CVE-2019-17024
📋 TL;DR
This CVE describes memory safety bugs in Firefox and Firefox ESR that could lead to memory corruption. With sufficient effort, attackers could potentially exploit these vulnerabilities to execute arbitrary code on affected systems. The vulnerability impacts Firefox versions below 72 and Firefox ESR versions below 68.4.
💻 Affected Systems
- Mozilla Firefox
- Mozilla Firefox ESR
📦 What is this software?
Firefox by Mozilla
Firefox ESR by Mozilla
Leap by openSUSE
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Browser crash or instability, with potential for limited code execution in targeted attacks.
If Mitigated
No impact if systems are patched or workarounds are implemented.
🎯 Exploit Status
Memory corruption bugs require sophisticated exploitation techniques. No public exploits were reported at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 72, Firefox ESR 68.4
Vendor Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/
Restart Required: Yes
Instructions:
1. Open Firefox/Firefox ESR.
2. Click menu → Help → About Firefox.
3. Allow the browser to check for updates and install them.
4. Restart the browser when prompted.
🔧 Temporary Workarounds
Disable JavaScript
Temporarily disable JavaScript to reduce the attack surface while patching.
about:config → javascript.enabled = false
Use Alternative Browser
Switch to an up-to-date alternative browser until Firefox is patched.
🧯 If You Can't Patch
- Restrict browser usage to trusted websites only.
- Implement application whitelisting to prevent unauthorized code execution.
🔍 How to Verify
Check if Vulnerable:
Check Firefox version via about:support or Help → About Firefox.
Check Version:
Run firefox --version (Linux) or open the About Firefox dialog.
Verify Fix Applied:
Confirm version is Firefox ≥72 or Firefox ESR ≥68.4.
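The version check above, as an added POSIX shell example that is not part of the original advisory: it parses the string that firefox --version prints (the "esr" suffix distinguishes the ESR line, e.g. "Mozilla Firefox 68.4.0esr") and compares it against the fixed versions stated here, Firefox 72 and Firefox ESR 68.4. The function names and the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Firefox build is at or
# above the fixed versions from MFSA2020-01 (Firefox 72, Firefox ESR 68.4).
# The version string is passed in so the logic can be exercised offline.

# firefox_is_fixed "<firefox --version output>"
#   returns 0 if the build is patched, 1 if it is vulnerable,
#   2 if no version number could be parsed from the string.
firefox_is_fixed() {
    ver=$(printf '%s' "$1" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    case "$ver" in
        *.*) minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    case "$1" in
        *esr*|*ESR*)
            # ESR line: fixed in 68.4; any later ESR major is also fixed.
            [ "$major" -gt 68 ] && return 0
            [ "$major" -eq 68 ] && [ "$minor" -ge 4 ] && return 0
            return 1 ;;
        *)
            # Release line: fixed in 72 and later.
            [ "$major" -ge 72 ] && return 0
            return 1 ;;
    esac
}

# Check the locally installed browser; exit status mirrors firefox_is_fixed.
check_installed_firefox() {
    out=$(firefox --version 2>/dev/null) || { echo "firefox not found"; return 2; }
    if firefox_is_fixed "$out"; then
        echo "patched: $out"; return 0
    else
        rc=$?; echo "VULNERABLE (rc=$rc): $out"; return "$rc"
    fi
}
```

Run check_installed_firefox on a host to get a one-line verdict; a non-zero exit status is convenient for fleet-wide inventory scripts.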
📡 Detection & Monitoring
Log Indicators:
- Browser crash reports
- Unexpected process termination
- Memory access violation errors
Network Indicators:
- Connections to known malicious domains serving exploit code
SIEM Query:
source="firefox.log" AND ("crash" OR "segmentation fault" OR "access violation")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00043.html
- http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html
- https://access.redhat.com/errata/RHSA-2020:0085
- https://access.redhat.com/errata/RHSA-2020:0086
- https://access.redhat.com/errata/RHSA-2020:0111
- https://access.redhat.com/errata/RHSA-2020:0120
- https://access.redhat.com/errata/RHSA-2020:0123
- https://access.redhat.com/errata/RHSA-2020:0127
- https://access.redhat.com/errata/RHSA-2020:0292
- https://access.redhat.com/errata/RHSA-2020:0295
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1507180%2C1595470%2C1598605%2C1601826
- https://lists.debian.org/debian-lts-announce/2020/01/msg00005.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00016.html
- https://seclists.org/bugtraq/2020/Jan/12
- https://seclists.org/bugtraq/2020/Jan/18
- https://seclists.org/bugtraq/2020/Jan/26
- https://security.gentoo.org/glsa/202003-02
- https://usn.ubuntu.com/4234-1/
- https://usn.ubuntu.com/4241-1/
- https://usn.ubuntu.com/4335-1/
- https://www.debian.org/security/2020/dsa-4600
- https://www.debian.org/security/2020/dsa-4603
- https://www.mozilla.org/security/advisories/mfsa2020-01/
- https://www.mozilla.org/security/advisories/mfsa2020-02/