CVE-2024-0753: 
NixOS vulnerability analysis and mitigation

CVE-2024-0753 is a security vulnerability discovered in Mozilla Firefox's HSTS (HTTP Strict Transport Security) implementation. The vulnerability affects Firefox versions prior to 122, Firefox ESR versions before 115.7, and Thunderbird versions before 115.7. The issue was discovered by security researcher Hanno Böck and was publicly disclosed in January 2024 (Mozilla Advisory).

The vulnerability stems from an incorrect interpretation of HSTS policies in Firefox's security implementation. When a subdomain has an HSTS policy without includeSubDomains flag, it could incorrectly override the HSTS policy of the parent domain that has includeSubDomains enabled, effectively bypassing the intended security restrictions. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow an attacker to bypass HSTS protections on subdomains, potentially enabling man-in-the-middle attacks. In scenarios where a domain has HSTS enabled with includeSubDomains and sets cookies without the secure flag, an attacker could potentially steal login cookies by exploiting this vulnerability (Mozilla Bug).

The vulnerability has been fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Users are advised to update their software to these versions or newer. The fix involves correcting the HSTS implementation to properly consider all superdomain HSTS policies when determining if a subdomain should be HSTS-enabled (Mozilla Advisory).