===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2021.04.20.1400
Firefox: Multiple vulnerabilities
20th April 2021
===========================================================================
Mozilla Foundation Security Advisory 2021-16
Security Vulnerabilities fixed in Firefox 88
Announced: April 19, 2021
Impact: high
Products: Firefox
Fixed in: Firefox 88
# CVE-2021-23994: Out of bound write due to lazy initialization
Reporter: Abraruddin Khan and Omair
Impact: high
Description
A WebGL framebuffer was not initialized early enough, resulting in memory
corruption and an out of bound write.
References
o Bug 1699077
# CVE-2021-23995: Use-after-free in Responsive Design Mode
Reporter: Irvan Kurniawan
Impact: high
Description
When Responsive Design Mode was enabled, it used references to objects that
were previously freed. We presume that with enough effort this could have been
exploited to run arbitrary code.
References
o Bug 1699835
# CVE-2021-23996: Content rendered outside of webpage viewport
Reporter: Colin D. Munro
Impact: high
Description
By utilizing 3D CSS in conjunction with Javascript, content could have been
rendered outside the webpage's viewport, resulting in a spoofing attack that
could have been used for phishing or other attacks on a user.
References
o Bug 1701834
# CVE-2021-23997: Use-after-free when freeing fonts from cache
Reporter: Irvan Kurniawan
Impact: high
Description
Due to unexpected data type conversions, a use-after-free could have occurred
when interacting with the font cache. We presume that with enough effort this
could have been exploited to run arbitrary code.
References
o Bug 1701942
# CVE-2021-23998: Secure Lock icon could have been spoofed
Reporter: Jordi Chancel
Impact: moderate
Description
Through complicated navigations with new windows, an HTTP page could have
inherited a secure lock icon from an HTTPS page.
References
o Bug 1667456
# CVE-2021-23999: Blob URLs may have been granted additional privileges
Reporter: Nika Layzell
Impact: moderate
Description
If a Blob URL was loaded through some unusual user interaction, it could have
been loaded by the System Principal and granted additional privileges that
should not be granted to web content.
References
o Bug 1691153
# CVE-2021-24000: requestPointerLock() could be applied to a tab different from
the visible tab
Reporter: Irvan Kurniawan
Impact: moderate
Description
A race condition with requestPointerLock() and setTimeout() could have resulted
in a user interacting with one tab when they believed they were on a separate
tab. In conjunction with certain elements (such as ) this
could have led to an attack where a user was confused about the origin of the
webpage and potentially disclosed information they did not intend to.
References
o Bug 1694698
# CVE-2021-24001: Testing code could have enabled session history manipulations
by a compromised content process
Reporter: Andrew McCreight
Impact: moderate
Description
A compromised content process could have performed session history
manipulations it should not have been able to due to testing infrastructure
that was not restricted to testing-only configurations.
References
o Bug 1694727
# CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL
Reporter: Daniel Santos
Impact: moderate
Description
When a user clicked on an FTP URL containing encoded newline characters (%0A
and %0D), the newlines would have been interpreted as such and allowed
arbitrary commands to be sent to the FTP server.
References
o Bug 1702374
# CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
null-reads
Reporter: Christian Holler
Impact: moderate
Description
The WebAssembly JIT could miscalculate the size of a return type, which could
lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are
unaffected.
References
o Bug 1700690
# CVE-2021-29944: HTML injection vulnerability in Firefox for Android's Reader
View
Reporter: Wladimir Palant working with Include Security
Impact: low
Description
Lack of escaping allowed HTML injection when a webpage was viewed in Reader
View. While a Content Security Policy prevents direct code execution, HTML
injection is still possible.
Note: This issue only affected Firefox for Android. Other operating systems are
unaffected.
References
o Bug 1697604
# CVE-2021-29946: Port blocking could be bypassed
Reporter: Frederik Braun
Impact: low
Description
Ports that were written as an integer overflow above the bounds of a 16-bit
integer could have bypassed port blocking restrictions when used in the Alt-Svc
header.
References
o Bug 1698503
# CVE-2021-29947: Memory safety bugs fixed in Firefox 88
Reporter: Mozilla developers and community
Impact: high
Description
Mozilla developers and community members Ryan VanderMeulen, Sean Feng, Tyson
Smith, Julian Seward, Christian Holler reported memory safety bugs present in
Firefox 87. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run
arbitrary code.
References
o Memory safety bugs fixed in Firefox 88
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT