Mozilla Thunderbird < 38.4 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9151

Synopsis

The remote host has an email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Thunderbird prior to 38.4 are outdated and therefore unpatched against the following vulnerabilities:

- Multiple memory corruption issues exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these issues, via a specially crafted web page, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4513, CVE-2015-4514)
- An unspecified use-after-poison flaw exists in the 'sec_asn1d_parse_leaf()' function in Mozilla Network Security Services (NSS) due to improper restriction of access to an unspecified data structure. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-7181)
- A heap buffer overflow condition exists in the ASN.1 decoder in Mozilla Network Security Services (NSS) due to improper validation of user-supplied input. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-7182)
- An integer overflow condition exists in the 'PL_ARENA_ALLOCATE' macro in the Netscape Portable Runtime (NSPR) due to improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-7183)
- A same-origin bypass vulnerability exists due to improper handling of trailing whitespace in IP address hostnames. A remote attacker can exploit this, by appending whitespace characters to an IP address string, to bypass the same-origin policy and conduct a cross-site scripting attack. (CVE-2015-7188)
- A race condition exists in the 'JPEGEncoder()' function due to improper validation of user-supplied input when handling canvas elements. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-7189)
- A cross-origin resource sharing (CORS) request bypass vulnerability exists due to improper implementation of the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation. A remote attacker can exploit this to perform a simple request instead of a 'preflight' request. (CVE-2015-7193)
- A buffer underflow condition exists in libjar due to improper validation of user-supplied input when handling ZIP archives. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-7194)
- A security bypass vulnerability exists because the 'WebSocketImpl::Init()' method does not properly control the ability of a web worker to create a WebSocket object. A remote attacker can exploit this to bypass intended mixed-content restrictions. (CVE-2015-7197)
- A buffer overflow condition exists in 'TextureStorage11' in ANGLE due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-7198)
- A flaw exists in the 'AddWeightedPathSegLists()' function due to missing return value checks during SVG rendering. A remote attacker can exploit this, via a crafted SVG document, to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-7199)
- A flaw exists in the CryptoKey interface implementation due to missing status checks. A remote attacker can exploit this to make changes to cryptographic keys and execute arbitrary code. (CVE-2015-7200)

Solution

Upgrade to Thunderbird 38.4 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2015-116

https://www.mozilla.org/en-US/thunderbird/38.4.0/releasenotes

https://www.mozilla.org/en-US/security/advisories/mfsa2015-122

https://www.mozilla.org/en-US/security/advisories/mfsa2015-123

https://www.mozilla.org/en-US/security/advisories/mfsa2015-127

https://www.mozilla.org/en-US/security/advisories/mfsa2015-128

https://www.mozilla.org/en-US/security/advisories/mfsa2015-131

https://www.mozilla.org/en-US/security/advisories/mfsa2015-132

https://www.mozilla.org/en-US/security/advisories/mfsa2015-133

Plugin Details

Severity: High

ID: 9151

Family: SMTP Clients

Published: 3/17/2016

Updated: 3/6/2019

Dependencies: 5558

Nessus ID: 87110

Risk Information

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Patch Publication Date: 11/23/2015

Vulnerability Publication Date: 11/23/2015

Reference Information

CVE: CVE-2015-4513, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7188, CVE-2015-7189, CVE-2015-7193, CVE-2015-7194, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200, CVE-2015-4514

BID: 77411, 77416, 77415