Google Chrome < 68.0.3440.75 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 700361

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 68.0.3440.75, and is affected by multiple vulnerabilities:

- A flaw exists as it does not properly limit certain characters (U+0153, U+00E6, U+04D5, U+0499, and U+0525) before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an Omnibox address.
- A flaw exists in the 'ComputeRandomMagic()' function in 'blink/renderer/platform/heap/heap_page.cc' that is triggered as random numbers are not properly handled when generating heap magic values. This may lead to weaker heap object integrity checks than intended.
- A flaw exists in the safe browsing feature that is triggered when handling DMG file analysis. This may allow a context-dependent attacker to have an unspecified impact.
- A dangling reference flaw exists in the PDFiumEngine class in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling image data while paints are pending. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the CPDF_DIBSource class destructor in 'fpdfapi/render/cpdf_dibsource.cpp' that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A type confusion flaw exists in multiple JS functions that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to gain cross-origin access to potentially sensitive information.
- A flaw exists in the 'ActiveTabPermissionGranter::GrantIfRequested()' function in 'browser/extensions/active_tab_permission_granter.cc' that is triggered as an extension has permission to the file-scheme of a file-URL loaded tab. This may allow a malicious extension to gain unauthorized access to page information, e.g. via the 'chrome.tabs.executeScript' API.
- A flaw exists that is triggered as it is possible to include web content in WebUI documents. This may allow a context-dependent attacker to bypass intended security restrictions.
- A flaw exists that is triggered as certain input is not properly validated when handling temporary registers during shader compilation. This may allow a context-dependent attacker to crash a process linked against the library.
- An unspecified flaw exists that is triggered when handling termination garbage collection. This may allow a context-dependent attacker to have an unspecified impact.
- A use-after-free error exists in the 'vp8_deblock()' function in 'vp8/common/postproc.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'PermissionServiceImpl::RequestPermissions()' function in 'content/browser/permissions/permission_service_impl.cc' that is triggered when handling permission types. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to bypass cross-origin resource sharing (CORS) configurations.
- A type confusion flaw exists in the 'PacketBuffer::FindFrames()' function in 'modules/video_coding/packet_buffer.cc' that is triggered as certain input in H264 NAL packets is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A flaw exists in the 'NavigationControllerImpl::Reload()' function in 'frame_host/navigation_controller_impl.cc' that is triggered when handling reloads in a new process. This may allow a context-dependent attacker to spoof Omnibox URLs.
- A flaw exists in Blink that is triggered when handling opaque CSS responses from service workers. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw exists as it does not properly limit Georgian Letter Vin (U+10D5) characters before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an Omnibox address.
- An overflow condition exists in the 'WebGLRenderingContextBase::TexImageHelperImageData()' function in 'webgl_rendering_context_base.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- An overflow condition exists in the 'UlpfecReceiverImpl::AddReceivedRedPacket()' function in 'modules/rtp_rtcp/source/ulpfec_receiver_impl.cc' that is triggered when handling RED packets with a length that exceeds the maximum IP packet size. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'runJavaScriptDialogOfType()' function in 'web/web_state/ui/crw_web_controller.mm' that is triggered when handling invalid request URLs. This may allow a context-dependent attacker to spoof a JavaScript dialog.
- A flaw exists in the 'Performance::PassesTimingAllowCheck()' function in 'blink/renderer/core/timing/performance.cc' that is triggered when service workers change a same origin request. This may allow a context-dependent attacker to bypass the same-origin policy.
- A race condition exists in Blink that is triggered when handling concurrent access to the GCInfoTable class. This may allow a context-dependent attacker to cause a use-after-free and dereference already freed memory, potentially allowing the execution of arbitrary code.
- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- An overflow condition exists in the WebGL component that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A flaw exists in the 'IterableToList()' builtin in 'builtins/builtins-typed-array-gen.cc' related to incorrect optimization. This may allow a context-dependent attacker to have an unspecified impact.
- An overflow condition exists in the 'SkFindUnitQuadRoots()' function in 'core/SkGeometry.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a stack-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw exists in the 'V8HTMLConstructor::HtmlConstructor()' function in 'blink/renderer/bindings/core/v8/v8_html_constructor.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- A type confusion flaw exists in the 'WebFormElementObserverImpl::ObserverCallback::Deliver()' function in 'blink/renderer/core/exported/web_form_element_observer_impl.cc' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An integer overflow condition exists in the 'Surface::size()' function in 'Renderer/Surface.cpp' that is triggered as certain input is not properly validated when handling texture allocation. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the fetch API which may allow a context-dependent attacker to gain access to cross-origin information. No further details have been provided.
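The IDN entries above describe a display-policy gap: hostname labels containing certain confusable code points were rendered in Unicode form instead of being left as punycode. The following added example (not Tenable's or the Chromium project's code) applies that policy to a hostname, keeping the 'xn--' form visible for any label that contains one of the code points the advisory lists; the sample hostnames are constructed for illustration.

```python
"""Display-policy check for the IDN spoofing entries above (added example)."""

# The code points named in the advisory entries (U+0153, U+00E6, U+04D5,
# U+0499, U+0525 and U+10D5). A label containing any of them is not shown
# in Unicode form.
FLAGGED_CODE_POINTS = {
    "\u0153",  # Latin small ligature oe
    "\u00e6",  # Latin small letter ae
    "\u04d5",  # Cyrillic small ligature a ie
    "\u0499",  # Cyrillic small letter ze with descender
    "\u0525",  # Cyrillic small letter pe with descender
    "\u10d5",  # Georgian letter vin
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label (decode 'xn--' punycode)."""
    if label.lower().startswith("xn--"):
        # Pure RFC 3492 punycode; no nameprep, so unusual code points survive.
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Return the ASCII-compatible ('xn--') form of one label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def flagged_chars(label: str) -> set:
    """Return the flagged code points present in a (Unicode) label."""
    return {c for c in label if c in FLAGGED_CODE_POINTS}


def display_hostname(host: str) -> str:
    """Render a hostname for display: Unicode per label only when no flagged
    code point is present, otherwise the punycode form stays visible."""
    shown = []
    for label in host.split("."):
        unicode_label = decode_label(label)
        if flagged_chars(unicode_label):
            shown.append(encode_label(unicode_label))
        else:
            shown.append(unicode_label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample: a label with U+0153 stays punycode, one without is decoded.
    print(display_hostname(encode_label("b\u0153uf") + ".example"))
    print(display_hostname(encode_label("m\u00fcnchen") + ".example"))
```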

Solution

Upgrade to Chrome version 68.0.3440.75 or later.

See Also

http://www.nessus.org/u?89d1144b

Plugin Details

Severity: High

ID: 700361

Family: Web Clients

Published: 2018/08/23

Modified: 2018/08/23

Dependencies: 4645

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2018/05/10

Vulnerability Publication Date: 2018/05/10

Reference Information

CVE: CVE-2018-4117, CVE-2018-6153, CVE-2018-6154, CVE-2018-6155, CVE-2018-6156, CVE-2018-6157, CVE-2018-6158, CVE-2018-6159, CVE-2018-6160, CVE-2018-6162, CVE-2018-6163, CVE-2018-6164, CVE-2018-6165, CVE-2018-6166, CVE-2018-6168, CVE-2018-6170, CVE-2018-6173, CVE-2018-6174, CVE-2018-6175, CVE-2018-6177, CVE-2018-6179

BID: 104887