Improper validation of integrity check value in Mozilla Firefox

#VU20822 Improper validation of integrity check value in Mozilla Firefox

Published: 2019-09-03

Vulnerability identifier: #VU20822

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11753

CWE-ID: CWE-354

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the Mozilla Maintenance Service does not check integrity of the binary files that were installed into a custom and unprotected folder on the system. A local user can manipulate the Mozilla Maintenance Service to update this unprotected location and escalate privilege on the system.

Note, the vulnerability affects Windows installation only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 66.0.2 - 68.0.2

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper validation of integrity check value in firefox-esr (Alpine package)

Multiple vulnerabilities in Mozilla Firefox ESR

Multiple vulnerabilities in Mozilla Firefox