CVE-2023-6861
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code via a heap buffer overflow in Firefox's nsWindow::PickerOpen method when running in headless mode. It affects Firefox ESR versions below 115.6, Thunderbird below 115.6, and Firefox below 121. Attackers could exploit this by tricking users into visiting malicious websites.
💻 Affected Systems
- Firefox ESR
- Thunderbird
- Firefox
📦 What is this software?
Firefox by Mozilla
Firefox ESR by Mozilla
Thunderbird by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Browser crash (denial of service) or limited code execution within browser sandbox boundaries.
If Mitigated
No impact if patched or if headless mode is disabled in vulnerable versions.
🎯 Exploit Status
Requires headless mode and specific conditions to trigger the buffer overflow. No public exploit code has been identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox ESR 115.6, Thunderbird 115.6, Firefox 121
Vendor Advisory: https://bugzilla.mozilla.org/show_bug.cgi?id=1864118
Restart Required: Yes
Instructions:
1. Update Firefox to version 121 or later.
2. Update Firefox ESR to version 115.6 or later.
3. Update Thunderbird to version 115.6 or later.
4. Restart the application after updating.
🔧 Temporary Workarounds
Disable headless mode
Prevent exploitation by disabling headless mode in vulnerable versions.
Configuration file: not applicable; headless mode is controlled via application settings or command-line flags.
🧯 If You Can't Patch
- Disable headless mode in all affected applications
- Implement network filtering to block access to untrusted websites
🔍 How to Verify
Check if Vulnerable:
Check application version against affected versions: Firefox ESR < 115.6, Thunderbird < 115.6, Firefox < 121
Check Version:
- GUI: Help → About Firefox / About Thunderbird
- Command line: firefox --version, thunderbird --version
Verify Fix Applied:
Confirm version is equal to or greater than patched versions: Firefox ESR >= 115.6, Thunderbird >= 115.6, Firefox >= 121
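As an added example (not part of the original advisory), the shell helper below classifies the output of firefox --version or thunderbird --version against the fixed versions listed above. The version-string formats it expects ("Mozilla Firefox 115.5.0esr", "Thunderbird 115.5.1") are an assumption; the thresholds are the advisory's.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Mozilla version string
# against the fixed versions for CVE-2023-6861.
# Thresholds from the advisory: Firefox 121, Firefox ESR 115.6, Thunderbird 115.6.
# Assumption: --version output looks like "Mozilla Firefox 115.5.0esr" or "Thunderbird 115.5.1".

# ver_lt A B: succeeds when dotted version A is strictly lower than B.
# Compares up to three numeric components; a trailing suffix such as "esr" is ignored.
ver_lt() {
  printf '%s %s\n' "$1" "$2" | awk '{
    n1 = split($1, a, "[.]"); n2 = split($2, b, "[.]")
    for (i = 1; i <= 3; i++) {
      x = (i <= n1) ? a[i] + 0 : 0
      y = (i <= n2) ? b[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# cve_2023_6861_status "<version line>": prints VULNERABLE, FIXED or UNKNOWN.
# Returns 1 for VULNERABLE, 0 for FIXED, 2 when the product is not recognised.
cve_2023_6861_status() {
  cve_line=$1
  case $cve_line in
    *Thunderbird*)  cve_fixed=115.6 ;;   # Thunderbird < 115.6 affected
    *Firefox*esr*)  cve_fixed=115.6 ;;   # Firefox ESR < 115.6 affected
    *Firefox*)      cve_fixed=121   ;;   # Firefox < 121 affected
    *) echo UNKNOWN; return 2 ;;
  esac
  # keep the first run of digits and dots: "Mozilla Firefox 115.5.0esr" -> "115.5.0"
  cve_ver=$(printf '%s\n' "$cve_line" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  [ -n "$cve_ver" ] || { echo UNKNOWN; return 2; }
  if ver_lt "$cve_ver" "$cve_fixed"; then
    echo VULNERABLE; return 1
  fi
  echo FIXED; return 0
}

# Constructed sample version lines (not captured from real systems); on a live host use:
#   cve_2023_6861_status "$(firefox --version 2>/dev/null)"
for sample in 'Mozilla Firefox 115.5.0esr' 'Mozilla Firefox 115.6.0esr' \
              'Mozilla Firefox 120.0.1' 'Mozilla Firefox 121.0' \
              'Thunderbird 115.5.1' 'Thunderbird 115.6.0'; do
  printf '%-28s %s\n' "$sample" "$(cve_2023_6861_status "$sample")"
done
```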
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unexpected process termination in headless mode
Network Indicators:
- Unusual outbound connections from browser processes
- Traffic to known malicious domains
SIEM Query:
(EventID=1000 OR EventID=1001) AND (ProcessName contains 'firefox' OR ProcessName contains 'thunderbird') AND ExceptionCode=0xc0000005
🔗 References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1864118
- https://lists.debian.org/debian-lts-announce/2023/12/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/12/msg00021.html
- https://security.gentoo.org/glsa/202401-10
- https://www.debian.org/security/2023/dsa-5581
- https://www.debian.org/security/2023/dsa-5582
- https://www.mozilla.org/security/advisories/mfsa2023-54/
- https://www.mozilla.org/security/advisories/mfsa2023-55/
- https://www.mozilla.org/security/advisories/mfsa2023-56/