CVE-2017-7804 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-7804?

CVE-2017-7804 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-7804?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Microsoft Windows.

Vulnerability Description

The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Mozilla	Firefox	< 52.3.0
Mozilla	Thunderbird	< 52.3.0
Microsoft	Windows	-

Related Weaknesses (CWE)

CWE-20

References

http://www.securityfocus.com/bid/100234Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039124Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1372849Issue TrackingThird Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-18/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-19/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-20/Vendor Advisory
http://www.securityfocus.com/bid/100234Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039124Third Party AdvisoryVDB Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1372849Issue TrackingThird Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-18/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-19/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-20/Vendor Advisory

FAQ

What is CVE-2017-7804?

CVE-2017-7804 is a vulnerability with a CVSS score of 7.5 (HIGH). The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in...

How severe is CVE-2017-7804?

CVE-2017-7804 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7804?

Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird, Microsoft Windows.