Google Chrome < 68.0.3440.75 Multiple Vulnerabilities

High | Nessus Network Monitor Plugin ID 700361

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 68.0.3440.75, and is affected by multiple vulnerabilities:

- A flaw exists as it does not properly limit certain characters (U+0153, U+00E6, U+04D5, U+0499, and U+0525) before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an Omnibox address.
- A flaw exists in the 'ComputeRandomMagic()' function in 'blink/renderer/platform/heap/heap_page.cc' that is triggered as random numbers are not properly handled when generating heap magic values. This may lead to weaker heap object integrity checks than intended.
- A flaw exists in the safe browsing feature that is triggered when handling DMG file analysis. This may allow a context-dependent attacker to have an unspecified impact.
- A dangling reference flaw exists in the PDFiumEngine class in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling image data while paints are pending. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the CPDF_DIBSource class destructor in 'fpdfapi/render/cpdf_dibsource.cpp' that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A type confusion flaw exists in multiple JS functions that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to gain cross-origin access to potentially sensitive information.
- A flaw exists in the 'ActiveTabPermissionGranter::GrantIfRequested()' function in 'browser/extensions/active_tab_permission_granter.cc' that is triggered as an extension has permission to the file-scheme of a file-URL loaded tab. This may allow a malicious extension to gain unauthorized access to page information, e.g. via the 'chrome.tabs.executeScript' API.
- A flaw exists that is triggered as it is possible to include web content in WebUI documents. This may allow a context-dependent attacker to bypass intended security restrictions.
- A flaw exists that is triggered as certain input is not properly validated when handling temporary registers during shader compilation. This may allow a context-dependent attacker to crash a process linked against the library.
- An unspecified flaw exists that is triggered when handling termination garbage collection. This may allow a context-dependent attacker to have an unspecified impact.
- A use-after-free error exists in the 'vp8_deblock()' function in 'vp8/common/postproc.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'PermissionServiceImpl::RequestPermissions()' function in 'content/browser/permissions/permission_service_impl.cc' that is triggered when handling permission types. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to bypass cross-origin resource sharing (CORS) configurations.
- A type confusion flaw exists in the 'PacketBuffer::FindFrames()' function in 'modules/video_coding/packet_buffer.

Solution

Upgrade to Chrome version 68.0.3440.75 or later.

See Also

http://www.nessus.org/u?89d1144b

Plugin Details

Severity: High

ID: 700361

Family: Web Clients

Published: 8/23/2018

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

Patch Publication Date: 5/10/2018

Vulnerability Publication Date: 5/10/2018

Reference Information

CVE: CVE-2018-4117, CVE-2018-6153, CVE-2018-6154, CVE-2018-6155, CVE-2018-6156, CVE-2018-6157, CVE-2018-6158, CVE-2018-6159, CVE-2018-6162, CVE-2018-6163, CVE-2018-6164, CVE-2018-6165, CVE-2018-6166, CVE-2018-6168, CVE-2018-6170, CVE-2018-6173, CVE-2018-6174, CVE-2018-6175, CVE-2018-6177, CVE-2018-6179, CVE-2018-6160

BID: 104887