NewStart CGSL MAIN 6.02 : firefox Multiple Vulnerabilities (NS-SA-2024-0066)

critical Nessus Plugin ID 206859

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has firefox packages installed that are affected by multiple vulnerabilities:

- crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4. (CVE-2021-32810)

- Mozilla developers reported memory safety bugs present in Firefox 91 and Firefox ESR 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.14, Thunderbird < 78.14, and Firefox < 92. (CVE-2021-38493)

- During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. (CVE-2021-38496)

- Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38497)

- During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 93, Thunderbird < 91.2, and Firefox ESR < 91.2. (CVE-2021-38498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL firefox packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2024-0066

https://security.gd-linux.com/info/CVE-2021-32810

https://security.gd-linux.com/info/CVE-2021-38493

https://security.gd-linux.com/info/CVE-2021-38496

https://security.gd-linux.com/info/CVE-2021-38497

https://security.gd-linux.com/info/CVE-2021-38498

https://security.gd-linux.com/info/CVE-2021-38500

https://security.gd-linux.com/info/CVE-2021-38501

https://security.gd-linux.com/info/CVE-2021-38503

https://security.gd-linux.com/info/CVE-2021-38504

https://security.gd-linux.com/info/CVE-2021-38506

https://security.gd-linux.com/info/CVE-2021-38507

https://security.gd-linux.com/info/CVE-2021-38508

https://security.gd-linux.com/info/CVE-2021-38509

https://security.gd-linux.com/info/CVE-2021-4129

https://security.gd-linux.com/info/CVE-2021-4140

https://security.gd-linux.com/info/CVE-2021-43534

https://security.gd-linux.com/info/CVE-2021-43535

https://security.gd-linux.com/info/CVE-2021-43536

https://security.gd-linux.com/info/CVE-2021-43537

https://security.gd-linux.com/info/CVE-2021-43538

https://security.gd-linux.com/info/CVE-2021-43539

https://security.gd-linux.com/info/CVE-2021-43541

https://security.gd-linux.com/info/CVE-2021-43542

https://security.gd-linux.com/info/CVE-2021-43543

https://security.gd-linux.com/info/CVE-2021-43545

https://security.gd-linux.com/info/CVE-2021-43546

https://security.gd-linux.com/info/CVE-2022-1097

https://security.gd-linux.com/info/CVE-2022-1196

https://security.gd-linux.com/info/CVE-2022-1529

https://security.gd-linux.com/info/CVE-2022-1802

https://security.gd-linux.com/info/CVE-2022-2200

https://security.gd-linux.com/info/CVE-2022-22737

https://security.gd-linux.com/info/CVE-2022-22738

https://security.gd-linux.com/info/CVE-2022-22739

https://security.gd-linux.com/info/CVE-2022-22740

https://security.gd-linux.com/info/CVE-2022-22741

https://security.gd-linux.com/info/CVE-2022-22742

https://security.gd-linux.com/info/CVE-2022-22743

https://security.gd-linux.com/info/CVE-2022-22745

https://security.gd-linux.com/info/CVE-2022-22747

https://security.gd-linux.com/info/CVE-2022-22748

https://security.gd-linux.com/info/CVE-2022-22751

https://security.gd-linux.com/info/CVE-2022-22754

https://security.gd-linux.com/info/CVE-2022-22756

https://security.gd-linux.com/info/CVE-2022-22759

https://security.gd-linux.com/info/CVE-2022-22760

https://security.gd-linux.com/info/CVE-2022-22761

https://security.gd-linux.com/info/CVE-2022-22763

https://security.gd-linux.com/info/CVE-2022-22764

https://security.gd-linux.com/info/CVE-2022-24713

https://security.gd-linux.com/info/CVE-2022-2505

https://security.gd-linux.com/info/CVE-2022-25235

