Mozilla Firefox < 51 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9927

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 51 are unpatched for the following vulnerabilities :

- A flaw exists in JIT code allocation that may allow a context-dependent attacker to bypass the Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) protection mechanisms.
- A use-after-free error exists in the 'txExecutionState::getVariable()' function in 'dom/xslt/xslt/txExecutionState.cpp' that is triggered when handling XSL in XSLT documents. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is due to the program sharing hashed codes of JavaScript objects between pages. This may allow a context-dependent to gain access to potentially sensitive data by discovering the object's address through a pointer leak.
- A use-after-free error exists in the 'nsDocument::GetAnimations()' function in 'dom/base/nsDocument.cpp' that is triggered when handling web animations. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'PresShell::FlushPendingNotifications()' function in 'layout/base/PresShell.cpp' that is triggered during DOM manipulation of SVG content. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists that is due to the JSON viewer in the Developer Tools insecurely creating communication channels for copying and viewing JSON or HTTP headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
- A flaw exists in the 'mozAddonManager' API that may allow a WebExtension attacker to modify CSP headers. This may allow a context-dependent attacker to use a host request to redirect script load to a malicious site, where it will install additional extensions without the user's consent.
- A flaw exists in the 'RangeAnalysis::addBetaNodes()' function in 'js/src/jit/RangeAnalysis.cpp' related to improper comparisons being performed when adding beta nodes. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'dom/media/DOMMediaStream.cpp' that is triggered when handling media stream tracks. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Library::Create()' function in 'js/src/ctypes/Library.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'Library::Create()' function in 'js/src/ctypes/Library.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/workers/ServiceWorkerRegistration.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsAttrAndChildArray::GrowBy()' function in 'dom/base/nsAttrAndChildArray.cpp' related to a missing return value check. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'AppendUTF16toUTF8()' function in 'xpcom/string/nsReadableUtils.cpp' that is triggered when handling certain size calculations. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'xpcom/string/nsTSubstringTuple.cpp' that is triggered when handling substring tuble lengths. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists in the 'RTCPPacketInformation::AddApplicationData()' function in 'webrtc/modules/rtp_rtcp/source/rtcp_receiver_help.cc' that is triggered when handling RTCP APP packets. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GetDatabaseFileURL()' function in 'dom/indexedDB/ActorsParent.cpp' that is triggered when handling file: URIs. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'gfx/2d/PathRecording.h' that is triggered when handling event recorders. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'ICCallStubCompiler::guardFunApply()' function in 'js/src/jit/BaselineIC.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::createThisScriptedSingleton()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'AddLazyFunctionsForCompartment()' function in 'js/src/jscompartment.cpp' that is triggered when handling references to a compartment's lazy functions. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'js::DefineTypedArrayElement()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'DataViewObject::create()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'IonBuilder::initEnvironmentChain()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in the JavaScript JIT compiler that is triggered when handling windows. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsDOMConstructor::HasInstance()' function in 'dom/base/nsDOMClassInfo.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free flaw exists in the 'nsDocument::SetScriptGlobalObject()' function in 'dom/base/nsDocument.cpp' that is triggered when handling specially crafted media files. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'security/manager/pki/resources/content/pippki.js' that allows traversing outside of a restricted path. The issue is due to the export functions in the certificate viewer not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). This may allow a context-dependent attacker to make changes to the save destination for certificate content.
- A flaw exists that may allow a remote attacker to use the preview feature for RSS feeds to view potentially sensitive privileged content errors and exceptions.
- A flaw exists that is triggered during the handling of a specially crafted URL that contains certain unicode glyphs for alternative hyphens and quotes. This may allow a context-dependent attacker to spoof the location bar.
- A flaw exists that is triggered during the handling of a specially crafted Proxy Auto-Config (PAC) file. This file may potentially specify which JavaScript function is called for URL requests, allowing a context-dependent attacker to gain access to potentially sensitive information.
- A flaw exists in 'dom/base/nsDocument.cpp' that is triggered as data sent with multipart channels, such as the multipart/x-mixed-replace MIME type, ignores the bypass referrer-policy response header. This may allow a context-dependent attacker to and gain access to sensitive information related to sites using the header.
- A flaw exists that may allow WebExtension scripts to use the 'data: protocol' to affect pages loaded by other extensions. This may allow a context-dependent attacker to potentially disclose sensitive information or gain elevated privileges related to other extensions.
- A flaw exists in 'mobile/android/chrome/content/browser.js' that is triggered when handling a series of JavaScript events in fullscreen mode. This may allow a context-dependent attacker to spoof the location bar.
- A flaw exists that is triggered as certain 'about: pages' used by web content may load other privileged 'about: pages' within an iframe. This may potentially allow a context-dependent attacker to gain elevated privileges.
- A flaw exists that is triggered as weak proxy objects may have weak references on multiple threads, instead of only one. This may potentially allow a context-dependent attacker to corrupt memory and execute arbitrary code.
- A flaw exists in 'toolkit/mozapps/extensions/AddonManager.jsm' that is triggered as mozAddonManager allows for extension installation from the CDN for addons.mozilla.org. This may potentially allow a malicious extension to install additional extensions.
- A flaw exists that is triggered when the location bar of a new page has been scrolled out of view. This may potentially allow a context-dependent attacker to spoof the location bar.
- A flaw exists in the 'HTMLTrackElement::SetReadyState()' function in 'dom/html/HTMLTrackElement.cpp' that is triggered when handling TRACK tag error messages. This may allow a context-dependent attacker to enumerate the existence of local files.
- A flaw exists in 'media/mtransport/nr_socket_prsock.cpp' that is triggered when a STUN server is used in conjunction with a saturation of webkitRTCPeerConnection objects, which may in turn produce a high volume of STUN packets. This may allow a remote attacker to generate significant UDP traffic, resulting in an amplification denial-of-service attack. When performed by multiple machines, a distributed denial-of-service (DDoS) attack can be carried out very effectively.

Solution

Upgrade to Firefox version 51 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-01

https://www.mozilla.org/en-US/security/advisories/mfsa2017-02

https://www.mozilla.org/en-US/security/advisories/mfsa2017-03

Plugin Details

Severity: High

ID: 9927

Family: Web Clients

Published: 1/31/2017

Updated: 3/6/2019

Nessus ID: 96776

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 1/24/2016

Vulnerability Publication Date: 1/18/2017

Reference Information

CVE: CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5392, CVE-2017-5393, CVE-2017-5394, CVE-2017-5395, CVE-2017-5396

BID: 95757, 95758, 95759, 95762, 95763, 95769