CVE-2021-29951: Mozilla Maintenance Service on Windows granted excessive access permissions to users, allowing potential denial of service attacks and exposing additional attack surface.


Description Preview

The Mozilla Maintenance Service on Windows operating systems older than Windows 10 build 1709 was configured to grant SERVICE_START access to BUILTIN\Users. In a domain network environment, this permission allows normal remote users to start or stop the service. This vulnerability could be exploited by malicious actors to prevent the browser update service from functioning by repeatedly issuing stop commands, effectively creating a denial of service condition for updates. Additionally, this misconfiguration exposed unnecessary attack surface in the maintenance service. The vulnerability affects Firefox versions prior to 87, Firefox ESR versions prior to 78.10.1, and Thunderbird versions prior to 78.10.1.

Overview

CVE-2021-29951 is a privilege management vulnerability (CWE-269) in Mozilla's Maintenance Service on Windows systems. The service incorrectly granted SERVICE_START access permissions to the BUILTIN\Users group, which in domain network environments allows standard users to control the service. This could be exploited by attackers to prevent browser updates by continuously stopping the service or potentially to leverage the exposed attack surface for other attacks. The vulnerability only affects Windows systems older than Windows 10 build 1709, with other operating systems remaining unaffected. This security issue demonstrates the importance of proper service permission configuration, as overly permissive settings can lead to security risks even in trusted applications.

Remediation

To address this vulnerability, users should update their Mozilla applications to the following versions or newer:

  • Firefox: Update to version 87 or later
  • Firefox ESR: Update to version 78.10.1 or later
  • Thunderbird: Update to version 78.10.1 or later

System administrators should also consider:

  1. Reviewing service permissions on Windows systems, particularly in domain environments
  2. Implementing least privilege principles for all services
  3. Monitoring for unauthorized service control attempts
  4. Ensuring automatic updates are functioning properly after applying the fix

For users unable to update immediately, limiting domain user access to affected systems can help mitigate the risk until updates can be applied.
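The permission review in step 1 can be made concrete by reading the service's DACL and checking whether BUILTIN\Users holds the service-control rights the advisory describes. The script below is an added example written for this page; it is not code from Armis or Mozilla. It assumes the Windows service name is `MozillaMaintenance` (the display name is "Mozilla Maintenance Service"), reads the descriptor with `sc.exe sdshow`, and flags any access-allowed entry for BUILTIN\Users (SID S-1-5-32-545) that carries SERVICE_START (0x0010) or SERVICE_STOP (0x0020). It only reports; it changes nothing, so it is also usable after the update to confirm the fix took effect.

```powershell
# Added example (not from the Armis page or from Mozilla): audit the Mozilla
# Maintenance Service DACL for SERVICE_START / SERVICE_STOP grants to BUILTIN\Users.
# Assumption: the service name is "MozillaMaintenance"; override -ServiceName if
# it differs on the host being checked.
param(
    [string]$ServiceName = 'MozillaMaintenance'
)

# Service-specific access bits as defined in winsvc.h
$SERVICE_START = 0x0010
$SERVICE_STOP  = 0x0020
# Well-known SID for BUILTIN\Users
$UsersSid = 'S-1-5-32-545'

function Get-ServiceSddl {
    param([string]$Name)
    # "sc.exe sdshow <name>" prints the service security descriptor in SDDL form.
    $out = & sc.exe sdshow $Name 2>&1
    $sddl = $out | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "Could not read SDDL for service '$Name': $out" }
    return $sddl.Trim()
}

function Test-ExcessiveUserRights {
    param([string]$Sddl)
    # Parse the SDDL into ACEs so we can inspect the raw access mask per principal.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ordinary access-allowed ACEs can widen access; skip everything else.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if ($ace.SecurityIdentifier.Value -ne $UsersSid) { continue }

        $granted = @()
        if ($ace.AccessMask -band $SERVICE_START) { $granted += 'SERVICE_START' }
        if ($ace.AccessMask -band $SERVICE_STOP)  { $granted += 'SERVICE_STOP' }
        if ($granted.Count -gt 0) {
            $findings += [pscustomobject]@{
                Principal = 'BUILTIN\Users'
                Rights    = ($granted -join ', ')
                Mask      = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
    return $findings
}

$sddl = Get-ServiceSddl -Name $ServiceName
Write-Host "DACL for ${ServiceName}: $sddl"
$findings = Test-ExcessiveUserRights -Sddl $sddl
if ($findings) {
    Write-Warning "BUILTIN\Users holds service-control rights on $ServiceName (CVE-2021-29951 exposure):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: BUILTIN\Users has no SERVICE_START or SERVICE_STOP on $ServiceName."
}
```

Run it from an elevated prompt on a host in scope; a clean result after updating to the fixed Firefox, Firefox ESR or Thunderbird build confirms the DACL no longer grants start or stop rights to ordinary users. In SDDL notation the same rights appear as `RP` (SERVICE_START) and `WP` (SERVICE_STOP) inside the `BU` entry, which is what the raw mask check above decodes.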

References

  1. Mozilla Foundation Security Advisory (MFSA2021-10): https://www.mozilla.org/security/advisories/mfsa2021-10/
  2. Mozilla Foundation Security Advisory (MFSA2021-18): https://www.mozilla.org/security/advisories/mfsa2021-18/
  3. Mozilla Foundation Security Advisory (MFSA2021-19): https://www.mozilla.org/security/advisories/mfsa2021-19/
  4. Mozilla Bugzilla Issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1690062
  5. Common Weakness Enumeration (CWE-269): Improper Privilege Management

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Health Care & Social Assistance
  3. Public Administration
  4. Transportation & Warehousing
  5. Educational Services
  6. Finance and Insurance
  7. Retail Trade
  8. Arts, Entertainment & Recreation
  9. Management of Companies & Enterprises
  10. Professional, Scientific, & Technical Services
  11. Utilities
  12. Other Services (except Public Administration)
  13. Agriculture, Forestry, Fishing & Hunting
  14. Construction
  15. Wholesale Trade
  16. Accommodation & Food Services
  17. Administrative, Support, Waste Management & Remediation Services
  18. Information
  19. Mining
  20. Real Estate Rental & Leasing

Armis Vulnerability Intelligence Database