Bug 1748662 (CVE-2019-11736)

Summary: CVE-2019-11736 Mozilla: File manipulation and privilege escalation in Mozilla Maintenance Service
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jhorak, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 68.1 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-04 01:07:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1745825    

Description Doran Moppert 2019-09-04 00:48:22 UTC 
The Mozilla Maintenance Service does not guard against files being hardlinked to another file in the `updates` directory, allowing for the replacement of local files, including the Maintenance Service executable, which is run with privileged access. Additionally, there was a race condition during checks for junctions and symbolic links by the Maintenance Service, allowing for potential local file and directory manipulation to be undetected in some circumstances. This allows for potential privilege escalation by a user with unprivileged local access. 

*Note: These attacks requires local system access and only affects Windows. Other operating systems are not affected.*



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/#CVE-2019-11736
Comment 1 Doran Moppert 2019-09-04 00:48:25 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Seb Patane
Comment 2 Doran Moppert 2019-09-04 00:53:01 UTC 
Statement:

This vulnerability only affected Firefox on the Windows operating system.  Firefox on Red Hat Enterprise Linux is not affected.
Comment 3 Product Security DevOps Team 2019-09-04 01:07:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11736