Vulnerabilities > CVE-2015-2730 - Cryptographic Issues vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84575);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2015-2721",
    "CVE-2015-2722",
    "CVE-2015-2724",
    "CVE-2015-2728",
    "CVE-2015-2730",
    "CVE-2015-2733",
    "CVE-2015-2734",
    "CVE-2015-2735",
    "CVE-2015-2736",
    "CVE-2015-2737",
    "CVE-2015-2738",
    "CVE-2015-2739",
    "CVE-2015-2740",
    "CVE-2015-2743",
    "CVE-2015-4000"
  );
  script_bugtraq_id(74733);

  script_name(english:"Firefox ESR < 31.8 Multiple Vulnerabilities (Mac OS X) (Logjam)");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Firefox ESR installed on the remote Mac OS X host i
prior to 31.8. It is, therefore, affected by multiple
vulnerabilities :

  - A security downgrade vulnerability exists due to a flaw
    in Network Security Services (NSS). When a client allows
    for a ECDHE_ECDSA exchange, but the server does not send 
    a ServerKeyExchange message, the NSS client will take
    the EC key from the ECDSA certificate. A remote attacker
    can exploit this to silently downgrade the exchange to a
    non-forward secret mixed-ECDH exchange. (CVE-2015-2721)

  - Multiple user-after-free errors exist when using an
    XMLHttpRequest object in concert with either shared or
    dedicated workers. A remote attacker can exploit this
    to cause a denial of service condition. (CVE-2015-2722,
    CVE-2015-2733)

  - Multiple memory corruption issues exist that allow an
    attacker to cause a denial of service condition or
    potentially execute arbitrary code. (CVE-2015-2724)

  - A type confusion flaw exists in the Indexed Database
    Manager's handling of IDBDatabase. A remote attacker can
    exploit this to cause a denial of service condition or
    to execute arbitrary code. (CVE-2015-2728)

  - A signature spoofing vulnerability exists due to a flaw
    in Network Security Services (NSS) in its Elliptic Curve
    Digital Signature Algorithm (ECDSA) signature
    validation. A remote attacker can exploit this to forge
    signatures. (CVE-2015-2730)

  - An uninitialized memory use issue exists in the
    CairoTextureClientD3D9::BorrowDrawTarget() function, the
    ::d3d11::SetBufferData() function, and the
    YCbCrImageDataDeserializer::ToDataSourceSurface()
    function. The impact is unspecified. (CVE-2015-2734,
    CVE-2015-2737, CVE-2015-2738)

  - A memory corruption issue exists in the
    nsZipArchive::GetDataOffset() function due to improper
    string length checks. An attacker can exploit this, via
    a crafted ZIP archive, to potentially execute arbitrary
    code. (CVE-2015-2735)

  - A memory corruption issue exists in the
    nsZipArchive::BuildFileList() function due to improper
    validation of user-supplied input. An attacker can
    exploit this, via a crafted ZIP archive, to potentially
    execute arbitrary code. (CVE-2015-2736)

  - An unspecified memory corruption issue exists in the
    ArrayBufferBuilder::append() function due to improper
    validation of user-supplied input. An attacker can
    exploit this to potentially execute arbitrary code.
    (CVE-2015-2739)

  - A buffer overflow condition exists in the
    nsXMLHttpRequest::AppendToResponseText() function due to
    improper validation of user-supplied input. An attacker
    can exploit this to potentially execute arbitrary code.
    (CVE-2015-2740)

  - A privilege escalation vulnerability exists in the PDF
    viewer (PDF.js) due to internal workers being executed
    insecurely. An attacker can exploit this, by leveraging
    a Same Origin Policy bypass, to execute arbitrary code.
    (CVE-2015-2743)

  - A man-in-the-middle vulnerability, known as Logjam,
    exists due to a flaw in the SSL/TLS protocol. A remote
    attacker can exploit this flaw to downgrade connections
    using ephemeral Diffie-Hellman key exchange to 512-bit
    export-grade cryptography. (CVE-2015-4000)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/");
  script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Firefox ESR 31.8 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2740");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

is_esr = get_kb_item(kb_base+"/is_esr");
if (isnull(is_esr)) audit(AUDIT_NOT_INST, "Mozilla Firefox ESR");

mozilla_check_version(product:'firefox', version:version, path:path, esr:TRUE, fix:'31.8', min:'31.0', severity:SECURITY_HOLE);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2656-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84794);
  script_version("2.16");
  script_cvs_date("Date: 2019/09/18 12:31:44");

  script_cve_id("CVE-2015-2721", "CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2726", "CVE-2015-2727", "CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2730", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734", "CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739", "CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743", "CVE-2015-4000");
  script_bugtraq_id(75541);
  script_xref(name:"USN", value:"2656-2");

  script_name(english:"Ubuntu 12.04 LTS : firefox vulnerabilities (USN-2656-2) (Logjam)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and
later releases.

This update provides the corresponding update for Ubuntu 12.04 LTS.

Karthikeyan Bhargavan discovered that NSS incorrectly handled state
transitions for the TLS state machine. If a remote attacker were able
to perform a man-in-the-middle attack, this flaw could be exploited to
skip the ServerKeyExchange message and remove the forward-secrecy
property. (CVE-2015-2721)

Looben Yan discovered 2 use-after-free issues when using
XMLHttpRequest in some circumstances. If a user were tricked
in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-2722,
CVE-2015-2733)

Bob Clary, Christian Holler, Bobby Holley, Andrew McCreight,
Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher,
Andreas Pehrson, Tooru Fujisawa, Andrew Sutherland, and Gary
Kwong discovered multiple memory safety issues in Firefox.
If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2726)

Armin Razmdjou discovered that opening hyperlinks with
specific mouse and key combinations could allow a Chrome
privileged URL to be opened without context restrictions
being preserved. If a user were tricked in to opening a
specially crafted website, an attacker could potentially
exploit this to bypass security restrictions.
(CVE-2015-2727)

Paul Bandha discovered a type confusion bug in the Indexed
DB Manager. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash or
execute arbitrary code with the priviliges of the user
invoking Firefox. (CVE-2015-2728)

Holger Fuhrmannek discovered an out-of-bounds read in Web
Audio. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2015-2729)

Watson Ladd discovered that NSS incorrectly handled
Elliptical Curve Cryptography (ECC) multiplication. A remote
attacker could possibly use this issue to spoof ECDSA
signatures. (CVE-2015-2730)

A use-after-free was discovered when a Content Policy
modifies the DOM to remove a DOM object. If a user were
tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with
the priviliges of the user invoking Firefox. (CVE-2015-2731)

Ronald Crane discovered multiple security vulnerabilities.
If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)

David Keeler discovered that key pinning checks can be
skipped when an overridable certificate error occurs. This
allows a user to manually override an error for a fake
certificate, but cannot be exploited on its own.
(CVE-2015-2741)

Jonas Jenwald discovered that some internal workers were
incorrectly executed with a high privilege. If a user were
tricked in to opening a specially crafted website, an
attacker could potentially exploit this in combination with
another security vulnerability, to execute arbitrary code in
a privileged scope. (CVE-2015-2743)

Matthew Green discovered a DHE key processing issue in NSS
where a MITM could force a server to downgrade TLS
connections to 512-bit export-grade cryptography. An
attacker could potentially exploit this to impersonate the
server. (CVE-2015-4000).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2656-2/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected firefox package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/16");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"39.0+build5-0ubuntu0.12.04.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
}