CVE-2023-29532: 
NixOS vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2023-29532) was discovered in the Mozilla Maintenance Service affecting Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10 on Windows systems. The vulnerability was reported by Holger Fuhrmannek and disclosed on April 11, 2023. The issue allows a local attacker to bypass signature verification of update files by exploiting a write-lock bypass vulnerability when using a malicious SMB server (Mozilla Advisory).

The vulnerability exists in the Mozilla Maintenance Service's update verification process. When updating, the service loads update data from a user-controlled path pointing to a MAR archive. Although signature verification is performed, the file is read twice - once for signature checking and once for the actual update. While the service attempts to write-lock the file to prevent modifications between reads, this lock is ineffective when the file is hosted on an SMB server. This allows an attacker to serve a legitimate signed file during verification and swap it with malicious content before the actual update process (Mozilla Bug).

The vulnerability allows a local attacker with system access to bypass signature verification and trick the Mozilla Maintenance Service into applying an unsigned malicious update. Since the Maintenance Service runs with SYSTEM privileges on Windows, this can lead to privilege escalation and arbitrary code execution at the highest privilege level. The vulnerability is rated as High severity with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) (NVD).

The vulnerability was fixed in Firefox 112, Firefox ESR 102.10, and Thunderbird 102.10. The fix involves loading the update file into RAM and verifying its integrity there rather than relying on file system locks. Users should update to these or later versions to mitigate the vulnerability (Mozilla Advisory).