Mozilla Firefox < 58 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 700326

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox earlier than 58 are unpatched for the following vulnerabilities:

- An out-of-bounds read flaw exists in the 'js::WasmTableObject::getImpl()' function. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An overflow condition exists in the 'ShiftFromList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A flaw exists in 'gfx/2d/Filters.h' related to missing thread safety. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the JavaScript just-in-time (JIT) compiler that is triggered when handling call stacks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated when handling TypeScripts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'AppendToList()' function in 'js/src/vm/List-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'CalcTableChecksum()' function in 'gfx/2d/ScaledFontMac.cpp' that is triggered when handling checksums that are not 4-byte aligned. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'HttpChannelChild::Release()' function in 'netwerk/protocol/http/HttpChannelChild.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebrtcVideoConduit::VideoStreamFactory::CreateEncoderStreams()' function in 'media/webrtc/signaling/src/media-conduit/VideoConduit.cpp' that is triggered as certain input is not properly validated when handling temporal layers for screencasts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'dom/media/MediaDecoderStateMachine.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ParseFTPList()' function in 'netwerk/streamconv/converters/ParseFTPList.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the accessibility component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists related to use of uninitialized memory when handling cocoa widgets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the security manager component related to use of uninitialized memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow exists that is triggered when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists that is triggered when the source document for XSL transformation is manipulated by script content during the transformation. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'layout/forms/nsNumberControlFrame.cpp' that is triggered when handling form input elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the widget listener. The issue is triggered when holding strong references to browser objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsIDocument::IsPotentiallyScrollable()' function in 'dom/base/nsDocument.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsCSSFrameConstructor::CreateLetterFrame()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when manipulating floating first-letter style elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'dom/html/HTMLMediaElement.cpp' that is triggered when handling specially crafted HTML media elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'EventStateManager::DispatchMouseOrPointerEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling mouse events. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling font faces. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in WebExtensions that may allow a context-dependent attacker to bypass user prompts and save and execute downloaded files without user confirmation.
- A flaw exists that is triggered when a user selects error links while the Developer Tools are open. This may allow a context-dependent attacker to cause style editor traffic in the Developer Tools to be routed through a service worker hosted on a third-party website, potentially disclosing sensitive cross-origin information.
- A flaw exists as the printing process creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against a file to cause the program to unexpectedly disclose arbitrary files.
- A flaw exists in 'dom/file/nsHostObjectProtocolHandler.cpp' that is triggered during the handling of certain manually entered blob URLs. This may allow a context-dependent attacker to gain access to potentially sensitive information from private browsing.
- A flaw exists in the 'MediaManager::GetUserMedia()' function in 'dom/media/MediaManager.cpp'. This may allow a context-dependent attacker to spoof the origin of audio prompts.
- A flaw exists that is triggered when cursor visibility is toggled back and forth from 'none' to an image via a script. This may allow a context-dependent attacker to cause the cursor to be rendered invisibly.
- A flaw exists that is triggered during the handling of a specially formatted URL that is dragged to the address bar from page content. This may allow a context-dependent attacker to spoof the URL bar.
- A flaw exists in the development tool panels of an extension that may allow a context-dependent attacker to bypass restrictions and load non-relative URLs, which may potentially include privileged pages.
- A flaw exists in the 'browser.identity.launchWebAuthFlow()' function in WebExtensions that is triggered as HTTPS content loading restrictions are not properly honored. This may allow a context-dependent attacker to load content over an HTTP connection.
- A flaw exists that is triggered when changing a cookie to HttpOnly when a document is open. This can cause the cookie to remain accessible until the document is closed.
- A flaw exists that is due to the program displaying HTTP authentication prompts from background pages over the currently loaded foreground page. This may allow a context-dependent attacker to potentially spoof the originating page of an authentication prompt.
- A flaw exists in WebExtensions with the ActiveTab permission that may allow a context-dependent attacker to inject frames from arbitrary origins into the loaded page and gain access to arbitrary frame content.
- A flaw exists in 'browser/base/content/browser.js' that is triggered when right-to-left text is used in the address bar with left-to-right alignment. This may allow a context-dependent attacker to spoof the URL bar.
- A flaw exists in the Activity Stream page that is triggered as it may improperly create images via the file: URL. This may allow a context-dependent attacker to gain access to potentially sensitive local information.
- A flaw exists in the reader view that can allow a context-dependent attacker to bypass CORS header restrictions and view cross-origin content that should be prohibited from loading.
- A flaw exists in 'browser/themes/osx/browser.css' that is triggered when rendering Tibetan characters in several unspecified fonts. This may allow a context-dependent attacker to spoof a valid domain name.
- An integer overflow exists in the 'DoCrypt()' function in 'dom/crypto/WebCryptoTask.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when WebRTC connections interact with DTMF timers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling threads for web workers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when editing events in form elements on a page. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'JSStructuredCloneReader::readV1ArrayBuffer()' function in 'js/src/vm/StructuredClone.cpp' that is triggered when deserializing invalid typed arrays. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCookieService::RemoveCookiesWithOriginAttributes()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'WebrtcGmpVideoDecoder::ReleaseGmp()' function in 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsCookieService::PurgeCookies()' function in 'netwerk/cookie/nsCookieService.cpp' that is triggered when handling cookie expiry. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified race condition exists in 'modules/libjar/nsJAR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified race condition exists in 'netwerk/base/AutoClose.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the browser UI that is triggered when handling specially crafted HTML fragments. This may allow a context-dependent attacker to potentially execute arbitrary code.

- Multiple vulnerabilities in the following files may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code:
- 'media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp'
- 'gfx/thebes/gfxPlatformFontList.cpp'
- 'dom/media/systemservices/CamerasChild.cpp'
- 'dom/media/MediaDecoder.cpp'
- 'js/src/gc/Zone.h'
- 'js/src/jsfun.h'
- 'dom/plugins/ipc/PluginMessageUtils.cpp'
- 'ipc/glue/IPCMessageUtils.h'
- 'dom/media/webrtc/MediaEngineDefault.cpp'
- 'toolkit/components/places/History.cpp'
- 'startupcache/StartupCache.cpp'
- 'dom/media/GraphDriver.cpp'
- 'media/webrtc/signaling/src/media-conduit/WebrtcGmpVideoCodec.h'
- 'dom/base/DirectionalityUtils.cpp'
- 'media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp'
- 'js/src/vm/StructuredClone.cpp'

Solution

Upgrade to Firefox version 58 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2018-02

Plugin Details

Severity: Critical

ID: 700326

Family: Web Clients

Published: 8/21/2018

Updated: 3/6/2019

Nessus ID: 106303

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 1/23/2018

Vulnerability Publication Date: 10/9/2017

Reference Information

CVE: CVE-2018-5013, CVE-2018-5089, CVE-2018-5090, CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5105, CVE-2018-5106, CVE-2018-5107, CVE-2018-5108, CVE-2018-5109, CVE-2018-5110, CVE-2018-5111, CVE-2018-5112, CVE-2018-5113, CVE-2018-5114, CVE-2018-5115, CVE-2018-5116, CVE-2018-5117, CVE-2018-5118, CVE-2018-5119, CVE-2018-5121, CVE-2018-5122, CVE-2018-5124

BID: 102783