CVE-2015-2729 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, mozilla, oracle, CWE-119, nessus

Summary

The AudioParamTimeline::AudioNodeInputValue function in the Web Audio implementation in Mozilla Firefox before 39.0 and Firefox ESR 38.x before 38.1 does not properly calculate an oscillator rendering range, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via unspecified vectors.

Vulnerable Configurations

Part         Description   Count
Application  Mozilla       546
OS           Oracle        1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150703_FIREFOX_ON_SL5_X.NASL
    description: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) A flaw was discovered in Mozilla
    last seen: 2020-03-18
    modified: 2015-07-06
    plugin id: 84543
    published: 2015-07-06
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84543
    title: Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150703)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84543);
      script_version("2.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743");
    
      script_name(english:"Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150703)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several flaws were found in the processing of malformed web content. A
    web page containing malicious content could cause Firefox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722,
    CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)
    
    It was found that Firefox skipped key-pinning checks when handling an
    error that could be overridden by the user (for example an expired
    certificate error). This flaw allowed a user to override a pinned
    certificate, which is an action the user should not be able to
    perform. (CVE-2015-2741)
    
    A flaw was discovered in Mozilla's PDF.js PDF file viewer. When
    combined with another vulnerability, it could allow execution of
    arbitrary code with the privileges of the user running Firefox.
    (CVE-2015-2743)
    
    After installing the update, Firefox must be restarted for the changes
    to take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1507&L=scientific-linux-errata&F=&S=&P=75
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b38e0efa"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox and / or firefox-debuginfo packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL5", reference:"firefox-38.1.0-1.el5_11")) flag++;
    if (rpm_check(release:"SL5", reference:"firefox-debuginfo-38.1.0-1.el5_11")) flag++;
    
    if (rpm_check(release:"SL6", reference:"firefox-38.1.0-1.el6_6")) flag++;
    if (rpm_check(release:"SL6", reference:"firefox-debuginfo-38.1.0-1.el6_6")) flag++;
    
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"firefox-38.1.0-1.el7_1")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"firefox-debuginfo-38.1.0-1.el7_1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox / firefox-debuginfo");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2656-2.NASL
    description: USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and later releases. This update provides the corresponding update for Ubuntu 12.04 LTS. Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. (CVE-2015-2721) Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2722, CVE-2015-2733) Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher, Andreas Pehrson, Tooru Fujisawa, Andrew Sutherland, and Gary Kwong discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2726) Armin Razmdjou discovered that opening hyperlinks with specific mouse and key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2015-2727) Paul Bandha discovered a type confusion bug in the Indexed DB Manager. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2728) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-2729) Watson Ladd discovered that NSS incorrectly handled Elliptical Curve Cryptography (ECC) multiplication. A remote attacker could possibly use this issue to spoof ECDSA signatures. (CVE-2015-2730) A use-after-free was discovered when a Content Policy modifies the DOM to remove a DOM object. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2731) Ronald Crane discovered multiple security vulnerabilities. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) David Keeler discovered that key pinning checks can be skipped when an overridable certificate error occurs. This allows a user to manually override an error for a fake certificate, but cannot be exploited on its own. (CVE-2015-2741) Jonas Jenwald discovered that some internal workers were incorrectly executed with a high privilege. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this in combination with another security vulnerability, to execute arbitrary code in a privileged scope. (CVE-2015-2743) Matthew Green discovered a DHE key processing issue in NSS where a MITM could force a server to downgrade TLS connections to 512-bit export-grade cryptography. An attacker could potentially exploit this to impersonate the server. (CVE-2015-4000). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84794
    published: 2015-07-16
    reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84794
    title: Ubuntu 12.04 LTS : firefox vulnerabilities (USN-2656-2) (Logjam)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2656-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84794);
      script_version("2.16");
      script_cvs_date("Date: 2019/09/18 12:31:44");
    
      script_cve_id("CVE-2015-2721", "CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2726", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2730", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743", "CVE-2015-4000");
      script_bugtraq_id(75541);
      script_xref(name:"USN", value:"2656-2");
    
      script_name(english:"Ubuntu 12.04 LTS : firefox vulnerabilities (USN-2656-2) (Logjam)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and
    later releases.
    
    This update provides the corresponding update for Ubuntu 12.04 LTS.
    
    Karthikeyan Bhargavan discovered that NSS incorrectly handled state
    transitions for the TLS state machine. If a remote attacker were able
    to perform a man-in-the-middle attack, this flaw could be exploited to
    skip the ServerKeyExchange message and remove the forward-secrecy
    property. (CVE-2015-2721)
    
    Looben Yan discovered 2 use-after-free issues when using
    XMLHttpRequest in some circumstances. If a user were tricked
    in to opening a specially crafted website, an attacker could
    potentially exploit these to cause a denial of service via
    application crash, or execute arbitrary code with the
    privileges of the user invoking Firefox. (CVE-2015-2722,
    CVE-2015-2733)
    
    Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight,
    Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher,
    Andreas Pehrson, Tooru Fujisawa, Andrew Sutherland, and Gary
    Kwong discovered multiple memory safety issues in Firefox.
    If a user were tricked in to opening a specially crafted
    website, an attacker could potentially exploit these to
    cause a denial of service via application crash, or execute
    arbitrary code with the privileges of the user invoking
    Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2726)
    
    Armin Razmdjou discovered that opening hyperlinks with
    specific mouse and key combinations could allow a Chrome
    privileged URL to be opened without context restrictions
    being preserved. If a user were tricked in to opening a
    specially crafted website, an attacker could potentially
    exploit this to bypass security restrictions.
    (CVE-2015-2727)
    
    Paul Bandha discovered a type confusion bug in the Indexed
    DB Manager. If a user were tricked in to opening a specially
    crafted website, an attacker could potentially exploit this
    to cause a denial of service via application crash or
    execute arbitrary code with the privileges of the user
    invoking Firefox. (CVE-2015-2728)
    
    Holger Fuhrmannek discovered an out-of-bounds read in Web
    Audio. If a user were tricked in to opening a specially
    crafted website, an attacker could potentially exploit this
    to obtain sensitive information. (CVE-2015-2729)
    
    Watson Ladd discovered that NSS incorrectly handled
    Elliptical Curve Cryptography (ECC) multiplication. A remote
    attacker could possibly use this issue to spoof ECDSA
    signatures. (CVE-2015-2730)
    
    A use-after-free was discovered when a Content Policy
    modifies the DOM to remove a DOM object. If a user were
    tricked in to opening a specially crafted website, an
    attacker could potentially exploit this to cause a denial of
    service via application crash or execute arbitrary code with
    the privileges of the user invoking Firefox. (CVE-2015-2731)
    
    Ronald Crane discovered multiple security vulnerabilities.
    If a user were tricked in to opening a specially crafted
    website, an attacker could potentially exploit these to
    cause a denial of service via application crash, or execute
    arbitrary code with the privileges of the user invoking
    Firefox. (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)
    
    David Keeler discovered that key pinning checks can be
    skipped when an overridable certificate error occurs. This
    allows a user to manually override an error for a fake
    certificate, but cannot be exploited on its own.
    (CVE-2015-2741)
    
    Jonas Jenwald discovered that some internal workers were
    incorrectly executed with a high privilege. If a user were
    tricked in to opening a specially crafted website, an
    attacker could potentially exploit this in combination with
    another security vulnerability, to execute arbitrary code in
    a privileged scope. (CVE-2015-2743)
    
    Matthew Green discovered a DHE key processing issue in NSS
    where a MITM could force a server to downgrade TLS
    connections to 512-bit export-grade cryptography. An
    attacker could potentially exploit this to impersonate the
    server. (CVE-2015-4000).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2656-2/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/16");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"39.0+build5-0ubuntu0.12.04.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL family: Windows
    NASL id: MOZILLA_FIREFOX_39_0.NASL
    description: The version of Firefox installed on the remote Windows host is prior to 39.0. It is, therefore, affected by multiple vulnerabilities : - A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for a ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721) - Multiple use-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733) - Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725) - A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code. (CVE-2015-2727) - A type confusion flaw exists in the Indexed Database Manager
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84581
    published: 2015-07-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84581
    title: Firefox < 39.0 Multiple Vulnerabilities (Logjam)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84581);
      script_version("1.13");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2015-2721",
        "CVE-2015-2722",
        "CVE-2015-2724",
        "CVE-2015-2727",
        "CVE-2015-2728",
        "CVE-2015-2729",
        "CVE-2015-2730",
        "CVE-2015-2731",
        "CVE-2015-2733",
        "CVE-2015-2734",
        "CVE-2015-2735",
        "CVE-2015-2736",
        "CVE-2015-2737",
        "CVE-2015-2738",
        "CVE-2015-2739",
        "CVE-2015-2740",
        "CVE-2015-2741",
        "CVE-2015-2743",
        "CVE-2015-4000"
      );
      script_bugtraq_id(74733);
    
      script_name(english:"Firefox < 39.0 Multiple Vulnerabilities (Logjam)");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Firefox installed on the remote Windows host is prior
    to 39.0. It is, therefore, affected by multiple vulnerabilities :
    
      - A security downgrade vulnerability exists due to a flaw
        in Network Security Services (NSS). When a client allows
        for a ECDHE_ECDSA exchange, but the server does not send 
        a ServerKeyExchange message, the NSS client will take
        the EC key from the ECDSA certificate. A remote attacker
        can exploit this to silently downgrade the exchange to a
        non-forward secret mixed-ECDH exchange. (CVE-2015-2721)
    
      - Multiple use-after-free errors exist when using an
        XMLHttpRequest object in concert with either shared or
        dedicated workers. A remote attacker can exploit this
        to cause a denial of service condition. (CVE-2015-2722,
        CVE-2015-2733)
    
      - Multiple memory corruption issues exist that allow an
        attacker to cause a denial of service condition or
        potentially execute arbitrary code. (CVE-2015-2724,
        CVE-2015-2725)
    
      - A security bypass vulnerability exists due to a failure
        to preserve context restrictions. A remote attacker can
        exploit this, via a crafted web site that is accessed
        with unspecified mouse and keyboard actions, to read
        arbitrary files or execute arbitrary JavaScript code.
        (CVE-2015-2727)
    
      - A type confusion flaw exists in the Indexed Database
        Manager's handling of IDBDatabase. A remote attacker can
        exploit this to cause a denial of service condition or
        to execute arbitrary code. (CVE-2015-2728)
    
      - An out-of-bounds read flaw exists in the
        AudioParamTimeline::AudioNodeInputValue() function when
        computing oscillator rendering ranges. An attacker can
        exploit this to disclose the contents of four bytes of
        memory or cause a denial of service condition.
        (CVE-2015-2729)
    
      - A signature spoofing vulnerability exists due to a flaw
        in Network Security Services (NSS) in its Elliptic Curve
        Digital Signature Algorithm (ECDSA) signature
        validation. A remote attacker can exploit this to forge
        signatures. (CVE-2015-2730)
    
      - A use-after-free error exists in the
        CSPService::ShouldLoad() function when modifying the
        Document Object Model to remove a DOM object. An
        attacker can exploit this to dereference already freed
        memory, potentially resulting in the execution of
        arbitrary code. (CVE-2015-2731)
    
      - An uninitialized memory use issue exists in the
        CairoTextureClientD3D9::BorrowDrawTarget() function, the
        ::d3d11::SetBufferData() function, and the
        YCbCrImageDataDeserializer::ToDataSourceSurface()
        function. The impact is unspecified. (CVE-2015-2734,
        CVE-2015-2737, CVE-2015-2738)
    
      - A memory corruption issue exists in the
        nsZipArchive::GetDataOffset() function due to improper
        string length checks. An attacker can exploit this, via
        a crafted ZIP archive, to potentially execute arbitrary
        code. (CVE-2015-2735)
    
      - A memory corruption issue exists in the
        nsZipArchive::BuildFileList() function due to improper
        validation of user-supplied input. An attacker can
        exploit this, via a crafted ZIP archive, to potentially
        execute arbitrary code. (CVE-2015-2736)
    
      - An unspecified memory corruption issue exists in the
        ArrayBufferBuilder::append() function due to improper
        validation of user-supplied input. An attacker can
        exploit this to potentially execute arbitrary code.
        (CVE-2015-2739)
    
      - A buffer overflow condition exists in the
        nsXMLHttpRequest::AppendToResponseText() function due to
        improper validation of user-supplied input. An attacker
        can exploit this to potentially execute arbitrary code.
        (CVE-2015-2740)
    
      - A security bypass vulnerability exists due to a flaw in
        certificate pinning checks. Key pinning is not enforced
        upon encountering an X.509 certificate problem that
        generates a user dialog. A man-in-the-middle attacker
        can exploit this to bypass intended access restrictions.
        (CVE-2015-2741)
    
      - A privilege escalation vulnerability exists in the PDF
        viewer (PDF.js) due to internal workers being executed
        insecurely. An attacker can exploit this, by leveraging
        a Same Origin Policy bypass, to execute arbitrary code.
        (CVE-2015-2743)
    
      - A man-in-the-middle vulnerability, known as Logjam,
        exists due to a flaw in the SSL/TLS protocol. A remote
        attacker can exploit this flaw to downgrade connections
        using ephemeral Diffie-Hellman key exchange to 512-bit
        export-grade cryptography. (CVE-2015-4000)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/");
      script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Firefox 39.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2740");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mozilla_org_installed.nasl");
      script_require_keys("Mozilla/Firefox/Version");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    installs = get_kb_list("SMB/Mozilla/Firefox/*");
    if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");
    
    mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'39.0', severity:SECURITY_HOLE);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FIREFOX_38_1_ESR.NASL
    description: The version of Firefox ESR installed on the remote Mac OS X host is prior to 38.1. It is, therefore, affected by multiple vulnerabilities : - A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for an ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721) - Multiple use-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733) - Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725) - A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code. (CVE-2015-2727) - A type confusion flaw exists in the Indexed Database Manager
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84576
    published: 2015-07-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84576
    title: Firefox ESR < 38.1 Multiple Vulnerabilities (Mac OS X) (Logjam)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84576);
      script_version("1.13");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2015-2721",
        "CVE-2015-2722",
        "CVE-2015-2724",
        "CVE-2015-2727",
        "CVE-2015-2728",
        "CVE-2015-2729",
        "CVE-2015-2730",
        "CVE-2015-2731",
        "CVE-2015-2733",
        "CVE-2015-2734",
        "CVE-2015-2735",
        "CVE-2015-2736",
        "CVE-2015-2737",
        "CVE-2015-2738",
        "CVE-2015-2739",
        "CVE-2015-2740",
        "CVE-2015-2741",
        "CVE-2015-2743",
        "CVE-2015-4000"
      );
      script_bugtraq_id(74733);
    
      script_name(english:"Firefox ESR < 38.1 Multiple Vulnerabilities (Mac OS X) (Logjam)");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Firefox ESR installed on the remote Mac OS X host is\
    prior to 38.1. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A security downgrade vulnerability exists due to a flaw
        in Network Security Services (NSS). When a client allows
        for an ECDHE_ECDSA exchange, but the server does not send
        a ServerKeyExchange message, the NSS client will take
        the EC key from the ECDSA certificate. A remote attacker
        can exploit this to silently downgrade the exchange to a
        non-forward secret mixed-ECDH exchange. (CVE-2015-2721)
    
      - Multiple use-after-free errors exist when using an
        XMLHttpRequest object in concert with either shared or
        dedicated workers. A remote attacker can exploit this
        to cause a denial of service condition. (CVE-2015-2722,
        CVE-2015-2733)
    
      - Multiple memory corruption issues exist that allow an
        attacker to cause a denial of service condition or
        potentially execute arbitrary code. (CVE-2015-2724, 
        CVE-2015-2725)
    
      - A security bypass vulnerability exists due to a failure
        to preserve context restrictions. A remote attacker can
        exploit this, via a crafted web site that is accessed
        with unspecified mouse and keyboard actions, to read
        arbitrary files or execute arbitrary JavaScript code.
        (CVE-2015-2727)
    
      - A type confusion flaw exists in the Indexed Database
        Manager's handling of IDBDatabase. A remote attacker can
        exploit this to cause a denial of service condition or
        to execute arbitrary code. (CVE-2015-2728)
    
      - An out-of-bounds read flaw exists in the
        AudioParamTimeline::AudioNodeInputValue() function when
        computing oscillator rendering ranges. An attacker can
        exploit this to disclose the contents of four bytes of
        memory or cause a denial of service condition.
        (CVE-2015-2729)
    
      - A signature spoofing vulnerability exists due to a flaw
        in Network Security Services (NSS) in its Elliptic Curve
        Digital Signature Algorithm (ECDSA) signature
        validation. A remote attacker can exploit this to forge
        signatures. (CVE-2015-2730)
    
