openSUSE-SU-2019:2249

openSUSE-SU-2019:2248

openSUSE-SU-2019:2251

openSUSE-SU-2019:2260

https://bugzilla.mozilla.org/show_bug.cgi?id=1552993

GLSA-201908-12

https://www.mozilla.org/security/advisories/mfsa2019-21/

This update for MozillaFirefox fixes the following issues :

Updated to new ESR version 68.1 (bsc#1149323).

In addition to the already fixed vulnerabilities released in previous ESR updates, the following were also fixed: CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.

Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).

The version displayed in Help > About is now correct (bsc#1087200).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for MozillaFirefox to 68.1 fixes the following issues :

Security issues fixed :

  - CVE-2019-9811: Fixed a sandbox escape via installation     of malicious language pack. (bsc#1140868)

  - CVE-2019-9812: Fixed a sandbox escape through Firefox     Sync. (bsc#1149294)

  - CVE-2019-11710: Fixed several memory safety bugs.
    (bsc#1140868)

  - CVE-2019-11714: Fixed a potentially exploitable crash in     Necko. (bsc#1140868)

  - CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868)

  - CVE-2019-11718: Fixed inadequate sanitation in the     Activity Stream component. (bsc#1140868)

  - CVE-2019-11720: Fixed a character encoding XSS     vulnerability. (bsc#1140868)

  - CVE-2019-11721: Fixed a homograph domain spoofing issue     through unicode latin 'kra' character. (bsc#1140868)

  - CVE-2019-11723: Fixed a cookie leakage during add-on     fetching across private browsing boundaries.
    (bsc#1140868)

  - CVE-2019-11724: Fixed an outdated permission, granting     access to retired site input.mozilla.org. (bsc#1140868)

  - CVE-2019-11725: Fixed a Safebrowsing bypass involving     WebSockets. (bsc#1140868)

  - CVE-2019-11727: Fixed a vulnerability where it possible     to force NSS to sign CertificateVerify with PKCS#1 v1.5     signatures when those are the only ones advertised by     server in CertificateRequest in TLS 1.3. (bsc#1141322)

  - CVE-2019-11728: Fixed an improper handling of the     Alt-Svc header that allowed remote port scans.
    (bsc#1140868)

  - CVE-2019-11733: Fixed an insufficient protection of     stored passwords in 'Saved Logins'. (bnc#1145665)

  - CVE-2019-11735: Fixed several memory safety bugs.
    (bnc#1149293)

  - CVE-2019-11736: Fixed a file manipulation and privilege     escalation in Mozilla Maintenance Service. (bnc#1149292) 

  - CVE-2019-11738: Fixed a content security policy bypass     through hash-based sources in directives. (bnc#1149302)

  - CVE-2019-11740: Fixed several memory safety bugs.
    (bsc#1149299)

  - CVE-2019-11742: Fixed a same-origin policy violation     involving SVG filters and canvas to steal cross-origin     images. (bsc#1149303)

  - CVE-2019-11743: Fixed a timing side-channel attack on     cross-origin information, utilizing unload event     attributes. (bsc#1149298)

  - CVE-2019-11744: Fixed an XSS caused by breaking out of     title and textarea elements using innerHTML.
    (bsc#1149304)

  - CVE-2019-11746: Fixed a use-after-free while     manipulating video. (bsc#1149297)

  - CVE-2019-11752: Fixed a use-after-free while extracting     a key value in IndexedDB. (bsc#1149296)

  - CVE-2019-11753: Fixed a privilege escalation with     Mozilla Maintenance Service in custom Firefox     installation location. (bsc#1149295)

Non-security issues fixed :

&#9; - Latest update now also released for s390x. (bsc#1109465)

  - Fixed a segmentation fault on s390vsl082. (bsc#1117473)

  - Fixed a crash on SLES15 s390x. (bsc#1124525)

  - Fixed a segmentation fault. (bsc#1133810)

This update was imported from the SUSE:SLE-15:Update update project.

