SecurityTracker.com
Category:   Application (E-mail Client)  >   Mozilla Thunderbird
Vendors:   Mozilla.org
(Ubuntu Issues Fix) Mozilla Thunderbird Multiple Flaws Let Remote Users Spoof Filenames, Obtain Decrypted Information, and Deny Service
SecurityTracker Alert ID:  1040985
SecurityTracker URL:  http://securitytracker.com/id/1040985
CVE Reference:   CVE-2018-5161, CVE-2018-5162, CVE-2018-5170, CVE-2018-5184, CVE-2018-5185
Date:  May 26 2018
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 52.8
Description:   Multiple vulnerabilities were reported in Mozilla Thunderbird. A remote user can cause denial of service conditions on the target system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof filenames.

A remote user with access to a target user's S/MIME encrypted email message can create a specially crafted multipart email message that includes a modified version of the encrypted content. When the target user decrypts and views the email message, the target user's mail client will disclose the plaintext to a remote URL.

The 'src' attribute of remote images or links is an exploit vector [CVE-2018-5162].

Remote content is an exploit vector [CVE-2018-5184].

Embedded HTML forms are an exploit vector [CVE-2018-5185].

These exploits are the direct exfiltration attack method of the vulnerability referred to as "EFAIL".

The original advisory is available at:

https://efail.de/efail-attack-paper.pdf
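As an added example (not code from SecurityTracker, Mozilla or Ubuntu), a triage heuristic for the message structure described above: it flags multipart messages in which an S/MIME encrypted part sits beside HTML parts that reference remote URLs or embed forms. The function names and sample messages are constructed for illustration, and the premise that legitimate S/MIME encrypted mail normally arrives as a single pkcs7-mime entity is an assumption of the heuristic.

```python
import re
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# Attributes that fetch or submit to a remote URL, and embedded forms.
REMOTE_REF = re.compile(r"""(?:src|href|action|background)\s*=\s*["']?\s*https?://""", re.I)
FORM_TAG = re.compile(r"<\s*form\b", re.I)

def is_encrypted(part):
    # pkcs7-mime also carries signed-only data; skip that variant.
    return (part.get_content_type() in SMIME_TYPES
            and part.get_param("smime-type") != "signed-data")

def find_mixed_smime(msg):
    """Flag HTML parts that sit beside an S/MIME encrypted part."""
    findings = set()
    for part in msg.walk():
        if not part.is_multipart():
            continue
        children = part.get_payload()
        if not any(is_encrypted(c) for c in children):
            continue
        for child in children:
            if child.get_content_type() != "text/html":
                continue
            html = child.get_payload(decode=True).decode("utf-8", "replace")
            if REMOTE_REF.search(html):
                findings.add("remote-reference")
            if FORM_TAG.search(html):
                findings.add("html-form")
    return sorted(findings)

def scan(raw):
    return find_mixed_smime(message_from_string(raw))

# Constructed samples (not captured traffic); "AAAA" stands in for ciphertext.
HDR = "From: a@example.invalid\nTo: b@example.invalid\nMIME-Version: 1.0\n"
P7M = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
SUSPICIOUS = (HDR + 'Content-Type: multipart/mixed; boundary="B"\n\n'
    '--B\nContent-Type: text/html\n\n<img src="http://example.invalid/a.png">\n'
    "--B\n" + P7M + "Content-Transfer-Encoding: base64\n\nAAAA\n"
    '--B\nContent-Type: text/html\n\n<form action="http://example.invalid/s"></form>\n'
    "--B--\n")
NORMAL = HDR + P7M + "Content-Transfer-Encoding: base64\n\nAAAA\n"

if __name__ == "__main__":
    print(scan(SUSPICIOUS))  # ['html-form', 'remote-reference']
    print(scan(NORMAL))      # []
```

A hit is a reason to quarantine or inspect the message, not proof of an attack; mailing-list software that appends footers can produce similar structures.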

A remote user can create an email message with specially crafted message headers that, when received by the target user, will cause a Thunderbird process to hang [CVE-2018-5161].

A remote user can spoof the filename of an email attachment and cause an arbitrary attachment name to be displayed [CVE-2018-5170].

cure53, Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jorg Schwenk reported these vulnerabilities.

Impact:   A remote user can cause the target application to hang.

A remote user can obtain decrypted information on the target user's system.

A remote user can spoof a filename.

Solution:   Ubuntu has issued a fix.

The Ubuntu advisory is available at:

https://usn.ubuntu.com/usn/usn-3660-1

Vendor URL:  usn.ubuntu.com/usn/usn-3660-1
Cause:   Access control error, Authentication error, Input validation error, State error
Underlying OS:  Linux (Ubuntu)
Underlying OS Comments:  14.04 LTS, 16.04 LTS, 17.10, 18.04 LTS

Message History:   This archive entry is a follow-up to the message listed below.
May 20 2018 Mozilla Thunderbird Multiple Flaws Let Remote Users Spoof Filenames, Obtain Decrypted Information, and Deny Service




Copyright 2019, SecurityGlobal.net LLC