Google Chrome < 64.0.3282.119 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700352

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 64.0.3282.119, and is affected by multiple vulnerabilities:

- An integer overflow condition exists in the 'Runtime_RegExpReplace()' function in 'runtime/runtime-regexp.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the 'JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid()' function in 'interpreter/bytecode-array-accessor.cc' that is triggered when accessing a bytecode jump table. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw exists in the 'parse_opus_ts_header()' function in 'libavcodec/opus_parser.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw exists in the 'WebUsbDetector::OnDeviceAdded()' function in 'usb/web_usb_detector.cc' that is triggered when displaying RTL languages in WebUSB notifications. This may allow a context-dependent attacker to cause the URL to be somewhat improperly displayed.
- An assertion flaw exists in the 'DateFormat::format()' function that is triggered when handling NaN and Infinity dates. This may allow a context-dependent attacker to cause a process linked against the library to terminate.
- A flaw exists as it does not properly limit certain problematic characters (e.g. Malayalam U+0D1F letters) before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can more easily spoof an omnibox address.
- A flaw exists in the 'NavigationControllerImpl::RendererDidNavigateToExistingPage()' function in 'frame_host/navigation_controller_impl.cc' that is triggered when managing SSL state while navigating to an existing insecure page that redirected to a secure page. This may allow a context-dependent attacker to cause the SSL state to be lost.
- A flaw exists in the 'TopSitesImpl::SetTopSites()' function in 'components/history/core/browser/top_sites_impl.cc' that is triggered as clearing all browsing data retains page thumbnails in New Tab Page. This may allow a local attacker to disclose visited pages even when such information should have been deleted.
- A flaw exists that is triggered when handling IP addresses from mDNS / cast channel requests. This may allow an attacker to gain unauthorized access to a cast device.
- An out-of-bounds read flaw exists in the 'TemplateURLParsingContext::ProcessURLParams()' function in 'components/search_engines/template_url_parser.cc' that is triggered when handling invalid template URLs. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists that is triggered when handling frames. This may allow a context-dependent attacker to bypass HTML sandbox restrictions.
- A flaw exists in the 'Event::Deserialize()' function in 'mojo/edk/system/ports/event.cc' that is triggered when calculating mojo event message data sizes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A type confusion flaw exists in the 'JSBuiltinReducer::ReduceObjectCreate()' function in 'compiler/js-builtin-reducer.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An overflow condition exists that is triggered when handling bitstream audio in the IPC layer. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An optimization flaw exists in the 'RepresentationSelector::VisitNode()' function in 'compiler/simplified-lowering.cc' that is triggered when handling the IrOpcode::kStoreField and IrOpcode::kStoreElement simplified operators. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the catalog mojo service that is triggered as bindings to the 'filesystem::mojom::Directory' interface are added and initialized with the module directory. This may allow a context-dependent attacker to bypass the sandbox restrictions.
- An integer overflow condition exists that is triggered as certain input is not properly validated when handling PropertyArray objects. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A double-destruction flaw exists in 'core/SkBlitter.cpp' that is triggered when handling Sk3DShaderContext-wrapped objects. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'TranslatedState::MaterializeCapturedObjectAt()' function in 'deoptimizer.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An integer overflow condition exists in the 'CPDF_ShadingPattern::Load()' function in 'core/fpdfapi/page/cpdf_shadingpattern.cpp' that is triggered as certain input is not properly validated when handling shading patterns. With a specially crafted PDF file, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.
- A flaw exists related to the rewritable expressions scope handling. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'Document::open()' function in 'dom/Document.cpp'. This may allow a context-dependent attacker to bypass the referrer policy.
- A flaw exists in 'browser/ui/views/permission_bubble/permission_prompt_impl.cc' that is triggered when handling overly long URLs. This may allow a context-dependent attacker to more easily spoof other origins in the permission bubble title.
- A flaw exists in the 'XSSAuditor::Init()' function in 'html/parser/XSSAuditor.cpp' that is triggered as XSS audit reports URLs are not restricted to the same origin. This may allow a context-dependent attacker to potentially disclose referrer information.
- A flaw exists in the 'SecurityPolicy::ReferrerPolicyFromString()' function in 'platform/weborigin/SecurityPolicy.cpp' that is triggered when handling a legacy 'none' referrer policy. This may allow a context-dependent attacker to disclose referrer information against the intended referrer policy.
- A use-after-free error exists in the 'PDFiumEngine::HandleEvent()' function in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling page unloading. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the autofill feature that is triggered due to insufficient user gesture requirements. This may allow a context-dependent attacker to potentially disclose autocomplete data.
- A flaw exists as it does not restrict use of a dotless i (U+0131) followed by a combining mark before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can somewhat spoof an omnibox address.
- A flaw exists in the 'Document::InitContentSecurityPolicy()' function in 'dom/Document.cpp'. The issue is triggered when inheriting the CSP from a parent document to a local-scheme CSP, as it may not get propagated to the PlzNavigate CSP. This may allow a context-dependent attacker to bypass the content security policy (CSP).
- A flaw exists in the shared worker functionality. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw exists as it does not properly limit certain problematic characters (e.g. Cyrillic letters) before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an omnibox address.
