CVE-2019-11707
published 2019-07-23


Priority: P184, high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-06-13
Exploited in the wild
EPSS: 37.95% (98.4th percentile)
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Affected

15 ranges

Vendor  | Product     | Version range                              | Fixed in
debian  | firefox     | < firefox 67.0.3-1 (sid)                   | firefox 67.0.3-1 (sid)
debian  | firefox-esr | < firefox 67.0.3-1 (sid)                   | firefox 67.0.3-1 (sid)
debian  | thunderbird | < firefox 67.0.3-1 (sid)                   | firefox 67.0.3-1 (sid)
mozilla | firefox     | < 60.7.1                                   | 60.7.1
mozilla | firefox     | < 67.0.3                                   | 67.0.3
mozilla | firefox     | >= unspecified < 67.0.3                    | 67.0.3
mozilla | firefox_esr | >= unspecified < 60.7.1                    | 60.7.1
mozilla | thunderbird | < 60.7.2                                   | 60.7.2
mozilla | thunderbird | >= 0 < 1:60.7.2-1                          | 1:60.7.2-1
mozilla | thunderbird | >= 0 < 1:60.7.2-1                          | 1:60.7.2-1
mozilla | thunderbird | >= 0 < 1:60.7.2-1                          | 1:60.7.2-1
mozilla | thunderbird | >= 0 < 1:60.7.2-1                          | 1:60.7.2-1
mozilla | thunderbird | >= 0 < 1:60.7.2+build2-0ubuntu0.16.04.1    | 1:60.7.2+build2-0ubuntu0.16.04.1
mozilla | thunderbird | >= 0 < 1:60.7.2+build2-0ubuntu0.18.04.1    | 1:60.7.2+build2-0ubuntu0.18.04.1
mozilla | thunderbird | >= unspecified < 60.7.2                    | 60.7.2

Detection & IOCs (extracted from sources)

url: https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e
  • OSX.Mokes.B drops a zero-byte tracking file under ~/Library/Application Support/ with a hardcoded MD5 hash as the filename to record which of six hardcoded malware name sets has been used for persistence; presence of any of these six files is a host-based indicator of compromise.
  • OSX.Mokes.B installs a LaunchAgent under ~/Library/LaunchAgents/ using one of six hardcoded name pairs (e.g. storeaccountd, Spotlightd, soagent, quicklookd, accountd, trustd); monitor LaunchAgents directory for unexpected entries matching these names.
  • The CVE-2019-11707 exploit abuses IonMonkey JIT inlining of Array.pop; detection of exploit attempts can focus on JavaScript that sets a custom prototype on a sparse array and then calls Array.pop in a tight JIT-compiled loop, causing type confusion between Uint32Array and Uint8Array element access.
  • CVE-2019-11707 was chained with CVE-2019-11708 (sandbox escape) in the wild; detections should consider both vulnerabilities being exploited together as part of the 'Hydseven' exploit chain.
  • The exploit targets Firefox content (child) processes running at Low Integrity in an AppContainer; sandbox level security.sandbox.content.level must be at 2 or lower for the standalone payload to execute — monitor for about:config changes lowering this value.
  • Thunderbird is not exploitable via email delivery of this CVE because JavaScript execution is disabled when reading mail; the vulnerability only applies to Thunderbird in non-email contexts.
  • The standalone exploit (EDB-50691) only compromises the sandboxed Firefox content process and cannot by itself perform file I/O, network connections, or process execution; a secondary sandbox-escape exploit (CVE-2019-11708) is required for full system compromise.
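The three host-side checks the material above implies (version against the fixed releases listed under Affected, the security.sandbox.content.level override in a profile's prefs.js, and the OSX.Mokes.B LaunchAgent names) as one audit script. This is an added example, not code from this page, from Mozilla or from any source the page cites. It assumes the standard prefs.js line format `user_pref("name", value);`, and it flags a LaunchAgent plist on a case-insensitive substring match against the six names because the page does not give the malware's exact plist filenames; the prefs text and file list at the bottom are constructed sample data.

```python
"""Host-side exposure check for CVE-2019-11707 (added example, not vendor code).

Each check is a pure function over data already collected from an endpoint
(version string, prefs.js contents, LaunchAgents directory listing), so it
can be unit-tested offline and dropped into a fleet sweep.
"""
import re
from typing import Optional

# Fixed releases from the advisory: anything older is in the vulnerable range.
FIXED_VERSIONS = {
    "firefox": (67, 0, 3),
    "firefox_esr": (60, 7, 1),
    "thunderbird": (60, 7, 2),
}

# LaunchAgent names attributed to OSX.Mokes.B in the IOC list above. Several
# are also names of legitimate Apple daemons, which ship under /System and are
# never installed as per-user LaunchAgents, so a hit in ~/Library/LaunchAgents
# is worth a look.
MOKES_AGENT_NAMES = ("storeaccountd", "spotlightd", "soagent",
                     "quicklookd", "accountd", "trustd")

# Per the IOC list: the standalone payload runs only at content sandbox
# level 2 or lower.
SANDBOX_LEVEL_THRESHOLD = 2

_PREF_RE = re.compile(
    r'user_pref\("security\.sandbox\.content\.level",\s*(\d+)\);')


def parse_version(version: str) -> tuple:
    """'67.0.3' -> (67, 0, 3); '60.7.1esr' -> (60, 7, 1); '1:60.7.2-1' -> (60, 7, 2).

    A Debian-style epoch ('1:') is dropped, a trailing 'esr' or '-1' revision is
    ignored, and missing components pad to 0 so '67.0' compares as (67, 0, 0).
    """
    upstream = version.strip().split(":")[-1]
    parts = [int(p) for p in re.findall(r"\d+", upstream)]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` of `product` is below the advisory's fixed release.

    A Firefox version string carrying the 'esr' suffix is compared against the
    ESR fix (60.7.1) instead of the mainline fix (67.0.3).
    """
    key = product.lower()
    if key == "firefox" and version.strip().lower().endswith("esr"):
        key = "firefox_esr"
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown product {product!r}")
    return parse_version(version) < FIXED_VERSIONS[key]


def sandbox_level_from_prefs(prefs_text: str) -> Optional[int]:
    """Return the security.sandbox.content.level override from prefs.js text,
    or None when the profile does not override it (the built-in default applies).
    If the pref appears more than once, the last write wins, as in Firefox."""
    matches = _PREF_RE.findall(prefs_text)
    return int(matches[-1]) if matches else None


def sandbox_weakened(prefs_text: str) -> bool:
    """True when prefs.js pins the content sandbox at or below the level the
    in-the-wild payload needed."""
    level = sandbox_level_from_prefs(prefs_text)
    return level is not None and level <= SANDBOX_LEVEL_THRESHOLD


def suspicious_launch_agents(plist_names) -> list:
    """Filter ~/Library/LaunchAgents file names containing one of the Mokes
    agent names. Substring matching is an assumption of this example; the
    page does not state the exact plist filenames the malware writes."""
    hits = []
    for name in plist_names:
        lowered = name.lower()
        if any(agent in lowered for agent in MOKES_AGENT_NAMES):
            hits.append(name)
    return hits


# Constructed sample data for a stand-alone run (not taken from any real host).
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.sandbox.content.level", 2);
'''
SAMPLE_LAUNCH_AGENTS = ["com.apple.trustd.plist", "com.google.keystone.agent.plist"]

if __name__ == "__main__":
    for product, ver in [("firefox", "67.0.2"), ("firefox", "60.7.1esr"),
                         ("thunderbird", "60.7.2")]:
        state = "VULNERABLE" if is_vulnerable(product, ver) else "fixed"
        print(f"{product} {ver}: {state}")
    print("content sandbox weakened:", sandbox_weakened(SAMPLE_PREFS_JS))
    print("suspicious LaunchAgents:", suspicious_launch_agents(SAMPLE_LAUNCH_AGENTS))
```

When the collected version string for an ESR install lacks the "esr" suffix, pass product "firefox_esr" explicitly; otherwise 60.7.1 is judged against the 67.0.3 mainline threshold and reported as vulnerable when it is not.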

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 3.1     | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | 2.0     | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vulncheck     |         | 8.8   | HIGH     |
cisa          |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_ubuntu |         | 8.8   | HIGH     |