CVE-2016-5284
Published: 2016-09-22
Priority: P434 · Severity: high · CVSS 3.0 score: 7.4
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 2.37% (81.8th percentile)
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 49.0-1 (sid) | firefox 49.0-1 (sid) |
| debian | firefox-esr | < firefox 49.0-1 (sid) | firefox 49.0-1 (sid) |
| mozilla | firefox | <= 48.0.2 | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 49.0+build4-0ubuntu0.14.04.1 | 49.0+build4-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 49.0+build4-0ubuntu0.16.04.1 | 49.0+build4-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= 0 < 1:45.4.0+build1-0ubuntu0.14.04.1 | 1:45.4.0+build1-0ubuntu0.14.04.1 |
| mozilla | thunderbird | >= 0 < 1:45.4.0+build1-0ubuntu0.16.04.1 | 1:45.4.0+build1-0ubuntu0.16.04.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 7.4 | HIGH | — |
| vendor_debian | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
GHSA
GHSA-2fqh-hxv3-hqmx: Mozilla Firefox before 49
ghsa_unreviewed · 2022-05-14 · CVE-2016-5284 [HIGH] · CWE-20
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
OSV
thunderbird vulnerabilities
osv · 2016-10-27 · CVSS 4.3 · CVE-2016-5250 [MEDIUM]
Catalin Dumitru discovered that URLs of resources loaded after a navigation start could be leaked to the following page via the Resource Timing API. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5250)

Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5257)

Atte Kettunen discovered a heap buffer overflow during text co
OSV
CVE-2016-5284: Mozilla Firefox before 49
osv · 2016-09-22 · CVSS 7.4 · CVE-2016-5284 [HIGH]
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
OSV
firefox vulnerabilities
osv · 2016-09-22 · CVSS 6.5 · CVE-2016-2827 [MEDIUM]
Atte Kettunen discovered an out-of-bounds read when handling certain Content Security Policy (CSP) directives in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-2827)

Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, Michael Smith, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5256, CVE-
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2016-10-27 · CVSS 4.3 · CVE-2016-5250 [MEDIUM]
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Catalin Dumitru discovered that URLs of resources loaded after a navigation start could be leaked to the following page via the Resource Timing API. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5250)

Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5
Ubuntu
Firefox vulnerabilities
vendor_ubuntu · 2016-09-22 · CVSS 6.5 · CVE-2016-2827 [MEDIUM]
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Atte Kettunen discovered an out-of-bounds read when handling certain Content Security Policy (CSP) directives in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-2827)

Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, Michael Smith, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially e
Red Hat
Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86)
vendor_redhat · 2016-09-20 · CVSS 7.4 · CVE-2016-5284 [HIGH]
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-5284: firefox - Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45....
vendor_debian · 2016 · CVSS 7.4 · CVE-2016-5284 [HIGH]
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
Scope: local
sid: resolved (fixed in 49.0-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-5284 Mozilla: Add-on update site certificate pin expiration (MFSA 2016-85, MFSA 2016-86)
bugzilla · 2016-09-20 · CVSS 7.4 · CVE-2016-5284 [HIGH]
Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected.
External Reference:
https://www.mozilla.org/security/advisories/mfsa2016-85/
https://www.mozilla.org/security/advisories/mfsa2016-86/
Discussion:
Acknowledgments:
Name: the Mozilla project
Upstream: Ryan Duff
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat
Bugzilla
ESR-45/Tor Browser certificate pinning bypass for addons.mozilla.org and other built-in sites
bugzilla·2016-09-15
[MEDIUM] ESR-45/Tor Browser certificate pinning bypass for addons.mozilla.org and other built-in sites
ESR-45/Tor Browser certificate pinning bypass for addons.mozilla.org and other built-in sites
User Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D415 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.105 Mobile Safari/537.36
Steps to reproduce:
Write a malicious extension to be payload. Have it signed by Mozilla using their automated process. Generate a forged certificate for addons.mozilla.org that validates up through any CA built in to the Firefox certificate store. MiTM traffic to addons.mozilla.org trying to update NoScript or HTTPS Everywhere. Serve your malicious extension instead of the requested update to the target.
http://seclists.org/dailydave/2016/q3/51
Actual results:
Said "certificate issuer is not built-in", obviously not failing due to pinning re
References:
http://rhn.redhat.com/errata/RHSA-2016-1912.html
http://seclists.org/dailydave/2016/q3/51
http://www.debian.org/security/2016/dsa-3674
http://www.mozilla.org/security/announce/2016/mfsa2016-85.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.securityfocus.com/bid/93049
http://www.securitytracker.com/id/1036852
https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/
https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
https://security.gentoo.org/glsa/201701-15
https://www.mozilla.org/security/advisories/mfsa2016-86/
https://www.mozilla.org/security/advisories/mfsa2016-88/