Google Chrome < 63.0.3239.84 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700351

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 63.0.3239.84, and is affected by multiple vulnerabilities:

- An out-of-bounds read flaw exists in the 'StoreFrame()' function in 'demux/demux.c' that is triggered when handling animated WebP images with small frames. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw exists related to cache storage. This may allow a context-dependent attacker to disclose service worker response sizes.
- An out-of-bounds read flaw exists that is triggered when rendering the P4_INTARRAY argument to the OP_IntegrityCk opcode in the output of EXPLAIN. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw exists in 'net/dns/dns_transaction.cc' that is triggered when handling asynchronous DNS exchanges. With specially crafted DNS responses, a context-dependent attacker can potentially disclose memory contents.
- A flaw exists in the 'PreParser::RewriteCatchPattern()' function in 'parsing/preparser.h' that is triggered as catch variables are not properly handled during block function hoisting. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'MediaElementEventListener::handleEvent()' function in 'modules/mediacapturefromelement/HTMLMediaElementCapture.cpp' that is triggered when handling media streams. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists that is triggered when handling calls to the 'Reflect.construct()' JavaScript method. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in 'chrome/android/java/src/org/chromium/chrome/browser/omnibox/UrlBar.java' and 'chrome/android/java/src/org/chromium/chrome/browser/toolbar/ToolbarPhone.java' that is triggered when handling omnibox URL eliding / positioning. This may allow a context-dependent attacker to conduct a spoofing attack.
- A type confusion flaw exists in the 'TranslatedState::CapturedObjectMaterializer()' function in 'deoptimizer.cc' that is triggered when mutable heap numbers are used in an object field. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in 'chrome/browser/resources/chromeos/login/oobe_screen_terms_of_service.js' that is triggered as content from the web is loaded within the privileged WebUI process when displaying the Terms of Service text. This may allow a context-dependent attacker to potentially execute code with elevated privileges.
- An overflow condition exists in the 'InputScalesValid()' function in 'browser/themes/browser_theme_pack.cc' that is triggered as certain input is not properly validated when handling browser theme packs. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
- A type confusion flaw exists in the 'AXARIAGrid::AddRow()' function in 'modules/accessibility/AXARIAGrid.cpp' that is triggered when handling table rows. This may allow a context-dependent attacker to execute arbitrary code.
- An overflow condition exists in 'core/fxcodec/codec/fx_codec_jpx_opj.cpp' that is triggered as improper allocate and free functions of OpenJPEG are used. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists in the 'OmniboxViewViews::OnDrop()' function in 'chrome/browser/ui/views/omnibox/omnibox_view_views.cc' that allows a cross-site scripting (self-XSS) attack. This flaw exists because the function does not properly validate text dropped in an omnibox before displaying it to users. This may allow a user to execute arbitrary script code in their own browser.
- Multiple flaws exist that are triggered as the script mixing policy permits mixing Latin-ASCII and certain non-Latin scripts. These may allow a context-dependent attacker to spoof an omnibox URL.
- A flaw exists in the 'SPAKE2_generate_msg()' function in 'crypto/curve25519/spake25519.c' that is triggered when reducing the password scalar in SPAKE2. This may allow a context-dependent attacker to disclose up to three bits of a password from a message.
- An integer overflow condition exists in the 'PersianCalendar::handleComputeFields()' function in 'i18n/persncal.cpp' that is triggered when handling Persian calendars. This may allow a context-dependent attacker to cause an out-of-bounds read, crashing a process linked against the library or disclosing arbitrary memory contents.
- A flaw exists that is triggered when handling subframe navigations. This may allow a context-dependent attacker to disclose cross-origin redirect URLs.
- An out-of-bounds read flaw exists in the 'BlobStorageContext::BlobFlattener::BlobFlattener()' function in 'storage/browser/blob/blob_storage_context.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists in 'content/browser/sandbox_ipc_linux.cc' and 'content/zygote/zygote_main_linux.cc' related to unsafe serialization of a time structure when handling IPC calls. This may allow a context-dependent attacker to disclose certain information.
- A type confusion flaw exists in 'compiler/wasm-compiler.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'xmlXPathCompOpEvalPositionalPredicate()' function in 'xpath.c' related to the XPath stack frame logic. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'CPWL_Wnd::SetVisible()' function in 'fpdfsdk/pwl/cpwl_wnd.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when setting focus on a widget. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'SkMask::AllocImage()' function in 'core/SkMask.cpp' that is triggered when allocating memory. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An out-of-bounds write flaw exists in the 'QuicStreamSequencerBuffer::OnStreamData()' function in 'net/quic/core/quic_stream_sequencer_buffer.cc' that is triggered as certain input is not properly validated when handling received stream data. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

Solution

Upgrade to Chrome version 63.0.3239.84 or later.
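The check this plugin performs reduces to a numeric, component-wise comparison of an observed Chrome version against 63.0.3239.84. The following is an added example (not Tenable's plugin code) of that comparison applied to User-Agent strings, which is where a passive monitor typically sees the browser version. The sample User-Agent strings are constructed; the regular expression and the treatment of short version strings are this example's own choices.

```python
"""Version check for Chrome < 63.0.3239.84 (added example, not plugin code).

Compares an observed Chrome version string against the fixed version the
plugin names, with the edge cases a passive check has to get right:
numeric (not lexical) ordering and version strings with fewer than four
components.  The User-Agent samples below are constructed.
"""
from __future__ import annotations

import re

FIXED_VERSION = "63.0.3239.84"

# Chrome and Chromium announce themselves as "Chrome/<major>.<minor>.<build>.<patch>".
# Edge and Opera also carry a Chrome/ token; callers who want only real Chrome
# should additionally exclude "Edg/" and "OPR/" (not done here).
_CHROME_UA_RE = re.compile(r"\bChrom(?:e|ium)/(\d+(?:\.\d+){0,3})\b")

# Constructed sample User-Agent strings for the usage below.
SAMPLE_UAS = {
    "old": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
    "fixed": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
    "newer": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) "
               "Gecko/20100101 Firefox/57.0",
}


def parse_version(ver: str) -> tuple[int, ...]:
    """Turn '63.0.3239.84' into (63, 0, 3239, 84); reject anything but dotted digits."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", ver):
        raise ValueError(f"not a dotted numeric version: {ver!r}")
    return tuple(int(part) for part in ver.split("."))


def version_lt(observed: str, fixed: str) -> bool:
    """True if observed is older than fixed.

    Components are compared as integers, so 9.x sorts before 63.x (a plain
    string comparison would get this wrong).  Missing trailing components
    are treated as 0, so '63.0' is read as 63.0.0.0, which predates the fix.
    """
    a, b = parse_version(observed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b  # tuple comparison is component-wise and numeric


def chrome_version_from_ua(user_agent: str) -> str | None:
    """Extract the Chrome/Chromium version from a User-Agent, or None if absent."""
    match = _CHROME_UA_RE.search(user_agent)
    return match.group(1) if match else None


def is_vulnerable(user_agent: str) -> bool | None:
    """None if no Chrome version is present; otherwise whether it predates the fix."""
    ver = chrome_version_from_ua(user_agent)
    if ver is None:
        return None
    return version_lt(ver, FIXED_VERSION)


def scan_user_agents(uas: dict[str, str]) -> dict[str, bool | None]:
    """Apply the check to a batch of labelled User-Agent strings."""
    return {label: is_vulnerable(ua) for label, ua in uas.items()}


if __name__ == "__main__":
    for label, verdict in scan_user_agents(SAMPLE_UAS).items():
        print(f"{label:8s} -> {'vulnerable' if verdict else 'not flagged' if verdict is False else 'no Chrome version'}")
```

Only the Chrome build seen in traffic is compared; a host running a patched Chrome while an unpatched Chromium-based browser is also present would still be flagged by that browser's own User-Agent, which is the intended behaviour for a passive check.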

See Also

http://www.nessus.org/u?98a7b4bd

Plugin Details

Severity: High

ID: 700351

Family: Web Clients

Published: 2018/08/23

Updated: 2019/03/06

Dependencies: 4645

Nessus ID: 106485, 106486

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2017/10/05

Vulnerability Publication Date: 2017/10/05

Reference Information

CVE: CVE-2017-15407, CVE-2017-15408, CVE-2017-15409, CVE-2017-15410, CVE-2017-15411, CVE-2017-15412, CVE-2017-15413, CVE-2017-15415, CVE-2017-15416, CVE-2017-15417, CVE-2017-15418, CVE-2017-15419, CVE-2017-15422, CVE-2017-15423, CVE-2017-15424, CVE-2017-15425, CVE-2017-15426, CVE-2017-15427

BID: 102098