#VU9323 Privilege escalation in Mozilla Firefox


Published: 2017-11-15

Vulnerability identifier: #VU9323

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7836

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a local user to escalate privileges on the system.

The "pingsender" executable used by the Firefox Health Report dynamically loads a system copy of libcurl, which an attacker could replace. This allows for privilege escalation as the replaced libcurl code will run with Firefox's privileges.
Note: This attack requires that the attacker already have local access to the system, and it only affects OS X and Linux. Windows systems are not affected.
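As an added defender-side check (not Mozilla's code and not part of this bulletin), the Python below parses `ldconfig -p` output (a constructed sample is embedded) to find the system libcurl the dynamic loader would hand to pingsender on Linux, and flags any copy an unprivileged local user could replace: an untrusted owner, group/other write bits on the file, or a group/other-writable directory without the sticky bit. The sample paths and the trusted-uid set are assumptions.

```python
import os
import stat

# Constructed sample of `ldconfig -p` output (Linux); paths are examples only.
SAMPLE_LDCONFIG = """\
3 libs found in cache `/etc/ld.so.cache'
\tlibcurl.so.4 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcurl.so.4
\tlibcurl.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libcurl.so
\tlibc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6
"""

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def parse_ldconfig(output, soname_prefix="libcurl"):
    """Resolved paths of every cached library whose name starts with
    soname_prefix, in the order the dynamic loader would find them."""
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(soname_prefix) and "=>" in line:
            paths.append(line.split("=>", 1)[1].strip())
    return paths


def replaceable_by_unprivileged(path, trusted_uids=frozenset({0})):
    """Reasons an unprivileged local user could swap this library file;
    an empty list means the file and its directory look safe.
    Symlinks are followed. A sticky directory only lets the file owner
    (already checked above) or the directory owner unlink the file."""
    reasons = []
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        reasons.append("file owned by untrusted uid %d" % st.st_uid)
    if st.st_mode & WRITE_BITS:
        reasons.append("file is group- or world-writable")
    pst = os.stat(os.path.dirname(os.path.realpath(path)))
    if pst.st_uid not in trusted_uids:
        reasons.append("directory owned by untrusted uid %d" % pst.st_uid)
    if (pst.st_mode & WRITE_BITS) and not (pst.st_mode & stat.S_ISVTX):
        reasons.append("directory is group- or world-writable (no sticky bit)")
    return reasons


def audit(ldconfig_output, trusted_uids=frozenset({0})):
    """Map each cached libcurl path to its findings, skipping missing files."""
    return {p: replaceable_by_unprivileged(p, trusted_uids)
            for p in parse_ldconfig(ldconfig_output) if os.path.exists(p)}
```

On a live Linux host, pass the real `ldconfig -p` output to `audit()`; on OS X the same `replaceable_by_unprivileged()` check applies to whichever libcurl dylib the binary resolves.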

Mitigation
Update to Firefox version 57.

Vulnerable software versions

Mozilla Firefox: 53.0 - 56.0.1


External links
http://www.mozilla.org/en-US/security/advisories/mfsa2017-24/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally: the attacker must hold valid credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