- An integer underflow condition exists in the 'DecodeCustomSections()' function in 'wasm/module-decoder.cc' that is triggered when handling custom sections. This may allow a context-dependent attacker to potentially disclose memory contents.
- An out-of-bounds read flaw exists in the WebGL component that is triggered as certain input is not properly validated when handling 2D/3D textures. This may allow a context-dependent attacker to potentially disclose memory contents.
- A flaw exists in 'content/browser/frame_host/render_frame_host_manager.cc' that is triggered when handling endless loops of JavaScript cross-process navigations. With a specially crafted web page, a context-dependent attacker can spoof the URL.
- An integer overflow condition exists in 'modules/webgl/WebGLRenderingContextBase.cpp' that is triggered when handling image sizes. This may allow a context-dependent attacker to cause an out-of-bounds read and potentially disclose memory contents.
- A race condition exists in the download manager component. The issue is triggered when opening downloaded files, as one download may overwrite another completed download, so that the new download is opened when the user intends to open the old one. This may allow a context-dependent attacker to execute arbitrary code.
- A flaw exists that allows a privileged cross-site scripting (XSS) attack. This flaw exists because the 'SanitizeFrontendURL()' function in 'browser/devtools/devtools_ui_bindings.cc' does not properly sanitize input. This may allow a malicious extension to execute arbitrary script code with elevated privileges.
- A flaw exists in the 'WebGLRenderingContextBase::ValidateHTMLImageElement()' function in 'modules/webgl/WebGLRenderingContextBase.cpp' that is triggered when handling image elements containing blocked cross-origin data. This may allow a context-dependent attacker to disclose the full URL of a blocked cross-origin resource.
- A flaw exists that is triggered as the DevTools frontend is insufficiently isolated from the webRequest API by allowing extensions to modify chrome-devtools://devtools/remote/. This may allow a malicious extension to observe requests and read arbitrary data from local files and websites.
- A flaw exists that is triggered as the DevTools frontend is insufficiently isolated from the webRequest API by manipulating chrome-devtools://devtools. This may allow a malicious extension to observe requests for remote DevTools frontends.
- A flaw exists that allows conducting a cross-site scripting (XSS) attack, as the DevTools frontend does not validate certain input before returning it to users. This may allow a context-dependent attacker to execute arbitrary script code within the trust relationship between the browser and a web server.
- A flaw exists in the 'ExternalProtocolHandler::LaunchUrlWithDelegate()' function in 'browser/external_protocol/external_protocol_handler.cc' related to insufficient escaping with external URL handlers. This may allow a context-dependent attacker to inject command-line arguments into programs launched by invoking a URL handler.
- An overflow condition exists in the 'Calendar::operator=()' operator in 'i18n/calendar.cpp' that is triggered as certain input is not properly validated when handling locales. This may allow a context-dependent attacker to cause a buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw exists in 'crypto/bn/asm/rsaz-avx2.pl' within the AVX2 Montgomery multiplication procedure (rsaz_1024_mul_avx2 used in exponentiation with 1024-bit moduli). The issue is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially derive information regarding private keys.
- A flaw exists that is triggered when handling history navigations. This may allow a context-dependent attacker to spoof an omnibox URL.
- An out-of-bounds read flaw exists in the 'usbhid_parse()' function in 'drivers/hid/usbhid/hid-core.c' that is triggered during the handling of a specially crafted system call. This may allow a local attacker to crash the system.
- A use-after-free error exists in 'sound/core/seq_device.c'. The issue is triggered when handling a specially crafted system call. This may allow a local attacker to dereference already freed memory and crash the system.
- A flaw exists in 'drivers/uwb/uwbd.c' that is triggered during the handling of a specially crafted system call. This may allow a local attacker to cause a denial of service.
- A use-after-free error exists in the 'usb_console_setup()' function in 'drivers/usb/serial/console.c' that is triggered when a USB serial console setup fails. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- A use-after-free error exists in the 'usb_serial_console_disconnect()' function in 'drivers/usb/serial/console.c' that is triggered when handling USB devices. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- An out-of-bounds read flaw exists in the USB Attached SCSI driver that is triggered when handling alternate settings. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- An invalid read flaw exists in 'drivers/media/usb/dvb-usb-v2/lmedm04.c' that is triggered during tuner configuration. With a specially crafted USB device, a physically present attacker can crash the kernel, resulting in a denial of service.
- A NULL pointer dereference flaw exists in the 'get_endpoints()' function in 'drivers/usb/misc/usbtest.c' that is triggered when handling devices with an IN bulk endpoint but
- An out-of-bounds read flaw exists in the 'usb_parse_configuration()' function in 'drivers/usb/core/config.c' that is triggered when handling a specially crafted USB interface
- An out-of-bounds read flaw exists in the 'snd_usb_create_streams()' function in 'sound/usb/card.c' that is triggered when a USB-audio device receives a specially crafted buffer descriptor. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- An out-of-bounds read flaw exists in the 'cdc_parse_cdc_header()' function in 'drivers/usb/core/message.c' that is triggered when handling very small descriptor buffer lengths. This may allow a local attacker to crash the system.
- A NULL pointer dereference flaw exists in the 'imon_probe()' function in 'drivers/media/rc/imon.c' that is triggered when handling USB API calls. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- An out-of-bounds read flaw exists in the 'usb_get_bos_descriptor()' function in 'drivers/usb/core/config.c' that is triggered when handling Binary Device Object Store (BOS) descriptors. This may allow a local attacker to crash the kernel, resulting in a denial of service.
- A use-after-free error exists in the 'snd_usb_mixer_disconnect()' function in 'sound/usb/mixer.c' that is triggered when handling USB Request Blocks (URB). This may allow a local attacker to crash the kernel or potentially execute arbitrary code with elevated privileges.

