Google Chrome < 61.0.3163.79 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700345

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 61.0.3163.79, and is affected by multiple vulnerabilities :

- A use-after-free flaw exists in WebAssembly that is triggered when async compilation is enabled. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists that is triggered when handling the 'ExternalInterface.'addCallback'()' ActionScript method, as it works across isolated worlds. This may allow a context-dependent attacker to bypass intended security restrictions.
- A double-free condition exists in the 'celt_header()' function in 'libavformat/oggparsecelt.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially execute arbitrary code.
- A use-after-poison flaw exists in the 'LocalFrameView::ForAllNonThrottledLocalFrameViews()' function in 'frame/LocalFrameView.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that is triggered when handling maximum stack space exceeded exceptions in the WritableStream and
- An flaw exists in the SSLCommonNameMismatchHandling feature that is triggered during redirect navigation and may result in using an HTTP URL. This may allow a MitM attacker to disclose the path of the original HTTPS URL.
- A flaw exists in the 'SkArithmeticImageFilter::Make()' function related to use of uninitialized memory. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists that is triggered as the Content Security Policy (CSP) is not inherited when inheriting the security origin during main window navigation. This may allow a context-dependent attacker to bypass the Content Security Policy.
- A flaw exists in the 'SkPathMeasure::getLength()' function in 'core/SkPathMeasure.cpp' related to use of uninitialized memory. This may allow a context-dependent attacker to crash a process linked against the library or potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'GetFirstArgumentAsBytes()' function in '/wasm/wasm-js.cc' that is triggered when processing WebAssembly code. This may allow a context-dependent attacker to manipulate memory content and execute arbitrary code.
- A type confusion flaw exists in the 'VirtualObject::MergeFields()' function in 'compiler/escape-analysis.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitary code.
- A flaw exists in 'core/fxcodec/codec/fx_codec_jpx_opj.cpp' that is triggered when management memory lifecycles. This may allow an context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists in the SkArenaAlloc class in 'core/SkArenaAlloc.cpp' that is triggered when allocating memory. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing to execute arbitrary code.
- An overflow condition exists in the WebGL component that is triggered as certain input is not properly validated when handling ES3 pixel pack parameters. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the handling of CPWL_Wnd objects. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

Solution

Upgrade to Chrome version 61.0.3163.79 or later.

See Also

http://www.nessus.org/u?67b28931

Plugin Details

Severity: High

ID: 700345

Family: Web Clients

Published: 2018/08/23

Updated: 2019/03/06

Dependencies: 4645

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2017/09/05

Vulnerability Publication Date: 2017/09/05

Reference Information

CVE: CVE-2017-5111, CVE-2017-5112, CVE-2017-5113, CVE-2017-5114, CVE-2017-5115, CVE-2017-5116, CVE-2017-5117, CVE-2017-5118, CVE-2017-5119, CVE-2017-5120

BID: 100610