Google Chrome < 64.0.3282.119 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700352
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 64.0.3282.119, and is affected by multiple vulnerabilities :

- An integer overflow condition exists in the 'Runtime_RegExpReplace()' function in 'runtime/runtime-regexp.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the 'JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid()' function in 'interpreter/bytecode-array-accessor.cc' that is triggered when accessing a bytecode jump table. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw exists in the 'parse_opus_ts_header()' function in 'libavcodec/opus_parser.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw exists in the 'WebUsbDetector::OnDeviceAdded()' function in 'usb/web_usb_detector.cc' that is triggered when displaying RTL languages in WebUSB notifications. This may allow a context-dependent attacker to cause the URL to be somewhat improperly displayed.- An assertion flaw exists in the 'DateFormat::format()' function that is triggered when handling Nan and Infinity dates. This may allow a context-dependent attacker to cause a process linked against the library to terminate.
- A flaw exists as it does not properly limit certain problematic characters 'e.g'. Malaylam U+0D1F letters before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can more easily spoof an omnibox address.
- A flaw exists in the 'NavigationControllerImpl::RendererDidNavigateToExistingPage()' function in 'frame_host/navigation_controller_impl.cc' that is triggered when managing SSL state while navigating to an existing insecure page that redirected to a secure page. This may allow a context-dependent attacker to cause the SSL state to be lost.
- A flaw exists in the 'TopSitesImpl::SetTopSites()' function in 'components/history/core/browser/top_sites_impl.cc' that is triggered as clearing all browsing data retains page thumbnails in New Tab Page. This may allow a local attacker to disclose visited pages even when such information should have been deleted.
- A flaw exists that is triggered when handling IP addresses from mDNS / cast channel requests. This may allow an attacker to gain unauthorized access to a cast device.
- An out-of-bounds read flaw exists in the 'TemplateURLParsingContext::ProcessURLParams()' function in 'components/search_engines/template_url_parser.cc' that is triggered when handling invalid template URLs. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists that is triggered when handling frames. This may allow a context-dependent attacker to bypass HTML sandbox restrictions.
- A flaw exists in the 'Event::Deserialize()' function in 'mojo/edk/system/ports/event.cc' that is triggered when calculating mojo event message data sizes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'JSBuiltinReducer::ReduceObjectCreate()' function in 'compiler/js-builtin-reducer.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An overflow condition exists that is triggered when handling bitstream audio in the IPC layer.

Solution

Upgrade to Chrome version 64.0.3282.119 or later.

See Also

http://www.nessus.org/u?26e44d0b

https://spectreattack.com

http://www.nessus.org/u?26e44d0b,https://spectreattack.com

Plugin Details

Severity: High

ID: 700352

Family: Web Clients

Published: 8/23/2018

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Patch Publication Date: 1/24/2018

Vulnerability Publication Date: 10/16/2017

Reference Information

CVE: CVE-2017-16534, CVE-2017-16538, CVE-2017-16525, CVE-2017-16527, CVE-2017-16529, CVE-2017-16531, CVE-2017-16535, CVE-2017-16537, CVE-2017-3738, CVE-2017-16533, CVE-2017-16528, CVE-2017-16526, CVE-2017-16530, CVE-2017-16532, CVE-2017-15420, CVE-2018-6031, CVE-2018-6032, CVE-2018-6033, CVE-2018-6034, CVE-2018-6035, CVE-2018-6036, CVE-2018-6037, CVE-2018-6038, CVE-2018-6039, CVE-2018-6040, CVE-2018-6041, CVE-2018-6042, CVE-2018-6043, CVE-2018-6045, CVE-2018-6046, CVE-2018-6047, CVE-2018-6048, CVE-2018-6049, CVE-2018-6050, CVE-2018-6051, CVE-2018-6052, CVE-2018-6053, CVE-2018-6055

BID: 102118, 102028, 102797