Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3175-1)

Ubuntu Security Notice (C) 2017 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Multiple memory safety issues were discovered in Firefox. If a user
were tricked into opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5373,
CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5375)

Nicolas Gregoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5377)

Jann Horn discovered that an object's address could be discovered
through hashed codes of JavaScript objects shared between pages. If a
user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content
in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2017-5380)

Jann Horn discovered that the 'export' function in the Certificate
Viewer can force local filesystem navigation when the Common Name
contains slashes. If a user were tricked into exporting a specially
crafted certificate, an attacker could potentially exploit this to
save content with arbitrary filenames in unsafe locations.
(CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used
to capture errors and exceptions generated by privileged content. An
attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5382)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof
the URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is
exposed to JavaScript functions specified by Proxy Auto-Config (PAC)
files. If a user has enabled Web Proxy Auto Detect (WPAD), an attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could
potentially exploit this to obtain sensitive information.
(CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked into
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDoS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the
mozAddonManager API by modifying the CSP headers on sites with the
appropriate permissions and then using host requests to redirect
script loads to a malicious site. If a user were tricked into
installing a specially crafted addon, an attacker could potentially
exploit this to install additional addons without user permission.
(CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools
JSON Viewer. An attacker could potentially exploit this to gain
additional privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially
exploit this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a
publicly accessible site. If a user were tricked into installing a
specially crafted addon, an attacker could potentially exploit this,
in combination with a cross-site scripting (XSS) attack on Mozilla's
AMO sites, to install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5396)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected firefox package.
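The advisory gives the remediation as a single line, but the check a host owner actually wants is "is the installed firefox package older than the fixed build?". The script below is an added example, not part of the Ubuntu notice or the Tenable plugin. It assumes a Debian-style package system and a POSIX shell; the fixed package version is not stated on this page, so FIXED_VERSION is an obvious placeholder that must be replaced with the version listed in USN-3175-1 for the release being checked. When dpkg is absent it falls back to GNU sort -V, which is only an approximation of Debian version ordering (it does not handle epochs or the "~" pre-release marker the way dpkg does).

```sh
#!/bin/sh
# Added example (not from USN-3175-1 or the Nessus plugin): compare the installed
# firefox package version against the fixed version from the advisory.

# PLACEHOLDER: replace with the fixed version from USN-3175-1 for this Ubuntu release.
FIXED_VERSION="${FIXED_VERSION:-0.0.0-PLACEHOLDER}"

# version_lt A B: exit 0 when package version A sorts strictly before B.
# Uses dpkg's comparison when available; otherwise approximates with sort -V.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# installed_version PKG: print the installed version string, or nothing if the
# package (or dpkg-query itself) is not present.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# check_firefox: print a verdict; exit 0 when patched or not installed,
# exit 1 when the installed build predates FIXED_VERSION.
check_firefox() {
    inst="$(installed_version firefox)"
    if [ -z "$inst" ]; then
        echo "firefox: not installed on this host"
        return 0
    fi
    if version_lt "$inst" "$FIXED_VERSION"; then
        echo "firefox $inst predates fixed version $FIXED_VERSION: apply USN-3175-1"
        return 1
    fi
    echo "firefox $inst is at or above $FIXED_VERSION"
    return 0
}

# Usage: FIXED_VERSION=<fixed version from the advisory> sh check_firefox.sh
check_firefox
```

The exit status is what a fleet-wide job should consume: a non-zero result means the host still needs the update, which is a more reliable signal than grepping the printed line.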

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true
