Firefox 0-day CVE-2019-17026: What you can do to prepare and remediate
On January 8, 2020 Mozilla announced a critical update to fix an exploitable vulnerability seen targeting computers in the wild. Firefox released an update (version 72.0.1) to remediate the vulnerability, however, older versions are at risk. For more details please reference Mozilla’s bulletin.
Tanium users can quickly find and remediate this vulnerability at enterprise scale; the following article will show some common examples using out-of-the-box solutions.
With Tanium Interact, quickly identify vulnerable endpoints
Tanium’s real-time visibility provides customers the most up-to-date and accurate view of their environment. The following Interact query can be used to quickly search online endpoints for the vulnerability:
Vulnerable Mozilla Firefox Installations:
Get Installed Applications having Installed Applications:Name contains Mozilla Firefox from all machines with ( Installed Application Version[Mozilla Firefox] < 72.0.1 and Installed Applications matches “^Mozilla Firefox(?!.ESR.).*$” )
Vulnerable Mozilla Firefox ESR Installations:
Get Installed Applications having Installed Applications:Name contains Mozilla Firefox from all machines with ( Installed Application Version[Mozilla Firefox] < 68.4.1 and Installed Applications matches “^Mozilla Firefox.ESR.$” )
To report on assets that may be offline, you may use Tanium Asset or you can save a question and issue it periodically. For more information, please see this Tanium Community post:
Easily create complete and detailed reports with Asset
Tanium Asset reports on comprehensive endpoint data and includes data for both online and offline hosts. To report on this vulnerability using Asset, add Installed Applications as a simple attribute to Asset and create a custom report to display version. You can then report on vulnerable versions of Firefox in your environment.
For additional information on reporting using Asset, see here.
For information on creating a report in Asset, see here.
Use Tanium Comply to identify vulnerable Firefox instances
Once a CVE is officially published in the National Vulnerability Database, the Tanium Vulnerability Library (TVL), used by Comply, is automatically updated with the appropriate checks to identify the exposure and remediation information needed to address the issue. It is identified by running a standard vulnerability scan in the Comply service.
NOTE: As of January 9,/2020, the referenced CVEs remain in a “Reserved” status and have not yet been officially reviewed and published to the NVD.
For more information on creating a report based on a vulnerability or a specific CVE, please refer here.
Use Tanium Threat Response to identify and investigate exploited endpoints
Any time there is an exploitable vulnerability there is a need to hunt for compromised machines and investigate any findings. Here are a few examples of how users can look for potentially exploited systems:
- Suspicious process ancestry: Tanium can alert in real time, or search historically, for suspicious processes spawning from firefox.exe.
- Process memory analysis: Tanium can list loaded DLLs, identify injected threads, list suspicious mutexes and enumerate other in-memory artifacts to help determine compromise.
- Persistence mechanisms: A common post-exploitation activity is to establish a persistent foothold on a system. Tanium can enumerate all persistence mechanisms in an environment to determine anomalous entries.
- Tanium Signals: Tanium’s threat intelligence feeds, Tanium Signals, are designed to identify initial or subsequent activity, indicative of a breach. Signals provide real time monitoring for attack behaviors that map to the MITRE ATT&CK framework.
Respond with Tanium
Tanium users can prevent infection or remediate vulnerable hosts. Here are some of the ways you might consider responding to this vulnerability:
- Upgrade with Tanium Deploy. Use Tanium Deploy to manage Firefox and upgrade to the latest available for Windows operating systems. Deploy has a Gallery available with Firefox preconfigured for installation, upgrade, or removal.
- Upgrade with Core. With Tanium Core, you can create a custom Package to deliver the updated software to your vulnerable endpoints. More information on creating a custom Package go here.
- Quarantine infected systems. If a system(s) is suspected to be compromised, consider quarantining the system(s) until it’s been remediated. More information on quarantining a system can be found here. Network quarantine information can be found here.
- Block vulnerable versions with Tanium Protect. Tanium Protect can be used to block or alert on vulnerable versions of Firefox from executing until they are remediated.
- Kill vulnerable versions using Core. Tanium can be set to run a Kill Process action against hosts running vulnerable versions of Firefox on a regular basis.
By their very nature, zero-days often begin with limited information being available; we will keep updating this post if additional pertinent information becomes available. If you have any questions, please contact your Technical Account Manager.