      - A use-after-free error exists in the
        CSPService::ShouldLoad() function when modifying the
        Document Object Model to remove a DOM object. An
        attacker can exploit this to dereference already freed
        memory, potentially resulting in the execution of
        arbitrary code. (CVE-2015-2731)
    
      - An uninitialized memory use issue exists in the
        CairoTextureClientD3D9::BorrowDrawTarget() function, the
        ::d3d11::SetBufferData() function, and the
        YCbCrImageDataDeserializer::ToDataSourceSurface()
        function. The impact is unspecified. (CVE-2015-2734,
        CVE-2015-2737, CVE-2015-2738)
    
      - A memory corruption issue exists in the
        nsZipArchive::GetDataOffset() function due to improper
        string length checks. An attacker can exploit this, via
        a crafted ZIP archive, to potentially execute arbitrary
        code. (CVE-2015-2735)
    
      - A memory corruption issue exists in the
        nsZipArchive::BuildFileList() function due to improper
        validation of user-supplied input. An attacker can
        exploit this, via a crafted ZIP archive, to potentially
        execute arbitrary code. (CVE-2015-2736)
    
      - An unspecified memory corruption issue exists in the
        ArrayBufferBuilder::append() function due to improper
        validation of user-supplied input. An attacker can
        exploit this to potentially execute arbitrary code.
        (CVE-2015-2739)
    
      - A buffer overflow condition exists in the
        nsXMLHttpRequest::AppendToResponseText() function due to
        improper validation of user-supplied input. An attacker
        can exploit this to potentially execute arbitrary code.
        (CVE-2015-2740)
    
      - A security bypass vulnerability exists due to a flaw in
        certificate pinning checks. Key pinning is not enforced
        upon encountering an X.509 certificate problem that
        generates a user dialog. A man-in-the-middle attacker
        can exploit this to bypass intended access restrictions.
        (CVE-2015-2741)
    
      - A privilege escalation vulnerability exists in the PDF
        viewer (PDF.js) due to internal workers being executed
        insecurely. An attacker can exploit this, by leveraging
        a Same Origin Policy bypass, to execute arbitrary code.
        (CVE-2015-2743)
    
      - A man-in-the-middle vulnerability, known as Logjam,
        exists due to a flaw in the SSL/TLS protocol. A remote
        attacker can exploit this flaw to downgrade connections
        using ephemeral Diffie-Hellman key exchange to 512-bit
        export-grade cryptography. (CVE-2015-4000)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/");
      script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Firefox 38.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2740");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");
    
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    
    is_esr = get_kb_item(kb_base+"/is_esr");
    if (isnull(is_esr)) audit(AUDIT_NOT_INST, "Mozilla Firefox ESR");
    
    mozilla_check_version(product:'firefox', version:version, path:path, esr:TRUE, fix:'38.1', min:'38.0', severity:SECURITY_HOLE);
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2015-480.NASL
    description: MozillaFirefox was updated to version 39.0 to fix 21 security issues. These security issues were fixed : - CVE-2015-2724/CVE-2015-2725/CVE-2015-2726: Miscellaneous memory safety hazards (bsc#935979). - CVE-2015-2727: Local files or privileged URLs in pages can be opened into new tabs (bsc#935979). - CVE-2015-2728: Type confusion in Indexed Database Manager (bsc#935979). - CVE-2015-2729: Out-of-bound read while computing an oscillator rendering range in Web Audio (bsc#935979). - CVE-2015-2731: Use-after-free in Content Policy due to microtask execution error (bsc#935979). - CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly (bsc#935979). - CVE-2015-2722/CVE-2015-2733: Use-after-free in workers while using XMLHttpRequest (bsc#935979). - CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740: Vulnerabilities found through code inspection (bsc#935979). - CVE-2015-2741: Key pinning is ignored when overridable errors are encountered (bsc#935979). - CVE-2015-2743: Privilege escalation in PDF.js (bsc#935979). - CVE-2015-4000: NSS accepts export-length DHE keys with regular DHE cipher suites (bsc#935979). - CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange (bsc#935979). New features : - Share Hello URLs with social networks - Support for
    last seen: 2020-06-05
    modified: 2015-07-14
    plugin id: 84720
    published: 2015-07-14
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84720
    title: openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2015-480) (Logjam)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-480.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84720);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-2721", "CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2726", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2730", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743", "CVE-2015-4000");
    
      script_name(english:"openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2015-480) (Logjam)");
      script_summary(english:"Check for the openSUSE-2015-480 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "MozillaFirefox was updated to version 39.0 to fix 21 security issues.
    
    These security issues were fixed :
    
      - CVE-2015-2724/CVE-2015-2725/CVE-2015-2726: Miscellaneous
        memory safety hazards (bsc#935979).
    
      - CVE-2015-2727: Local files or privileged URLs in pages
        can be opened into new tabs (bsc#935979).
    
      - CVE-2015-2728: Type confusion in Indexed Database
        Manager (bsc#935979).
    
      - CVE-2015-2729: Out-of-bound read while computing an
        oscillator rendering range in Web Audio (bsc#935979).
    
      - CVE-2015-2731: Use-after-free in Content Policy due to
        microtask execution error (bsc#935979).
    
      - CVE-2015-2730: ECDSA signature validation fails to
        handle some signatures correctly (bsc#935979).
    
      - CVE-2015-2722/CVE-2015-2733: Use-after-free in workers
        while using XMLHttpRequest (bsc#935979).
    
      -
        CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/
        CVE-2015-2738/CVE-2015-2739/CVE-2015-2740:
        Vulnerabilities found through code inspection
        (bsc#935979).
    
