Security bypass in Mozilla Firefox



Published: 2017-03-07
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-5400
CWE-ID CWE-265
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor Mozilla

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Security bypass

EUVDB-ID: #VU5921

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5400

CWE-ID: CWE-265 - Privilege / Sandbox Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security mechanisms.

The vulnerability exists due to an error within asm.js. A remote attacker can perform a JIT-spray technique combined with a heap spray and bypass implemented ASLR and DEP protections.

Successful exploitation of the vulnerability may allow an attacker to leverage exploitation of other remote code execution vulnerabilities.

Mitigation

Update to Firefox 52.

Vulnerable software versions

Mozilla Firefox: 50.0 - 51.0.3

External links

http://www.mozilla.org/en-US/security/advisories/mfsa2017-05/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###