This update for MozillaThunderbird to version 68.1.1 fixes the following issues :

  - CVE-2019-11709: Fixed several memory safety bugs.
    (bsc#1140868)

  - CVE-2019-11710: Fixed several memory safety bugs.
    (bsc#1140868)

  - CVE-2019-11711: Fixed a script injection within domain     through inner window reuse. (bsc#1140868)

  - CVE-2019-11712: Fixed an insufficient validation of     cross-origin POST requests within NPAPI plugins.
    (bsc#1140868)

  - CVE-2019-11713: Fixed a use-after-free with HTTP/2     cached stream. (bsc#1140868)

  - CVE-2019-11714: Fixed a crash in NeckoChild.
    (bsc#1140868)

  - CVE-2019-11715: Fixed an HTML parsing error that can     contribute to content XSS. (bsc#1140868)

  - CVE-2019-11716: Fixed an enumeration issue in     globalThis. (bsc#1140868)

  - CVE-2019-11717: Fixed an improper escaping of the caret     character in origins. (bsc#1140868)

  - CVE-2019-11719: Fixed an out-of-bounds read when     importing curve25519 private key. (bsc#1140868)

  - CVE-2019-11720: Fixed a character encoding XSS     vulnerability. (bsc#1140868)

  - CVE-2019-11721: Fixed domain spoofing through unicode     latin 'kra' character. (bsc#1140868)

  - CVE-2019-11723: Fixed a cookie leakage during add-on     fetching across private browsing boundaries.
    (bsc#1140868)

  - CVE-2019-11724: Fixed a permissions issue with the     retired site input.mozilla.org. (bsc#1140868)

  - CVE-2019-11725: Fixed a SafeBrowsing bypass through     WebSockets. (bsc#1140868)

  - CVE-2019-11727: Fixed an insufficient validation for     PKCS#1 v1.5 signatures being used with TLS 1.3.
    (bsc#1140868)

  - CVE-2019-11728: Fixed port scanning through Alt-Svc     header. (bsc#1140868)

  - CVE-2019-11729: Fixed a segmentation fault due to empty     or malformed p256-ECDH public keys. (bsc#1140868)

  - CVE-2019-11730: Fixed an insufficient enforcement of the     same-origin policy that treats all files in a directory     as having the same-origin. (bsc#1140868)

  - CVE-2019-11739: Fixed a Covert Content Attack on S/MIME     encryption using a crafted multipart/alternative     message. (bsc#1150939)

  - CVE-2019-11740: Fixed several memory safety bugs.
    (bsc#1149299)

  - CVE-2019-11742: Fixed a same-origin policy violation     with SVG filters and canvas that enabled theft of     cross-origin images. (bsc#1149303)

  - CVE-2019-11743: Fixed a cross-origin access issue.
    (bsc#1149298)

  - CVE-2019-11744: Fixed a XSS involving breaking out of     title and textarea elements using innerHTML.
    (bsc#1149304)

  - CVE-2019-11746: Fixed a use-after-free while     manipulating video. (bsc#1149297)

  - CVE-2019-11752: Fixed a use-after-free while extracting     a key value in IndexedDB. (bsc#1149296)

  - CVE-2019-11755: Fixed an insufficient validation of     S/MIME messages that allowed the author to be spoofed.
    (bsc#1152375)

This update was imported from the SUSE:SLE-15:Update update project.

This update for MozillaFirefox to 68.1 fixes the following issues :

Security issues fixed :

CVE-2019-9811: Fixed a sandbox escape via installation of malicious language pack. (bsc#1140868)

CVE-2019-9812: Fixed a sandbox escape through Firefox Sync.
(bsc#1149294)

CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868)

CVE-2019-11714: Fixed a potentially exploitable crash in Necko.
(bsc#1140868)

CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868)

CVE-2019-11718: Fixed inadequate sanitation in the Activity Stream component. (bsc#1140868)

CVE-2019-11720: Fixed a character encoding XSS vulnerability.
(bsc#1140868)

CVE-2019-11721: Fixed a homograph domain spoofing issue through unicode latin 'kra' character. (bsc#1140868)

CVE-2019-11723: Fixed a cookie leakage during add-on fetching across private browsing boundaries. (bsc#1140868)

CVE-2019-11724: Fixed an outdated permission, granting access to retired site input.mozilla.org. (bsc#1140868)

CVE-2019-11725: Fixed a Safebrowsing bypass involving WebSockets.
(bsc#1140868)

CVE-2019-11727: Fixed a vulnerability where it possible to force NSS to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3.
(bsc#1141322)

CVE-2019-11728: Fixed an improper handling of the Alt-Svc header that allowed remote port scans. (bsc#1140868)

