CVE-2022-22747 - Crashing Firefox, ESR, and Thunderbird with Empty pkcs7 Certificate Data — What You Should Know

Mozilla products are no strangers to vulnerability reports, but sometimes the technical details don’t make it clear what’s really dangerous and what’s not. In January 2022, a new flaw surfaced — CVE-2022-22747. Here’s a simple, exclusive deep dive into what this bug actually is, how it works, and why you shouldn’t worry too much, even though it crashes important software.

What is CVE-2022-22747?

CVE-2022-22747 is a security issue that affected Firefox before version 96, Firefox ESR before 91.5, and Thunderbird before 91.5. In plain English, this bug happens when the browser or email client tries to handle certificates that are broken in a specific way — they contain an *empty pkcs7 sequence* after the user has already accepted an *untrusted certificate*.

pkcs7: A format for storing cryptographic data, usually certificates.

- Untrusted certificate: A certificate the browser doesn’t automatically trust, maybe because it’s self-signed or from an unknown authority.

What Actually Happens?

If someone presents a certificate chain that is *not* trusted, and the user clicks through the warning (“I trust anyway!”), Firefox/Thunderbird would sometimes try to process a pkcs7 structure that was present in the certificate data. If this piece of data is completely empty, the code would crash.

This happens because the browser’s code expected there to be some certificate data inside the pkcs7 container. When it was empty, the software didn’t handle the situation properly, leading to a crash.

You can't use this bug to run code on the victim’s computer.

- An attacker could crash your browser or email client if they convinced you to accept a suspicious certificate — not easy in practice.

Here’s a simplified version in C++-style pseudocode showing what went wrong

// Pseudocode for handling pkcs7 certificate data, simplified

if (certificate.isUntrusted() && userAcceptedAnyway()) {
    CertificateChain pkcs7chain = parsePKCS7(certData);

    if (pkcs7chain.isEmpty()) {
        // The code didn't check this case properly
        // ... and would crash here if pkcs7chain is empty!
    }
    // Rest of the certificate handling logic...
}

A proper fix checks whether the parsed pkcs7 certificate chain is empty before trying to use it.

Proof of Concept (PoC)

If you want to see this crash in action (in a safe, test environment only!), you’d need a web server with a purposely untrusted certificate that contains an empty pkcs7 structure.

Patch and Workaround

Mozilla fixed the problem by making sure the code can safely handle empty pkcs7 sequences. The vulnerability was addressed in:

References

- Mozilla Foundation Security Advisory 2022-01
- NIST NVD CVE-2022-22747 Entry
- Bugzilla Report #1748835

Bottom Line

CVE-2022-22747 is more disruptive than dangerous. If you (or your users) update Mozilla software regularly, you’re already protected. If not, it’s time to patch up — even though this one’s unlikely to bite. And remember: don’t accept untrusted certificates unless you really, really have to!

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 23:17:00 UTC