Bug 1510816 (CVE-2017-16541)
Summary: | CVE-2017-16541 Mozilla: Proxy bypass using automount and autofs | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | cschalle, gecko-bugs-nobody, jhorak, lewk, mh, pwouters, rh-bugzilla, s, stransky |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
Firefox proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a `file:` URI, bypassing configured proxy settings. This issue only affects OS X in default configuration; on Linux systems, autofs must also be installed for the vulnerability to occur.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-09-13 04:57:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1510817, 1510818, 1623016, 1623017, 1623037, 1623039, 1623040, 1625533, 1625535, 1636821 | ||
Bug Blocks: | 1623023, 1636820 |
Description
Andrej Nemec
2017-11-08 09:55:55 UTC
Created tor tracking bugs for this issue: Affects: epel-all [bug 1510817] Affects: fedora-all [bug 1510818] This was found to be a bug in Firefox ESR, fixed in 60.2: Browser proxy settings can be bypassed by using the automount feature with autofs to create a mount point on the local file system. Content can be loaded from this mounted file system directly using a `file:` URI, bypassing configured proxy settings. *Note: this issue only affects OS X in default configurations. On Linux systems, autofs must be installed for the vulnerability to occur and Windows is not affected.* External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2017-16541 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2692 https://access.redhat.com/errata/RHSA-2018:2692 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2693 https://access.redhat.com/errata/RHSA-2018:2693 Statement: This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3403 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3458 https://access.redhat.com/errata/RHSA-2018:3458 |