https://security.gd-linux.com/info/CVE-2022-25236

https://security.gd-linux.com/info/CVE-2022-25315

https://security.gd-linux.com/info/CVE-2022-26381

https://security.gd-linux.com/info/CVE-2022-26383

https://security.gd-linux.com/info/CVE-2022-26384

https://security.gd-linux.com/info/CVE-2022-26386

https://security.gd-linux.com/info/CVE-2022-26387

https://security.gd-linux.com/info/CVE-2022-26485

https://security.gd-linux.com/info/CVE-2022-26486

https://security.gd-linux.com/info/CVE-2023-23605

https://security.gd-linux.com/info/CVE-2023-25728

https://security.gd-linux.com/info/CVE-2023-25729

https://security.gd-linux.com/info/CVE-2023-25730

https://security.gd-linux.com/info/CVE-2023-25732

https://security.gd-linux.com/info/CVE-2023-25735

https://security.gd-linux.com/info/CVE-2023-25737

https://security.gd-linux.com/info/CVE-2023-25739

https://security.gd-linux.com/info/CVE-2023-25742

https://security.gd-linux.com/info/CVE-2023-25743

https://security.gd-linux.com/info/CVE-2023-25744

https://security.gd-linux.com/info/CVE-2023-25746

https://security.gd-linux.com/info/CVE-2023-25751

https://security.gd-linux.com/info/CVE-2023-25752

https://security.gd-linux.com/info/CVE-2023-28162

https://security.gd-linux.com/info/CVE-2023-28164

https://security.gd-linux.com/info/CVE-2023-28176

https://security.gd-linux.com/info/CVE-2023-29533

https://security.gd-linux.com/info/CVE-2023-29535

https://security.gd-linux.com/info/CVE-2023-29536

https://security.gd-linux.com/info/CVE-2023-29539

https://security.gd-linux.com/info/CVE-2023-29541

https://security.gd-linux.com/info/CVE-2023-29548

https://security.gd-linux.com/info/CVE-2023-29550

https://security.gd-linux.com/info/CVE-2023-32205

https://security.gd-linux.com/info/CVE-2023-32206

https://security.gd-linux.com/info/CVE-2023-32207

https://security.gd-linux.com/info/CVE-2023-32211

https://security.gd-linux.com/info/CVE-2023-32212

https://security.gd-linux.com/info/CVE-2023-32213

https://security.gd-linux.com/info/CVE-2023-32215

https://security.gd-linux.com/info/CVE-2023-34414

https://security.gd-linux.com/info/CVE-2023-34416

https://security.gd-linux.com/info/CVE-2023-37201

https://security.gd-linux.com/info/CVE-2023-37202

https://security.gd-linux.com/info/CVE-2023-37207

https://security.gd-linux.com/info/CVE-2023-37208

https://security.gd-linux.com/info/CVE-2023-37211

https://security.gd-linux.com/info/CVE-2023-4045

https://security.gd-linux.com/info/CVE-2023-4046

https://security.gd-linux.com/info/CVE-2023-4047

https://security.gd-linux.com/info/CVE-2023-4048

https://security.gd-linux.com/info/CVE-2023-4049

https://security.gd-linux.com/info/CVE-2023-4050

https://security.gd-linux.com/info/CVE-2023-4051

https://security.gd-linux.com/info/CVE-2023-4053

https://security.gd-linux.com/info/CVE-2023-4055

https://security.gd-linux.com/info/CVE-2023-4056

https://security.gd-linux.com/info/CVE-2023-4057

https://security.gd-linux.com/info/CVE-2023-4573

https://security.gd-linux.com/info/CVE-2023-4574

https://security.gd-linux.com/info/CVE-2023-4575

https://security.gd-linux.com/info/CVE-2023-4577

https://security.gd-linux.com/info/CVE-2023-4578

https://security.gd-linux.com/info/CVE-2023-4580

https://security.gd-linux.com/info/CVE-2023-4581

https://security.gd-linux.com/info/CVE-2023-4583

https://security.gd-linux.com/info/CVE-2023-4584

https://security.gd-linux.com/info/CVE-2023-4585

https://security.gd-linux.com/info/CVE-2023-4863

https://security.gd-linux.com/info/CVE-2023-5129

