#VU95501 Cryptographic issues in Mozilla products - CVE-2024-7531
Published: August 7, 2024
Vulnerability identifier: #VU95501
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-7531
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Mozilla Firefox
Firefox ESR
Firefox for Android
Mozilla Firefox
Firefox ESR
Firefox for Android
Software vendor:
Mozilla
Mozilla
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.
Remediation
Install updates from vendor's website.