CVE-2019-11733: Fixed an insufficient protection of stored passwords in 'Saved Logins'. (bnc#1145665)

CVE-2019-11735: Fixed several memory safety bugs. (bnc#1149293)

CVE-2019-11736: Fixed a file manipulation and privilege escalation in Mozilla Maintenance Service. (bnc#1149292)

CVE-2019-11738: Fixed a content security policy bypass through hash-based sources in directives. (bnc#1149302)

CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)

CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)

CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)

CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)

CVE-2019-11746: Fixed a use-after-free while manipulating video.
(bsc#1149297)

CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)

CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)

Non-security issues fixed: Latest update now also released for s390x.
(bsc#1109465)

Fixed a segmentation fault on s390vsl082. (bsc#1117473)

Fixed a crash on SLES15 s390x. (bsc#1124525)

Fixed a segmentation fault. (bsc#1133810)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Thunderbird installed on the remote Windows host is prior to 68.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-28 advisory.

  - When an inner window is reused, it does not consider the     use of document.domain for cross-origin protections. If     pages on different subdomains ever cooperatively use     document.domain, then either page can abuse this to     inject script into arbitrary pages on the other     subdomain, even those that did not use document.domain     to relax their origin security. This vulnerability     affects Firefox ESR < 60.8, Firefox < 68, and     Thunderbird < 60.8. (CVE-2019-11711)

  - POST requests made by NPAPI plugins, such as Flash, that     receive a status 308 redirect response can bypass CORS     requirements. This can allow an attacker to perform     Cross-Site Request Forgery (CSRF) attacks. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11712)

  - A use-after-free vulnerability can occur in HTTP/2 when     a cached HTTP/2 stream is closed while still in use,     resulting in a potentially exploitable crash. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11713)

  - Necko can access a child on the wrong thread during UDP     connections, resulting in a potentially exploitable     crash in some instances. This vulnerability affects     Firefox < 68. (CVE-2019-11714)

  - Empty or malformed p256-ECDH public keys may trigger a     segmentation fault due values being improperly sanitized     before being copied into memory and used. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11729)

  - Due to an error while parsing page content, it is     possible for properly sanitized user input to be     misinterpreted and lead to XSS hazards on web sites in     certain circumstances. This vulnerability affects     Firefox ESR < 60.8, Firefox < 68, and Thunderbird <     60.8. (CVE-2019-11715)

  - Until explicitly accessed by script, window.globalThis     is not enumerable and, as a result, is not visible to     code such as Object.getOwnPropertyNames(window). Sites     that deploy a sandboxing that depends on enumerating and     freezing access to the window object may miss this,     allowing their sandboxes to be bypassed. This     vulnerability affects Firefox < 68. (CVE-2019-11716)

  - A vulnerability exists where the caret (^) character     is improperly escaped constructing some URIs due to it     being used as a separator, allowing for possible     spoofing of origin attributes. This vulnerability     affects Firefox ESR < 60.8, Firefox < 68, and     Thunderbird < 60.8. (CVE-2019-11717)

  - When importing a curve25519 private key in PKCS#8format     with leading 0x00 bytes, it is possible to trigger an     out-of-bounds read in the Network Security Services     (NSS) library. This could lead to information     disclosure. This vulnerability affects Firefox ESR <     60.8, Firefox < 68, and Thunderbird < 60.8.
    (CVE-2019-11719)

  - Some unicode characters are incorrectly treated as     whitespace during the parsing of web content instead of     triggering parsing errors. This allows malicious code to     then be processed, evading cross-site scripting (XSS)     filtering. This vulnerability affects Firefox < 68.
    (CVE-2019-11720)

  - The unicode latin 'kra' character can be used to spoof a     standard 'k' character in the addressbar. This allows     for domain spoofing attacks as do not display as     punycode text, allowing for user confusion. This     vulnerability affects Firefox < 68. (CVE-2019-11721)

  - A vulnerability exists where if a user opens a locally     saved HTML file, this file can use file: URIs to access     other files in the same directory or sub-directories if     the names are known or guessed. The Fetch API can then     be used to read the contents of any files stored in     these directories and they may uploaded to a server. It     was demonstrated that in combination with a popular     Android messaging app, if a malicious HTML attachment is     sent to a user and they opened that attachment in     Firefox, due to that app's predictable pattern for     locally-saved file names, it is possible to read     attachments the victim received from other     correspondents. This vulnerability affects Firefox ESR <     60.8, Firefox < 68, and Thunderbird < 60.8.
    (CVE-2019-11730)