https://security.gd-linux.com/info/CVE-2022-28281

https://security.gd-linux.com/info/CVE-2022-28282

https://security.gd-linux.com/info/CVE-2022-28285

https://security.gd-linux.com/info/CVE-2022-28286

https://security.gd-linux.com/info/CVE-2022-28289

https://security.gd-linux.com/info/CVE-2022-29909

https://security.gd-linux.com/info/CVE-2022-29911

https://security.gd-linux.com/info/CVE-2022-29912

https://security.gd-linux.com/info/CVE-2022-29914

https://security.gd-linux.com/info/CVE-2022-29916

https://security.gd-linux.com/info/CVE-2022-29917

https://security.gd-linux.com/info/CVE-2022-31736

https://security.gd-linux.com/info/CVE-2022-31737

https://security.gd-linux.com/info/CVE-2022-31738

https://security.gd-linux.com/info/CVE-2022-31740

https://security.gd-linux.com/info/CVE-2022-31741

https://security.gd-linux.com/info/CVE-2022-31742

https://security.gd-linux.com/info/CVE-2022-31744

https://security.gd-linux.com/info/CVE-2022-31747

https://security.gd-linux.com/info/CVE-2022-34468

https://security.gd-linux.com/info/CVE-2022-34470

https://security.gd-linux.com/info/CVE-2022-34472

https://security.gd-linux.com/info/CVE-2022-34479

https://security.gd-linux.com/info/CVE-2022-34481

https://security.gd-linux.com/info/CVE-2022-34484

https://security.gd-linux.com/info/CVE-2022-36318

https://security.gd-linux.com/info/CVE-2022-36319

https://security.gd-linux.com/info/CVE-2022-38472

https://security.gd-linux.com/info/CVE-2022-38473

https://security.gd-linux.com/info/CVE-2022-38476

https://security.gd-linux.com/info/CVE-2022-38477

https://security.gd-linux.com/info/CVE-2022-38478

https://security.gd-linux.com/info/CVE-2022-40674

https://security.gd-linux.com/info/CVE-2022-40956

https://security.gd-linux.com/info/CVE-2022-40957

https://security.gd-linux.com/info/CVE-2022-40958

https://security.gd-linux.com/info/CVE-2022-40959

https://security.gd-linux.com/info/CVE-2022-40960

https://security.gd-linux.com/info/CVE-2022-40962

https://security.gd-linux.com/info/CVE-2022-42927

https://security.gd-linux.com/info/CVE-2022-42928

https://security.gd-linux.com/info/CVE-2022-42929

https://security.gd-linux.com/info/CVE-2022-42932

https://security.gd-linux.com/info/CVE-2022-43680

https://security.gd-linux.com/info/CVE-2022-45403

https://security.gd-linux.com/info/CVE-2022-45404

https://security.gd-linux.com/info/CVE-2022-45405

https://security.gd-linux.com/info/CVE-2022-45406

https://security.gd-linux.com/info/CVE-2022-45408

https://security.gd-linux.com/info/CVE-2022-45409

https://security.gd-linux.com/info/CVE-2022-45410

https://security.gd-linux.com/info/CVE-2022-45411

https://security.gd-linux.com/info/CVE-2022-45412

https://security.gd-linux.com/info/CVE-2022-45416

https://security.gd-linux.com/info/CVE-2022-45418

https://security.gd-linux.com/info/CVE-2022-45420

https://security.gd-linux.com/info/CVE-2022-45421

https://security.gd-linux.com/info/CVE-2022-46871

https://security.gd-linux.com/info/CVE-2022-46872

https://security.gd-linux.com/info/CVE-2022-46874

https://security.gd-linux.com/info/CVE-2022-46877

https://security.gd-linux.com/info/CVE-2022-46878

https://security.gd-linux.com/info/CVE-2022-46880

https://security.gd-linux.com/info/CVE-2022-46881

https://security.gd-linux.com/info/CVE-2022-46882

https://security.gd-linux.com/info/CVE-2023-1945

https://security.gd-linux.com/info/CVE-2023-1999

https://security.gd-linux.com/info/CVE-2023-23598

https://security.gd-linux.com/info/CVE-2023-23599

https://security.gd-linux.com/info/CVE-2023-23601

