HKDF output (bsc#1154738). CVE-2019-11760: Fixed a stack-based buffer overflow in WebRTC networking (bsc#1154738). CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738). CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738). CVE-2019-11763: Fixed an XSS bypass (bsc#1154738). CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738). Non-security issues fixed: Firefox 60.7 ESR changed the user interface language (bsc#1137990). Wrong Firefox GUI Language (bsc#1120374). Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235). Firefox hangs randomly when browsing and scrolling (bsc#1043008). Firefox stops loading page until mouse is moved (bsc#1025108). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130450 published 2019-11-01 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130450 title SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2872-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3645-1.NASL description Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, install lightweight themes without user interaction, spoof the filename in the downloads panel, or execute arbitrary code. (CVE-2018-5150, CVE-2018-5151, CVE-2018-5153, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5160, CVE-2018-5163, CVE-2018-5164, CVE-2018-5168, CVE-2018-5173, CVE-2018-5175, CVE-2018-5177, CVE-2018-5180) Multiple security issues were discovered with WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to obtain sensitive information, or bypass security restrictions. (CVE-2018-5152, CVE-2018-5166) It was discovered that the web console and JavaScript debugger incorrectly linkified chrome: and JavaScript URLs. If a user were tricked in to clicking a specially crafted link, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2018-5167) It was discovered that dragging and dropping link text on to the home button could set the home page to include chrome pages. If a user were tricked in to dragging and dropping a specially crafted link on to the home button, an attacker could potentially exploit this bypass security restrictions. (CVE-2018-5169) It was discovered that the Live Bookmarks page and PDF viewer would run script pasted from the clipboard. If a user were tricked in to copying and pasting specially crafted text, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2018-5172) It was discovered that the JSON viewer incorrectly linkified javascript: URLs. If a user were tricked in to clicking on a specially crafted link, an attacker could potentially exploit this to obtain sensitive information. (CVE-2018-5176) It was discovered that dragging a file: URL on to a tab that is running in a different process would cause the file to open in that process. If a user were tricked in to dragging a file: URL, an attacker could potentially exploit this to bypass intended security policies. (CVE-2018-5181) It was discovered that dragging text that is a file: URL on to the addressbar would open the specified file. If a user were tricked in to dragging specially crafted text on to the addressbar, an attacker could potentially exploit this to bypass intended security policies. (CVE-2018-5182). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109798 published 2018-05-14 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109798 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox vulnerabilities (USN-3645-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3645-2.NASL description USN-3645-1 fixed vulnerabilities in Firefox. The update caused an issue where users experienced long UI pauses in some circumsances. This update fixes the problem. We apologize for the inconvenience. Original advisory details : Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, install lightweight themes without user interaction, spoof the filename in the downloads panel, or execute arbitrary code. (CVE-2018-5150, CVE-2018-5151, CVE-2018-5153, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5160, CVE-2018-5163, CVE-2018-5164, CVE-2018-5168, CVE-2018-5173, CVE-2018-5175, CVE-2018-5177, CVE-2018-5180) Multiple security issues were discovered with WebExtensions. If a user were tricked in to installing a specially crafted extension, an attacker could potentially exploit these to obtain sensitive information, or bypass security restrictions. (CVE-2018-5152, CVE-2018-5166) It was discovered that the web console and JavaScript debugger incorrectly linkified chrome: and JavaScript URLs. If a user were tricked in to clicking a specially crafted link, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2018-5167) It was discovered that dragging and dropping link text on to the home button could set the home page to include chrome pages. If a user were tricked in to dragging and dropping a specially crafted link on to the home button, an attacker could potentially exploit this bypass security restrictions. (CVE-2018-5169) It was discovered that the Live Bookmarks page and PDF viewer would run script pasted from the clipboard. If a user were tricked in to copying and pasting specially crafted text, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2018-5172) It was discovered that the JSON viewer incorrectly linkified javascript: URLs. If a user were tricked in to clicking on a specially crafted link, an attacker could potentially exploit this to obtain sensitive information. (CVE-2018-5176) It was discovered that dragging a file: URL on to a tab that is running in a different process would cause the file to open in that process. If a user were tricked in to dragging a file: URL, an attacker could potentially exploit this to bypass intended security policies. (CVE-2018-5181) It was discovered that dragging text that is a file: URL on to the addressbar would open the specified file. If a user were tricked in to dragging specially crafted text on to the addressbar, an attacker could potentially exploit this to bypass intended security policies. (CVE-2018-5182). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109940 published 2018-05-21 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109940 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : firefox regression (USN-3645-2) NASL family Windows NASL id MOZILLA_FIREFOX_60_0_0.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 60. It is, therefore, affected by multiple critical and high severity vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109869 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109869 title Mozilla Firefox < 60 Multiple Critical Vulnerabilities
References
- http://www.securityfocus.com/bid/104139
- http://www.securityfocus.com/bid/104139
- http://www.securitytracker.com/id/1040896
- http://www.securitytracker.com/id/1040896
- https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
- https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
- https://bugzilla.mozilla.org/show_bug.cgi?id=1427289
- https://bugzilla.mozilla.org/show_bug.cgi?id=1427289
- https://usn.ubuntu.com/3645-1/
- https://usn.ubuntu.com/3645-1/
- https://www.mozilla.org/security/advisories/mfsa2018-11/
- https://www.mozilla.org/security/advisories/mfsa2018-11/