Google Chrome < 62.0.3202.62 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700346

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 62.0.3202.62, and is affected by multiple vulnerabilities:

- A flaw exists in the 'JSNativeContextSpecialization::ExtractReceiverMaps()' function in 'compiler/js-native-context-specialization.cc' that is triggered when looking for root maps. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A use-after-free error exists in the CPDF_Document class that is triggered when parsing PDF documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the download observer class that is triggered when handling downloaded items. This may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds read flaw exists in the 'TextRunHarfBuzz::GetClusterAt()' function in 'ui/gfx/render_text_harfbuzz.cc' that is triggered when handling glyph maps. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists in the 'AsmJs::InstantiateAsmWasm()' function in 'asmjs/asm-js.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in 'devtools/front_end/inspector.html' that is triggered when handling DevTools links. This may allow a context-dependent attacker to disclose referrer information.
- An out-of-bounds read flaw exists related to the lcms fast floor function configuration. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A use-after-free error exists in the content_shell component that is triggered when handling URLRequestContext object destruction. This may allow a context-dependent attacker to dereference already freed memory and have an unspecified impact.
- A flaw exists in the 'MarkupFormatter::AppendQuotedURLAttributeValue()' function in 'editing/serializers/MarkupFormatter.cpp' related to transparent removal of certain white-space characters in certain contexts of HTML elements. This may allow a context-dependent attacker to conduct a mutation cross-site scripting (mXSS) attack.
- A flaw exists that is triggered as it is possible for a renderer to send a ViewHostMsg_ShowValidationMessage request to display a form validation bubble over an omnibox. This may allow a context-dependent attacker to spoof web page contents.
- A race condition exists in 'frame_host/navigation_controller_impl.cc' that is triggered when handling frame navigations. With a specially crafted web page, a context-dependent attacker can potentially execute arbitrary code.
- An out-of-bounds access flaw exists that is triggered when handling trap handlers. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists as it does not properly limit certain problematic characters (e.g. dot above, U+0307) after certain characters before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an omnibox address.
- An infinite loop condition exists in the 'DoReplaceSubstringsAfterOffset()' function template in 'base/strings/string_util.cc' that is triggered when handling specially crafted strings. This may allow a context-dependent attacker to cause the process to hang.
- An out-of-bounds read flaw exists in the 'nt::QueryRegValueSZ()' function in 'chrome_elf\nt_registry\nt_registry.cc' that is triggered when handling registry keys that are not NULL terminated. This may allow a local attacker to disclose potentially sensitive memory contents.
- A flaw exists related to the holding of compositor locks that results in content not being cleared. This may allow a context-dependent attacker to spoof the URL of an omnibox.
- A flaw exists in the 'CreateWindow()' function in 'core/page/CreateWindow.cpp' that is triggered when handling javascript URLs. This may allow a context-dependent attacker to bypass the content security policy (CSP).
- An out-of-bounds read flaw exists in the 'SkPathRef::Iter::setPathRef()' function in 'core/SkPathRef.cpp' that is triggered when handling iterations through non-finite points. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An off-by-one flaw exists in the 'TIFF_PredictLine()' function in 'core/fxcodec/codec/fx_codec_flate.cpp' that is triggered as certain input is not properly validated when handling TIFF image flate decoding. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A signedness flaw exists in the 'allocObject()' function in 'core/SkArenaAlloc.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the WebAssembly functionality related to incorrect stack manipulation. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A race condition exists in the 'WebContentsImpl::CreateNewWindow()' function in 'web_contents/web_contents_impl.cc'. The issue is triggered when handling switches to fullscreen mode and popups. This may allow a context-dependent attacker to spoof the UI and conduct phishing attacks.
- A use-after-free error exists in the 'ScriptProcessorHandler::Process()' function in 'modules/webaudio/ScriptProcessorNode.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An overflow condition exists in the WebGL functionality that is triggered in certain cases when handling invalid format/type combinations during texture uploading. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the 'CFFL_InteractiveFormFiller::OnBeforeKeyStroke()' function in 'fpdfsdk/formfiller/cffl_interactiveformfiller.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'CPWL_Edit::OnKillFocus()' function in 'fpdfsdk/pwl/cpwl_edit.cpp'. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An integer overflow condition exists in the 'SkMaskBlurFilter::blur()' function in 'core/SkMaskBlurFilter.cpp' that is triggered as certain input is not properly validated when handling blur filtering. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library and potentially allowing the execution of arbitrary code.
- A flaw exists that allows a universal cross-site scripting (UXSS) attack. This flaw exists because sandbox flags are not properly set on documents transformed by XSLT. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and a server.
- A flaw exists in the 'ImageCapture::SetMediaTrackConstraints()' function in 'modules/imagecapture/ImageCapture.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash the browser.

Solution

Upgrade to Chrome version 62.0.3202.62 or later.

See Also

http://www.nessus.org/u?441fea3d

Plugin Details

Severity: High

ID: 700346

Family: Web Clients

Published: 2018/08/23

Updated: 2019/03/06

Dependencies: 4645

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2017/10/13

Vulnerability Publication Date: 2017/04/19

Reference Information

CVE: CVE-2017-5124, CVE-2017-5125, CVE-2017-5126, CVE-2017-5127, CVE-2017-5128, CVE-2017-5129, CVE-2017-5131, CVE-2017-5132, CVE-2017-5133, CVE-2017-15386, CVE-2017-15387, CVE-2017-15388, CVE-2017-15389, CVE-2017-15390, CVE-2017-15392, CVE-2017-15393, CVE-2017-15395

BID: 101482