CVE-2023-29539

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to perform reflected file download attacks by exploiting NULL character truncation in Firefox's handling of the filename in the Content-Disposition header. Attackers can trick users into downloading malicious files that appear legitimate, potentially leading to malware installation. Affected users are those running Firefox, Firefox ESR, Thunderbird, Firefox for Android, or Focus for Android below the versions listed under Affected Systems.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
  • Firefox for Android
  • Focus for Android
Versions: Firefox < 112, Firefox ESR < 102.10, Thunderbird < 102.10, Firefox for Android < 112, Focus for Android < 112
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users download and execute malicious files disguised as legitimate downloads, leading to full system compromise, data theft, or ransomware infection.

🟠 Likely Case

Users download malicious executables or documents that appear to be safe files, leading to malware infection on their systems.

🟢 If Mitigated

With proper security controls like web filtering, email scanning, and user education, the risk reduces to occasional successful phishing attempts with limited impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking/downloading) but the technical barrier is low. The vulnerability is well-documented in Mozilla advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 112, Firefox ESR 102.10, Thunderbird 102.10, Firefox for Android 112, Focus for Android 112

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-13/

Restart Required: Yes

Instructions:

1. Open the affected application.
2. Go to Help > About Firefox/Thunderbird.
3. Allow the automatic update check and installation.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable automatic downloads (platform: all)

Configure the browser to prompt before downloading any files:
about:preferences#general (Firefox) > Applications > Set all file types to 'Always ask'

Use an alternative browser temporarily (platform: all)

Switch to a non-vulnerable browser until patched.

🧯 If You Can't Patch

  • Implement web filtering to block malicious download URLs
  • Deploy endpoint protection with file reputation checking

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About menu and compare against affected versions

Check Version:

firefox --version (Linux), about:support (Firefox GUI), thunderbird --version (Linux)

Verify Fix Applied:

Verify version is equal to or greater than patched versions: Firefox 112+, Firefox ESR 102.10+, Thunderbird 102.10+, Firefox for Android 112+, Focus for Android 112+

📡 Detection & Monitoring

Log Indicators:

  • Unusual Content-Disposition header patterns with NULL characters
  • Multiple failed download attempts from same source

Network Indicators:

  • HTTP responses with Content-Disposition headers containing unusual filename patterns
  • Downloads from untrusted sources with executable extensions

SIEM Query:

http.content_disposition CONTAINS "%00" OR http.filename CONTAINS NULL
