Mozilla Firefox < 57 Multiple Vulnerabilities

Critical | Nessus Network Monitor Plugin ID 700322

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 57 are unpatched for the following vulnerabilities:

- A race condition exists in 'dom/media/systemservices/MediaParent.cpp' that is triggered when getting deviceId keys. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'js/src/proxy/DeadObjectProxy.cpp' that is triggered when handling object proxies. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'xpcom/threads/SystemGroup.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An overflow condition exists in the 'nr_transport_addr_fmt_ifname_addr_string()' function in 'media/mtransport/third_party/nICEr/src/net/transport_addr.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a stack-based buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GPUProcessHost::OnChannelClosed()' function in 'gfx/ipc/GPUProcessHost.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'gfx/layers/AtomicRefCountedWithFinalize.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'NewReactionRecord()' function in 'js/src/builtin/Promise.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'VerifyCMSDetachedSignatureIncludingCertificate()' function in 'security/manager/ssl/nsDataSignatureVerifier.cpp' that is triggered when handling PKCS#7 signedData content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ContainerLayerComposite::mPrepared()' function in 'gfx/layers/composite/ContainerLayerComposite.cpp' that is triggered when handling layers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MArgumentsLength::computeRange()' function in 'js/src/jit/RangeAnalysis.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in 'widget/windows/AudioSession.cpp' that is triggered when handling AudioSession objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when handling WebGL texture images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'nsDocShell::~nsDocShell()' function in 'docshell/base/nsDocShell.cpp' that is triggered when notifying observers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'CleanupOSFileConstants()' function in 'dom/system/OSFileConstants.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'ApplicationReputationService::~ApplicationReputationService()' function in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered as certain pointers are not properly cleared. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EnumerableOwnProperties()' function in 'js/src/builtin/Object.cpp' that is triggered when rooting objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'CompositorBridgeChild::RecvDidComposite()' function in 'gfx/layers/ipc/CompositorBridgeChild.cpp' that is triggered when handling texture pools. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'nsViewManager::~nsViewManager()' function in 'view/nsViewManager.cpp' that is triggered as the PresShell object is not properly handled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'TLSFilterTransaction::Close()' function in 'netwerk/protocol/http/TunnelUtils.cpp' that is triggered as timers are not properly handled when a transaction is canceled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EventStateManager::DispatchCrossProcessEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling drag events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered when handling properties of adopted nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'PropertyReadNeedsTypeBarrier()' function in 'jit/MIR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A logic flaw exists in the 'IsMarkedBlack()' function in 'js/src/gc/Barrier.cpp' that is triggered during gray marking asserts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when flushing and resizing the layout, which may cause the PresShell object to be freed while still in use. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as navigations in cross-origin iframes are revealed. Using the Resource Timing API, a context-dependent attacker can gain access to cross-origin URL information.
- A flaw exists that is triggered as the security wrapper fails to deny access to certain exposed properties using the deprecated exposedProps mechanism on proxy objects. This may allow a context-dependent attacker to gain access to potentially sensitive information.
- A flaw exists in the 'nsIDNService::isLabelSafe()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered during the handling of the combined, single-character version of the letter 'i' with any of the potential accents in Unicode, such as acute or grave. These combinations do not display properly in Punycode. With a specially crafted domain including a dotless version of 'i', a context-dependent attacker can spoof a domain.
- A flaw exists in the 'nsIDNService::isLabelSafe()' function in 'netwerk/dns/nsIDNService.cpp' that is triggered during the handling of Arabic and Indic vowel marker characters that are combined with Latin characters in a domain name, which can cause the non-Latin characters to be eclipsed in the address bar. This may allow a context-dependent attacker to spoof a domain.
- A flaw exists that is triggered as data: URLs loaded into new tabs do not properly inherit the Content Security Policy (CSP) of the original page. This may allow a context-dependent attacker to bypass protection mechanisms.
- A flaw exists in the 'nsMixedContentBlocker::AsyncOnChannelRedirect()' function in 'dom/security/nsMixedContentBlocker.cpp' that is triggered as mixed content blocking was not properly applied to resources when being redirected from an HTTPS environment to an HTTP environment. This may allow a context-dependent attacker to bypass restrictions and load blocked content on pages.
- A flaw exists in the 'CurlWrapper::Init()' function in 'toolkit/components/telemetry/pingsender/pingsender_unix_common.cpp' that is triggered as it fails to validate the libcurl library before loading it. This may allow a local attacker to replace libcurl files and gain elevated privileges.
- A flaw exists in the 'nsContentSink::ProcessMETATag()' function in 'dom/base/nsContentSink.cpp' that is triggered during the handling of <meta> tags in SVG passed via <img> tags. This may allow a context-dependent attacker to set cookies for a page.
- A flaw exists in 'netwerk/dns/nsIDNService.cpp' that is triggered as Punycode format text is not properly displayed in international domain names when triggered by a sub-domain. This may allow a context-dependent attacker to conduct a limited spoofing attack.
- A flaw exists in the 'stripUnsafeProtocolOnPaste()' function in 'base/content/browser.js' that is triggered during the handling of control characters before javascript: URLs. This may allow a context-dependent attacker to bypass self-XSS protection mechanisms.
- A flaw exists in the '_writeItem()' function in 'toolkit/components/places/BookmarkHTMLUtils.jsm' that allows a cross-site scripting (self-XSS) attack. This flaw exists because the program does not validate input to exported bookmarks before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in their own browser.
- A flaw exists that is triggered as the referrer policy is not always honored when handling <link> elements. This may allow a context-dependent attacker to bypass the referrer policy.
- A flaw exists in the 'PerDocumentStyleDataImpl::visited_styles_enabled()' function in 'servo/components/style/gecko/data.rs'. The issue is triggered when handling the CSS ':visited' selector for a document being used as an SVG image. With a specially crafted web page, a context-dependent attacker can disclose visited history information.
- A flaw exists in the 'FactoryOp::CheckPermission()' function in 'dom/indexedDB/ActorsParent.cpp' that is triggered as a web worker in Private Browsing mode can write to IndexedDB. With a specially crafted web page, a context-dependent attacker can uniquely fingerprint a user even when browsing in Private Browsing mode.
- An overflow condition exists that is triggered as certain input is not properly validated when drawing and validating elements using Direct3D 9 with the ANGLE graphics library. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A flaw exists related to speculative execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached during conditional branches handling out-of-bounds checks. Using a vulnerable code pattern, or a JIT engine or interpreter to generate such a pattern, an attacker can perform a Flush+Reload or Evict+Reload side-channel attack on the cache and disclose parts of the privileged kernel memory.
- A flaw exists in the fundamental design related to out-of-order process execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached before exceptions are raised for restricted memory access. Using transient instructions in combination with a Flush+Reload side-channel attack, a local attacker can disclose parts of the privileged kernel memory.
- A flaw exists related to speculative execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached during indirect branch prediction. This may allow a local attacker to train the Branch Target Buffer (BTB) to trigger a false prediction to a specially crafted memory location, causing speculative execution of a crafted gadget and the caching of arbitrary memory. Using a side-channel attack on the cache, the attacker can disclose parts of the privileged kernel memory.

Solution

Upgrade to Firefox version 57 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-27

Plugin Details

Severity: Critical

ID: 700322

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Nessus ID: 105040

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 11/14/2017

Vulnerability Publication Date: 10/24/2017

Reference Information

CVE: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7836, CVE-2017-7837, CVE-2017-7838, CVE-2017-7839, CVE-2017-7840, CVE-2017-7842, CVE-2017-7843, CVE-2017-7844, CVE-2017-7845

BID: 102039