Google Chrome OS < 43.0.2357.132 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 8886

Synopsis

The remote mobile host was detected using an outdated version of the Chrome OS.

Description

The version of Google Chrome OS on the remote mobile host is prior to 43.0.2357.132 and thus unpatched for the following vulnerabilities :

- A use-after-free error exists in the opaqueBackground class in the ActionScript 3 (AS3) implementation. A remote attacker, via specially crafted Flash content, can dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-5122)
- A use-after-free error exists in the BitmapData class in the ActionScript 3 (AS3) implementation. A remote attacker, via specially crafted Flash content, can dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-5123)
- A flaw exists due to user-supplied input not being properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-5124)
- An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)
- Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)
- Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)
- Multiple NULL pointer dereference flaws exist. (CVE-2015-3126, CVE-2015-4429)
- A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)
- Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)
- Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)
- Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)
- A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)

Solution

Update Chrome OS to version 43.0.2357.132 or later.

See Also

http://googlechromereleases.blogspot.com/2015/07/stable-channel-update-for-chrome-os.html

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

Plugin Details

Severity: Critical

ID: 8886

Published: 2015/09/25

Modified: 2016/01/25

Dependencies: 6754

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:ND/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:google:chrome_os

Patch Publication Date: 2015/07/14

Vulnerability Publication Date: 2015/07/10

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Adobe Flash opaqueBackground Use After Free)

Reference Information

CVE: CVE-2015-3097, CVE-2014-0578, CVE-2015-3114, CVE-2015-3115, CVE-2015-3116, CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3125, CVE-2015-3126, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131, CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431, CVE-2015-4432, CVE-2015-4433, CVE-2015-5116, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119, CVE-2015-5122, CVE-2015-5123, CVE-2015-5124

BID: 75090, 75568, 75590, 75591, 75592, 75593, 75594, 75595, 75596, 75710, 75712