SUSE update for MozillaThunderbird
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-29950 CVE-2021-29951 CVE-2021-29956 CVE-2021-29957 |
| CWE-ID | CWE-312 CWE-264 CWE-693 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SUSE Linux Enterprise Workstation Extension Operating systems & Components / Operating system MozillaThunderbird-translations-other Operating systems & Components / Operating system package or component MozillaThunderbird-translations-common Operating systems & Components / Operating system package or component MozillaThunderbird-debugsource Operating systems & Components / Operating system package or component MozillaThunderbird-debuginfo Operating systems & Components / Operating system package or component MozillaThunderbird Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU52375
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29950
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the way Thunderbird handles secret OpenPGP keys. The application unprotects a secret OpenPGP key prior to using it for a decryption,
signing or key import task. If the task runs into a failure, the secret
key may remain in memory in its unprotected state. A local user or malicious application can read the key and use it to decrypt email messages.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 78.10.2-8.27.1
MozillaThunderbird-translations-common: before 78.10.2-8.27.1
MozillaThunderbird-debugsource: before 78.10.2-8.27.1
MozillaThunderbird-debuginfo: before 78.10.2-8.27.1
MozillaThunderbird: before 78.10.2-8.27.1
External linkshttp://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU52852
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29951
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to the way Mozilla Maintenance Service is installed in the Windows operating system. After installation the Mozilla Maintenance Service is granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. A local domain user can spam the "Stop" command and prevent the browser update service from operating.
The vulnerability affects only Firefox ESR installed on operating system Windows 10 build 1709 and older.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 78.10.2-8.27.1
MozillaThunderbird-translations-common: before 78.10.2-8.27.1
MozillaThunderbird-debugsource: before 78.10.2-8.27.1
MozillaThunderbird-debuginfo: before 78.10.2-8.27.1
MozillaThunderbird: before 78.10.2-8.27.1
External linkshttp://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cleartext storage of sensitive information
EUVDB-ID: #VU53308
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29956
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to OpenPGP secret keys that were imported using Thunderbird. were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. A local user can gain access to sensitive information.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 78.10.2-8.27.1
MozillaThunderbird-translations-common: before 78.10.2-8.27.1
MozillaThunderbird-debugsource: before 78.10.2-8.27.1
MozillaThunderbird-debuginfo: before 78.10.2-8.27.1
MozillaThunderbird: before 78.10.2-8.27.1
External linkshttp://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Protection Mechanism Failure
EUVDB-ID: #VU53307
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29957
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 78.10.2-8.27.1
MozillaThunderbird-translations-common: before 78.10.2-8.27.1
MozillaThunderbird-debugsource: before 78.10.2-8.27.1
MozillaThunderbird-debuginfo: before 78.10.2-8.27.1
MozillaThunderbird: before 78.10.2-8.27.1
External linkshttp://www.suse.com/support/update/announcement/2021/suse-su-20211854-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
