Severity Rating: High



Software Affected

· Mozilla Thunderbird versions prior to 78



Overview



Multiple vulnerabilities have been reported in Mozilla Thunderbird which
could allow a remote attacker to execute arbitrary code, access sensitive
information, bypass security restrictions or perform other unauthorized
activities on a targeted system.

Note that scripting is disabled when Thunderbird renders mail, so in general
these flaws cannot be exploited through e-mail alone; they remain risks in
browser or browser-like contexts within the product.



Description



AppCache manifest poisoning ( CVE-2020-12415 )



This vulnerability exists in Mozilla Thunderbird due to improper processing
of percent-encoded characters ("%2F") in an AppCache manifest URL, which
allowed a manifest hosted in a subdirectory to be treated as applying to a
higher-level path.

Successful exploitation of this vulnerability could cause the AppCache
populated by that manifest to be used for servicing requests for the top
level directory of the site, so that content placed in a subdirectory could
be served for the whole origin.
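As an added illustration of this bug class (example code written for this advisory, not Mozilla's AppCache implementation), the following Python shows how a scope computation that percent-decodes the manifest path before taking its directory lets "%2F"-encoded ".." segments escape the author's subdirectory, beside a variant that splits the raw path first and rejects any segment that would change directory after decoding. The URLs, the "/user/alice/" upload prefix and the decode-then-normalise ordering are constructed assumptions; the page only states that the manifest URL was processed improperly.

```python
"""Added example for the CVE-2020-12415 bug class: deriving an AppCache-style
scope from a manifest URL. Not Mozilla code; the decode-then-normalise ordering
and the sample URLs are constructed assumptions."""
import posixpath
from urllib.parse import unquote, urlsplit


def scope_decode_first(manifest_url: str) -> str:
    """Vulnerable pattern: percent-decode the whole path, normalise it, then take
    the directory. An encoded '/' (%2F) becomes a real separator, so '..'
    segments hidden inside one encoded segment climb out of the author's
    directory, up to and including '/'."""
    path = unquote(urlsplit(manifest_url).path)
    path = posixpath.normpath(path)
    return posixpath.dirname(path).rstrip("/") + "/"


def scope_split_first(manifest_url: str) -> str:
    """Safe pattern: split the raw (still encoded) path on literal '/', decide
    the directory from those segments, and refuse any segment that would
    introduce a separator or a '..' once decoded."""
    raw = urlsplit(manifest_url).path
    segments = raw.split("/")
    for seg in segments:
        decoded = unquote(seg)
        if "/" in decoded or decoded == "..":
            raise ValueError(f"manifest path segment changes directory after decoding: {seg!r}")
    return "/".join(segments[:-1]) + "/"


def request_in_scope(scope: str, request_url: str) -> bool:
    """Would a request be served from the cache populated by a manifest with this scope?"""
    return urlsplit(request_url).path.startswith(scope)


if __name__ == "__main__":
    legit = "https://example.com/user/alice/manifest.appcache"            # constructed
    evil = "https://example.com/user/alice/%2F..%2F..%2Fmanifest.appcache"  # constructed
    print("legit scope:", scope_decode_first(legit), scope_split_first(legit))
    poisoned = scope_decode_first(evil)
    print("evil scope (decode first):", poisoned)
    print("serves /index.html from cache?", request_in_scope(poisoned, "https://example.com/index.html"))
    try:
        scope_split_first(evil)
    except ValueError as err:
        print("split first rejects:", err)
```

The point of the safe variant is ordering: structural decisions (where the directory boundary is) are taken on the encoded form, and decoding happens only per segment, after which anything that would have changed the structure is rejected rather than silently reinterpreted.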



Use-after-free errors ( CVE-2020-12416  CVE-2020-12419  CVE-2020-12420 )

These vulnerabilities exist in Mozilla Thunderbird due to use-after-free
errors in the WebRTC VideoBroadcaster (CVE-2020-12416), in
nsGlobalWindowInner (CVE-2020-12419) and when attempting to connect to a
STUN server (CVE-2020-12420).

Successful exploitation of these vulnerabilities could allow a remote
attacker to execute arbitrary code on a targeted system.



Memory corruption ( CVE-2020-12417 )

This vulnerability exists in Mozilla Thunderbird due to missing
sign-extension for ValueTags on ARM64: confusion about the ValueTag of a
JavaScript object could let an object pass through a type barrier,
corrupting memory. Only ARM64 builds are affected.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.



Information disclosure ( CVE-2020-12418 )

This vulnerability exists in Mozilla Thunderbird due to improper processing
of a crafted URL object: manipulating individual parts of the object could
cause an out-of-bounds read.

Successful exploitation of this vulnerability could allow a remote attacker
to disclose process memory to malicious script on a targeted system.



X-Frame-Options bypass ( CVE-2020-15648 )

This vulnerability exists in Mozilla Thunderbird due to a logic error in
the enforcement of X-Frame-Options: the header was not honoured when a page
was embedded using object or embed tags.

Successful exploitation of this vulnerability could allow a remote attacker
to frame a site that disallows framing, bypassing X-Frame-Options
restrictions.



Side channel attack ( CVE-2020-12402 )

This vulnerability exists in Mozilla Thunderbird due to an improper
algorithm implementation for RSA key generation in the bundled NSS library:
the bignum code used a variant of the binary extended Euclidean algorithm
whose control flow depends heavily on its secret inputs.

Successful exploitation of this vulnerability could allow an attacker able
to take side-channel measurements of the target (for example
electromagnetic traces recorded during key generation) to recover the
secret primes. Unlike the other issues in this advisory it is not
exploitable by a purely remote attacker; Mozilla also notes that an
unmodified Firefox does not generate RSA keys in normal operation, but
products built on the same code may.
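Added example (not NSS or Mozilla code) modelling the bug class named above: a modular inverse computed with the binary extended Euclidean algorithm, instrumented to record every data-dependent branch. The recorded trace stands in for what an electromagnetic or power probe observes; because it differs between inputs, an attacker who captures it during key generation learns about the secret operands. The inputs are small made-up numbers; the actual NSS routine and its fix are not reproduced.

```python
"""Added example for the CVE-2020-12402 bug class: a modular-inverse routine
whose branch sequence depends on its (secret) inputs. Not NSS code; the
branch labels and sample numbers are constructed for illustration."""
import math
from typing import List, Tuple


def binary_inverse_with_trace(a: int, m: int) -> Tuple[int, List[str]]:
    """Compute a^-1 mod m (m odd, gcd(a, m) == 1) with the binary extended
    Euclidean algorithm, recording every data-dependent branch taken.
    The trace is the side channel: each entry is one secret-dependent
    decision an EM or power probe can distinguish."""
    if m % 2 == 0 or m <= 1 or a <= 0:
        raise ValueError("need odd modulus m > 1 and a > 0")
    if math.gcd(a, m) != 1:
        raise ValueError("a has no inverse modulo m")
    u, v = a % m, m          # invariant: x1*a == u (mod m), x2*a == v (mod m)
    x1, x2 = 1, 0
    trace: List[str] = []
    while u != 1 and v != 1:
        while u % 2 == 0:    # strip factors of two from u, halving x1 mod m
            u //= 2
            if x1 % 2 == 0:
                x1 //= 2
                trace.append("u_even_x1_even")
            else:
                x1 = (x1 + m) // 2
                trace.append("u_even_x1_odd")
        while v % 2 == 0:    # same for v and x2
            v //= 2
            if x2 % 2 == 0:
                x2 //= 2
                trace.append("v_even_x2_even")
            else:
                x2 = (x2 + m) // 2
                trace.append("v_even_x2_odd")
        if u >= v:           # subtraction step; its direction depends on the secrets
            u -= v
            x1 -= x2
            trace.append("u_ge_v")
        else:
            v -= u
            x2 -= x1
            trace.append("v_gt_u")
    inv = x1 % m if u == 1 else x2 % m
    return inv, trace


def traces_identical(a: int, m1: int, m2: int) -> bool:
    """True only if inverting a modulo m1 and modulo m2 takes the same branch path,
    i.e. only then would a probe be unable to tell the two moduli apart."""
    return binary_inverse_with_trace(a, m1)[1] == binary_inverse_with_trace(a, m2)[1]


if __name__ == "__main__":
    e = 65537                        # typical RSA public exponent
    for phi in (1000003, 1000033):   # constructed stand-ins for secret phi(n) values
        inv, trace = binary_inverse_with_trace(e, phi)
        print(f"phi={phi}: d={inv}, {len(trace)} secret-dependent branches")
    print("same trace for both moduli?", traces_identical(e, 1000003, 1000033))
```

A constant-time replacement has to execute a fixed sequence of operations regardless of the operands (fixed iteration count, arithmetic masking instead of branches); simply hiding the branch in a ternary is not enough, because the compiler may emit the branch anyway.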



Improper Certificate Validation ( CVE-2020-12421 )



This vulnerability exists in Mozilla Thunderbird due to a logic error in
certificate trust rules: add-on updates did not respect the same
certificate trust rules as software updates, so certificate chains
terminating in a root that is not built in (even one legitimately added by
an administrator) were rejected.

The vulnerability could cause add-ons to become out-of-date silently,
without notification to the user.



Integer Overflow ( CVE-2020-12422 )



This vulnerability exists in Mozilla Thunderbird due to an integer overflow
in nsJPEGEncoder::emptyOutputBuffer, the output-buffer callback used when
image data is encoded to JPEG.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.



DLL Hijacking ( CVE-2020-12423 )



This vulnerability exists in Mozilla Thunderbird on Windows due to the
library "webauthn.dll" being searched for along the library search path
(including %PATH%) and potentially loaded from a non-default location
instead of the Windows system directory.

Successful exploitation of this vulnerability could allow a local attacker
who can write to a directory searched before the legitimate library is
found to plant a malicious webauthn.dll and execute arbitrary code in the
context of the Thunderbird user on a targeted system.
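To check whether a library such as webauthn.dll could be supplied from a directory an unprivileged user controls, the following Python audits the documented default Windows LoadLibrary search order (application directory, System32, 16-bit System directory, Windows directory, current directory, then each %PATH% entry, i.e. SafeDllSearchMode enabled). It is an added example for this advisory, not Thunderbird's loader code; it assumes a plain LoadLibrary call that is not short-circuited by KnownDLLs or SetDefaultDllDirectories, and the paths in the constructed scenario are made up.

```python
"""Added example for the CVE-2020-12423 bug class: where would
LoadLibrary("webauthn.dll") resolve, and can an unprivileged user plant a copy
earlier in that search? Not Thunderbird code; the order is the documented
Windows default (SafeDllSearchMode on) and the scenarios are constructed."""
import os
from typing import Callable, List, Optional, Tuple

ExistsFn = Callable[[str, str], bool]   # (directory, dll name) -> file present?
WritableFn = Callable[[str], bool]      # directory -> writable by the current user?


def _sub(root: str, name: str) -> str:
    return root.rstrip("\\") + "\\" + name


def search_order(app_dir: str, system_root: str, cwd: str, path_env: str) -> List[str]:
    """Default LoadLibrary search order with SafeDllSearchMode enabled: application
    directory, System32, 16-bit System directory, Windows directory, current
    directory, then every %PATH% entry in order. Assumption: the DLL is not a
    KnownDLL and the process did not restrict the search with
    SetDefaultDllDirectories / LOAD_LIBRARY_SEARCH_* flags."""
    order = [app_dir, _sub(system_root, "System32"), _sub(system_root, "System"), system_root, cwd]
    order += [p.strip('"') for p in path_env.split(";") if p.strip()]
    return order


def resolve_dll(dll: str, order: List[str], exists: ExistsFn) -> Optional[str]:
    """First directory in `order` that holds `dll`, or None if the load would fail."""
    for d in order:
        if exists(d, dll):
            return d
    return None


def hijackable_dirs(dll: str, order: List[str], exists: ExistsFn,
                    writable: WritableFn) -> Tuple[Optional[str], List[str]]:
    """Return (directory the DLL resolves from, writable directories searched up to
    and including it). Each directory in the list is a planting location: a DLL
    dropped there shadows the real one, and if the DLL exists nowhere (the OS
    does not ship it) every writable entry on the whole path is a hit."""
    found = resolve_dll(dll, order, exists)
    risky: List[str] = []
    for d in order:
        if writable(d):
            risky.append(d)
        if d == found:
            break
    return found, risky


# Live probes for running on the actual machine (Windows only). os.access is only
# an approximation of the real ACL check, so confirm any hit with icacls.
def file_exists(directory: str, dll: str) -> bool:
    return os.path.isfile(os.path.join(directory, dll))


def user_writable(directory: str) -> bool:
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def live_search_order(app_dir: str) -> List[str]:
    return search_order(app_dir, os.environ.get("SystemRoot", r"C:\Windows"),
                        os.getcwd(), os.environ.get("PATH", ""))


if __name__ == "__main__":
    # Constructed scenario: the DLL is absent from the system directory, so the
    # search falls through to the current directory and %PATH%.
    order = search_order(r"C:\Program Files\Mozilla Thunderbird", r"C:\Windows",
                         r"C:\Users\alice\Downloads", r"C:\Python39;C:\Users\alice\bin")
    absent = lambda d, dll: False
    alice = lambda d: d.startswith(r"C:\Users\alice")
    print(hijackable_dirs("webauthn.dll", order, absent, alice))
```

On a real host, run it as `hijackable_dirs("webauthn.dll", live_search_order(<install dir>), file_exists, user_writable)`; an empty second list for a DLL found in System32 is the expected healthy result, while a writable Downloads or per-user bin directory ahead of the resolved location is exactly the planting opportunity this CVE describes.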



Security Control Bypass ( CVE-2020-12424 )



This vulnerability exists in Mozilla Thunderbird due to a logic error in
the permission prompt for WebRTC: the prompt was constructed from a URI
supplied by the content process, which is untrusted.

Successful exploitation of this vulnerability could allow an attacker who
has already compromised a content process to supply the URI of an origin
that was previously granted permission and so bypass the prompt. It
therefore requires a prior content-process compromise rather than being a
stand-alone remote attack.



Out-of-bounds read ( CVE-2020-12425 )



This vulnerability exists in Mozilla Thunderbird due to a one-byte
out-of-bounds read in Date.parse() caused by confusion when processing a
hyphen character.

Successful exploitation of this vulnerability could allow a remote attacker
to obtain sensitive information from adjacent memory on a targeted system.



Memory Corruption ( CVE-2020-12426 )



This vulnerability exists in Mozilla Thunderbird due to memory safety bugs
fixed in Firefox 78 and Thunderbird 78; some of these bugs showed evidence
of memory corruption.

Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code on a targeted system.





Solution



Update to Mozilla Thunderbird version 78 or later, as released by Mozilla.





Vendor Information



Mozilla






References



Vulmon
CVE Name



CVE-2020-12415

CVE-2020-12416

CVE-2020-12417

CVE-2020-12418

CVE-2020-12419

CVE-2020-12420

CVE-2020-15648

CVE-2020-12402

CVE-2020-12421

CVE-2020-12422

CVE-2020-12423

CVE-2020-12424

CVE-2020-12425

CVE-2020-12426

About Cert Advisory

This blog provides the latest security advisories from CERT-In (the Indian Computer Emergency Response Team) on vulnerabilities, threats, attacks and the patching required to mitigate them.
