Google Chrome < 55.0.2883.75 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9829

Synopsis

The remote host is utilizing a web browser that is affected by multiple attack vectors.

Description

The version of Google Chrome installed on the remote host is prior to 55.0.2883.75 and is affected by multiple vulnerabilities:

- A flaw exists in the 'TIFFFetchDirectory()' function in 'tif_dirread.c' related to use of uninitialized memory. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. (OSVDB 145058)
- An unspecified out-of-bounds write flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to potentially execute arbitrary code. (OSVDB 148065)
- A flaw exists that allows a universal cross-site scripting (UXSS) attack. This flaw exists because the 'V8EventListener::getListenerFunction()' function in 'bindings/core/v8/V8EventListener.cpp' allows running the 'handleEvent' getter on forbidden script. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. (OSVDB 148066)
- A use-after-free error exists in the 'Document::removeField()' function in 'fpdfsdk/javascript/Document.cpp' that is triggered when handling the removal of fields within a document. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 148067)
- An unspecified use-after-free error exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 148068)
- An integer overflow condition exists in 'core/fpdfapi/page/cpdf_page.cpp' that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (OSVDB 148069)
- A use-after-free error exists in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling non-visible page unloading. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 148070)
- An out-of-bounds write flaw exists in the 'CWeightTable::GetPixelWeightSize()' function in 'core/fxge/dib/fx_dib_engine.cpp'. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (OSVDB 148071)
- A flaw exists that allows a UXSS attack. This flaw exists because the program permits frame swaps during frame detach. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. (OSVDB 148072)
- A flaw exists in the DevTools component that is triggered as certain URLs are not properly validated. This may allow a context-dependent attacker to disclose the contents of arbitrary files. (OSVDB 148073)
- A flaw exists that allows a UXSS attack. The issue is triggered when handling events fired during, for example, the closing of a color chooser for an input element. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. (OSVDB 148074)
- A flaw exists that is triggered when handling 'chrome.tabs' API navigations and displaying the pending URL. This may allow a context-dependent attacker to spoof the omnibox address. (OSVDB 148075)
- A flaw exists in the 'NavigatorImpl::NavigateToEntry()' function in 'content/browser/frame_host/navigator_impl.cc' that is triggered when handling invalid URLs. This may allow a context-dependent attacker to spoof the omnibox address. (OSVDB 148076)
- A flaw exists that allows a UXSS attack. The issue is triggered when handling the 'use' SVG element and calling event listeners on a cloned node. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and any website. (OSVDB 148077)
- A flaw exists that is triggered when downloading files via, for example, data: URIs, unknown URL schemes, or overly long URLs. This may allow a context-dependent attacker to cause a file to be downloaded without the mark-of-the-web applied. (OSVDB 148078)
- A flaw exists in the 'HTMLFormElement::scheduleFormSubmission()' function in 'html/HTMLFormElement.cpp' that is triggered as form-action CSP (Content Security Policy) is not properly enforced. This may allow a context-dependent attacker to bypass intended restrictions. (OSVDB 148079)
- A flaw exists in the 'DocumentLoader::GetRequest()' function in 'pdf/document_loader.cc' that is triggered when handling redirects in the plugin. This may allow a context-dependent attacker to bypass the same-origin policy. (OSVDB 148080)
- An unspecified flaw exists related to the PDF helper extension using unvalidated data. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (OSVDB 148081)
- A flaw exists in 'ui/views/tabs/tab_strip.cc' that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when dropping JavaScript URLs on a tab. This may allow an attacker to execute arbitrary script code in the security context of the relevant tab. (OSVDB 148082)
- A use-after-free error exists in 'content/renderer/media/renderer_webaudiodevice_impl.cc' that is triggered when handling web audio. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code. (OSVDB 148083)
- A flaw exists related to denorm handling not being disabled before calling Skia filter code. This may allow a context-dependent attacker to bypass the same-origin policy. (OSVDB 148084)
- A flaw exists in the 'Range::createAdjustedToTreeScope()' function in 'dom/Range.cpp' that is triggered when improperly handling the shadow root at the end of the document tree. With a specially crafted web page, a context-dependent attacker can potentially execute arbitrary code. (OSVDB 148086)
- A use-after-free error exists in 'layout/FloatingObjects.cpp' that is triggered during handling of floating objects when detaching subtrees. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. (OSVDB 148087)
- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (OSVDB 148088)
- An unspecified flaw exists that may allow a context-dependent attacker to disclose CSP referrers. No further details have been provided. (OSVDB 148104)
- An unspecified flaw exists related to its handling of 'file: navigation' that may allow a context-dependent attacker to disclose arbitrary files. No further details have been provided. (OSVDB 148105)
- An unspecified integer overflow condition exists that is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (OSVDB 148106)
- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified medium-severity impact. No further details have been provided by the vendor. (OSVDB 148110)
- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified low-severity impact. No further details have been provided by the vendor. (OSVDB 148111)
- An unspecified use-after-free flaw exists in the inspector code that may allow an attacker to potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 148133, OSVDB 148134)
- An unspecified flaw exists in 'lookup.cc' related to unauthorized private property access that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided by the vendor. (OSVDB 148135)
- A flaw exists in the 'It2Me host' plugin related to a missing confirmation dialog. This may allow a remote attacker to establish a connection without the user being able to accept or reject it. (OSVDB 148138)
- A double deletion flaw exists in 'device/battery/battery_monitor_impl.cc'. This may allow a context-dependent attacker to have an unspecified impact. (OSVDB 148139)
- A flaw exists in the 'PingLoader::sendLinkAuditPing()' function in 'loader/PingLoader.cpp', as the anchor HTML tag's 'ping' attribute is not covered by the 'connect-src' CSP directive. With a specially crafted web page, a context-dependent attacker can bypass the intended Content Security Policy (CSP). (OSVDB 148140)
- A flaw exists in the 'subdivide()' function in 'core/SkGeometry.cpp'. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided by the vendor. (OSVDB 148142)

Solution

Update the Chrome browser to 55.0.2883.75 or later.

See Also

https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html

Plugin Details

Severity: Critical

ID: 9829

File Name: 9829.prm

Family: Web Clients

Published: 2016/12/16

Modified: 2016/12/16

Dependencies: 4645

Nessus ID: 95480, 95481

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2016/12/01

Vulnerability Publication Date: 2016/10/09

Reference Information

CVE: CVE-2016-5203, CVE-2016-5204, CVE-2016-5205, CVE-2016-5206, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5210, CVE-2016-5211, CVE-2016-5212, CVE-2016-5213, CVE-2016-5214, CVE-2016-5215, CVE-2016-5216, CVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5220, CVE-2016-5221, CVE-2016-5222, CVE-2016-5223, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226, CVE-2016-9650, CVE-2016-9651, CVE-2016-9652

BID: 94633