Firefox < 39.0 Multiple Vulnerabilities (Logjam)

critical Nessus Plugin ID 84581

Synopsis

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The version of Firefox installed on the remote Windows host is prior to 39.0. It is, therefore, affected by multiple vulnerabilities :

- A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for a ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721)

- Multiple user-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733)

- Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725)

- A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database Manager's handling of IDBDatabase. A remote attacker can exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the AudioParamTimeline::AudioNodeInputValue() function when computing oscillator rending ranges. An attacker can exploit this to disclose the contents of four bytes of memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw in Network Security Services (NSS) in its Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation. A remote attacker can exploit this to forge signatures. (CVE-2015-2730)

- A use-after-free error exists in the CSPService::ShouldLoad() function when modifying the Document Object Model to remove a DOM object. An attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the CairoTextureClientD3D9::BorrowDrawTarget() function, the ::d3d11::SetBufferData() function, and the YCbCrImageDataDeserializer::ToDataSourceSurface() function. The impact is unspecified. (CVE-2015-2734, CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the nsZipArchive::GetDataOffset() function due to improper string length checks. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2735)

- A memory corruption issue exists in the nsZipArchive::BuildFileList() function due to improper validation of user-supplied input. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the ArrayBufferBuilder::append() function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the nsXMLHttpRequest::AppendToResponseText() function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in certificate pinning checks. Key pinning is not enforced upon encountering an X.509 certificate problem that generates a user dialog. A man-in-the-middle attacker can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A privilege escalation vulnerability exists in the PDF viewer (PDF.js) due to internal workers being executed insecurely. An attacker can exploit this, by leveraging a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)

Solution

Upgrade to Firefox 39.0 or later.

See Also

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/

https://weakdh.org/

Plugin Details

Severity: Critical

ID: 84581

File Name: mozilla_firefox_39_0.nasl

Version: 1.14

Type: local

Agent: windows

Family: Windows

Published: 7/7/2015

Updated: 12/5/2022

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-2740

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Required KB Items: Mozilla/Firefox/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/2/2015

Vulnerability Publication Date: 5/19/2015

Reference Information

CVE: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743, CVE-2015-4000

BID: 74733