9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.4%
The version of Firefox installed on the remote macOS or Mac OS X host is prior to 114.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-20 advisory.
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.
(CVE-2023-34414)
When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an open redirect. Firefox no longer follows HTTP redirects to data: URLs. (CVE-2023-34415)
Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-34416)
Mozilla developers and community members Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2023-34417)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mozilla Foundation Security Advisory mfsa2023-20.
# The text itself is copyright (C) Mozilla Foundation.
##
include('compat.inc');
if (description)
{
script_id(176740);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/07");
script_cve_id(
"CVE-2023-34414",
"CVE-2023-34415",
"CVE-2023-34416",
"CVE-2023-34417"
);
script_xref(name:"IAVA", value:"2023-A-0277-S");
script_name(english:"Mozilla Firefox < 114.0");
script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Firefox installed on the remote macOS or Mac OS X host is prior to 114.0. It is, therefore, affected by
multiple vulnerabilities as referenced in the mfsa2023-20 advisory.
- The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to
protect prompts and permission dialogs from attacks that exploit human response time delays. If a
malicious page elicited user clicks in precise locations immediately before navigating to a site with a
certificate error and made the renderer extremely busy at the same time, it could create a gap between
when the error page was loaded and when the display actually refreshed. With the right timing the elicited
clicks could land in that gap and activate the button that overrides the certificate error for that site.
(CVE-2023-34414)
- When choosing a site-isolated process for a document loaded from a data: URL that was the result of a
redirect, Firefox would load that document in the same process as the site that issued the redirect. This
bypassed the site-isolation protections against Spectre-like attacks on sites that host an open
redirect. Firefox no longer follows HTTP redirects to data: URLs. (CVE-2023-34415)
- Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean
Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some
of these bugs showed evidence of memory corruption and we presume that with enough effort some of these
could have been exploited to run arbitrary code. (CVE-2023-34416)
- Mozilla developers and community members Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team
reported memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been exploited to run arbitrary
code. (CVE-2023-34417)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2023-20/");
script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 114.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-34417");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/06");
script_set_attribute(attribute:"patch_publication_date", value:"2023/06/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MacOS X Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("macosx_firefox_installed.nasl");
script_require_keys("MacOSX/Firefox/Installed");
exit(0);
}
include('mozilla_version.inc');
var kb_base = 'MacOSX/Firefox';
get_kb_item_or_exit(kb_base+'/Installed');
var version = get_kb_item_or_exit(kb_base+'/Version', exit_code:1);
var path = get_kb_item_or_exit(kb_base+'/Path', exit_code:1);
var is_esr = get_kb_item(kb_base+'/is_esr');
if (is_esr) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');
mozilla_check_version(version:version, path:path, product:'firefox', esr:FALSE, fix:'114.0', severity:SECURITY_HOLE);