CVE-2023-34414

Mozilla: Click-jacking certificate exceptions through rendering lag

Severity Score

3.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

The error page for sites with invalid TLS certificates was missing the
activation-delay Firefox uses to protect prompts and permission dialogs
from attacks that exploit human response time delays. If a malicious
page elicited user clicks in precise locations immediately before
navigating to a site with a certificate error and made the renderer
extremely busy at the same time, it could create a gap between when
the error page was loaded and when the display actually refreshed.
With the right timing the elicited clicks could land in that gap and
activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.

The Mozilla Foundation Security Advisory describes this flaw as:

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.

*Credits: Irvan Kurniawan

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-06-05 CVE Reserved
2023-06-07 CVE Published
2024-08-02 CVE Updated
2024-09-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation
CWE-449: The UI Performs the Wrong Action

CAPEC

References (7)

URL	Tag	Source
https://security.gentoo.org/glsa/202312-03
https://security.gentoo.org/glsa/202401-10

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.mozilla.org/security/advisories/mfsa2023-19	2024-01-07
https://www.mozilla.org/security/advisories/mfsa2023-20	2024-01-07
https://www.mozilla.org/security/advisories/mfsa2023-21	2024-01-07
https://access.redhat.com/security/cve/CVE-2023-34414	2023-06-14
https://bugzilla.redhat.com/show_bug.cgi?id=2212841	2023-06-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"		Firefox Search vendor "Mozilla" for product "Firefox"				< 114.0 Search vendor "Mozilla" for product "Firefox" and version " < 114.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				< 102.12 Search vendor "Mozilla" for product "Firefox Esr" and version " < 102.12"		-		Affected
Mozilla Search vendor "Mozilla"		Thunderbird Search vendor "Mozilla" for product "Thunderbird"				< 102.12 Search vendor "Mozilla" for product "Thunderbird" and version " < 102.12"		-		Affected