      - CVE-2015-2741: Key pinning is ignored when overridable
        errors are encountered (bsc#935979).
    
      - CVE-2015-2743: Privilege escalation in PDF.js
        (bsc#935979).
    
      - CVE-2015-4000: NSS accepts export-length DHE keys with
        regular DHE cipher suites (bsc#935979).
    
      - CVE-2015-2721: NSS incorrectly permits skipping of
        ServerKeyExchange (bsc#935979).
    
    New features :
    
      - Share Hello URLs with social networks
    
      - Support for 'switch' role in ARIA 1.1 (web
        accessibility)
    
      - SafeBrowsing malware detection lookups enabled for
        downloads (Mac OS X and Linux)
    
      - Support for new Unicode 8.0 skin tone emoji
    
      - Removed support for insecure SSLv3 for network
        communications
    
      - Disable use of RC4 except for temporarily whitelisted
        hosts
    
      - NPAPI Plug-in performance improved via asynchronous
        initialization
    
    mozilla-nss was updated to version 3.19.2 to fix some of the security
    issues listed above."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=932142"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=933439"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=935979"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected MozillaFirefox / mozilla-nss packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/03");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-39.0-78.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debugsource-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-devel-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-debuginfo-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.19.2-59.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-branding-upstream-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-buildsymbols-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debuginfo-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debugsource-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-devel-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-common-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-other-39.0-34.2") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libfreebl3-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libfreebl3-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libsoftokn3-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libsoftokn3-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-certs-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-certs-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-debugsource-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-devel-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-sysinit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-sysinit-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-tools-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-tools-debuginfo-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libfreebl3-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libsoftokn3-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.19.2-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.19.2-16.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-1207.NASL
    description: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) A flaw was discovered in Mozilla
    last seen: 2020-05-31
    modified: 2015-07-06
    plugin id: 84535
    published: 2015-07-06
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84535
    title: RHEL 5 / 6 / 7 : firefox (RHSA-2015:1207)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:1207. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84535);
      script_version("2.22");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/29");
    
      script_cve_id("CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743");
      script_bugtraq_id(75541);
      script_xref(name:"RHSA", value:"2015:1207");
    
      script_name(english:"RHEL 5 / 6 / 7 : firefox (RHSA-2015:1207)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Updated firefox packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 5, 6, and 7.
    
    Red Hat Product Security has rated this update as having Critical
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Mozilla Firefox is an open source web browser. XULRunner provides the
    XUL Runtime environment for Mozilla Firefox.
    
    Several flaws were found in the processing of malformed web content. A
    web page containing malicious content could cause Firefox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722,
    CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)
    
    It was found that Firefox skipped key-pinning checks when handling an
    error that could be overridden by the user (for example an expired
    certificate error). This flaw allowed a user to override a pinned
    certificate, which is an action the user should not be able to
    perform. (CVE-2015-2741)
    
    A flaw was discovered in Mozilla's PDF.js PDF file viewer. When
    combined with another vulnerability, it could allow execution of
    arbitrary code with the privileges of the user running Firefox.
    (CVE-2015-2743)
    
    Red Hat would like to thank the Mozilla project for reporting these
    issues. Upstream acknowledges Bob Clary, Christian Holler, Bobby
    Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren,
    Wes Kocher, Andreas Pehrson, Jann Horn, Paul Bandha, Holger
    Fuhrmannek, Herre, Looben Yan, Ronald Crane, and Jonas Jenwald as the
    original reporters of these issues.
    
    All Firefox users should upgrade to these updated packages, which
    contain Firefox version 38.1 ESR, which corrects these issues. After
    installing the update, Firefox must be restarted for the changes to
    take effect."
      );
      # https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8b5eaff4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2015:1207"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2737"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2733"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2743"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2740"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2728"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2729"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2739"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2738"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2735"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2736"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2722"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2734"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2724"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2725"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2731"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-2727"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected firefox and / or firefox-debuginfo packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2015:1207";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", reference:"firefox-38.1.0-1.el5_11", allowmaj:TRUE)) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"firefox-debuginfo-38.1.0-1.el5_11", allowmaj:TRUE)) flag++;
    
    
      if (rpm_check(release:"RHEL6", reference:"firefox-38.1.0-1.el6_6", allowmaj:TRUE)) flag++;
    
      if (rpm_check(release:"RHEL6", reference:"firefox-debuginfo-38.1.0-1.el6_6", allowmaj:TRUE)) flag++;
    
    
      if (rpm_check(release:"RHEL7", reference:"firefox-38.1.0-1.el7_1", allowmaj:TRUE)) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"firefox-debuginfo-38.1.0-1.el7_1", allowmaj:TRUE)) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox / firefox-debuginfo");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-1207.NASL
    description: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) A flaw was discovered in Mozilla
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84550
    published: 2015-07-07
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84550
    title: CentOS 5 / 6 / 7 : firefox (CESA-2015:1207)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:1207 and 
    # CentOS Errata and Security Advisory 2015:1207 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84550);
      script_version("2.14");
      script_cvs_date("Date: 2020/02/18");
    
      script_cve_id("CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743");
      script_bugtraq_id(75541);
      script_xref(name:"RHSA", value:"2015:1207");
    
      script_name(english:"CentOS 5 / 6 / 7 : firefox (CESA-2015:1207)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated firefox packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 5, 6, and 7.
    
    Red Hat Product Security has rated this update as having Critical
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Mozilla Firefox is an open source web browser. XULRunner provides the
    XUL Runtime environment for Mozilla Firefox.
    
