CVE-2017-7764
Published 2018-06-11
Priority: P4 / 25 / medium / 5.3 (CVSS 3.0)
Vector: AV:N AC:L PR:N UI:N S:U C:N I:L A:N
EPSS: 2.00% (78.4th percentile)
Characters from the "Canadian Syllabics" Unicode block can be mixed with characters from other Unicode blocks in the address bar instead of being rendered in their raw "punycode" form, allowing domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0, which removes this category and treats them as "Limited Use Scripts". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
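The display rule described above can be modelled as a per-label check. This is an added example, not Firefox's or Mozilla's code: the function names, the per-label scope, and the sample hostnames are assumptions made for illustration, and it expects the Unicode form of the hostname, not the `xn--` form.

```javascript
// Added example: models only the script-mixing rule from the advisory.
// Script membership comes from the JS engine's Unicode property tables.
const CANS = /^\p{Script=Canadian_Aboriginal}$/u;
// Digits, hyphen and combining marks carry no script of their own.
const NEUTRAL = /^[\p{Script=Common}\p{Script=Inherited}]$/u;

// Classify every code point of one label.
function classifyLabel(label) {
  const seen = { cans: [], other: 0 };
  for (const ch of label.normalize('NFC')) {
    if (CANS.test(ch)) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
      seen.cans.push('U+' + hex);
    } else if (!NEUTRAL.test(ch)) {
      seen.other++;
    }
  }
  return seen;
}

// Decide how a hostname should be shown: any label that mixes Canadian
// Syllabics with another script forces the raw punycode form.
function displayDecision(hostname) {
  const flagged = [];
  for (const label of hostname.split('.')) {
    const { cans, other } = classifyLabel(label);
    if (cans.length > 0 && other > 0) flagged.push({ label, cans });
  }
  return { form: flagged.length ? 'punycode' : 'unicode', flagged };
}

// Constructed sample hostnames (not taken from the page or from any log).
const SAMPLES = [
  'abc\u1403.example',      // Latin + U+1403 in one label: mixed
  'abc-123.example',        // Latin with neutral characters only
  '\u1403\u1405.example',   // label wholly in Canadian Syllabics
  '\u1403-1.example',       // Canadian Syllabics + neutral characters
];

function runSamples() {
  return SAMPLES.map((h) => displayDecision(h).form);
}
```

Labels written wholly in Canadian Syllabics are not flagged here; whether to display them is a separate policy question the rule above does not answer.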
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 54.0-1 (sid) | firefox 54.0-1 (sid) |
| debian | firefox-esr | < firefox 54.0-1 (sid) | firefox 54.0-1 (sid) |
| mozilla | firefox | < 52.2.0 | 52.2.0 |
| mozilla | firefox | < 54.0 | 54.0 |
| mozilla | firefox | >= 0 < 54.0+build3-0ubuntu0.14.04.1 | 54.0+build3-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 54.0+build3-0ubuntu0.16.04.1 | 54.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= unspecified < 54 | 54 |
| mozilla | firefox_esr | >= unspecified < 52.2 | 52.2 |
| mozilla | thunderbird | < 52.2.0 | 52.2.0 |
| mozilla | thunderbird | >= 0 < 1:52.2.1+build1-0ubuntu0.14.04.1 | 1:52.2.1+build1-0ubuntu0.14.04.1 |
| mozilla | thunderbird | >= 0 < 1:52.2.1+build1-0ubuntu0.16.04.1 | 1:52.2.1+build1-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= unspecified < 52.2 | 52.2 |
CVSS provenance
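| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |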
GHSA
GHSA-mc3w-fw7x-qrw7: Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rende
ghsa_unreviewed·2022-05-14
CVE-2017-7764 [MEDIUM] CWE-20 GHSA-mc3w-fw7x-qrw7: Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rende
OSV
CVE-2017-7764: Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rende
osv·2018-06-11·CVSS 5.3
CVE-2017-7764 [MEDIUM] CVE-2017-7764: Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rende
OSV
thunderbird vulnerabilities
osv·2017-07-05·CVSS 9.8
CVE-2017-5470 [CRITICAL] thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
read uninitialized memory, obtain sensitive information or execute
arbitrary code. (CVE-2017-5470, CVE-2017-5472,
CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754,
CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7764)
Multiple security issues were discovered in the Graphite 2 library used
by Thunderbird. If a user were tricked into opening a specially crafted
message, an attacker could potentially exploit these to cause a denial of
service, read uninitialized memory, or execute arbitrary code.
(CVE-2017-7771, CVE-
OSV
firefox vulnerabilities
osv·2017-06-15·CVSS 9.8
CVE-2017-5470 [CRITICAL] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, spoof the addressbar contents, or
execute arbitrary code. (CVE-2017-5470, CVE-2017-5471, CVE-2017-5472,
CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754,
CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764)
Multiple security issues were discovered in the Graphite 2 library used by
Firefox. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service,
read uninitialized memory, or execute arbitrar
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2017-07-05·CVSS 9.8
CVE-2017-5470 [CRITICAL] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
read uninitialized memory, obtain sensitive information or execute
arbitrary code. (CVE-2017-5470, CVE-2017-5472,
CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754,
CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7764)
Multiple security issues were discovered in the Graphite 2 library used
by Thunderbird. If a user were tricked into opening a specially crafted
message, an attacker could potentially exploit these to cause a denial of
service, read u
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2017-06-15·CVSS 9.8
CVE-2017-5470 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, spoof the addressbar contents, or
execute arbitrary code. (CVE-2017-5470, CVE-2017-5471, CVE-2017-5472,
CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754,
CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764)
Multiple security issues were discovered in the Graphite 2 library used by
Firefox. If a user were tricked into opening a specially crafted website,
an attac
Red Hat
Mozilla: Domain spoofing with combination of Canadian Syllabics and other unicode blocks (MFSA 2017-16)
vendor_redhat·2017-06-14·CVSS 5.3
CVE-2017-7764 [MEDIUM] Mozilla: Domain spoofing with combination of Canadian Syllabics and other unicode blocks (MFSA 2017-16)
Debian
CVE-2017-7764: firefox - Characters from the "Canadian Syllabics" unicode block can be mixed with charact...
vendor_debian·2017·CVSS 5.3
CVE-2017-7764 [MEDIUM] CVE-2017-7764: firefox - Characters from the "Canadian Syllabics" unicode block can be mixed with charact...
Scope: local
sid: resolved (fixed in 54.0-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7764 Mozilla: Domain spoofing with combination of Canadian Syllabics and other unicode blocks (MFSA 2017-16)
bugzilla·2017-06-14·CVSS 5.3
CVE-2017-7764 [MEDIUM] CVE-2017-7764 Mozilla: Domain spoofing with combination of Canadian Syllabics and other unicode blocks (MFSA 2017-16)
Characters from the "Canadian Syllabics" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as "Limited Use Scripts."
External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-
Bugzilla
Security: disallow "Canadian Syllabics" unicode block from IDN domains
bugzilla·2017-05-12
[MEDIUM] Security: disallow "Canadian Syllabics" unicode block from IDN domains
Created attachment 8867025
1-domain_list_sorted_by_alexa.txt
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
Steps to reproduce:
VULNERABILITY DETAILS
Firefox should prevent the “Canadian Syllabics” unicode block from rendering in domain names with characters from other unicode blocks. This was observed in data found in the Certificate Transparency log while seeking to quantify the IDN impersonation/phishing problem (raw data attached).
REPRODUCTION CASE
There are a series of characters in the “CANADIAN SYLLABICS” unicode block which can be used to impersonate other domains. I believe mixing this block with other unicode blocks should be
References:
http://www.securityfocus.com/bid/99057
http://www.securitytracker.com/id/1038689
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts
https://access.redhat.com/errata/RHSA-2017:1440
https://access.redhat.com/errata/RHSA-2017:1561
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
https://www.debian.org/security/2017/dsa-3881
https://www.debian.org/security/2017/dsa-3918
https://www.mozilla.org/security/advisories/mfsa2017-15/
https://www.mozilla.org/security/advisories/mfsa2017-16/
https://www.mozilla.org/security/advisories/mfsa2017-17/
Published: 2018-06-11