https://security.gd-linux.com/info/CVE-2023-23602

https://security.gd-linux.com/info/CVE-2023-23603

Plugin Details

Severity: Critical

ID: 206859

File Name: newstart_cgsl_NS-SA-2024-0066_firefox.nasl

Version: 1.3

Type: local

Published: 9/10/2024

Updated: 9/17/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-25315

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2021-4140

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:firefox

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/3/2024

Vulnerability Publication Date: 8/2/2021

CISA Known Exploited Vulnerability Due Dates: 3/21/2022, 10/4/2023

Reference Information

CVE: CVE-2021-32810, CVE-2021-38493, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501, CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-4129, CVE-2021-4140, CVE-2021-43534, CVE-2021-43535, CVE-2021-43536, CVE-2021-43537, CVE-2021-43538, CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543, CVE-2021-43545, CVE-2021-43546, CVE-2022-1097, CVE-2022-1196, CVE-2022-1529, CVE-2022-1802, CVE-2022-2200, CVE-2022-22737, CVE-2022-22738, CVE-2022-22739, CVE-2022-22740, CVE-2022-22741, CVE-2022-22742, CVE-2022-22743, CVE-2022-22745, CVE-2022-22747, CVE-2022-22748, CVE-2022-22751, CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, CVE-2022-22764, CVE-2022-24713, CVE-2022-2505, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2022-26381, CVE-2022-26383, CVE-2022-26384, CVE-2022-26386, CVE-2022-26387, CVE-2022-26485, CVE-2022-26486, CVE-2022-28281, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-28289, CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29914, CVE-2022-29916, CVE-2022-29917, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31744, CVE-2022-31747, CVE-2022-34468, CVE-2022-34470, CVE-2022-34472, CVE-2022-34479, CVE-2022-34481, CVE-2022-34484, CVE-2022-36318, CVE-2022-36319, CVE-2022-38472, CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, CVE-2022-38478, CVE-2022-40674, CVE-2022-40956, CVE-2022-40957, CVE-2022-40958, CVE-2022-40959, CVE-2022-40960, CVE-2022-40962, CVE-2022-42927, CVE-2022-42928, CVE-2022-42929, CVE-2022-42932, CVE-2022-43680, CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45412, CVE-2022-45416, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421, CVE-2022-46871, CVE-2022-46872, CVE-2022-46874, CVE-2022-46877, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881, CVE-2022-46882, CVE-2023-1945, CVE-2023-1999, CVE-2023-23598, CVE-2023-23599, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25732, CVE-2023-25735, CVE-2023-25737, CVE-2023-25739, CVE-2023-25742, CVE-2023-25743, CVE-2023-25744, CVE-2023-25746, CVE-2023-25751, CVE-2023-25752, CVE-2023-28162, CVE-2023-28164, CVE-2023-28176, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29548, CVE-2023-29550, CVE-2023-32205, CVE-2023-32206, CVE-2023-32207, CVE-2023-32211, CVE-2023-32212, CVE-2023-32213, CVE-2023-32215, CVE-2023-34414, CVE-2023-34416, CVE-2023-37201, CVE-2023-37202, CVE-2023-37207, CVE-2023-37208, CVE-2023-37211, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-4863, CVE-2023-5129

IAVA: 2021-A-0405, 2021-A-0450-S, 2021-A-0461-S, 2021-A-0527-S, 2021-A-0569-S, 2022-A-0017-S, 2022-A-0079-S, 2022-A-0103-S, 2022-A-0134-S, 2022-A-0188-S, 2022-A-0190-S, 2022-A-0217-S, 2022-A-0226-S, 2022-A-0256-S, 2022-A-0298-S, 2022-A-0339-S, 2022-A-0384-S, 2022-A-0435-S, 2022-A-0491-S, 2022-A-0517-S, 2023-A-0048-S, 2023-A-0081-S, 2023-A-0132-S, 2023-A-0182-S, 2023-A-0242-S, 2023-A-0277-S, 2023-A-0328-S, 2023-A-0388-S, 2023-A-0449-S, 2023-A-0491-S