The CVE-2024-11704 vulnerability is a critical security flaw that specifically pertains to the way Firefox and Thunderbird handle certain error paths. Under particular conditions, this can lead to memory corruption, potentially causing data loss, denial of service attacks, or unauthorized access to sensitive information. This issue affects Firefox versions below 133 and Thunderbird versions below 133. In this post, we will discuss the details of the vulnerability, code snippets that illustrate the problem, links to original references, and potential exploitation methods.

Vulnerability Overview

The main issue stems from a double-free error in the sec_pkcs7_decoder_start_decrypt() function. Double-free vulnerabilities occur when a program mistakenly frees the same memory block more than once. This can cause unpredictable behavior, as the freed memory might be allocated for other purposes, leading to potential memory corruption, crashes, and data loss. In this specific case, the same symmetric key is being erroneously freed twice.

Here is a code snippet that demonstrates the double-free vulnerability

SECStatus
sec_pkcs7_decoder_start_decrypt (sec_pkcs7_decoder_context *p7dcx)
{
    /* ... */
    if (errorHappens) {
        /* The symmetric key is freed without setting the pointer to NULL */
        PK11_FreeSymKey(symKey);
        /* ... */
        return SECFailure;
    }

    /* ... */
    PK11_FreeSymKey(symKey); // The same symmetric key is freed again
    return SECSuccess;
}

As shown in the code snippet above, when an error occurs in the function, the symmetric key (symKey) is freed without setting the pointer to NULL. This causes another call to free the same symKey later on in the function, which leads to the double-free vulnerability. The proper fix should involve setting the pointer to NULL after the first free operation to prevent subsequent freeing of the same memory block. Here's the corrected code snippet:

SECStatus
sec_pkcs7_decoder_start_decrypt (sec_pkcs7_decoder_context *p7dcx)
{
    /* ... */
    if (errorHappens) {
        /* The symmetric key is freed and the pointer is set to NULL */
        PK11_FreeSymKey(symKey);
        symKey = NULL;

        /* ... */
        return SECFailure;
    }

    /* ... */
    if (symKey) {
        PK11_FreeSymKey(symKey); // The symmetric key is freed only if it's not NULL
}
    return SECSuccess;
}

Original References

1. Mozilla Security Advisory - MFSA2024-42
2. Mozilla Foundation Security Advisory 2024-43: Security Vulnerabilities fixed in Thunderbird 133

Exploit Details

While there are no known public exploits for this specific vulnerability at this time, it is crucial for users to update their Firefox and Thunderbird software to the latest versions to protect against potential attacks. Attackers could potentially develop an exploit that leverages this double-free vulnerability to execute arbitrary code, gain unauthorized access to sensitive information, or cause denial of service attacks by crashing the affected applications.

In Conclusion

The CVE-2024-11704 double-free vulnerability in the sec_pkcs7_decoder_start_decrypt() function poses a serious security concern for users of Firefox and Thunderbird, as it can lead to memory corruption and other unintended consequences. To protect themselves from potential attacks, users should promptly update their software to Firefox 133 or Thunderbird 133, which contain the necessary patches to mitigate the issue.

Timeline

Published on: 11/26/2024 14:15:19 UTC
Last modified on: 11/27/2024 16:15:13 UTC