Mozilla Firefox < 55 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700182

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 55 are unpatched for the following vulnerabilities :

- A flaw exists that is triggered as the HTTP Strict-Transport-Security (HSTS) header is ignored when processing a response containing multiple HSTS headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to bypass HSTS protection and downgrade the HTTP communication.
- A flaw exists in the 'Key::EncodeAsString()' function in 'dom/indexedDB/Key.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'SelectionManager::SetControlSelectionListener()' and 'SelectionManager::ClearControlSelectionListener()' functions in 'accessible/base/SelectionManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
- A flaw exists in the 'DocAccessible::MoveChild()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in 'xpcom/threads/MozPromise.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling edit transactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists related to the Android UI thread. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CanonicalizeLanguageTag()' function in 'js/src/builtin/Intl.js' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered as certain input is not properly validated when handling freezing of dense elements. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Module::instantiate()' function in 'js/src/wasm/WasmModule.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::build()' and 'IonBuilder::buildInline()' functions in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsContentUtils::ConvertStringFromEncoding()' function in 'dom/base/nsContentUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'jit::JitActivation::getRematerializedFrame()' function in 'js/src/vm/Stack.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists related to response header name interning not having same-origin protections. This may allow a context-dependent attacker to disclose stored header names.
- A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code.
- A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- An overflow condition exists that is triggered as certain input is not properly validated when manipulation Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling the layer manager while rendering SVG content. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
- A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy.
- A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain.
- A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks.
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution.
- A flaw exists in the 'AllowOpen()' function in 'security/sandbox/linux/broker/SandboxBroker.cpp'. This may allow a context-dependent attacker to bypass the sandbox restrictions and truncate files on the system.
- A flaw exists in the elliptic curve point addition algorithm that is triggered when using mixed Jacobian-affine coordinates. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to interfere with a connection and cause the calculation of an incorrect shared secret.
- A flaw exists that is triggered when handling frame-ancestors directives containing origins with paths. This may allow a context-dependent attacker to bypass the content security policy (CSP).
- A sandbox directive. This may result in other directives being ignored and incorrect enforcement of the content security policy (CSP).
- A flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered when handling patch directory paths. Combined with another local vulnerability this may allow an attacker to have the Windows updater delete any file named 'update.log'.
- A flaw exists in 'toolkit/content/aboutwebrtc/aboutWebrtc.js' that is triggered as certain input to about:webrtc is not properly validated. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server or inject XUL code.
- A flaw exists in the 'nsHttpChannelAuthProvider::ConfirmAuth()' function in 'netwerk/protocol/http/nsHttpChannelAuthProvider.cpp' that is triggered when handling long usernames in URLs. This may allow a context-dependent attacker to cause a denial of service.
- A flaw exists in 'toolkit/crashreporter/client/crashreporter_win.cpp' that is triggered as the Windows crash reporter may read extra memory for certain non-null-terminated registry values. This may allow an attacker to disclose potentially sensitive memory contents.
- A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections.
- A flaw exists that is triggered as sandboxed about:srcdoc iframes do not inherit content security policy (CSP) directives. This may allow a context-dependent attacker to bypass the content security policy (CSP).
- An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.

Solution

Upgrade to Firefox version 55 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18

https://www.mozilla.org/en-US/security/advisories/mfsa2017-19

http://www.nessus.org/u?72a63c9b

Plugin Details

Severity: High

ID: 700182

Family: Web Clients

Published: 2017/08/21

Modified: 2018/09/16

Dependencies: 9131

Nessus ID: 102359

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 2016/08/08

Vulnerability Publication Date: 2017/08/08

Reference Information

CVE: CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7782, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7790, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7796, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7804, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809

BID: 100196, 100197, 100198, 100199, 100201, 100202, 100203, 100206, 100234, 100240, 100242, 100243, 100315, 100373, 100374, 100379, 100383, 100389, 100401