Mozilla Firefox ESR < 52.5 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700332

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 52.5 are unpatched for the following vulnerabilities:

- A flaw exists in the 'NewReactionRecord()' function in 'js/src/builtin/Promise.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'VerifyCMSDetachedSignatureIncludingCertificate()' function in 'security/manager/ssl/nsDataSignatureVerifier.cpp' that is triggered when handling PKCS#7 signedData content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ContainerLayerComposite::mPrepared()' function in 'gfx/layers/composite/ContainerLayerComposite.cpp' that is triggered when handling layers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MArgumentsLength::computeRange()' function in 'js/src/jit/RangeAnalysis.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in 'widget/windows/AudioSession.cpp' that is triggered when handling AudioSession objects. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when handling WebGL texture images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'nsDocShell::~nsDocShell()' function in 'docshell/base/nsDocShell.cpp' that is triggered when notifying observers. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'CleanupOSFileConstants()' function in 'dom/system/OSFileConstants.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'ApplicationReputationService::~ApplicationReputationService()' function in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered as certain pointers are not properly cleared. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EnumerableOwnProperties()' function in 'js/src/builtin/Object.cpp' that is triggered when rooting objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'CompositorBridgeChild::RecvDidComposite()' function in 'gfx/layers/ipc/CompositorBridgeChild.cpp' that is triggered when handling texture pools. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'nsViewManager::~nsViewManager()' function in 'view/nsViewManager.cpp' that is triggered as the PresShell object is not properly handled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'TLSFilterTransaction::Close()' function in 'netwerk/protocol/http/TunnelUtils.cpp' that is triggered as timers are not properly handled when a transaction is canceled. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'EventStateManager::DispatchCrossProcessEvent()' function in 'dom/events/EventStateManager.cpp' that is triggered when handling drag events. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered when handling properties of adopted nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'PropertyReadNeedsTypeBarrier()' function in 'jit/MIR.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A logic flaw exists in the 'IsMarkedBlack()' function in 'js/src/gc/Barrier.cpp' that is triggered during gray marking asserts. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when flushing and resizing the layout, which may cause the PresShell object to be freed while still in use. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'HttpBaseChannel::GetPerformance()' function in 'netwerk/protocol/http/HttpBaseChannel.cpp' that is triggered as navigations in cross-origin iframes are revealed. Using the Resource Timing API, this may allow a context-dependent attacker to gain access to cross-origin URL information.

Solution

Upgrade to Firefox ESR version 52.5 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-25

Plugin Details

Severity: High

ID: 700332

Family: Web Clients

Published: 2018/08/21

Updated: 2019/03/06

Dependencies: 9131

Nessus ID: 104637

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2017/11/14

Vulnerability Publication Date: 2017/10/25

Reference Information

CVE: CVE-2017-7826, CVE-2017-7828, CVE-2017-7830

BID: 101832