Solution

Upgrade to Chrome version 64.0.3282.119 or later.

See Also

http://www.nessus.org/u?26e44d0b

https://spectreattack.com

Plugin Details

Severity: High

ID: 700352

Family: Web Clients

Published: 2018/08/23

Updated: 2019/03/06

Dependencies: 4645

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 5.8

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2018/01/24

Vulnerability Publication Date: 2017/10/16

Reference Information

CVE: CVE-2017-3738, CVE-2018-6031, CVE-2018-6032, CVE-2018-6033, CVE-2018-6034, CVE-2018-6035, CVE-2018-6036, CVE-2018-6037, CVE-2018-6038, CVE-2018-6039, CVE-2018-6040, CVE-2018-6041, CVE-2018-6042, CVE-2018-6043, CVE-2018-6045, CVE-2018-6046, CVE-2018-6047, CVE-2018-6048, CVE-2018-6049, CVE-2018-6050, CVE-2018-6051, CVE-2018-6052, CVE-2018-6053, CVE-2018-6055, CVE-2017-15420, CVE-2017-16525, CVE-2017-16526, CVE-2017-16527, CVE-2017-16528, CVE-2017-16529, CVE-2017-16530, CVE-2017-16531, CVE-2017-16532, CVE-2017-16533, CVE-2017-16534, CVE-2017-16535, CVE-2017-16537, CVE-2017-16538

BID: 102028, 102118, 102797