Mozilla has released security updates to address two zero-day vulnerabilities (CVE-2022-1802 and CVE-2022-1529) exploited during the Pwn2Own Vancouver 2022 hacking contest. Successful exploitation of these vulnerabilities allows an attacker to execute attacker-controlled JavaScript in a privileged context on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.
Prototype pollution is the ability to inject properties into the prototypes of existing JavaScript language constructs, such as Object. JavaScript lets code modify an object's special properties, including __proto__, constructor, and prototype. An attacker who controls the keys written into an object can use them to overwrite, or pollute, the prototype of the application's base object by injecting values of their choosing. Because every JavaScript object inherits from Object.prototype through the prototype chain, the injected properties then appear on every object in the application. Depending on what is polluted, the effect is either a denial of service (JavaScript exceptions in code that no longer finds the methods or values it expects) or tampering with application logic to force an attacker-chosen code path, which in a privileged context results in remote code execution.
Mozilla fixed these flaws two days after security researcher Manfred Paul exploited and reported them during the Pwn2Own hacking contest. Threat actors could leverage these security flaws to "take control of an affected system," according to the Cybersecurity and Infrastructure Security Agency (CISA), which urged administrators and users to patch these vulnerabilities.
CVE-2022-1802: Prototype pollution in Top-Level Await implementation
This vulnerability could allow an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution and execute attacker-controlled JavaScript code in a privileged context.
CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
This vulnerability allows an attacker to execute attacker-controlled JavaScript in the privileged parent process. An attacker could send a message to the parent process whose contents were then used to double-index into a JavaScript object (a write of the form target[a][b] = value with attacker-chosen a and b); when the first index names a prototype property such as __proto__, the write lands on the shared prototype rather than on the target, resulting in prototype pollution.
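To make the prototype pollution overview and the double-indexing pattern in the description above concrete, the following JavaScript is an added example written for this post; it is not Firefox or Thunderbird code and does not reproduce the two Firefox bugs. It models a generic settings store that writes store[section][key] with attacker-controlled keys (the message shape and the isAdmin and theme names are constructed for illustration), shows that a section named __proto__ pollutes Object.prototype for every object created afterwards, shows the denial-of-service case where an inherited method is overwritten with a non-function, and contrasts a hardened writer that rejects prototype keys and keeps nested sections as null-prototype objects.

```javascript
'use strict';

// Constructed attacker "message": a plausible shape for a set-setting request.
// Only the key strings matter; '__proto__' as the first index is the attack.
const ATTACKER_MSG = { section: '__proto__', key: 'isAdmin', value: true };

// Vulnerable writer: double-indexes into a plain object with untrusted keys.
// store['__proto__'] is not an own property; it resolves to Object.prototype,
// so the second index writes onto the prototype shared by every object.
function setSettingVulnerable(store, msg) {
  if (!store[msg.section]) store[msg.section] = {};
  store[msg.section][msg.key] = msg.value;
  return store;
}

// True if Object.prototype itself carries `key` as an own property.
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Hardened writer: refuse the special keys outright, and keep nested
// sections as null-prototype objects so that no index can reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setSettingHardened(store, msg) {
  const { section, key, value } = msg;
  if (typeof section !== 'string' || typeof key !== 'string') {
    throw new TypeError('section and key must be strings');
  }
  if (FORBIDDEN_KEYS.has(section) || FORBIDDEN_KEYS.has(key)) {
    throw new Error(`rejected prototype key: ${section}.${key}`);
  }
  if (!Object.prototype.hasOwnProperty.call(store, section)) {
    store[section] = Object.create(null);
  }
  store[section][key] = value;
  return store;
}

// Logic tampering: a property the attacker injected appears on an unrelated
// object that was never written to, which is how an `if (opts.isAdmin)`
// style check elsewhere in the application gets flipped.
function demoVulnerable() {
  const store = {};
  setSettingVulnerable(store, ATTACKER_MSG);
  const unrelated = {};
  const result = {
    polluted: isPolluted('isAdmin'),
    unrelatedIsAdmin: unrelated.isAdmin === true,
    storeHasOwnSection: Object.prototype.hasOwnProperty.call(store, '__proto__'),
  };
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  return result;
}

// Denial of service: overwriting an inherited method with a non-function
// makes ordinary operations throw. String({}) relies on Object.prototype.toString.
function demoDenialOfService() {
  const originalToString = Object.prototype.toString;
  setSettingVulnerable({}, { section: '__proto__', key: 'toString', value: 42 });
  let threwTypeError = false;
  try {
    String({});
  } catch (e) {
    threwTypeError = e instanceof TypeError;
  }
  Object.prototype.toString = originalToString; // restore the real method
  return threwTypeError;
}

// Hardened path: the attacker message is rejected, a benign write still
// works, and Object.prototype is untouched.
function demoHardened() {
  const store = Object.create(null);
  let rejected = false;
  try {
    setSettingHardened(store, ATTACKER_MSG);
  } catch (e) {
    rejected = true;
  }
  setSettingHardened(store, { section: 'ui', key: 'theme', value: 'dark' });
  return { rejected, theme: store.ui.theme, polluted: isPolluted('isAdmin') };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', demoVulnerable());
  console.log('denial of service:', demoDenialOfService());
  console.log('hardened:', demoHardened());
}
```

The key-blocklist and the null-prototype store are independent defenses; either alone stops this particular write, but applying both covers the case where a nested section is later replaced by an ordinary object from elsewhere in the code. The same checks apply to any deserialized or merged input (JSON bodies, query parameters, IPC messages) that is used as an object key.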
Affected versions
- Firefox versions prior to 100.0.2
- Firefox ESR versions prior to 91.9.1
- Thunderbird versions prior to 91.9.1
- Firefox for Android versions prior to 100.3
Mitigation
Customers are advised to upgrade to the fixed versions listed below:
- Firefox 100.0.2
- Firefox ESR 91.9.1
- Thunderbird 91.9.1
- Firefox for Android 100.3
For more information, please refer to the Mozilla Foundation security advisory (MFSA2022-19).
Qualys Detection
Qualys customers can scan their devices with QID 376625 & 376626 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://github.com/Kirill89/prototype-pollution-explained
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-thunderbird-zero-days-exploited-at-pwn2own/