    Several flaws were found in the processing of malformed web content. A
    web page containing malicious content could cause Firefox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722,
    CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
    CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)
    
    It was found that Firefox skipped key-pinning checks when handling an
    error that could be overridden by the user (for example an expired
    certificate error). This flaw allowed a user to override a pinned
    certificate, which is an action the user should not be able to
    perform. (CVE-2015-2741)
    
    A flaw was discovered in Mozilla's PDF.js PDF file viewer. When
    combined with another vulnerability, it could allow execution of
    arbitrary code with the privileges of the user running Firefox.
    (CVE-2015-2743)
    
    Red Hat would like to thank the Mozilla project for reporting these
    issues. Upstream acknowledges Bob Clary, Christian Holler, Bobby
    Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren,
    Wes Kocher, Andreas Pehrson, Jann Horn, Paul Bandha, Holger
    Fuhrmannek, Herre, Looben Yan, Ronald Crane, and Jonas Jenwald as the
    original reporters of these issues.
    
    All Firefox users should upgrade to these updated packages, which
    contain Firefox version 38.1 ESR, which corrects these issues. After
    installing the update, Firefox must be restarted for the changes to
    take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-July/021232.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5166f949"
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-July/021233.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?afcd2fb5"
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-July/021234.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f2ae3151"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2722");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x / 6.x / 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"firefox-38.1.0-1.el5.centos", allowmaj:TRUE)) flag++;
    
    if (rpm_check(release:"CentOS-6", reference:"firefox-38.1.0-1.el6.centos", allowmaj:TRUE)) flag++;
    
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"firefox-38.1.0-1.el7.centos", allowmaj:TRUE)) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2015-495.NASL
    description: MozillaThunderbird was updated to fix 20 security issues. These security issues were fixed : - CVE-2015-2727: Mozilla Firefox 38.0 and Firefox ESR 38.0 allowed user-assisted remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges via a crafted website that is accessed with unspecified mouse and keyboard actions. NOTE: this vulnerability exists because of a CVE-2015-0821 regression (bsc#935979). - CVE-2015-2725: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bsc#935979). - CVE-2015-2736: The nsZipArchive::BuildFileList function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 accesses unintended memory locations, which allowed remote attackers to have an unspecified impact via a crafted ZIP archive (bsc#935979). - CVE-2015-2724: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bsc#935979). - CVE-2015-2730: Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, did not properly perform Elliptical Curve Cryptography (ECC) multiplications, which made it easier for remote attackers to spoof ECDSA signatures via unspecified vectors (bsc#935979). - CVE-2015-2743: PDF.js in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 enables excessive privileges for internal Workers, which might allowed remote attackers to execute arbitrary code by leveraging a Same Origin Policy bypass (bsc#935979). - CVE-2015-2740: Buffer overflow in the nsXMLHttpRequest::AppendToResponseText function in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 might allowed remote attackers to cause a denial of service or have unspecified other impact via unknown vectors (bsc#935979). - CVE-2015-2741: Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allowed user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled (bsc#935979). - CVE-2015-2728: The IndexedDatabaseManager class in the IndexedDB implementation in Mozilla Firefox before 39.0 and Firefox ESR 31.x before 31.8 and 38.x before 38.1 misinterprets an unspecified IDBDatabase field as a pointer, which allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors, related to a
    last seen: 2020-06-05
    modified: 2015-07-20
    plugin id: 84864
    published: 2015-07-20
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/84864
    title: openSUSE Security Update : MozillaThunderbird (openSUSE-2015-495) (Logjam)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-495.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84864);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-0821", "CVE-2015-2721", "CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2730", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743", "CVE-2015-4000");
    
      script_name(english:"openSUSE Security Update : MozillaThunderbird (openSUSE-2015-495) (Logjam)");
      script_summary(english:"Check for the openSUSE-2015-495 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "MozillaThunderbird was updated to fix 20 security issues.
    
    These security issues were fixed :
    
      - CVE-2015-2727: Mozilla Firefox 38.0 and Firefox ESR 38.0
        allowed user-assisted remote attackers to read arbitrary
        files or execute arbitrary JavaScript code with chrome
        privileges via a crafted website that is accessed with
        unspecified mouse and keyboard actions. NOTE: this
        vulnerability exists because of a CVE-2015-0821
        regression (bsc#935979).
    
      - CVE-2015-2725: Multiple unspecified vulnerabilities in
        the browser engine in Mozilla Firefox before 39.0,
        Firefox ESR 38.x before 38.1, and Thunderbird before
        38.1 allowed remote attackers to cause a denial of
        service (memory corruption and application crash) or
        possibly execute arbitrary code via unknown vectors
        (bsc#935979).
    
      - CVE-2015-2736: The nsZipArchive::BuildFileList function
        in Mozilla Firefox before 39.0, Firefox ESR 31.x before
        31.8 and 38.x before 38.1, and Thunderbird before 38.1
        accesses unintended memory locations, which allowed
        remote attackers to have an unspecified impact via a
        crafted ZIP archive (bsc#935979).
    
      - CVE-2015-2724: Multiple unspecified vulnerabilities in
        the browser engine in Mozilla Firefox before 39.0,
        Firefox ESR 31.x before 31.8 and 38.x before 38.1, and
        Thunderbird before 38.1 allowed remote attackers to
        cause a denial of service (memory corruption and
        application crash) or possibly execute arbitrary code
        via unknown vectors (bsc#935979).
    
      - CVE-2015-2730: Mozilla Network Security Services (NSS)
        before 3.19.1, as used in Mozilla Firefox before 39.0,
        Firefox ESR 31.x before 31.8 and 38.x before 38.1, and
        other products, did not properly perform Elliptical
        Curve Cryptography (ECC) multiplications, which made it
        easier for remote attackers to spoof ECDSA signatures
        via unspecified vectors (bsc#935979).
    
