Vulnerability Details : CVE-2016-5284
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2016-5284
Probability of exploitation activity in the next 30 days: 0.24%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 61 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-5284
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
|
7.4
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
2.8
|
4.0
|
NIST |
CWE ids for CVE-2016-5284
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5284
-
https://www.mozilla.org/security/advisories/mfsa2016-88/
Security vulnerabilities fixed in Thunderbird 45.4 — Mozilla
-
https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/
Update on add-on pinning vulnerability | Mozilla Security BlogThird Party Advisory;VDB Entry
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
1303127 - (CVE-2016-5284) ESR-45/Tor Browser certificate pinning bypass for addons.mozilla.org and other built-in sitesIssue Tracking;Third Party Advisory;VDB Entry
-
https://security.gentoo.org/glsa/201701-15
Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security
-
http://seclists.org/dailydave/2016/q3/51
Dailydave: Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Linux Bulletin - October 2016
-
http://www.debian.org/security/2016/dsa-3674
Debian -- Security Information -- DSA-3674-1 firefox-esr
-
http://www.mozilla.org/security/announce/2016/mfsa2016-85.html
Security vulnerabilities fixed in Firefox 49 — MozillaRelease Notes
-
http://rhn.redhat.com/errata/RHSA-2016-1912.html
RHSA-2016:1912 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/93049
Mozilla Firefox Multiple Security Vulnerabilities
-
https://www.mozilla.org/security/advisories/mfsa2016-86/
Security vulnerabilities fixed in Firefox ESR 45.4 — Mozilla
-
http://www.securitytracker.com/id/1036852
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Bypass Security Restrictions, Determine File Paths, and Obtain Potentially Sensitive Information - SecurityTracker
-
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale - ByTechnical Description
Products affected by CVE-2016-5284
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:45.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:45.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:45.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:45.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:45.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:45.0:*:*:*:*:*:*:*