CVE-2019-17026
Published: 02 March 2020
Summary
CVE-2019-17026 is a high-severity Type Confusion (CWE-843) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
The vulnerability CVE-2019-17026 is a type confusion flaw (CWE-843) caused by incorrect alias information in Mozilla's IonMonkey JIT compiler when setting array elements. It affects Firefox versions prior to 72.0.1, Firefox ESR versions prior to 68.4.1, and Thunderbird versions prior to 68.4.1, and carries a CVSS 3.1 score of 8.8.
An attacker can trigger the flaw by serving a malicious web page that causes the JIT compiler to mis-track object types, enabling subsequent memory corruption. Successful exploitation grants arbitrary code execution in the context of the browser process; the issue has already been used in targeted attacks observed in the wild.
Mozilla's security advisory MFSA2020-03 and downstream notices from Ubuntu (USN-4335-1) and Gentoo (GLSA-202003-02) state that the only mitigation is to upgrade to the patched releases (Firefox 72.0.1 / ESR 68.4.1 and Thunderbird 68.4.1). No configuration workarounds are provided.
Packet Storm has published a public proof-of-concept that reproduces the type confusion in IonMonkey.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-7500
Vulnerability details
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of security-relevant patches, which is the only remediation stated for CVE-2019-17026.
Requires mechanisms to detect and block malicious code delivered via web content that triggers the IonMonkey type-confusion flaw.
Mandates memory-protection safeguards that can block the unauthorized code execution resulting from the type-confusion memory corruption.