  - A vulnerability exists during the installation of add-     ons where the initial fetch ignored the origin     attributes of the browsing context. This could leak     cookies in private browsing mode or across different     containers for people who use the Firefox Multi-     Account Containers Web Extension. This vulnerability     affects Firefox < 68. (CVE-2019-11723)

  - Application permissions give additional remote     troubleshooting permission to the site     input.mozilla.org, which has been retired and now     redirects to another site. This additional permission is     unnecessary and is a potential vector for malicious     attacks. This vulnerability affects Firefox < 68.
    (CVE-2019-11724)

  - When a user navigates to site marked as unsafe by the     Safebrowsing API, warning messages are displayed and     navigation is interrupted but resources from the same     site loaded through websockets are not blocked, leading     to the loading of unsafe resources and bypassing     safebrowsing protections. This vulnerability affects     Firefox < 68. (CVE-2019-11725)

  - A vulnerability exists where it possible to force     Network Security Services (NSS) to sign     CertificateVerify with PKCS#1 v1.5 signatures when those     are the only ones advertised by server in     CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures     should not be used for TLS 1.3 messages. This     vulnerability affects Firefox < 68. (CVE-2019-11727)

  - The HTTP Alternative Services header, Alt-Svc, can be     used by a malicious site to scan all TCP ports of any     host that the accessible to a user when web content is     loaded. This vulnerability affects Firefox < 68.
    (CVE-2019-11728)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 67. Some of these bugs     showed evidence of memory corruption and we presume that     with enough effort that some of these could be exploited     to run arbitrary code. This vulnerability affects     Firefox < 68. (CVE-2019-11710)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 67 and Firefox ESR 60.7.
    Some of these bugs showed evidence of memory corruption     and we presume that with enough effort that some of     these could be exploited to run arbitrary code. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11709)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 68.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-28 advisory.

  - When an inner window is reused, it does not consider the     use of document.domain for cross-origin protections. If     pages on different subdomains ever cooperatively use     document.domain, then either page can abuse this to     inject script into arbitrary pages on the other     subdomain, even those that did not use document.domain     to relax their origin security. This vulnerability     affects Firefox ESR < 60.8, Firefox < 68, and     Thunderbird < 60.8. (CVE-2019-11711)

  - POST requests made by NPAPI plugins, such as Flash, that     receive a status 308 redirect response can bypass CORS     requirements. This can allow an attacker to perform     Cross-Site Request Forgery (CSRF) attacks. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11712)

  - A use-after-free vulnerability can occur in HTTP/2 when     a cached HTTP/2 stream is closed while still in use,     resulting in a potentially exploitable crash. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11713)

  - Necko can access a child on the wrong thread during UDP     connections, resulting in a potentially exploitable     crash in some instances. This vulnerability affects     Firefox < 68. (CVE-2019-11714)

  - Empty or malformed p256-ECDH public keys may trigger a     segmentation fault due values being improperly sanitized     before being copied into memory and used. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11729)

  - Due to an error while parsing page content, it is     possible for properly sanitized user input to be     misinterpreted and lead to XSS hazards on web sites in     certain circumstances. This vulnerability affects     Firefox ESR < 60.8, Firefox < 68, and Thunderbird <     60.8. (CVE-2019-11715)

  - Until explicitly accessed by script, window.globalThis     is not enumerable and, as a result, is not visible to     code such as Object.getOwnPropertyNames(window). Sites     that deploy a sandboxing that depends on enumerating and     freezing access to the window object may miss this,     allowing their sandboxes to be bypassed. This     vulnerability affects Firefox < 68. (CVE-2019-11716)

  - A vulnerability exists where the caret (^) character     is improperly escaped constructing some URIs due to it     being used as a separator, allowing for possible     spoofing of origin attributes. This vulnerability     affects Firefox ESR < 60.8, Firefox < 68, and     Thunderbird < 60.8. (CVE-2019-11717)

  - When importing a curve25519 private key in PKCS#8format     with leading 0x00 bytes, it is possible to trigger an     out-of-bounds read in the Network Security Services     (NSS) library. This could lead to information     disclosure. This vulnerability affects Firefox ESR <     60.8, Firefox < 68, and Thunderbird < 60.8.
    (CVE-2019-11719)

