Vulnerabilities > CVE-2015-2706 - Race Condition vulnerability in Mozilla Firefox
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent function in Mozilla Firefox before 37.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted plugin that does not properly complete initialization.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_738FC80D5F134CCBAA9A7965699E5A10.NASL description The Mozilla Project reports : MFSA 2015-45 Memory corruption during failed plugin initialization last seen 2020-06-01 modified 2020-06-02 plugin id 82906 published 2015-04-21 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82906 title FreeBSD : mozilla -- use-after-free (738fc80d-5f13-4ccb-aa9a-7965699e5a10) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(82906); script_version("1.8"); script_cvs_date("Date: 2018/11/10 11:49:44"); script_cve_id("CVE-2015-2706"); script_name(english:"FreeBSD : mozilla -- use-after-free (738fc80d-5f13-4ccb-aa9a-7965699e5a10)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The Mozilla Project reports : MFSA 2015-45 Memory corruption during failed plugin initialization" ); script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2015-45/" ); # https://vuxml.freebsd.org/freebsd/738fc80d-5f13-4ccb-aa9a-7965699e5a10.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2514056e" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/20"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"firefox<37.0.2,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-firefox<37.0.2,1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-325.NASL description Mozilla Firefox was updated to 37.0.2 to fix one security issue. The following vulnerability was fixed : - CVE-2015-2706 Memory corruption during failed plugin initialization (bmo#1141081 MFSA 2015-45 bnc#928116) last seen 2020-06-05 modified 2015-04-27 plugin id 83084 published 2015-04-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83084 title openSUSE Security Update : Mozille Firefox (openSUSE-2015-325) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-325. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(83084); script_version("2.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-2706"); script_name(english:"openSUSE Security Update : Mozille Firefox (openSUSE-2015-325)"); script_summary(english:"Check for the openSUSE-2015-325 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Mozilla Firefox was updated to 37.0.2 to fix one security issue. The following vulnerability was fixed : - CVE-2015-2706 Memory corruption during failed plugin initialization (bmo#1141081 MFSA 2015-45 bnc#928116)" ); script_set_attribute( attribute:"solution", value:"Update the affected Mozille Firefox packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-37.0.2-71.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-37.0.2-71.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-326.NASL description Mozilla Firefox was updated to 37.0.2 to fix one security issue. The following vulnerability was fixed : - CVE-2015-2706: Memory corruption during failed plugin initialization (bmo#1141081 MFSA 2015-45 bnc#928116) last seen 2020-06-05 modified 2015-04-27 plugin id 83085 published 2015-04-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83085 title openSUSE Security Update : Mozille Firefox (openSUSE-2015-326) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2015-326. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(83085); script_version("2.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-2706"); script_name(english:"openSUSE Security Update : Mozille Firefox (openSUSE-2015-326)"); script_summary(english:"Check for the openSUSE-2015-326 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Mozilla Firefox was updated to 37.0.2 to fix one security issue. The following vulnerability was fixed : - CVE-2015-2706: Memory corruption during failed plugin initialization (bmo#1141081 MFSA 2015-45 bnc#928116)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=928116" ); script_set_attribute( attribute:"solution", value:"Update the affected Mozille Firefox packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-branding-upstream-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-buildsymbols-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debuginfo-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debugsource-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-devel-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-common-37.0.2-27.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-other-37.0.2-27.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }NASL family Windows NASL id MOZILLA_FIREFOX_37_0_2.NASL description The version of Firefox installed on the remote Windows host is prior to 37.0.2. It is, therefore, affected by a use-after-free error, related to the AsyncPaintWaitEvent() method, due to a race condition caused when plugin initialization fails. A remote attacker, using a crafted web page, can exploit this to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 82998 published 2015-04-22 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82998 title Firefox < 37.0.2 Failed Plugin Memory Corruption NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2571-1.NASL description Robert Kaiser discovered a use-after-free during plugin initialization in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2706). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83086 published 2015-04-27 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83086 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : firefox vulnerability (USN-2571-1) NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_37_0_2.NASL description The version of Firefox installed on the remote Mac OS X host is prior to 37.0.2. It is, therefore, affected by a use-after-free error, related to the AsyncPaintWaitEvent() method, due to a race condition caused when plugin initialization fails. A remote attacker, using a crafted web page, can exploit this to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 82997 published 2015-04-22 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82997 title Firefox < 37.0.2 Failed Plugin Memory Corruption (Mac OS X) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201512-10.NASL description The remote host is affected by the vulnerability described in GLSA-201512-10 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Thunderbird. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 87710 published 2016-01-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87710 title GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam)
References
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00044.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00046.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-45.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/74247
- http://www.securitytracker.com/id/1032171
- http://www.ubuntu.com/usn/USN-2571-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1141081
- https://security.gentoo.org/glsa/201512-10