Bug 1748659 (CVE-2019-11753)

Summary: CVE-2019-11753 Mozilla: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jhorak, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: firefox 60.9, firefox 68.1 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-04 01:07:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1745825    

Description Doran Moppert 2019-09-04 00:47:34 UTC
The Firefox installer allows Firefox to be installed to a custom user writable location, leaving it unprotected from manipulation by unprivileged users or malware. If the Mozilla Maintenance Service is manipulated to update this unprotected location and the updated maintenance service in the unprotected location has been altered, the altered maintenance service can run with elevated privileges during the update process due to a lack of integrity checks. This allows for privilege escalation if the executable has been replaced locally. 

*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.*

External Reference:


Comment 1 Doran Moppert 2019-09-04 00:47:36 UTC

Name: the Mozilla project
Upstream: Holger Fuhrmannek

Comment 2 Doran Moppert 2019-09-04 00:52:55 UTC

This vulnerability only affected Firefox on the Windows operating system.  Firefox on Red Hat Enterprise Linux is not affected.

Comment 3 Product Security DevOps Team 2019-09-04 01:07:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):