Mozilla Thunderbird < 38.1 Multiple Vulnerabilities (Mac OS X) (Logjam)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a mail client that is affected by
multiple vulnerabilities.

Description :

The version of Thunderbird installed on the remote Mac OS X host is
prior to 38.1. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will take
the EC key from the ECDSA certificate. A remote attacker
can exploit this to silently downgrade the exchange to a
non-forward secret mixed-ECDH exchange. (CVE-2015-2721)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Thunderbird 38.1 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
