CVE-2019-9812 - OpenCVE

Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Esr Firefox

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1538008	Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1538015	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2019-25/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-26/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2019-27/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2020-01-08T21:41:06

Updated: 2020-01-08T21:41:06

Reserved: 2019-03-14T00:00:00

Link: CVE-2019-9812

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-08T22:15:13.310

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-9812

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 60.9"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 68.1"}]}, {"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "affected", "version": "before 69"}]}], "descriptions": [{"lang": "en", "value": "Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69."}], "problemTypes": [{"descriptions": [{"description": "Sandbox escape through Firefox Sync", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-08T21:41:06", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-25/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-27/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-26/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538015"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538008"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2019-9812", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox ESR", "version": {"version_data": [{"version_value": "before 60.9"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_value": "before 68.1"}]}}, {"product_name": "Firefox", "version": {"version_data": [{"version_value": "before 69"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Sandbox escape through Firefox Sync"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2019-25/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-25/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-27/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-27/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2019-26/", "refsource": "CONFIRM", "url": "https://www.mozilla.org/security/advisories/mfsa2019-26/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538015", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538015"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538008", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538008"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2019-9812", "datePublished": "2020-01-08T21:41:06", "dateReserved": "2019-03-14T00:00:00", "dateUpdated": "2020-01-08T21:41:06", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "299AA921-46BD-4E9F-8D74-F304F44C6EB4", "versionEndExcluding": "69.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF946E25-3903-4910-AE6B-E3533F3999FB", "versionEndExcluding": "60.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "216100D1-90E9-40FD-AD33-0DEEF767FDF3", "versionEndExcluding": "68.1", "versionStartIncluding": "61.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Given a compromised sandboxed content process due to a separate vulnerability, it is possible to escape that sandbox by loading accounts.firefox.com in that process and forcing a log-in to a malicious Firefox Sync account. Preference settings that disable the sandbox are then synchronized to the local machine and the compromised browser would restart without the sandbox if a crash is triggered. This vulnerability affects Firefox ESR < 60.9, Firefox ESR < 68.1, and Firefox < 69."}, {"lang": "es", "value": "Dado un proceso de contenido comprometido dentro del sandbox debido a una vulnerabilidad separada, es posible escapar de ese sandbox cargando accounts.firefox.com en ese proceso y forzando un inicio de sesi\u00f3n en una cuenta de Firefox Sync maliciosa. La configuraci\u00f3n de preferencias que deshabilita el sandbox es sincronizada con la m\u00e1quina local y el navegador comprometido se reiniciar\u00e1 sin el sandbox si es activado un bloqueo. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 60.9, Firefox ESR versiones anteriores a la versi\u00f3n 68.1 y Firefox versiones anteriores a la versi\u00f3n 69."}], "id": "CVE-2019-9812", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-08T22:15:13.310", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538008"}, {"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1538015"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-25/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-26/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2019-27/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}