If you use Firefox, Thunderbird, or Firefox ESR, a security vulnerability (CVE-2023-25742) may expose you to potential harm. The vulnerability revolves around the improper handling of an RSA public key when it is imported as an ECDSA P-256 key, which can lead to crashes or unexpected behaviors. We'll explore the details and potential consequences of this vulnerability and how to mitigate exposure.

Details

CVE-2023-25742 concerns a specific issue that arises when importing an SPKI (Subject Public Key Info) RSA public key as an ECDSA P-256 key. The problem lies in the way Mozilla products like Firefox (versions less than 110), Thunderbird (versions less than 102.8), and Firefox ESR (versions less than 102.8) handle the key, resulting in a crash of the affected tab or application.

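This vulnerability becomes an issue when the following code snippet is executed:

// Placeholder: DER bytes of an RSA public key in SPKI format
const spkiRsaPublicKey = new Uint8Array([/* ... */]);
// importKey returns a Promise; the requested algorithm (ECDSA P-256) does not match the RSA key
const importedKey = await crypto.subtle.importKey(
    'spki', spkiRsaPublicKey, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']
);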

When the above code is executed, the vulnerability is exposed, allowing potential malicious actors to cause unexpected crashes or unauthorized access to sensitive information.

For more information on the vulnerability and its potential consequences, you can refer to the original security advisory from Mozilla: CVE-2023-25742.

Exploit Details

This vulnerability is exploitable by an attacker who can inject malicious JavaScript code into a webpage or email, loading it in the unsuspecting user's browser or email client. Once executed, the attacker's code potentially crashes the affected application or tab, resulting in a denial-of-service attack or exposure of sensitive user-made data for the attacker's gain.

Upon importing the RSA public key as ECDSA P-256, the key is not properly handled due to a deficiency in how the importKey function interprets the CryptoKey object in the Mozilla products. This can lead to application crashes, unauthorized access to user data, or other unexpected behaviors, creating an opportunity for attackers.

Mitigation and Fix

To protect yourself from this vulnerability, it is crucial to keep your Firefox, Thunderbird, or Firefox ESR updated to their latest versions:

Firefox: Update to version 110 or greater.

Thunderbird: Update to version 102.8 or greater.

Firefox ESR: Update to version 102.8 or greater.

By keeping your applications up to date, you can ensure you're safeguarding your browsing and email activities against this vulnerability. Moreover, only visiting trusted websites and not clicking on suspicious links will further protect you from other potential vulnerabilities.
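For application code that imports SPKI keys received from outside sources, the following added example (not taken from Mozilla's advisory or the original article) reads the algorithm declared inside the SPKI and refuses to request an ECDSA P-256 import for anything else, such as an RSA key. The function names and the sample buffers are assumptions made for illustration, and the check complements updating rather than replacing it.

```javascript
// DER-encoded OID values (hex) that a P-256 SPKI must declare.
const OID_EC = '2a8648ce3d0201';     // 1.2.840.10045.2.1  id-ecPublicKey
const OID_P256 = '2a8648ce3d030107'; // 1.2.840.10045.3.1.7 prime256v1
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');

// Read one DER TLV at pos, bounded by limit; returns the tag and value range.
function readTlv(buf, pos, limit) {
  if (pos + 2 > limit) throw new Error('truncated DER');
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) { // long-form length
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > limit) throw new Error('bad DER length');
    for (len = 0; start < pos + 2 + n; start++) len = len * 256 + buf[start];
  }
  if (start + len > limit) throw new Error('DER value overruns its container');
  return { tag: buf[pos], start, end: start + len };
}

// Return the algorithm OID and, if present, the curve OID declared in a Uint8Array SPKI.
function spkiAlgorithm(spki) {
  const outer = readTlv(spki, 0, spki.length);
  const algId = readTlv(spki, outer.start, outer.end);
  const oid = readTlv(spki, algId.start, algId.end);
  if (outer.tag !== 0x30 || algId.tag !== 0x30 || oid.tag !== 0x06)
    throw new Error('not an SPKI structure');
  const p = oid.end < algId.end ? readTlv(spki, oid.end, algId.end) : null;
  const curve = p && p.tag === 0x06 ? hex(spki.subarray(p.start, p.end)) : null;
  return { algorithm: hex(spki.subarray(oid.start, oid.end)), curve };
}

// True only when the SPKI declares an EC key on P-256; malformed input counts as false.
function isP256Spki(spki) {
  try {
    const { algorithm, curve } = spkiAlgorithm(spki);
    return algorithm === OID_EC && curve === OID_P256;
  } catch { return false; }
}

// Hypothetical wrapper: refuse the import when the key type does not match the request.
async function importP256VerifyKey(spki) {
  if (!isP256Spki(spki)) throw new TypeError('SPKI is not an EC P-256 key; import refused');
  return globalThis.crypto.subtle.importKey(
    'spki', spki, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
}

// Constructed samples: real SPKI algorithm headers, key bits replaced by zero filler (not usable keys).
const pad = (hdr, total) => { const b = new Uint8Array(total); b.set(hdr); return b; };
const SAMPLE_RSA = pad([0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00], 294);
const SAMPLE_P256 = pad([0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07], 91);
```

Here isP256Spki(SAMPLE_RSA) returns false and isP256Spki(SAMPLE_P256) returns true, so importP256VerifyKey rejects the RSA-typed input before importKey is ever called.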

In Conclusion

CVE-2023-25742 is a notable vulnerability affecting Firefox, Thunderbird, and Firefox ESR. It results from the improper handling of RSA public keys when imported as ECDSA P-256, causing application crashes and unauthorized access. Ensuring that your Mozilla products are updated to their latest versions can help prevent this vulnerability from affecting you and keep your browsing and email activities secure.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 16:36:00 UTC