Google Chrome < 66.0.3359.117 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700356

Synopsis

The remote host is utilizing a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 66.0.3359.117, and is affected by multiple vulnerabilities:

- A flaw exists in the 'DevToolsDownloadManagerDelegate::OnDownloadPathGenerated()' function in 'devtools/protocol/devtools_download_manager_delegate.cc' that is triggered when handling downloads. This may allow a malicious extension to write to arbitrary files and bypass the dangerous file check.
- A flaw exists in Oilpan during the handling of heap objects. This may allow an attacker to bypass the heap object integrity checks.
- A flaw exists in the 'MultipartImageResourceParser::ParseHeaders()' function in 'core/loader/resource/MultipartImageResourceParser.cpp' that is triggered when handling multipart image responses. This may allow a context-dependent attacker to bypass cross-origin resource sharing (CORS) configurations.
- An out-of-bounds read flaw exists in the 'Merge::Downsample()' function in 'modules/audio_coding/neteq/merge.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to disclose memory contents.
- A flaw exists that is triggered when handling opaque responses for WebVTT in service workers. This may allow a context-dependent attacker to bypass the cross-origin resource sharing (CORS) configurations.
- A flaw exists that is triggered as service workers do not handle media element requests properly. This may allow a context-dependent attacker to bypass the same origin policy.
- A flaw exists that is triggered when handling plug-ins via service workers. This may allow a context-dependent attacker to bypass the same origin policy.
- A use-after-free error exists that is triggered when handling paint layers during scroll updates. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'DeviceMediaToMojoAdapter::Start()' function in 'services/video_capture/device_media_to_mojo_adapter.cc' that is triggered during a Mojo connection error. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists as the password saving and autofill setting labels are misleading in the application settings. This may result in passwords still being automatically filled although the user has disabled all related settings.
- A flaw exists in the 'ImageLoader::DoUpdateFromElement()' function in 'core/loader/ImageLoader.cpp' that is triggered as the request context is not properly handled when an image is requested. This may allow a context-dependent attacker to bypass the same origin policy.
- A flaw exists in Navigation that is triggered when handling pending item URLs. This may allow a context-dependent attacker to spoof the URL.
- A MIME type sniffing flaw exists that is triggered when handling files using the file protocol handler. This may allow a context-dependent attacker to cause the browser to interpret and render a file using a content type other than the intended content type.
- A flaw exists that is triggered as FileAPI does not check the modification time of files selected in 'input' elements. This may allow a context-dependent attacker to read changes made to the file after it was selected, potentially disclosing sensitive information.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks (U+0454). With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks. With specially crafted IDN domains, a context-dependent attacker can spoof an omnibox address.
- A flaw exists as it does not restrict use of special characters with diacritic-like marks.
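The IDN entries above describe look-alike hostnames built from characters such as U+0454 that render like Latin letters in the omnibox. The Python script below is an added example, not part of the Nessus plugin or of Chrome's code: it builds a constructed look-alike hostname, shows its punycode form using the standard-library IDNA codec, and applies a simplified mixed-script and combining-mark check of the kind a browser's IDN display policy uses to decide whether to show Unicode or fall back to punycode. The sample hostnames and the check itself are assumptions for illustration, not Chrome's actual rule set.

```python
import unicodedata

# Constructed sample hostnames (not taken from the advisory). The second replaces
# the Latin 'e' of "example" with U+0454 CYRILLIC SMALL LETTER UKRAINIAN IE,
# which renders almost identically; the third is a single-script Cyrillic name.
SAMPLE_HOSTS = [
    "example.com",
    "\u0454xample.com",
    "пример.рф",
]


def to_alabel(host: str) -> str:
    """Encode a hostname to its ASCII/punycode (A-label) form with the stdlib IDNA
    codec. Labels that are already ASCII, including xn-- labels, pass through."""
    return host.encode("idna").decode("ascii")


def to_ulabel(host: str) -> str:
    """Decode a hostname to its Unicode (U-label) form; accepts Unicode or punycode."""
    return to_alabel(host).encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, read from the first word of the
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are
    script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def has_combining_marks(label: str) -> bool:
    """True when the label contains combining (diacritic) marks, Unicode category M*."""
    return any(unicodedata.category(ch).startswith("M") for ch in label)


def is_suspicious_label(label: str) -> bool:
    """Flag a label that mixes scripts or carries combining marks.

    Simplified stand-in for a browser's IDN display policy (an assumption of this
    example, not Chrome's real algorithm): a whole-Cyrillic label is fine, a Latin
    label with a single Cyrillic look-alike is not.
    """
    return len(label_scripts(label)) > 1 or has_combining_marks(label)


def display_form(host: str) -> str:
    """Return the hostname as the address bar should show it: Unicode when every
    label passes the check, otherwise punycode so the look-alike is visible."""
    unicode_host = to_ulabel(host)
    if any(is_suspicious_label(label) for label in unicode_host.split(".")):
        return to_alabel(unicode_host)
    return unicode_host


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:20} punycode={to_alabel(host):28} shown as: {display_form(host)}")
```

The check is deliberately per-label: a name entirely in Cyrillic is legitimate and should display as Unicode, which is why a naive "contains any non-ASCII" rule is both too strict and, since it would also flag genuine names, easy to ignore in practice.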

Solution

Upgrade to Chrome version 66.0.3359.117 or later.
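Because this is a passive network-monitor plugin, the practical check is the version carried in observed User-Agent headers (or an inventory export) compared numerically against the fixed version named above. The script below is an added example and is not the plugin's own code; the User-Agent lines are constructed for the demonstration. It shows the comparison pitfall a string compare introduces once Chrome reached three-digit major versions.

```python
import re

# Fixed version named in the advisory; anything strictly below it is reported.
FIXED_VERSION = "66.0.3359.117"

# Chrome's four-part version as carried in the User-Agent header.
CHROME_UA_RE = re.compile(r"\bChrome/(\d+\.\d+\.\d+\.\d+)")

# Constructed sample User-Agent lines (not captured from a real host).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/65.0.3325.181 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/66.0.3359.117 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/100.0.4896.60 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
]


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.build.patch' into a tuple of ints.

    Comparing the raw strings is wrong: '100.0.4896.60' < '66.0.3359.117'
    lexically because '1' sorts before '6'. Tuples of ints compare numerically.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def assess_user_agent(user_agent: str):
    """Extract the Chrome version from a User-Agent string and assess it.

    Returns (version, vulnerable) or None when no Chrome token is present.
    Other Chromium-based browsers also carry a Chrome/ token that reflects
    their engine version, so they are assessed on the same basis.
    """
    match = CHROME_UA_RE.search(user_agent)
    if match is None:
        return None
    version = match.group(1)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    for ua in SAMPLE_USER_AGENTS:
        result = assess_user_agent(ua)
        if result is None:
            print("no Chrome version token:", ua[:40], "...")
        else:
            version, vulnerable = result
            print(f"Chrome {version}: {'VULNERABLE' if vulnerable else 'patched'}")
```

A User-Agent string is client-supplied and can be altered, so treat a version derived from it as a lead to confirm against the host's installed binary rather than as proof of patch state.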

See Also

http://www.nessus.org/u?db76b488

Plugin Details

Severity: High

ID: 700356

Family: Web Clients

Published: 8/23/2018

Updated: 3/6/2019

Nessus ID: 109396

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 4/17/2018

Vulnerability Publication Date: 2/15/2017

Reference Information

CVE: CVE-2018-6085

BID: 103917