Google Chrome < 57.0.2987.98 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9991

Synopsis

The remote host is running a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 57.0.2987.98, and is affected by multiple vulnerabilities:

- An unspecified flaw exists that may allow a context-dependent attacker to have an unspecified, high severity impact. No further details have been provided by the vendor.
- Integer overflow conditions exist in the 'TrackFragmentRun::Parse()' function in 'media/formats/mp4/box_definitions.cc' that are triggered when parsing track fragments in MP4 content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free condition exists that is triggered as GuestView objects inherit the prototypes from the global JS object. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'guest_view_internal_custom_bindings.cc' that is triggered when handling the GuestViewContainer pointer during a GuestView attach operation. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists in the XSS auditor that may allow a context-dependent attacker to disclose information. No further details have been provided by the vendor.
- A flaw exists in the 'Document::initContentSecurityPolicy()' function in 'dom/Document.cpp' that is triggered as local schemes do not inherit the content security policy when using e.g. 'window.open()'. This may allow a context-dependent attacker to bypass the content security policy.
- A flaw exists in 'bindings/templates/interface_base.cpp.tmpl' that is triggered when handling author scripts interacting with 'Symbol.toPrimitive' properties of Location objects. This may allow a context-dependent attacker to disclose information.
- A flaw exists in the Omnibox address bar that may allow a context-dependent attacker to spoof an address. No further details have been provided by the vendor.
- An unspecified flaw exists in the Cast feature that is triggered when handling cookies. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the 'SVGInlineTextBoxPainter::shouldPaintSelection()' function in 'paint/SVGInlineTextBoxPainter.cpp' that is triggered when painting selections and rendering a mask, clip-path, pattern, or feImage. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists that is triggered as wrapper objects are shared across window contexts when handling InputDeviceCapabilities objects. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the 'DOMWindow' class in 'frame/DOMWindow.cpp' that is triggered as wrappers for external APIs are shared between window contexts. This may allow a context-dependent attacker to have an unspecified impact.
- A use-after-free condition exists in the handling of ShaderDiskCache entries in 'gpu/ipc/host/shader_disk_cache.cc' that is triggered when deleting an entry before the backend has finished opening the entry. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in 'layout/FloatingObjects.cpp' that is triggered when handling the 'shouldPaint' property in the 'FloatingObject' class. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in a 'TraceInCollectionTrait' class template in 'TraceTraits.h' that is triggered when handling container sizes during HeapVectorBacking tracing. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'NavigationControllerImpl::RendererDidNavigateToExistingPage()' function in 'navigation_controller_impl.cc' that is triggered when handling data from the renderer process. This may allow a context-dependent attacker to have an unspecified impact on the security UI.
- A race condition exists that is triggered as the 'PlayStateUpdateScope' destructor resolves promises synchronously inside a forbidden scope. This may allow a context-dependent attacker to execute script code in a forbidden scope.
- A flaw exists that is triggered when handling 'childBrowsingContexts' upon named window access. This may allow a context-dependent attacker to have an unspecified impact on the same-origin restriction.
- A flaw exists related to the sandbox Content Security Policy that is triggered when web content is being loaded. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the handling of timeout limits for foreign fetch events that are triggered by another service worker. This may allow a context-dependent attacker to have an unspecified impact.

Solution

Update the Chrome browser to 57.0.2987.98 or later.

See Also

https://chromium.googlesource.com/chromium/src/+/90824416d3eeae5ec6013b250123df65e9d48032

Plugin Details

Severity: Critical

ID: 9991

Family: Web Clients

Published: 2017/03/10

Updated: 2019/03/06

Dependencies: 4645

Nessus ID: 97724, 97725

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2017/03/09

Vulnerability Publication Date: 2016/12/22

Reference Information

CVE: CVE-2017-5033, CVE-2017-5035, CVE-2017-5037, CVE-2017-5038, CVE-2017-5041, CVE-2017-5042, CVE-2017-5043, CVE-2017-5045, CVE-2017-5046

BID: 96767