CVE-2020-12421 Explained: Impact and Mitigation

Learn about CVE-2020-12421 affecting Firefox ESR, Firefox, and Thunderbird. Find out how add-ons could become out-of-date silently and steps to mitigate the vulnerability.

A vulnerability in Firefox ESR, Firefox, and Thunderbird could allow add-ons to become out-of-date without user notification.

Understanding CVE-2020-12421

What is CVE-2020-12421?

When performing add-on updates, certificate chains terminating in non-built-in roots were rejected, potentially causing add-ons to become out-of-date without user notification.

The Impact of CVE-2020-12421

This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.

Technical Details of CVE-2020-12421

Vulnerability Description

Add-on updates did not respect the same certificate trust rules as software updates.

Affected Systems and Versions

        Firefox ESR < 68.10
        Firefox < 78
        Thunderbird < 68.10.0

Exploitation Mechanism

Malicious actors could exploit this flaw in add-on update handling to leave add-ons out of date without the user being aware.

Mitigation and Prevention

Immediate Steps to Take

        Update Firefox ESR to 68.10 or later, Firefox to 78 or later, and Thunderbird to 68.10.0 or later.
        Regularly check for add-on updates and verify their authenticity.
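
The two steps above can be scripted for an inventory. This is an added example, not code from Mozilla or from this page: it compares a product version with the affected ranges listed here and flags active add-ons whose last update is older than a threshold. The field names (addons, active, type, updateDate in milliseconds) are assumptions modelled on a profile's extensions.json, and the 90-day threshold and sample data are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# First fixed releases, derived from the affected ranges listed on this page.
FIXED = {"firefox-esr": (68, 10), "firefox": (78,), "thunderbird": (68, 10, 0)}

def parse_version(text):
    """Turn '68.9.0esr' into (68, 9, 0); trailing non-numeric suffixes are dropped."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in match.group().split("."))

def is_affected(product, version):
    """True when version is below the first fixed release for product."""
    fixed, have = FIXED[product], parse_version(version)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # so 78 and 78.0 compare equal
    return pad(have) < pad(fixed)

def stale_addons(extensions_json, now, max_age_days=90):
    """Return (id, version, age_days) for active extensions not updated recently.

    max_age_days is an assumed policy threshold, not a value from the advisory.
    An add-on with no updateDate is treated as maximally stale.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for addon in json.loads(extensions_json).get("addons", []):
        if not addon.get("active") or addon.get("type") != "extension":
            continue
        millis = addon.get("updateDate", 0)
        updated = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        if updated < cutoff:
            stale.append((addon["id"], addon["version"], (now - updated).days))
    return stale

# Constructed sample shaped like extensions.json (not real profile data).
SAMPLE = json.dumps({"addons": [
    {"id": "old@example.invalid", "version": "1.2", "type": "extension",
     "active": True, "updateDate": 1561939200000},   # 2019-07-01 UTC
    {"id": "fresh@example.invalid", "version": "3.0", "type": "extension",
     "active": True, "updateDate": 1592611200000},   # 2020-06-20 UTC
]})

if __name__ == "__main__":
    now = datetime(2020, 7, 1, tzinfo=timezone.utc)
    print("affected:", is_affected("firefox-esr", "68.9.0esr"))
    print("stale:", stale_addons(SAMPLE, now))
```

A stale add-on on an affected version is a candidate for manual update and a check of the publisher's current release.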

Long-Term Security Practices

        Implement a robust software update policy that includes add-ons.
        Educate users on the importance of updating add-ons promptly.

Patching and Updates

Apply the latest patches and updates provided by Mozilla to address this vulnerability.
