CVE-2021-29951: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2021-29951) affects the Mozilla Maintenance Service on Windows systems, which incorrectly granted SERVICE_START access to BUILTIN\Users. This security flaw was discovered in Firefox versions prior to 87, Firefox ESR versions prior to 78.10.1, and Thunderbird versions prior to 78.10.1. The vulnerability specifically impacts Windows operating systems older than Windows 10 build 1709, while other operating systems remain unaffected (Mozilla Advisory, NVD).

The vulnerability stems from a security descriptor configuration in the Mozilla Maintenance Service that granted SERVICESTART and SERVICESTOP access to the BUILTIN\Users group. In domain network environments, this misconfiguration allows normal remote users to authenticate and gain access to start or stop the service, potentially influencing the update operation through command-line arguments. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability could enable remote users in domain networks to start or stop the Mozilla Maintenance Service, potentially preventing the browser update service from operating through continuous 'Stop' command spam. More critically, it exposed attack surface in the maintenance service that could potentially be exploited if combined with other vulnerabilities to achieve system-level remote code execution (Mozilla Advisory, Bugzilla).

Mozilla addressed this vulnerability by changing the service permissions to use NT AUTHORITY\INTERACTIVE group instead of BUILTIN\Users, ensuring that only interactive logins (including RDP logins) can access the service. The fix was released in Firefox 87, Firefox ESR 78.10.1, and Thunderbird 78.10.1. Users should upgrade to these versions or later to mitigate the vulnerability (Mozilla Advisory).