CVE-2024-1551: Set-Cookie Response Headers Security Vulnerability in Firefox and Thunderbird

A recently discovered security vulnerability, tagged as CVE-2024-1551, in Mozilla's Firefox browser and Thunderbird email client, involves the incorrect handling of Set-Cookie response headers in multipart HTTP responses. This article will delve into the details of this vulnerability, possible exploit scenarios, and provide code snippets to illustrate the issue. Furthermore, it will provide original reference links and guide you on how to protect your system against this vulnerability.

Background

Before discussing the vulnerability itself, it is essential to understand what a Set-Cookie header and multipart HTTP response are. A Set-Cookie response header is used by a server to send data to a user's browser, which then stores the data as a cookie file. The browser sends this cookie back to the server in subsequent requests.

Multipart HTTP responses are used when the server must send different content types in a single response. It consists of multiple chunks of potentially varying content types, separated by a boundary string.

Vulnerability Details

The security flaw, CVE-2024-1551, arises when Set-Cookie response headers are being incorrectly honored in multipart HTTP responses. If an attacker can control the Content-Type response header and manipulate a part of the response body, they can inject rogue Set-Cookie response headers. An unsuspecting browser could honor these headers, enabling the attacker to execute further exploits.

This vulnerability affects the following software versions

* Firefox - versions earlier than 123
* Firefox ESR - versions earlier than 115.8
* Thunderbird - versions earlier than 115.8

Exploit Scenario and Code Snippet

Consider a web application that serves files and allows users to upload them as well. An attacker could upload a malicious file with a crafted Content-Type response header and the inclusion of a rogue Set-Cookie header. When another user downloads this file, the browser might honor the injected Set-Cookie header and store the malicious cookie.

Example code snippet showcasing an injected Set-Cookie response header in a multipart HTTP response

HTTP/1.1 200 OK
Content-Type: multipart/mixed; boundary="randomboundarystring"

--randomboundarystring
Content-Type: text/html

<html>
<head></head>
<body>
  <h1>Download your file:</h1>
  <a href="/download/evil-file">Click Here</a>
</body>
</html>
--randomboundarystring
Content-Type: text/plain
Set-Cookie: sessionid=malicious_session; path=/;

Download this file.
--randomboundarystring--

In this example, the rogue Set-Cookie header contains a malicious session ID. When a user downloads the file, their browser might store the malicious cookie, allowing the attacker to hijack their session.

Original References and Patch Information

* Mozilla's official advisory on the vulnerability
* CVE-2024-1551 official record in the CVE database

To protect yourself from this vulnerability, users are advised to update their Firefox or Thunderbird installations to the latest versions:

* Update Firefox to version 123 or later
* Update Firefox ESR to version 115.8 or later
* Update Thunderbird to version 115.8 or later

By keeping your software updated, you can help mitigate the potential risks posed by this and other security vulnerabilities. Stay safe and secure online!

Timeline

Published on: 02/20/2024 14:15:08 UTC
Last modified on: 03/04/2024 09:15:37 UTC