Google Chrome < 66.0.3359.117 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700356

Synopsis

The remote host is running a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 66.0.3359.117 and is affected by multiple vulnerabilities:

- A flaw exists in the 'DevToolsDownloadManagerDelegate::OnDownloadPathGenerated()' function in 'devtools/protocol/devtools_download_manager_delegate.cc' that is triggered when handling downloads. This may allow a malicious extension to write to arbitrary files and bypass the dangerous file check.
- A flaw exists in Oilpan during the handling of heap objects. This may allow an attacker to bypass the heap object integrity checks.
- A flaw exists in the 'MultipartImageResourceParser::ParseHeaders()' function in 'core/loader/resource/MultipartImageResourceParser.cpp' that is triggered when handling multipart image responses. This may allow a context-dependent attacker to bypass cross-origin resource sharing (CORS) configurations.
- An out-of-bounds read flaw exists in the 'Merge::Downsample()' function in 'modules/audio_coding/neteq/merge.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to disclose memory contents.
- A flaw exists that is triggered when handling opaque responses for WebVTT in service workers. This may allow a context-dependent attacker to bypass the cross-origin resource sharing (CORS) configurations.
- A flaw exists that is triggered as service workers do not handle media element requests properly. This may allow a context-dependent attacker to bypass the same origin policy.
- A flaw exists that is triggered when handling plug-ins via service workers. This may allow a context-dependent attacker to bypass the same origin policy.
- A use-after-free error exists that is triggered when handling paint layers during scroll updates. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'DeviceMediaToMojoAdapter::Start()' function in 'services/video_capture/device_media_to_mojo_adapter.cc' that is triggered during a Mojo connection error. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists as the password saving and autofill setting labels are misleading in the application settings. This may result in passwords still being automatically filled although the user has disabled all related settings.
- A flaw exists in the 'ImageLoader::DoUpdateFromElement()' function in 'core/loader/ImageLoader.cpp' that is triggered as the request context is not properly handled when an image is requested. This may allow a context-dependent attacker to bypass the same origin policy.
- A flaw exists in Navigation that is triggered when handling pending item URLs. This may allow a context-dependent attacker to spoof the URL.
- A MIME type sniffing flaw exists that is triggered when handling files using the file protocol handler. This may allow a context-dependent attacker to cause the browser to interpret and render a file using a content type other than the intended content type.
- A flaw exists that is triggered as FileAPI does not check the modification time of files selected in 'input' elements. This may allow a context-dependent attacker to gain access to potentially sensitive information in changes to the file, applied after selection.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks (U+0454). With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists in the 'SetState()' function in 'content/browser/renderer_host/media/media_stream_manager.cc' that is triggered as certain stream types are not properly handled. This may allow a context-dependent attacker to spoof the Permissions UI.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists in the 'ServerWrapper::OnHttpRequest()' function in 'content/browser/devtools/devtools_http_handler.cc' that is triggered as the HTTP Host header is not properly validated when connecting over RDP. This may allow a remote attacker to gain unauthorized access to the debugging protocol in DevTools.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A race condition exists that is triggered when transitioning to fullscreen mode. This may allow a context-dependent attacker to spoof the UI.
- A flaw exists that is triggered when handling JavaScript 'window.focus()' invocations in fullscreen mode. This may allow a context-dependent attacker to spoof the UI.
- A flaw exists in the UI that is triggered when handling uploads of directories. This may allow a context-dependent attacker to trick a user into inadvertently uploading files.
- An integer overflow condition exists in the 'DecodeLocals()' function in 'wasm/function-body-decoder-impl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'MimeHandlerViewContainer::OnReady()' function in 'extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc' that is triggered as service workers are not handled properly when processing plugin resource requests. This may allow a context-dependent attacker to bypass the same origin policy.
- A use-after-free error exists in the 'PDFiumEngine::GetVisiblePageIndex()' function in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling visible pages. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'GrowMemoryBuffer()' function in 'wasm/wasm-objects.cc' that is triggered when handling WebAssembly backing stores. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'MemBackendImpl::EvictIfNeeded()' function in 'net/disk_cache/memory/mem_backend_impl.cc' that is triggered when handling LRU list entries. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'BackendImpl::OnEntryDestroyEnd()' function in 'net/disk_cache/blockfile/backend_impl.cc' that is triggered when handling disk caches. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An overflow condition exists in the 'AAHairlineOp::onPrepareDraws()' function in 'gpu/ops/GrAAHairLinePathRenderer.cpp' that is triggered as certain input is not properly validated when computing hairline path vertex counts. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- An out-of-bounds read flaw exists in the 'xmlParseNCNameComplex()' function in 'parser.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.

Solution

Upgrade to Chrome version 66.0.3359.117 or later.
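A defender-side check against the fixed version above, added here as an example and not the plugin's own detection logic; the inventory lines and hostnames are constructed. It compares the four version components numerically, since a plain string comparison would rank 66.0.3359.99 above 66.0.3359.117.

```python
"""Chrome version check for the 66.0.3359.117 fix (added example, not Nessus plugin code)."""
from __future__ import annotations
import re

FIXED_VERSION = "66.0.3359.117"   # fixed version from the Solution section above

# Chrome versions are exactly four dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '66.0.3359.117' into (66, 0, 3359, 117); reject anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build (tuple compare is numeric)."""
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory: "<host> <chrome version>" per line (hypothetical hosts).
SAMPLE_INVENTORY = """\
ws-01 65.0.3325.181
ws-02 66.0.3359.117
ws-03 66.0.3359.99
ws-04 67.0.3396.62
"""


def find_vulnerable_hosts(inventory: str) -> list[str]:
    """Return hostnames whose Chrome is older than FIXED_VERSION, in input order."""
    hits: list[str] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(maxsplit=1)
        if is_vulnerable(version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print(find_vulnerable_hosts(SAMPLE_INVENTORY))  # ['ws-01', 'ws-03']
```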

See Also

http://www.nessus.org/u?db76b488

Plugin Details

Severity: High

ID: 700356

Family: Web Clients

Published: 2018/08/23

Updated: 2019/03/06

Dependencies: 4645

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2018/04/17

Vulnerability Publication Date: 2017/02/15

Reference Information

CVE: CVE-2018-6085, CVE-2018-6086, CVE-2018-6087, CVE-2018-6088, CVE-2018-6089, CVE-2018-6090, CVE-2018-6091, CVE-2018-6092, CVE-2018-6093, CVE-2018-6094, CVE-2018-6095, CVE-2018-6096, CVE-2018-6097, CVE-2018-6098, CVE-2018-6099, CVE-2018-6100, CVE-2018-6101, CVE-2018-6102, CVE-2018-6103, CVE-2018-6104, CVE-2018-6105, CVE-2018-6106, CVE-2018-6107, CVE-2018-6108, CVE-2018-6109, CVE-2018-6110, CVE-2018-6111, CVE-2018-6112, CVE-2018-6113, CVE-2018-6114, CVE-2018-6115, CVE-2018-6116, CVE-2018-6117, CVE-2018-6152

BID: 103917