#VU69331 Security features bypass in Mozilla products - CVE-2022-45416


Vulnerability identifier: #VU69331

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-45416

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers
Firefox for Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to keystroke side-channel leakage. Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 100.0 - 106.0.5

Firefox for Android: 100.1.0 - 106.1.0

Firefox ESR: 102.0 - 102.4.0

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for firefox
Anolis OS update for thunderbird
Ubuntu update for thunderbird
Multiple vulnerabilities in IBM Application Performance Management
Red Hat Enterprise Linux 9.0 Extended Update Support update for thunderbird
Red Hat Enterprise Linux 9.0 Extended Update Support update for firefox
CentOS 7 update for firefox
CentOS 7 update for thunderbird
SUSE update for MozillaFirefox
Anolis OS update for thunderbird