  - Some unicode characters are incorrectly treated as     whitespace during the parsing of web content instead of     triggering parsing errors. This allows malicious code to     then be processed, evading cross-site scripting (XSS)     filtering. This vulnerability affects Firefox < 68.
    (CVE-2019-11720)

  - The unicode latin 'kra' character can be used to spoof a     standard 'k' character in the addressbar. This allows     for domain spoofing attacks as do not display as     punycode text, allowing for user confusion. This     vulnerability affects Firefox < 68. (CVE-2019-11721)

  - A vulnerability exists where if a user opens a locally     saved HTML file, this file can use file: URIs to access     other files in the same directory or sub-directories if     the names are known or guessed. The Fetch API can then     be used to read the contents of any files stored in     these directories and they may uploaded to a server. It     was demonstrated that in combination with a popular     Android messaging app, if a malicious HTML attachment is     sent to a user and they opened that attachment in     Firefox, due to that app's predictable pattern for     locally-saved file names, it is possible to read     attachments the victim received from other     correspondents. This vulnerability affects Firefox ESR <     60.8, Firefox < 68, and Thunderbird < 60.8.
    (CVE-2019-11730)

  - A vulnerability exists during the installation of add-     ons where the initial fetch ignored the origin     attributes of the browsing context. This could leak     cookies in private browsing mode or across different     containers for people who use the Firefox Multi-     Account Containers Web Extension. This vulnerability     affects Firefox < 68. (CVE-2019-11723)

  - Application permissions give additional remote     troubleshooting permission to the site     input.mozilla.org, which has been retired and now     redirects to another site. This additional permission is     unnecessary and is a potential vector for malicious     attacks. This vulnerability affects Firefox < 68.
    (CVE-2019-11724)

  - When a user navigates to site marked as unsafe by the     Safebrowsing API, warning messages are displayed and     navigation is interrupted but resources from the same     site loaded through websockets are not blocked, leading     to the loading of unsafe resources and bypassing     safebrowsing protections. This vulnerability affects     Firefox < 68. (CVE-2019-11725)

  - A vulnerability exists where it possible to force     Network Security Services (NSS) to sign     CertificateVerify with PKCS#1 v1.5 signatures when those     are the only ones advertised by server in     CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures     should not be used for TLS 1.3 messages. This     vulnerability affects Firefox < 68. (CVE-2019-11727)

  - The HTTP Alternative Services header, Alt-Svc, can be     used by a malicious site to scan all TCP ports of any     host that the accessible to a user when web content is     loaded. This vulnerability affects Firefox < 68.
    (CVE-2019-11728)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 67. Some of these bugs     showed evidence of memory corruption and we presume that     with enough effort that some of these could be exploited     to run arbitrary code. This vulnerability affects     Firefox < 68. (CVE-2019-11710)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 67 and Firefox ESR 60.7.
    Some of these bugs showed evidence of memory corruption     and we presume that with enough effort that some of     these could be exploited to run arbitrary code. This     vulnerability affects Firefox ESR < 60.8, Firefox < 68,     and Thunderbird < 60.8. (CVE-2019-11709)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201908-12 (Mozilla Firefox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page, possibly resulting in the execution of arbitrary code with the       privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

USN-4054-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details :

A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, conduct cross-site request forgery (CSRF) attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code.
(CVE-2019-11709, CVE-2019-11710, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11729)

It was discovered that Firefox treats all files in a directory as same origin. If a user were tricked in to downloading a specially crafted HTML file, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2019-11730).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, conduct cross-site request forgery (CSRF) attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code.
(CVE-2019-11709, CVE-2019-11710, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2019-11716, CVE-2019-11717, CVE-2019-11718, CVE-2019-11719, CVE-2019-11720, CVE-2019-11721, CVE-2019-11723, CVE-2019-11724, CVE-2019-11725, CVE-2019-11727, CVE-2019-11728, CVE-2019-11729)

It was discovered that Firefox treats all files in a directory as same origin. If a user were tricked in to downloading a specially crafted HTML file, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2019-11730).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote Windows host is prior to 68.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-21 advisory.