      - CVE-2015-2743: PDF.js in Mozilla Firefox before 39.0 and
        Firefox ESR 31.x before 31.8 and 38.x before 38.1
        enables excessive privileges for internal Workers, which
        might allowed remote attackers to execute arbitrary code
        by leveraging a Same Origin Policy bypass (bsc#935979).
    
      - CVE-2015-2740: Buffer overflow in the
        nsXMLHttpRequest::AppendToResponseText function in
        Mozilla Firefox before 39.0, Firefox ESR 31.x before
        31.8 and 38.x before 38.1, and Thunderbird before 38.1
        might allowed remote attackers to cause a denial of
        service or have unspecified other impact via unknown
        vectors (bsc#935979).
    
      - CVE-2015-2741: Mozilla Firefox before 39.0, Firefox ESR
        38.x before 38.1, and Thunderbird before 38.1 do not
        enforce key pinning upon encountering an X.509
        certificate problem that generates a user dialog, which
        allowed user-assisted man-in-the-middle attackers to
        bypass intended access restrictions by triggering a (1)
        expired certificate or (2) mismatched hostname for a
        domain with pinning enabled (bsc#935979).
    
      - CVE-2015-2728: The IndexedDatabaseManager class in the
        IndexedDB implementation in Mozilla Firefox before 39.0
        and Firefox ESR 31.x before 31.8 and 38.x before 38.1
        misinterprets an unspecified IDBDatabase field as a
        pointer, which allowed remote attackers to execute
        arbitrary code or cause a denial of service (memory
        corruption and application crash) via unspecified
        vectors, related to a 'type confusion' issue
        (bsc#935979).
    
      - CVE-2015-2729: The
        AudioParamTimeline::AudioNodeInputValue function in the
        Web Audio implementation in Mozilla Firefox before 39.0
        and Firefox ESR 38.x before 38.1 did not properly
        calculate an oscillator rendering range, which allowed
        remote attackers to obtain sensitive information from
        process memory or cause a denial of service
        (out-of-bounds read) via unspecified vectors
        (bsc#935979).
    
      - CVE-2015-2739: The ArrayBufferBuilder::append function
        in Mozilla Firefox before 39.0, Firefox ESR 31.x before
        31.8 and 38.x before 38.1, and Thunderbird before 38.1
        accesses unintended memory locations, which has
        unspecified impact and attack vectors (bsc#935979).
    
      - CVE-2015-2738: The
        YCbCrImageDataDeserializer::ToDataSourceSurface function
        in the YCbCr implementation in Mozilla Firefox before
        39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1,
        and Thunderbird before 38.1 reads data from
        uninitialized memory locations, which has unspecified
        impact and attack vectors (bsc#935979).
    
      - CVE-2015-2737: The rx::d3d11::SetBufferData function in
        the Direct3D 11 implementation in Mozilla Firefox before
        39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1,
        and Thunderbird before 38.1 reads data from
        uninitialized memory locations, which has unspecified
        impact and attack vectors (bsc#935979).
    
      - CVE-2015-2721: Mozilla Network Security Services (NSS)
        before 3.19, as used in Mozilla Firefox before 39.0,
        Firefox ESR 31.x before 31.8 and 38.x before 38.1,
        Thunderbird before 38.1, and other products, did not
        properly determine state transitions for the TLS state
        machine, which allowed man-in-the-middle attackers to
        defeat cryptographic protection mechanisms by blocking
        messages, as demonstrated by removing a forward-secrecy
        property by blocking a ServerKeyExchange message, aka a
        'SMACK SKIP-TLS' issue (bsc#935979).
    
      - CVE-2015-2735: nsZipArchive.cpp in Mozilla Firefox
        before 39.0, Firefox ESR 31.x before 31.8 and 38.x
        before 38.1, and Thunderbird before 38.1 accesses
        unintended memory locations, which allowed remote
        attackers to have an unspecified impact via a crafted
        ZIP archive (bsc#935979).
    
      - CVE-2015-2734: The
        CairoTextureClientD3D9::BorrowDrawTarget function in the
        Direct3D 9 implementation in Mozilla Firefox before
        39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1,
        and Thunderbird before 38.1 reads data from
        uninitialized memory locations, which has unspecified
        impact and attack vectors (bsc#935979).
    
      - CVE-2015-2733: Use-after-free vulnerability in the
        CanonicalizeXPCOMParticipant function in Mozilla Firefox
        before 39.0 and Firefox ESR 31.x before 31.8 and 38.x
        before 38.1 allowed remote attackers to execute
        arbitrary code via vectors involving attachment of an
        XMLHttpRequest object to a dedicated worker
        (bsc#935979).
    
      - CVE-2015-2722: Use-after-free vulnerability in the
        CanonicalizeXPCOMParticipant function in Mozilla Firefox
        before 39.0 and Firefox ESR 31.x before 31.8 and 38.x
        before 38.1 allowed remote attackers to execute
        arbitrary code via vectors involving attachment of an
        XMLHttpRequest object to a shared worker (bsc#935979).
    
      - CVE-2015-2731: Use-after-free vulnerability in the
        CSPService::ShouldLoad function in the microtask
        implementation in Mozilla Firefox before 39.0, Firefox
        ESR 38.x before 38.1, and Thunderbird before 38.1
        allowed remote attackers to execute arbitrary code by
        leveraging client-side JavaScript that triggers removal
        of a DOM object on the basis of a Content Policy
        (bsc#935979).
    
