Bug 1625531 (CVE-2018-12383) - CVE-2018-12383 Mozilla: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords
Summary: CVE-2018-12383 Mozilla: Setting a master password post-Firefox 58 does not de...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-12383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1623040 1623037 1623039 1625533 1625535 1632064 1632065 1632532 1632968 1636821
Blocks: 1623023 1632061 1636820
TreeView+ depends on / blocked
 
Reported: 2018-09-05 07:15 UTC by Doran Moppert
Modified: 2019-09-29 14:57 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-28 01:23:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2834 None None None 2018-09-27 20:38:48 UTC
Red Hat Product Errata RHSA-2018:2835 None None None 2018-09-27 20:44:41 UTC
Red Hat Product Errata RHSA-2018:3403 None None None 2018-10-30 16:58:33 UTC
Red Hat Product Errata RHSA-2018:3458 None None None 2018-11-05 10:44:20 UTC

Description Doran Moppert 2018-09-05 07:15:19 UTC
If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12383

Comment 1 Doran Moppert 2018-09-05 07:15:23 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Jurgen Gaeremyn

Comment 6 Doran Moppert 2018-09-17 00:42:30 UTC
More information including wontfix decision in the upstream ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=1475775

Comment 8 Doran Moppert 2018-09-17 00:42:44 UTC
Mitigation:

To mitigate against this flaw, examine user profile directories for the presence of both `key3.db` and `key4.db` files.  If both are present, `key3.db` should be deleted.

Comment 11 errata-xmlrpc 2018-09-27 20:38:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2834 https://access.redhat.com/errata/RHSA-2018:2834

Comment 12 errata-xmlrpc 2018-09-27 20:44:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2835 https://access.redhat.com/errata/RHSA-2018:2835

Comment 14 Doran Moppert 2018-10-09 01:59:01 UTC
Statement:

Upstream decided to not fix this issue in Firefox ESR 60.2 given the low impact.  A future ESR update may correct this flaw.

This flaw would impact users who had saved passwords from Firefox 58 or earlier that were not protected by a master password (resulting in an un-encrypted `key3.db`), but set a master password when using Firefox 59 or newer (resulting in an encrypted `key4.db`).  The old key file was kept around to facilitate downgrading to Firefox 58.

This flaw cannot be exploited through email in Thunderbird as scripting is disabled in this for email content. It may be possible to exploit through Feeds (Atom or RSS) or other browser-like contexts.

Comment 15 errata-xmlrpc 2018-10-30 16:58:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3403 https://access.redhat.com/errata/RHSA-2018:3403

Comment 16 errata-xmlrpc 2018-11-05 10:44:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3458 https://access.redhat.com/errata/RHSA-2018:3458


Note You need to log in before you can comment on or make changes to this bug.