CVE-2019-11708
Published: 23 July 2019
Summary
CVE-2019-11708 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an instance of insufficient input validation (CWE-20) affecting the Prompt:Open IPC message handler used for communication between sandboxed child processes and the non-sandboxed parent process. It impacts Firefox ESR prior to 60.7.2, Firefox prior to 67.0.4, and Thunderbird prior to 60.7.2, and carries a CVSS 3.1 base score of 10.0 reflecting its critical severity and network-exploitable nature without authentication or user interaction.
An attacker able to first compromise a child content process can supply malicious parameters via the IPC channel, causing the parent process to open attacker-chosen web content outside the sandbox. When chained with one or more additional vulnerabilities, this can lead to arbitrary code execution on the target system.
Mozilla addressed the issue in security advisories MFSA2019-19 and MFSA2019-20, with corresponding updates released for the affected Firefox and Thunderbird branches; Gentoo Linux also published GLSA-201908-12 describing the patched package versions. A publicly posted Windows 64-bit exploit chain referencing this CVE demonstrates practical chaining with other browser weaknesses.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-3378
Vulnerability details
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
- CWE(s)
- KEV Date Added: 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input (including IPC parameters) before it is processed, preventing the malicious Prompt:Open message from a compromised child process.
Enforces process isolation so that a compromised sandboxed child process cannot influence or escape into the non-sandboxed parent process via IPC.
Enforces access-control policy on the IPC channel, limiting what actions the parent process will perform on behalf of a child process.
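
The input-validation control above, applied to a Prompt:Open-style handler, as an added example (not Mozilla's code and not taken from this page): a privileged parent that checks the message against a fixed allowlist, shown beside the unchecked form. The handler names, message fields, allowlist URIs and length limit are assumptions made for illustration.

```javascript
// Added illustration; every identifier below is hypothetical, not Firefox source.
// Constructed allowlist: the only documents the privileged parent may open as a prompt.
const ALLOWED_DIALOG_URIS = new Set([
  "chrome://example/content/commonDialog.xhtml",
  "chrome://example/content/selectDialog.xhtml",
]);
const MAX_TEXT = 4096; // assumed bound on prompt strings

// Weak shape: the parent opens whatever URI the (possibly compromised) child names.
function handlePromptOpenUnchecked(msg, openWindow) {
  return openWindow(msg.data.uri, msg.data.args);
}

// Hardened shape: every field of the message is treated as attacker-controlled.
function validatePromptOpen(msg) {
  const data = msg && msg.data;
  if (data === null || typeof data !== "object") return { ok: false, reason: "no payload" };
  if (typeof data.uri !== "string") return { ok: false, reason: "uri not a string" };
  // Exact match only: prefix or substring checks let extra path/query text through.
  if (!ALLOWED_DIALOG_URIS.has(data.uri)) return { ok: false, reason: "uri not allowlisted" };
  // Copy only the expected string fields, so unexpected keys never reach the dialog.
  const src = data.args !== null && typeof data.args === "object" ? data.args : {};
  const args = {};
  for (const key of ["title", "text"]) {
    const value = src[key];
    if (value === undefined) continue;
    if (typeof value !== "string" || value.length > MAX_TEXT) {
      return { ok: false, reason: `bad ${key}` };
    }
    args[key] = value;
  }
  return { ok: true, uri: data.uri, args };
}

// Parent-side entry point: reject and record invalid messages, never repair them.
function handlePromptOpen(msg, openWindow, log) {
  const verdict = validatePromptOpen(msg);
  if (!verdict.ok) {
    log(`rejected Prompt:Open: ${verdict.reason}`);
    return null;
  }
  return openWindow(verdict.uri, verdict.args);
}
```

The rejection log line doubles as a detection signal: a content process that sends a non-allowlisted URI is either buggy or already compromised.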