CVE-2023-37201

8.8 HIGH

📋 TL;DR

This vulnerability allows an attacker to trigger a use-after-free condition when establishing a WebRTC connection over HTTPS, potentially leading to arbitrary code execution. It affects Firefox versions below 115, Firefox ESR below 102.13, and Thunderbird below 102.13. Users of these outdated browsers and email clients are at risk.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 115, Firefox ESR < 102.13, Thunderbird < 102.13
Operating Systems: All platforms (Windows, Linux, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WebRTC and HTTPS to be enabled (default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the browser process, potentially leading to full system compromise.

🟠 Likely Case: Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢 If Mitigated: No impact if patched versions are used or if WebRTC/HTTPS connections are blocked.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious websites or emails.
🏢 Internal Only: MEDIUM - Requires user interaction (visiting a malicious site or opening a malicious email).

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires tricking a user into visiting a malicious website or opening a malicious email with WebRTC content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 115, Firefox ESR 102.13, Thunderbird 102.13

Vendor Advisory: https://bugzilla.mozilla.org/show_bug.cgi?id=1826002

Restart Required: Yes

Instructions:

1. Open the browser/email client.
2. Go to Settings/Preferences > General/About.
3. Allow the application to check for and install updates.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable WebRTC (applies to: all platforms)

Prevents the vulnerable component from being used.

In Firefox/Thunderbird: about:config > set media.peerconnection.enabled to false

Block HTTPS connections to untrusted sites (applies to: all platforms)

Reduces attack surface by limiting WebRTC over HTTPS.

Use browser extensions or network policies to restrict HTTPS access.

🧯 If You Can't Patch

  • Restrict user access to untrusted websites and email content.
  • Implement application whitelisting to prevent execution of malicious code.

🔍 How to Verify

Check if Vulnerable:

Check the version in the browser/email client: Firefox/Thunderbird > Help > About.

Check Version:

On Linux, run firefox --version or thunderbird --version from a terminal.

Verify Fix Applied:

Confirm the version is Firefox 115+, Firefox ESR 102.13+, or Thunderbird 102.13+.
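The version check above can be scripted for fleet-wide verification. The following is an added example, not part of this advisory or Mozilla's tooling: it parses the output of `firefox --version` / `thunderbird --version`, distinguishes the ESR channel by the `esr` suffix Firefox ESR prints, and compares the installed version against the fixed versions listed above (Firefox 115, Firefox ESR 102.13, Thunderbird 102.13). The sample version strings in the `__main__` block are constructed for illustration; the exact `--version` output format is assumed to be "Mozilla Firefox 102.13.0esr" / "Thunderbird 102.13.0" style.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions from the advisory. Anything below these is affected.
FIXED_VERSIONS = {
    "firefox": (115, 0, 0),
    "firefox-esr": (102, 13, 0),
    "thunderbird": (102, 13, 0),
}

# Matches e.g. "Mozilla Firefox 115.0", "Mozilla Firefox 102.12.0esr",
# "Thunderbird 102.13.0". Patch component and "esr" suffix are optional.
_VERSION_RE = re.compile(
    r"(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE
)


def parse_version(output: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Parse a --version string into (channel, (major, minor, patch)).

    channel is 'firefox', 'firefox-esr' or 'thunderbird'.
    Returns None when the string is not recognised, so callers can
    distinguish "not installed / unknown" from "patched".
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    product, major, minor, patch, esr = match.groups()
    channel = product.lower()
    if channel == "firefox" and esr:
        channel = "firefox-esr"  # ESR has its own fixed version (102.13)
    return channel, (int(major), int(minor), int(patch or 0))


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported version is below the fixed version for its channel.

    Tuple comparison handles the ordering correctly (102.9 < 102.13),
    which a plain string comparison would get wrong.
    """
    parsed = parse_version(output)
    if parsed is None:
        return None
    channel, version = parsed
    return version < FIXED_VERSIONS[channel]


def check_installed(binary: str) -> str:
    """Run `<binary> --version` on this host and report the result."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=15
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return f"{binary}: not installed or did not respond"
    output = proc.stdout.strip() or proc.stderr.strip()
    status = is_vulnerable(output)
    if status is None:
        return f"{binary}: could not parse version from {output!r}"
    verdict = "VULNERABLE to CVE-2023-37201" if status else "patched"
    return f"{binary}: {output} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample strings, to show the decision logic offline.
    for sample in ("Mozilla Firefox 114.0.2", "Mozilla Firefox 102.12.0esr",
                   "Mozilla Firefox 115.0", "Thunderbird 102.13.0"):
        print(f"{sample!r}: vulnerable={is_vulnerable(sample)}")
    # Live check of whatever is on this host (prints "not installed" if absent).
    for name in ("firefox", "thunderbird"):
        print(check_installed(name))
```

Run it on each endpoint (or push it through your configuration-management tool) and treat any `VULNERABLE` line as a host still needing the update described under Official Fix.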

📡 Detection & Monitoring

Log Indicators:

  • Browser/email client crash logs with memory corruption errors
  • Unexpected WebRTC connection attempts in application logs

Network Indicators:

  • Unusual HTTPS traffic to/from browser on WebRTC ports (e.g., 443, 3478)

SIEM Query:

source="browser_logs" AND (event="crash" OR event="memory_error")

🔗 References