  - As part of his winning Pwn2Own entry, Niklas Baumstark     demonstrated a sandbox escape by installing a malicious     language pack and then opening a browser feature that     used the compromised translation. (CVE-2019-9811)

  - When an inner window is reused, it does not consider the     use of document.domain for cross-origin     protections. If pages on different subdomains ever     cooperatively use document.domain, then     either page can abuse this to inject script into     arbitrary pages on the other subdomain, even those that     did not use document.domain to relax their     origin security. (CVE-2019-11711)

  - POST requests made by NPAPI plugins, such as Flash, that     receive a status 308 redirect response can bypass CORS     requirements. This can allow an attacker to perform     Cross-Site Request Forgery (CSRF) attacks.
    (CVE-2019-11712)

  - A use-after-free vulnerability can occur in HTTP/2 when     a cached HTTP/2 stream is closed while still in use,     resulting in a potentially exploitable crash.
    (CVE-2019-11713)

  - Necko can access a child on the wrong thread during UDP     connections, resulting in a potentially exploitable     crash in some instances. (CVE-2019-11714)

  - Empty or malformed p256-ECDH public keys may trigger a     segmentation fault due values being improperly sanitized     before being copied into memory and used.
    (CVE-2019-11729)

  - Due to an error while parsing page content, it is     possible for properly sanitized user input to be     misinterpreted and lead to XSS hazards on web sites in     certain circumstances. (CVE-2019-11715)

  - Until explicitly accessed by script,     window.globalThis is not enumerable and, as     a result, is not visible to code such as     Object.getOwnPropertyNames(window). Sites     that deploy a sandboxing that depends on enumerating and     freezing access to the window object may miss this,     allowing their sandboxes to be bypassed.
    (CVE-2019-11716)

  - A vulnerability exists where the caret (^) character     is improperly escaped constructing some URIs due to it     being used as a separator, allowing for possible     spoofing of origin attributes. (CVE-2019-11717)

  - Activity Stream can display content from sent from the     Snippet Service website. This content is written to     innerHTML on the Activity Stream page     without sanitization, allowing for a potential access to     other information available to the Activity Stream, such     as browsing history, if the Snipper Service were     compromised. (CVE-2019-11718)

  - When importing a curve25519 private key in PKCS#8format     with leading 0x00 bytes, it is possible to trigger an     out-of-bounds read in the Network Security Services     (NSS) library. This could lead to information     disclosure. (CVE-2019-11719)

  - Some unicode characters are incorrectly treated as     whitespace during the parsing of web content instead of     triggering parsing errors. This allows malicious code to     then be processed, evading cross-site scripting (XSS)     filtering. (CVE-2019-11720)

  - The unicode latin 'kra' character can be used to spoof a     standard 'k' character in the addressbar. This allows     for domain spoofing attacks as do not display as     punycode text, allowing for user confusion.
    (CVE-2019-11721)

  - A vulnerability exists where if a user opens a locally     saved HTML file, this file can use file:
    URIs to access other files in the same directory or sub-     directories if the names are known or guessed. The Fetch     API can then be used to read the contents of any files     stored in these directories and they may uploaded to a     server. Luigi Gubello demonstrated that in combination     with a popular Android messaging app, if a malicious     HTML attachment is sent to a user and they opened that     attachment in Firefox, due to that app's predictable     pattern for locally-saved file names, it is possible to     read attachments the victim received from other     correspondents. (CVE-2019-11730)

  - A vulnerability exists during the installation of add-     ons where the initial fetch ignored the origin     attributes of the browsing context. This could leak     cookies in private browsing mode or across different     containers for people who use the Firefox Multi-     Account Containers Web Extension. (CVE-2019-11723)

  - Application permissions give additional remote     troubleshooting permission to the site     input.mozilla.org, which has been retired and now     redirects to another site. This additional permission is     unnecessary and is a potential vector for malicious     attacks. (CVE-2019-11724)

  - When a user navigates to site marked as unsafe by the     Safebrowsing API, warning messages are displayed and     navigation is interrupted but resources from the same     site loaded through websockets are not blocked, leading     to the loading of unsafe resources and bypassing     safebrowsing protections. (CVE-2019-11725)

  - A vulnerability exists where it possible to force     Network Security Services (NSS) to sign     CertificateVerify with PKCS#1 v1.5     signatures when those are the only ones advertised by     server in CertificateRequest in TLS 1.3.
    PKCS#1 v1.5 signatures should not be used for TLS 1.3     messages. (CVE-2019-11727)

