Mozilla Firefox ESR < 60.1 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700341

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox ESR earlier than 60.1 are unpatched for the following vulnerabilities:

- An out-of-bounds read flaw exists in the 'qcms_modular_transform_data()' function in 'chain.c' that is triggered when handling an invalid grid size during QCMS transformations. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists in 'dom/performance/PerformanceNavigationTiming.cpp' that is triggered as the Navigation APIs can be used as a precision timer. This may allow a context-dependent attacker to conduct timing attacks.
- A flaw exists in the 'nsLocalFile::IsExecutable()' function in 'xpcom/io/nsLocalFileWin.cpp', as 'settingcontent-ms' is not recognized as an executable file extension. This may allow a context-dependent attacker to more easily trick a user into opening a malicious file without a warning prompt being presented.
- A flaw exists in the WebExtension that is triggered as embedded experiments are not properly checked. This may allow a context-dependent attacker to bypass authorization mechanisms.
- An integer overflow flaw exists that is triggered as uninitialized memory is used when allocating memory for edge builders. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'ContentParent::RecvGetFilesRequest()' function in 'dom/ipc/ContentParent.cpp'. Combined with another vulnerability this may allow a context-dependent attacker to bypass the sandbox and enumerate file names.
- An overflow condition exists in the 'CanvasRenderingContext2D::SetDimensions()' function in 'dom/canvas/CanvasRenderingContext2D.cpp' that is triggered when handling '<canvas>' element dimensions. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the 'HTMLInputElement::Focus()' function in 'dom/html/HTMLInputElement.cpp' that is triggered when deleting input elements during a mutation event handler. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An integer overflow condition exists in 'gfx/2d/ssse3-scaler.c' within the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler that is triggered when handling graphics operations. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that is triggered when capturing a media stream and the media source type is changed. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists that is triggered when using scripts to perform mutations to move DOM nodes between documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists when handling 307 redirects as HTTP requests to NPAPI plugins do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.
- An unspecified flaw exists in 'netwerk/sctp/datachannel/DataChannel.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds access flaw exists in 'webrtc/modules/video_coding/rtp_frame_reference_finder.cc' that is triggered as certain input is not properly validated when handling VP9 missing frame processing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in 'js/src/gc/GC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'xpcom/ds/Observer.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'js/src/frontend/BytecodeEmitter.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GCMarker::markDelayedChildren()' function in 'js/src/gc/Marking.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'nsMozIconURI::Deserialize()' function in 'image/decoders/icon/nsIconURI.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered when managing physical audio devices. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'FromIPCSegment()' function in 'netwerk/base/nsStandardURL.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/base/StructuredCloneHolder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'JS::Rooted()' function in 'dom/xbl/nsXBLBinding.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/canvas/WebGLContextDraw.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/media/PeerConnection.js' that is triggered when handling ICE connection state changes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'hal/Hal.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

- Multiple vulnerabilities in the following may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code:
  - 'netwerk/sctp/datachannel/DataChannel.cpp'
  - 'xpcom/ds/Observer.h'
  - 'js/src/frontend/BytecodeEmitter.cpp'
  - 'nsMozIconURI::Deserialize()'
  - 'dom/base/StructuredCloneHolder.cpp'
  - 'dom/xbl/nsXBLBinding.cpp'
  - 'dom/canvas/WebGLContextDraw.cpp'
  - 'dom/media/PeerConnection.js'
  - 'hal/Hal.cpp'

Solution

Upgrade to Firefox ESR version 60.1 or later.

See Also

http://www.nessus.org/u?aa11dad9

Plugin Details

Severity: High

ID: 700341

Family: Web Clients

Published: 8/21/2018

Updated: 11/6/2019

Dependencies: 9131

Nessus ID: 110810

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Patch Publication Date: 6/26/2018

Vulnerability Publication Date: 11/29/2017

Reference Information

CVE: CVE-2018-12359, CVE-2018-12360, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12368, CVE-2018-5156, CVE-2018-5188, CVE-2018-12367, CVE-2018-12369, CVE-2018-12371, CVE-2018-5187

BID: 104246, 104555, 104556, 104558, 104560, 104561, 104562