      - CVE-2015-4000: The TLS protocol 1.2 and earlier, when a
        DHE_EXPORT ciphersuite is enabled on a server but not on
        a client, did not properly convey a DHE_EXPORT choice,
        which allowed man-in-the-middle attackers to conduct
        cipher-downgrade attacks by rewriting a ClientHello with
        DHE replaced by DHE_EXPORT and then rewriting a
        ServerHello with DHE_EXPORT replaced by DHE, aka the
        'Logjam' issue (bsc#931600)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=931600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=935979"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected MozillaThunderbird packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/14");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-buildsymbols-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debuginfo-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debugsource-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-devel-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-common-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-other-38.1.0-70.57.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-buildsymbols-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-debuginfo-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-debugsource-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-devel-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-translations-common-38.1.0-22.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"MozillaThunderbird-translations-other-38.1.0-22.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaThunderbird / MozillaThunderbird-buildsymbols / etc");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FIREFOX_39_0.NASL
    description: The version of Firefox installed on the remote Mac OS X host is prior to 39.0. It is, therefore, affected by multiple vulnerabilities : - A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for an ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721) - Multiple use-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733) - Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725) - A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code. (CVE-2015-2727) - A type confusion flaw exists in the Indexed Database Manager
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84577
    published: 2015-07-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84577
    title: Firefox < 39.0 Multiple Vulnerabilities (Mac OS X) (Logjam)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-1207.NASL
    description: From Red Hat Security Advisory 2015:1207 : Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) It was found that Firefox skipped key-pinning checks when handling an error that could be overridden by the user (for example an expired certificate error). This flaw allowed a user to override a pinned certificate, which is an action the user should not be able to perform. (CVE-2015-2741) A flaw was discovered in Mozilla
    last seen: 2020-05-31
    modified: 2015-07-06
    plugin id: 84534
    published: 2015-07-06
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84534
    title: Oracle Linux 5 / 6 / 7 : firefox (ELSA-2015-1207)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201512-10.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201512-10 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Thunderbird. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87710
    published: 2016-01-04
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87710
    title: GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2656-1.NASL
    description: Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. (CVE-2015-2721) Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2722, CVE-2015-2733) Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher, Andreas Pehrson, Tooru Fujisawa, Andrew Sutherland, and Gary Kwong discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2726) Armin Razmdjou discovered that opening hyperlinks with specific mouse and key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2015-2727) Paul Bandha discovered a type confusion bug in the Indexed DB Manager. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2728) Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-2729) Watson Ladd discovered that NSS incorrectly handled Elliptical Curve Cryptography (ECC) multiplication. A remote attacker could possibly use this issue to spoof ECDSA signatures. (CVE-2015-2730) A use-after-free was discovered when a Content Policy modifies the DOM to remove a DOM object. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2731) Ronald Crane discovered multiple security vulnerabilities. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740) David Keeler discovered that key pinning checks can be skipped when an overridable certificate error occurs. This allows a user to manually override an error for a fake certificate, but cannot be exploited on its own. (CVE-2015-2741) Jonas Jenwald discovered that some internal workers were incorrectly executed with a high privilege. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this in combination with another security vulnerability, to execute arbitrary code in a privileged scope. (CVE-2015-2743) Matthew Green discovered a DHE key processing issue in NSS where a MITM could force a server to downgrade TLS connections to 512-bit export-grade cryptography. An attacker could potentially exploit this to impersonate the server. (CVE-2015-4000).
    Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84664
    published: 2015-07-13
    reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84664
    title: Ubuntu 14.04 LTS / 14.10 / 15.04 : firefox vulnerabilities (USN-2656-1) (Logjam)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_44D9DAEE940C417986BB6E3FFD617869.NASL
    description: The Mozilla Project reports : MFSA 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1) MFSA 2015-60 Local files or privileged URLs in pages can be opened into new tabs MFSA 2015-61 Type confusion in Indexed Database Manager MFSA 2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio MFSA 2015-63 Use-after-free in Content Policy due to microtask execution error MFSA 2015-64 ECDSA signature validation fails to handle some signatures correctly MFSA 2015-65 Use-after-free in workers while using XMLHttpRequest MFSA 2015-66 Vulnerabilities found through code inspection MFSA 2015-67 Key pinning is ignored when overridable errors are encountered MFSA 2015-68 OS X crash reports may contain entered key press information MFSA 2015-69 Privilege escalation through internal workers MFSA 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites MFSA 2015-71 NSS incorrectly permits skipping of ServerKeyExchange
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84780
    published: 2015-07-16
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84780
    title: FreeBSD : mozilla -- multiple vulnerabilities (44d9daee-940c-4179-86bb-6e3ffd617869) (Logjam)
  • NASL family: Windows
    NASL id: MOZILLA_FIREFOX_38_1_ESR.NASL
    description: The version of Firefox ESR installed on the remote Windows host is prior to 38.1. It is, therefore, affected by multiple vulnerabilities : - A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for an ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721) - Multiple use-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733) - Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725) - A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code. (CVE-2015-2727) - A type confusion flaw exists in the Indexed Database Manager
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84580
    published: 2015-07-07
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84580
    title: Firefox ESR < 38.1 Multiple Vulnerabilities (Logjam)

Redhat

advisories
rhsa
id: RHSA-2015:1207
rpms
  • firefox-0:38.1.0-1.ael7b_1
  • firefox-0:38.1.0-1.el5_11
  • firefox-0:38.1.0-1.el6_6
  • firefox-0:38.1.0-1.el7_1
  • firefox-debuginfo-0:38.1.0-1.ael7b_1
  • firefox-debuginfo-0:38.1.0-1.el5_11
  • firefox-debuginfo-0:38.1.0-1.el6_6
  • firefox-debuginfo-0:38.1.0-1.el7_1