  - The HTTP Alternative Services header, Alt-     Svc, can be used by a malicious site to scan all     TCP ports of any host that the accessible to a user when     web content is loaded. (CVE-2019-11728)

  - Mozilla developers and community members Andr Bargull,     Christian Holler, Natalia Csoregi, Raul Gurzau, Daniel     Varga, Jon Coppeard, Marcia Knous, Gary Kwong, Randell     Jesup, David Bolter, Jeff Gilbert, and Deian Stefan     reported memory safety bugs present in Firefox 67. Some     of these bugs showed evidence of memory corruption and     we presume that with enough effort that some of these     could be exploited to run arbitrary code.
    (CVE-2019-11710)

  - Mozilla developers and community members Andreea Pavel,     Christian Holler, Honza Bambas, Jason Kratzer, and Jeff     Gilbert reported memory safety bugs present in Firefox     67 and Firefox ESR 60.7. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2019-11709)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 68.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-21 advisory.

  - As part of his winning Pwn2Own entry, Niklas Baumstark     demonstrated a sandbox escape by installing a malicious     language pack and then opening a browser feature that     used the compromised translation. (CVE-2019-9811)

  - When an inner window is reused, it does not consider the     use of document.domain for cross-origin     protections. If pages on different subdomains ever     cooperatively use document.domain, then     either page can abuse this to inject script into     arbitrary pages on the other subdomain, even those that     did not use document.domain to relax their     origin security. (CVE-2019-11711)

  - POST requests made by NPAPI plugins, such as Flash, that     receive a status 308 redirect response can bypass CORS     requirements. This can allow an attacker to perform     Cross-Site Request Forgery (CSRF) attacks.
    (CVE-2019-11712)

  - A use-after-free vulnerability can occur in HTTP/2 when     a cached HTTP/2 stream is closed while still in use,     resulting in a potentially exploitable crash.
    (CVE-2019-11713)

  - Necko can access a child on the wrong thread during UDP     connections, resulting in a potentially exploitable     crash in some instances. (CVE-2019-11714)

  - Empty or malformed p256-ECDH public keys may trigger a     segmentation fault due values being improperly sanitized     before being copied into memory and used.
    (CVE-2019-11729)

  - Due to an error while parsing page content, it is     possible for properly sanitized user input to be     misinterpreted and lead to XSS hazards on web sites in     certain circumstances. (CVE-2019-11715)

  - Until explicitly accessed by script,     window.globalThis is not enumerable and, as     a result, is not visible to code such as     Object.getOwnPropertyNames(window). Sites     that deploy a sandboxing that depends on enumerating and     freezing access to the window object may miss this,     allowing their sandboxes to be bypassed.
    (CVE-2019-11716)

  - A vulnerability exists where the caret (^) character     is improperly escaped constructing some URIs due to it     being used as a separator, allowing for possible     spoofing of origin attributes. (CVE-2019-11717)

  - Activity Stream can display content from sent from the     Snippet Service website. This content is written to     innerHTML on the Activity Stream page     without sanitization, allowing for a potential access to     other information available to the Activity Stream, such     as browsing history, if the Snipper Service were     compromised. (CVE-2019-11718)

  - When importing a curve25519 private key in PKCS#8format     with leading 0x00 bytes, it is possible to trigger an     out-of-bounds read in the Network Security Services     (NSS) library. This could lead to information     disclosure. (CVE-2019-11719)

  - Some unicode characters are incorrectly treated as     whitespace during the parsing of web content instead of     triggering parsing errors. This allows malicious code to     then be processed, evading cross-site scripting (XSS)     filtering. (CVE-2019-11720)

  - The unicode latin 'kra' character can be used to spoof a     standard 'k' character in the addressbar. This allows     for domain spoofing attacks as do not display as     punycode text, allowing for user confusion.
    (CVE-2019-11721)

  - A vulnerability exists where if a user opens a locally     saved HTML file, this file can use file:
    URIs to access other files in the same directory or sub-     directories if the names are known or guessed. The Fetch     API can then be used to read the contents of any files     stored in these directories and they may uploaded to a     server. Luigi Gubello demonstrated that in combination     with a popular Android messaging app, if a malicious     HTML attachment is sent to a user and they opened that     attachment in Firefox, due to that app's predictable     pattern for locally-saved file names, it is possible to     read attachments the victim received from other     correspondents. (CVE-2019-11730)

  - A vulnerability exists during the installation of add-     ons where the initial fetch ignored the origin     attributes of the browsing context. This could leak     cookies in private browsing mode or across different     containers for people who use the Firefox Multi-     Account Containers Web Extension. (CVE-2019-11723)

  - Application permissions give additional remote     troubleshooting permission to the site     input.mozilla.org, which has been retired and now     redirects to another site. This additional permission is     unnecessary and is a potential vector for malicious     attacks. (CVE-2019-11724)

  - When a user navigates to site marked as unsafe by the     Safebrowsing API, warning messages are displayed and     navigation is interrupted but resources from the same     site loaded through websockets are not blocked, leading     to the loading of unsafe resources and bypassing     safebrowsing protections. (CVE-2019-11725)

  - A vulnerability exists where it possible to force     Network Security Services (NSS) to sign     CertificateVerify with PKCS#1 v1.5     signatures when those are the only ones advertised by     server in CertificateRequest in TLS 1.3.
    PKCS#1 v1.5 signatures should not be used for TLS 1.3     messages. (CVE-2019-11727)

  - The HTTP Alternative Services header, Alt-     Svc, can be used by a malicious site to scan all     TCP ports of any host that the accessible to a user when     web content is loaded. (CVE-2019-11728)

  - Mozilla developers and community members Andr Bargull,     Christian Holler, Natalia Csoregi, Raul Gurzau, Daniel     Varga, Jon Coppeard, Marcia Knous, Gary Kwong, Randell     Jesup, David Bolter, Jeff Gilbert, and Deian Stefan     reported memory safety bugs present in Firefox 67. Some     of these bugs showed evidence of memory corruption and     we presume that with enough effort that some of these     could be exploited to run arbitrary code.
    (CVE-2019-11710)

  - Mozilla developers and community members Andreea Pavel,     Christian Holler, Honza Bambas, Jason Kratzer, and Jeff     Gilbert reported memory safety bugs present in Firefox     67 and Firefox ESR 60.7. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2019-11709)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Mozilla Foundation reports :

CVE-2019-9811: Sandbox escape via installation of malicious language pack

CVE-2019-11711: Script injection within domain through inner window reuse

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

CVE-2019-11715: HTML parsing error can contribute to content XSS

CVE-2019-11716: globalThis not enumerable until accessed

CVE-2019-11717: Caret character improperly escaped in origins

CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

CVE-2019-11720: Character encoding XSS vulnerability

CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

CVE-2019-11725: Websocket resources bypass safebrowsing protections

CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

CVE-2019-11728: Port scanning through Alt-Svc header

CVE-2019-11710: Memory safety bugs fixed in Firefox 68

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

ID	Name	Product	Family	Severity
129772	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2019:2620-1)	Nessus	SuSE Local Security Checks	high
129665	openSUSE Security Update : MozillaFirefox (openSUSE-2019-2260)	Nessus	SuSE Local Security Checks	high
129664	openSUSE Security Update : MozillaFirefox (openSUSE-2019-2251)	Nessus	SuSE Local Security Checks	high
129663	openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2249)	Nessus	SuSE Local Security Checks	high
129662	openSUSE Security Update : MozillaThunderbird (openSUSE-2019-2248)	Nessus	SuSE Local Security Checks	high
129583	SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2019:2545-1)	Nessus	SuSE Local Security Checks	high
128970	Mozilla Thunderbird < 68.0	Nessus	Windows	high
128969	Mozilla Thunderbird < 68.0	Nessus	MacOS X Local Security Checks	high
127961	GLSA-201908-12 : Mozilla Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
127093	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : firefox regressions (USN-4054-2)	Nessus	Ubuntu Local Security Checks	high
126698	Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : firefox vulnerabilities (USN-4054-1)	Nessus	Ubuntu Local Security Checks	high
126622	Mozilla Firefox < 68.0	Nessus	Windows	high
126621	Mozilla Firefox < 68.0	Nessus	MacOS X Local Security Checks	high
126592	FreeBSD : mozilla -- multiple vulnerabilities (0592f49f-b3b8-4260-b648-d1718762656c)	Nessus	FreeBSD Local Security Checks	high

CVE-2019-11728

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins