Vulnerabilities > CVE-2016-9066 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2780.NASL description An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters. last seen 2020-06-01 modified 2020-06-02 plugin id 94982 published 2016-11-21 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94982 title CentOS 5 / 6 : firefox (CESA-2016:2780) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:2780 and # CentOS Errata and Security Advisory 2016:2780 respectively. # include("compat.inc"); if (description) { script_id(94982); script_version("3.12"); script_cvs_date("Date: 2020/02/18"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066"); script_xref(name:"RHSA", value:"2016:2780"); script_name(english:"CentOS 5 / 6 : firefox (CESA-2016:2780)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing a security update." ); script_set_attribute( attribute:"description", value: "An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters." ); # https://lists.centos.org/pipermail/centos-announce/2016-November/022156.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6397317a" ); # https://lists.centos.org/pipermail/centos-announce/2016-November/022157.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?61f97fdf" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5290"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/21"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x / 6.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"firefox-45.5.0-1.el5.centos", allowmaj:TRUE)) flag++; if (rpm_check(release:"CentOS-6", reference:"firefox-45.5.0-1.el6.centos", allowmaj:TRUE)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox"); }
NASL family Scientific Linux Local Security Checks NASL id SL_20161116_FIREFOX_ON_SL5_X.NASL description This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) - A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) last seen 2020-03-18 modified 2016-11-22 plugin id 95051 published 2016-11-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95051 title Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20161116) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(95051); script_version("2.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066"); script_name(english:"Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20161116)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) - A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1611&L=scientific-linux-errata&F=&S=&P=2914 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?c9ebe451" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox and / or firefox-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL5", reference:"firefox-45.5.0-1.el5_11")) flag++; if (rpm_check(release:"SL5", reference:"firefox-debuginfo-45.5.0-1.el5_11")) flag++; if (rpm_check(release:"SL6", reference:"firefox-45.5.0-1.el6_8")) flag++; if (rpm_check(release:"SL6", reference:"firefox-debuginfo-45.5.0-1.el6_8")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"firefox-45.5.0-1.el7_3")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"firefox-debuginfo-45.5.0-1.el7_3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox / firefox-debuginfo"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3730.NASL description Multiple security issues have been found in Icedove, Debian last seen 2020-06-01 modified 2020-06-02 plugin id 95666 published 2016-12-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95666 title Debian DSA-3730-1 : icedove - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3730. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(95666); script_version("3.13"); script_cvs_date("Date: 2019/07/15 14:20:30"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9066", "CVE-2016-9074", "CVE-2016-9079"); script_xref(name:"DSA", value:"3730"); script_name(english:"Debian DSA-3730-1 : icedove - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/icedove" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3730" ); script_set_attribute( attribute:"solution", value: "Upgrade the icedove packages. For the stable distribution (jessie), these problems have been fixed in version 1:45.5.1-1~deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:icedove"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"calendar-google-provider", reference:"1:45.5.1-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"icedove", reference:"1:45.5.1-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"icedove-dbg", reference:"1:45.5.1-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"icedove-dev", reference:"1:45.5.1-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceowl-extension", reference:"1:45.5.1-1~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3105-1.NASL description This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1009026) : - CVE-2016-9079: Use-after-free in SVG Animation (bsc#1012964 MFSA 2016-92) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) - font warning messages would flood console, now using fontconfig configuration from firefox-fontconfig instead of the system one (bsc#1000751) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95797 published 2016-12-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95797 title SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3105-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:3105-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(95797); script_version("3.9"); script_cvs_date("Date: 2019/09/11 11:22:14"); script_cve_id("CVE-2016-5285", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074", "CVE-2016-9079"); script_name(english:"SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3105-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1009026) : - CVE-2016-9079: Use-after-free in SVG Animation (bsc#1012964 MFSA 2016-92) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) - font warning messages would flood console, now using fontconfig configuration from firefox-fontconfig instead of the system one (bsc#1000751) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1000751" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1009026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010395" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010401" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010422" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010517" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1012964" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=992549" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5285/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5290/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5291/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5296/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5297/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9064/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9066/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9074/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9079/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20163105-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1593bc97" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP2-LTSS:zypper in -t patch slessp2-mfs2016-90-12883=1 SUSE Linux Enterprise Debuginfo 11-SP2:zypper in -t patch dbgsp2-mfs2016-90-12883=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-translations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"2", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", cpu:"s390x", reference:"libfreebl3-32bit-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", cpu:"s390x", reference:"mozilla-nss-32bit-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"MozillaFirefox-45.5.1esr-63.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"MozillaFirefox-translations-45.5.1esr-63.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"libfreebl3-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"mozilla-nss-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"mozilla-nss-devel-3.21.3-30.1")) flag++; if (rpm_check(release:"SLES11", sp:"2", reference:"mozilla-nss-tools-3.21.3-30.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / mozilla-nss"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3141-1.NASL description Christian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5290) A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5291) A heap buffer-overflow was discovered in Cairo when processing SVG content. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5296) An error was discovered in argument length checking in JavaScript. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5297) A buffer overflow was discovered in nsScriptLoadHandler. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9066) A use-after-free was discovered in SVG animations. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9079). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95426 published 2016-12-01 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95426 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : thunderbird vulnerabilities (USN-3141-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3141-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(95426); script_version("3.13"); script_cvs_date("Date: 2019/09/18 12:31:46"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9066", "CVE-2016-9079"); script_xref(name:"USN", value:"3141-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : thunderbird vulnerabilities (USN-3141-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Christian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5290) A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5291) A heap buffer-overflow was discovered in Cairo when processing SVG content. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5296) An error was discovered in argument length checking in JavaScript. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5297) A buffer overflow was discovered in nsScriptLoadHandler. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9066) A use-after-free was discovered in SVG animations. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9079). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3141-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected thunderbird package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:thunderbird"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04 / 16.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"thunderbird", pkgver:"1:45.5.1+build1-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"thunderbird", pkgver:"1:45.5.1+build1-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"thunderbird", pkgver:"1:45.5.1+build1-0ubuntu0.16.04.1")) flag++; if (ubuntu_check(osver:"16.10", pkgname:"thunderbird", pkgver:"1:45.5.1+build1-0ubuntu0.16.10.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2780.NASL description From Red Hat Security Advisory 2016:2780 : An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters. last seen 2020-05-31 modified 2016-11-17 plugin id 94928 published 2016-11-17 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94928 title Oracle Linux 5 / 6 / 7 : firefox (ELSA-2016-2780) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:2780 and # Oracle Linux Security Advisory ELSA-2016-2780 respectively. # include("compat.inc"); if (description) { script_id(94928); script_version("2.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/29"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066"); script_xref(name:"RHSA", value:"2016:2780"); script_name(english:"Oracle Linux 5 / 6 / 7 : firefox (ELSA-2016-2780)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2016:2780 : An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-November/006522.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-November/006523.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-November/006524.html" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5 / 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL5", reference:"firefox-45.5.0-1.0.1.el5_11", allowmaj:TRUE)) flag++; if (rpm_check(release:"EL6", reference:"firefox-45.5.0-1.0.1.el6_8", allowmaj:TRUE)) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"firefox-45.5.0-1.0.1.el7_3", allowmaj:TRUE)) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3124-1.NASL description Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5289, CVE-2016-5290) A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5291) A crash was discovered when parsing URLs in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code. (CVE-2016-5292) A heap buffer-overflow was discovered in Cairo when processing SVG content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5296) An error was discovered in argument length checking in JavaScript. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5297) An integer overflow was discovered in the Expat library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-9063) It was discovered that addon updates failed to verify that the addon ID inside the signed package matched the ID of the addon being updated. An attacker that could perform a man-in-the-middle (MITM) attack could potentially exploit this to provide malicious addon updates. (CVE-2016-9064) A buffer overflow was discovered in nsScriptLoadHandler. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9066) 2 use-after-free bugs were discovered during DOM operations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9067, CVE-2016-9069) A heap use-after-free was discovered during web animations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9068) It was discovered that a page loaded in to the sidebar through a bookmark could reference a privileged chrome window. An attacker could potentially exploit this to bypass same origin restrictions. (CVE-2016-9070) An issue was discovered with Content Security Policy (CSP) in combination with HTTP to HTTPS redirection. An attacker could potentially exploit this to verify whether a site is within the user last seen 2020-06-01 modified 2020-06-02 plugin id 95025 published 2016-11-21 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95025 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3124-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3124-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(95025); script_version("3.10"); script_cvs_date("Date: 2019/09/18 12:31:46"); script_cve_id("CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9069", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9073", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077"); script_xref(name:"USN", value:"3124-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3124-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5289, CVE-2016-5290) A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. (CVE-2016-5291) A crash was discovered when parsing URLs in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code. (CVE-2016-5292) A heap buffer-overflow was discovered in Cairo when processing SVG content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5296) An error was discovered in argument length checking in JavaScript. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5297) An integer overflow was discovered in the Expat library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-9063) It was discovered that addon updates failed to verify that the addon ID inside the signed package matched the ID of the addon being updated. An attacker that could perform a man-in-the-middle (MITM) attack could potentially exploit this to provide malicious addon updates. (CVE-2016-9064) A buffer overflow was discovered in nsScriptLoadHandler. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9066) 2 use-after-free bugs were discovered during DOM operations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9067, CVE-2016-9069) A heap use-after-free was discovered during web animations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9068) It was discovered that a page loaded in to the sidebar through a bookmark could reference a privileged chrome window. An attacker could potentially exploit this to bypass same origin restrictions. (CVE-2016-9070) An issue was discovered with Content Security Policy (CSP) in combination with HTTP to HTTPS redirection. An attacker could potentially exploit this to verify whether a site is within the user's browsing history. (CVE-2016-9071) An issue was discovered with the windows.create() WebExtensions API. If a user were tricked in to installing a malicious extension, an attacker could potentially exploit this to escape the WebExtensions sandbox. (CVE-2016-9073) It was discovered that WebExtensions can use the mozAddonManager API. An attacker could potentially exploit this to install additional extensions without user permission. (CVE-2016-9075) It was discovered that <select> element dropdown menus can cover location bar content when e10s is enabled. An attacker could potentially exploit this to conduct UI spoofing attacks. (CVE-2016-9076) It was discovered that canvas allows the use of the feDisplacementMap filter on cross-origin images. An attacker could potentially exploit this to conduct timing attacks. (CVE-2016-9077). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3124-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/21"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04 / 16.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"50.0+build2-0ubuntu0.12.04.2")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"50.0+build2-0ubuntu0.14.04.2")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"50.0+build2-0ubuntu0.16.04.2")) flag++; if (ubuntu_check(osver:"16.10", pkgname:"firefox", pkgver:"50.0+build2-0ubuntu0.16.10.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-730.NASL description Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or bypass of the same-origin policy. A man-in-the-middle attack in the addon update mechanism has been fixed. A use-after-free vulnerability in the SVG Animation was discovered, allowing a remote attacker to cause a denial of service (application crash) or execute arbitrary code, if a user is tricked into opening a specially crafted website. For Debian 7 last seen 2020-03-17 modified 2016-12-02 plugin id 95456 published 2016-12-02 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95456 title Debian DLA-730-1 : firefox-esr security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-730-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(95456); script_version("3.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066"); script_name(english:"Debian DLA-730-1 : firefox-esr security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or bypass of the same-origin policy. A man-in-the-middle attack in the addon update mechanism has been fixed. A use-after-free vulnerability in the SVG Animation was discovered, allowing a remote attacker to cause a denial of service (application crash) or execute arbitrary code, if a user is tricked into opening a specially crafted website. For Debian 7 'Wheezy', these problems have been fixed in version 45.5.1esr-1~deb7u1. We recommend that you upgrade your firefox-esr packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00000.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/firefox-esr" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ach"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-af"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-an"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-as"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-az"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-be"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-bg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-bn-bd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-bn-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-bs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-cy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-dsb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-en-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-eo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-es-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-es-cl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-es-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-es-mx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-fa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ff"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-fy-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ga-ie"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-gn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-gu-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-he"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-hi-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-hr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-hsb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-hy-am"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-id"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-is"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-kk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-kn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-lij"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-lt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-lv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-mai"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-mk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-mr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-nb-no"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-nn-no"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-or"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-pa-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-pt-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-rm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ro"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-si"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-son"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-sq"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-sr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-sv-se"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-ta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-te"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-th"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-tr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-uk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-uz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-vi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-xh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr-l10n-zh-tw"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ach"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-af"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-an"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-as"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ast"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-az"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-be"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-bg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-bn-bd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-bn-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-bs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-cs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-cy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-da"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-de"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-dsb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-el"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-en-gb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-en-za"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-eo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-es-ar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-es-cl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-es-es"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-es-mx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-et"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-eu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-fa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ff"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-fi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-fr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-fy-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ga-ie"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-gl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-gn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-gu-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-he"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-hi-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-hr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-hsb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-hu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-hy-am"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-id"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-is"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-it"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ja"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-kk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-km"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-kn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ko"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-lij"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-lt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-lv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-mai"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-mk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-mr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-nb-no"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-nl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-nn-no"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-or"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-pa-in"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-pl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-pt-br"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-pt-pt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-rm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ro"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ru"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-si"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-sk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-sl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-son"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-sq"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-sr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-sv-se"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-ta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-te"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-th"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-tr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-uk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-uz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-vi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-xh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-zh-cn"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceweasel-l10n-zh-tw"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"firefox-esr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-dbg", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-dev", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ach", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-af", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-all", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-an", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ar", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-as", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ast", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-az", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-be", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-bg", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-bn-bd", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-bn-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-br", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-bs", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ca", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-cs", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-cy", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-da", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-de", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-dsb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-el", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-en-gb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-en-za", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-eo", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-es-ar", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-es-cl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-es-es", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-es-mx", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-et", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-eu", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-fa", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ff", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-fi", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-fr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-fy-nl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ga-ie", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-gd", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-gl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-gn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-gu-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-he", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-hi-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-hr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-hsb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-hu", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-hy-am", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-id", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-is", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-it", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ja", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-kk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-km", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-kn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ko", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-lij", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-lt", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-lv", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-mai", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-mk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ml", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-mr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ms", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-nb-no", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-nl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-nn-no", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-or", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-pa-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-pl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-pt-br", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-pt-pt", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-rm", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ro", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ru", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-si", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-sk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-sl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-son", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-sq", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-sr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-sv-se", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-ta", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-te", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-th", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-tr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-uk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-uz", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-vi", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-xh", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-zh-cn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"firefox-esr-l10n-zh-tw", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-dbg", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-dev", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ach", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-af", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-all", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-an", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ar", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-as", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ast", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-az", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-be", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-bg", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-bn-bd", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-bn-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-br", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-bs", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ca", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-cs", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-cy", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-da", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-de", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-dsb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-el", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-en-gb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-en-za", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-eo", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-es-ar", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-es-cl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-es-es", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-es-mx", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-et", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-eu", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-fa", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ff", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-fi", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-fr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-fy-nl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ga-ie", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-gd", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-gl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-gn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-gu-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-he", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-hi-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-hr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-hsb", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-hu", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-hy-am", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-id", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-is", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-it", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ja", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-kk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-km", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-kn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ko", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-lij", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-lt", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-lv", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-mai", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-mk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ml", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-mr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ms", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-nb-no", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-nl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-nn-no", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-or", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-pa-in", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-pl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-pt-br", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-pt-pt", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-rm", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ro", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ru", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-si", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-sk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-sl", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-son", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-sq", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-sr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-sv-se", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-ta", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-te", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-th", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-tr", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-uk", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-uz", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-vi", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-xh", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-zh-cn", reference:"45.5.1esr-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceweasel-l10n-zh-tw", reference:"45.5.1esr-1~deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Windows NASL id MOZILLA_FIREFOX_50_0.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 50.0. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 94960 published 2016-11-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94960 title Mozilla Firefox < 50.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94960); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5293", "CVE-2016-5294", "CVE-2016-5295", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9069", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9072", "CVE-2016-9073", "CVE-2016-9074", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077" ); script_bugtraq_id( 94335, 94336, 94337, 94339, 94341 ); script_xref(name:"MFSA", value:"2016-89"); script_name(english:"Mozilla Firefox < 50.0 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Mozilla Firefox installed on the remote Windows host is prior to 50.0. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/"); script_set_attribute(attribute:"solution", value: "Upgrade to Mozilla Firefox version 50.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9075"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Firefox/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Firefox/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox"); mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'50', severity:SECURITY_HOLE);
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1407.NASL description This update to Mozilla Firefox 50.0.2, Thunderbird 45.5.1 and NSS 3.16.2 fixes a number of security issues. The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89) : - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) - CVE-2016-5292: URL parsing causes crash (bmo#1288482) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bmo#1303678) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) - CVE-2016-9073: windows.create schema doesn last seen 2020-06-05 modified 2016-12-07 plugin id 95590 published 2016-12-07 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95590 title openSUSE Security Update : Mozilla Firefox / Thunderbird and NSS (openSUSE-2016-1407) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-1407. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(95590); script_version("3.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5293", "CVE-2016-5294", "CVE-2016-5295", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-5298", "CVE-2016-5299", "CVE-2016-9061", "CVE-2016-9062", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9065", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9069", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9072", "CVE-2016-9073", "CVE-2016-9074", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077", "CVE-2016-9078", "CVE-2016-9079"); script_name(english:"openSUSE Security Update : Mozilla Firefox / Thunderbird and NSS (openSUSE-2016-1407)"); script_summary(english:"Check for the openSUSE-2016-1407 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update to Mozilla Firefox 50.0.2, Thunderbird 45.5.1 and NSS 3.16.2 fixes a number of security issues. The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89) : - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) - CVE-2016-5292: URL parsing causes crash (bmo#1288482) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bmo#1303678) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) - CVE-2016-9073: windows.create schema doesn't specify 'format': 'relativeUrl' (bmo#1289273) - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) - CVE-2016-5289: Memory safety bugs fixed in Firefox 50 - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 The following vulnerabilities were fixed in Mozilla NSS 3.26.1 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) Mozilla Firefox now requires mozilla-nss 3.26.2. New features in Mozilla Firefox : - Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R - Added option to Find in page that allows users to limit search to whole words only - Added download protection for a large number of executable file types on Windows, Mac and Linux - Fixed rendering of dashed and dotted borders with rounded corners (border-radius) - Added a built-in Emoji set for operating systems without native Emoji fonts - Blocked versions of libavcodec older than 54.35.1 - additional locale mozilla-nss was updated to 3.26.2, incorporating the following changes : - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT - The following CA certificate was added: CN = ISRG Root X1 - NPN is disabled and ALPN is enabled by default - MD5 signature algorithms sent by the server in CertificateRequest messages are now properly ignored" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1227538" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1245791" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1245795" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1246945" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1246972" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1247239" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1274777" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1276976" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1281071" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1285003" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1288482" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1289273" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1292159" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1292443" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1293334" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1294438" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1295324" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1298552" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1299686" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1300083" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1301777" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1302973" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1303418" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1303678" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1306696" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1308922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1317641" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1321066" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1009026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010401" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010411" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1012807" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1012964" ); script_set_attribute( attribute:"solution", value:"Update the affected Mozilla Firefox / Thunderbird and NSS packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-branding-upstream-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-buildsymbols-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debuginfo-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-debugsource-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-devel-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-common-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaFirefox-translations-other-50.0.2-131.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-buildsymbols-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debuginfo-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-debugsource-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-devel-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-common-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"MozillaThunderbird-translations-other-45.5.1-70.92.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libfreebl3-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"libsoftokn3-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-certs-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-debugsource-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-devel-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-sysinit-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"mozilla-nss-tools-debuginfo-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.26.2-94.1") ) flag++; if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.26.2-94.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1085.NASL description According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.(CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) - A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-05-01 plugin id 99844 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99844 title EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1085) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99844); script_version("1.13"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066" ); script_name(english:"EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1085)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.(CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) - A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1085 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04632b25"); script_set_attribute(attribute:"solution", value: "Update the affected firefox packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:firefox"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["firefox-45.5.0-1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg, allowmaj:TRUE)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3014-1.NASL description This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026) : - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) The Mozilla Firefox changelog was amended to document patched dropped in a previous update. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95565 published 2016-12-06 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95565 title SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3014-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:3014-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(95565); script_version("2.7"); script_cvs_date("Date: 2019/09/11 11:22:14"); script_cve_id("CVE-2016-5285", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074"); script_name(english:"SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3014-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026) : - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) The Mozilla Firefox changelog was amended to document patched dropped in a previous update. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1009026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010395" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010401" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010422" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010517" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=992549" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5285/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5290/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5291/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5296/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5297/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9064/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9066/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9074/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20163014-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d7fce6b6" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1754=1 SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1754=1 SUSE Linux Enterprise Server for SAP 12:zypper in -t patch SUSE-SLE-SAP-12-2016-1754=1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1754=1 SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1754=1 SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1754=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2016-1754=1 SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1754=1 SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1754=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-translations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreebl3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreebl3-hmac"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsoftokn3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsoftokn3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsoftokn3-hmac"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-certs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-certs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-sysinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-sysinit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0|1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1/2", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"MozillaFirefox-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"MozillaFirefox-debuginfo-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"MozillaFirefox-debugsource-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"MozillaFirefox-translations-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-certs-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-certs-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-debugsource-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-sysinit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-sysinit-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-tools-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-tools-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libfreebl3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libsoftokn3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-certs-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-sysinit-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"MozillaFirefox-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"MozillaFirefox-debuginfo-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"MozillaFirefox-debugsource-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"MozillaFirefox-translations-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-certs-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-certs-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-debugsource-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-sysinit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-sysinit-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-tools-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-tools-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libfreebl3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libsoftokn3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-certs-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-sysinit-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-debuginfo-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-debugsource-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-translations-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-hmac-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debugsource-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-tools-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-tools-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libfreebl3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-hmac-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"MozillaFirefox-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"MozillaFirefox-debuginfo-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"MozillaFirefox-debugsource-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"MozillaFirefox-translations-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libfreebl3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libfreebl3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libsoftokn3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libsoftokn3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-certs-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-debugsource-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-sysinit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-tools-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"mozilla-nss-tools-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-debuginfo-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-debugsource-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"MozillaFirefox-translations-45.5.0esr-88.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreebl3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreebl3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-debugsource-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-tools-3.21.3-50.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"mozilla-nss-tools-debuginfo-3.21.3-50.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / mozilla-nss"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3716.NASL description Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or bypass of the same-origin policy. Also, a man-in-the-middle attack in the addon update mechanism has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 94922 published 2016-11-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94922 title Debian DSA-3716-1 : firefox-esr - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3716. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(94922); script_version("2.10"); script_cvs_date("Date: 2019/07/15 14:20:30"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074"); script_xref(name:"DSA", value:"3716"); script_name(english:"Debian DSA-3716-1 : firefox-esr - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or bypass of the same-origin policy. Also, a man-in-the-middle attack in the addon update mechanism has been fixed." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/firefox-esr" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3716" ); script_set_attribute( attribute:"solution", value: "Upgrade the firefox-esr packages. For the stable distribution (jessie), these problems have been fixed in version 45.5.0esr-1~deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firefox-esr"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"firefox-esr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-dbg", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-dev", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ach", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-af", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-all", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-an", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ar", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-as", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ast", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-az", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-be", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-bg", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-bn-bd", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-bn-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-br", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-bs", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ca", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-cs", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-cy", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-da", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-de", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-dsb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-el", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-en-gb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-en-za", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-eo", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-es-ar", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-es-cl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-es-es", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-es-mx", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-et", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-eu", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-fa", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ff", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-fi", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-fr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-fy-nl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ga-ie", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-gd", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-gl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-gn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-gu-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-he", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-hi-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-hr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-hsb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-hu", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-hy-am", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-id", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-is", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-it", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ja", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-kk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-km", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-kn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ko", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-lij", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-lt", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-lv", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-mai", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-mk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ml", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-mr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ms", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-nb-no", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-nl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-nn-no", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-or", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-pa-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-pl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-pt-br", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-pt-pt", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-rm", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ro", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ru", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-si", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-sk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-sl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-son", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-sq", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-sr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-sv-se", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-ta", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-te", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-th", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-tr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-uk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-uz", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-vi", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-xh", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-zh-cn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"firefox-esr-l10n-zh-tw", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-dbg", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-dev", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ach", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-af", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-all", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-an", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ar", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-as", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ast", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-az", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-be", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-bg", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-bn-bd", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-bn-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-br", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-bs", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ca", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-cs", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-cy", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-da", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-de", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-dsb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-el", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-en-gb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-en-za", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-eo", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-es-ar", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-es-cl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-es-es", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-es-mx", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-et", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-eu", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-fa", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ff", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-fi", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-fr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-fy-nl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ga-ie", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-gd", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-gl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-gn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-gu-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-he", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-hi-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-hr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-hsb", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-hu", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-hy-am", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-id", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-is", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-it", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ja", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-kk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-km", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-kn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ko", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-lij", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-lt", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-lv", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-mai", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-mk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ml", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-mr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ms", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-nb-no", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-nl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-nn-no", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-or", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-pa-in", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-pl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-pt-br", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-pt-pt", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-rm", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ro", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ru", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-si", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-sk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-sl", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-son", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-sq", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-sr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-sv-se", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-ta", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-te", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-th", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-tr", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-uk", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-uz", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-vi", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-xh", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-zh-cn", reference:"45.5.0esr-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"iceweasel-l10n-zh-tw", reference:"45.5.0esr-1~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_50_0.NASL description The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 50.0. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 94958 published 2016-11-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94958 title Mozilla Firefox < 50.0 Multiple Vulnerabilities (macOS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94958); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9069", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9073", "CVE-2016-9074", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077" ); script_bugtraq_id( 94335, 94336, 94337, 94339, 94341 ); script_xref(name:"MFSA", value:"2016-89"); script_name(english:"Mozilla Firefox < 50.0 Multiple Vulnerabilities (macOS)"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote macOS or Mac OS X host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 50.0. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/"); script_set_attribute(attribute:"solution", value: "Upgrade to Mozilla Firefox version 50.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9075"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_firefox_installed.nasl"); script_require_keys("MacOSX/Firefox/Installed"); exit(0); } include("mozilla_version.inc"); kb_base = "MacOSX/Firefox"; get_kb_item_or_exit(kb_base+"/Installed"); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.'); mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'50', severity:SECURITY_HOLE);
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2780.NASL description An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters. last seen 2020-05-31 modified 2016-11-16 plugin id 94920 published 2016-11-16 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94920 title RHEL 5 / 6 / 7 : firefox (RHSA-2016:2780) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:2780. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(94920); script_version("2.18"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/29"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066"); script_xref(name:"RHSA", value:"2016:2780"); script_name(english:"RHEL 5 / 6 / 7 : firefox (RHSA-2016:2780)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.0 ESR. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290) * A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update. (CVE-2016-9064) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, Andre Bargull, Samuel Gross, Yuyang Zhou, Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup as the original reporters." ); # https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/# script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8b5eaff4" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2016:2780" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-9064" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-9066" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-5296" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-5297" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-5290" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-5291" ); script_set_attribute( attribute:"solution", value:"Update the affected firefox and / or firefox-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x / 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2016:2780"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", reference:"firefox-45.5.0-1.el5_11", allowmaj:TRUE)) flag++; if (rpm_check(release:"RHEL5", reference:"firefox-debuginfo-45.5.0-1.el5_11", allowmaj:TRUE)) flag++; if (rpm_check(release:"RHEL6", reference:"firefox-45.5.0-1.el6_8", allowmaj:TRUE)) flag++; if (rpm_check(release:"RHEL6", reference:"firefox-debuginfo-45.5.0-1.el6_8", allowmaj:TRUE)) flag++; if (rpm_check(release:"RHEL7", reference:"firefox-45.5.0-1.el7_3", allowmaj:TRUE)) flag++; if (rpm_check(release:"RHEL7", reference:"firefox-debuginfo-45.5.0-1.el7_3", allowmaj:TRUE)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox / firefox-debuginfo"); } }
NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_45_5_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is 45.x prior to 45.4. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 94957 published 2016-11-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94957 title Mozilla Firefox ESR 45.x < 45.5 Multiple Vulnerabilities (macOS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94957); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074" ); script_bugtraq_id( 94335, 94336, 94339, 94341 ); script_xref(name:"MFSA", value:"2016-90"); script_name(english:"Mozilla Firefox ESR 45.x < 45.5 Multiple Vulnerabilities (macOS)"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote macOS or Mac OS X host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is 45.x prior to 45.4. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/"); script_set_attribute(attribute:"solution", value: "Upgrade to Mozilla Firefox ESR version 45.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5297"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_firefox_installed.nasl"); script_require_keys("MacOSX/Firefox/Installed"); exit(0); } include("mozilla_version.inc"); kb_base = "MacOSX/Firefox"; get_kb_item_or_exit(kb_base+"/Installed"); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); is_esr = get_kb_item(kb_base+"/is_esr"); if (isnull(is_esr)) audit(AUDIT_NOT_INST, "Mozilla Firefox ESR"); mozilla_check_version(product:'firefox', version:version, path:path, esr:TRUE, fix:'45.5', min:'45.0', severity:SECURITY_HOLE);
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-752.NASL description Multiple security issues have been found in Icedove, Debian last seen 2020-03-17 modified 2016-12-20 plugin id 96013 published 2016-12-20 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96013 title Debian DLA-752-1 : icedove security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-752-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(96013); script_version("3.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9066", "CVE-2016-9074", "CVE-2016-9079"); script_name(english:"Debian DLA-752-1 : icedove security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service. For Debian 7 'Wheezy', these problems have been fixed in version 45.5.1-1~deb7u1. We recommend that you upgrade your icedove packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00027.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/icedove" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:calendar-google-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:icedove"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:icedove-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:icedove-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:iceowl-extension"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/20"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"calendar-google-provider", reference:"45.5.1-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"icedove", reference:"45.5.1-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"icedove-dbg", reference:"45.5.1-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"icedove-dev", reference:"45.5.1-1~deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"iceowl-extension", reference:"45.5.1-1~deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_D185311007F44645895B6FD462AD0589.NASL description Mozilla Foundation reports : Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 94904 published 2016-11-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94904 title FreeBSD : mozilla -- multiple vulnerabilities (d1853110-07f4-4645-895b-6fd462ad0589) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(94904); script_version("2.9"); script_cvs_date("Date: 2019/07/10 16:04:13"); script_cve_id("CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5293", "CVE-2016-5294", "CVE-2016-5295", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-5298", "CVE-2016-5299", "CVE-2016-9061", "CVE-2016-9062", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9065", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9072", "CVE-2016-9073", "CVE-2016-9074", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077"); script_name(english:"FreeBSD : mozilla -- multiple vulnerabilities (d1853110-07f4-4645-895b-6fd462ad0589)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Mozilla Foundation reports : Please reference CVE/URL list for details" ); # https://www.mozilla.org/security/advisories/mfsa2016-89/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/" ); # https://www.mozilla.org/security/advisories/mfsa2016-90/ script_set_attribute( attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/" ); # https://vuxml.freebsd.org/freebsd/d1853110-07f4-4645-895b-6fd462ad0589.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b7042961" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox-esr"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:libxul"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-thunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:seamonkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:thunderbird"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"firefox<50.0_1,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"seamonkey<2.47")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-seamonkey<2.47")) flag++; if (pkg_test(save_report:TRUE, pkg:"firefox-esr<45.5.0,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-firefox<45.5.0,2")) flag++; if (pkg_test(save_report:TRUE, pkg:"libxul<45.5.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"thunderbird<45.5.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-thunderbird<45.5.0")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-15.NASL description The remote host is affected by the vulnerability described in GLSA-201701-15 (Mozilla Firefox, Thunderbird: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox and Thunderbird. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition via multiple vectors. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96276 published 2017-01-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96276 title GLSA-201701-15 : Mozilla Firefox, Thunderbird: Multiple vulnerabilities (SWEET32) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201701-15. # # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(96276); script_version("3.9"); script_cvs_date("Date: 2019/08/12 17:35:39"); script_cve_id("CVE-2016-2804", "CVE-2016-2805", "CVE-2016-2806", "CVE-2016-2807", "CVE-2016-2808", "CVE-2016-2809", "CVE-2016-2810", "CVE-2016-2811", "CVE-2016-2812", "CVE-2016-2813", "CVE-2016-2814", "CVE-2016-2816", "CVE-2016-2817", "CVE-2016-2820", "CVE-2016-2827", "CVE-2016-2830", "CVE-2016-2835", "CVE-2016-2836", "CVE-2016-2837", "CVE-2016-2838", "CVE-2016-2839", "CVE-2016-5250", "CVE-2016-5251", "CVE-2016-5252", "CVE-2016-5253", "CVE-2016-5254", "CVE-2016-5255", "CVE-2016-5256", "CVE-2016-5257", "CVE-2016-5258", "CVE-2016-5259", "CVE-2016-5260", "CVE-2016-5261", "CVE-2016-5262", "CVE-2016-5263", "CVE-2016-5264", "CVE-2016-5265", "CVE-2016-5266", "CVE-2016-5267", "CVE-2016-5268", "CVE-2016-5270", "CVE-2016-5271", "CVE-2016-5272", "CVE-2016-5273", "CVE-2016-5274", "CVE-2016-5275", "CVE-2016-5276", "CVE-2016-5277", "CVE-2016-5278", "CVE-2016-5279", "CVE-2016-5280", "CVE-2016-5281", "CVE-2016-5282", "CVE-2016-5283", "CVE-2016-5284", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5293", "CVE-2016-5294", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074", "CVE-2016-9079", "CVE-2016-9893", "CVE-2016-9895", "CVE-2016-9897", "CVE-2016-9898", "CVE-2016-9899", "CVE-2016-9900", "CVE-2016-9901", "CVE-2016-9902", "CVE-2016-9904", "CVE-2016-9905"); script_xref(name:"GLSA", value:"201701-15"); script_name(english:"GLSA-201701-15 : Mozilla Firefox, Thunderbird: Multiple vulnerabilities (SWEET32)"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201701-15 (Mozilla Firefox, Thunderbird: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Mozilla Firefox and Thunderbird. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition via multiple vectors. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201701-15" ); script_set_attribute( attribute:"solution", value: "All Firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/firefox-45.6.0' All Firefox-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/firefox-bin-45.6.0' All Thunderbird users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-client/thunderbird-45.6.0' All Thunderbird-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=mail-client/thunderbird-bin-45.6.0'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:thunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:thunderbird-bin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/30"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/04"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/firefox-bin", unaffected:make_list("ge 45.6.0"), vulnerable:make_list("lt 45.6.0"))) flag++; if (qpkg_check(package:"mail-client/thunderbird-bin", unaffected:make_list("ge 45.6.0"), vulnerable:make_list("lt 45.6.0"))) flag++; if (qpkg_check(package:"www-client/firefox", unaffected:make_list("ge 45.6.0"), vulnerable:make_list("lt 45.6.0"))) flag++; if (qpkg_check(package:"mail-client/thunderbird", unaffected:make_list("ge 45.6.0"), vulnerable:make_list("lt 45.6.0"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Mozilla Firefox / Thunderbird"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1334.NASL description This update to Mozilla Firefox 50.0 fixes a number of security issues. The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89) : - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) - CVE-2016-5292: URL parsing causes crash (bmo#1288482) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bmo#1303678) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) - CVE-2016-9073: windows.create schema doesn last seen 2020-06-05 modified 2016-11-21 plugin id 95022 published 2016-11-21 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95022 title openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-1334) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-1334. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(95022); script_version("3.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5289", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5292", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9063", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9067", "CVE-2016-9068", "CVE-2016-9069", "CVE-2016-9070", "CVE-2016-9071", "CVE-2016-9073", "CVE-2016-9074", "CVE-2016-9075", "CVE-2016-9076", "CVE-2016-9077"); script_name(english:"openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-1334)"); script_summary(english:"Check for the openSUSE-2016-1334 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update to Mozilla Firefox 50.0 fixes a number of security issues. The following vulnerabilities were fixed in Mozilla Firefox (MFSA 2016-89) : - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bmo#1292443) - CVE-2016-5292: URL parsing causes crash (bmo#1288482) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bmo#1303678) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bmo#1303418) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bmo#1299686) - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore (bmo#1301777, bmo#1308922 (CVE-2016-9069)) - CVE-2016-9068: heap-use-after-free in nsRefreshDriver (bmo#1302973) - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges (bmo#1295324) - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them (bmo#1298552) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bmo#1292159) - CVE-2016-9070: Sidebar bookmark can have reference to chrome window (bmo#1281071) - CVE-2016-9073: windows.create schema doesn't specify 'format': 'relativeUrl' (bmo#1289273) - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s (bmo#1276976) - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat (bmo#1274777) - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP (bmo#1285003) - CVE-2016-5289: Memory safety bugs fixed in Firefox 50 - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 The following vulnerabilities were fixed in Mozilla NSS 3.26.1 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bmo#1293334) Mozilla Firefox now requires mozilla-nss 3.26.2. New features in Mozilla Firefox : - Updates to keyboard shortcuts Set a preference to have Ctrl+Tab cycle through tabs in recently used order View a page in Reader Mode by using Ctrl+Alt+R - Added option to Find in page that allows users to limit search to whole words only - Added download protection for a large number of executable file types on Windows, Mac and Linux - Fixed rendering of dashed and dotted borders with rounded corners (border-radius) - Added a built-in Emoji set for operating systems without native Emoji fonts - Blocked versions of libavcodec older than 54.35.1 - additional locale mozilla-nss was updated to 3.26.2, incorporating the following changes : - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT - The following CA certificate was added: CN = ISRG Root X1 - NPN is disabled and ALPN is enabled by default - MD5 signature algorithms sent by the server in CertificateRequest messages are now properly ignored" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1009026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010395" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010399" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010401" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010405" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010406" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010408" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010409" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010420" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010421" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010422" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010423" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010424" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010425" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010426" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1010427" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaFirefox / mozilla-nss packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE13\.2|SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2 / 42.1 / 42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-branding-upstream-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-buildsymbols-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debuginfo-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-debugsource-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-devel-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-common-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"MozillaFirefox-translations-other-50.0-88.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libfreebl3-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libfreebl3-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libsoftokn3-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"libsoftokn3-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-certs-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-certs-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-debugsource-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-devel-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-sysinit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-sysinit-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-tools-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", reference:"mozilla-nss-tools-debuginfo-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libfreebl3-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libsoftokn3-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.26.2-49.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-branding-upstream-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-buildsymbols-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-debuginfo-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-debugsource-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-devel-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-translations-common-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"MozillaFirefox-translations-other-50.0-39.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libfreebl3-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libfreebl3-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libsoftokn3-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libsoftokn3-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-certs-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-certs-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-debugsource-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-devel-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-sysinit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-sysinit-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-tools-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"mozilla-nss-tools-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libfreebl3-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libsoftokn3-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-branding-upstream-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-buildsymbols-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-debuginfo-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-debugsource-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-devel-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-translations-common-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-translations-other-50.0-39.2") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreebl3-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libfreebl3-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libsoftokn3-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"libsoftokn3-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-certs-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-certs-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-debugsource-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-devel-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-sysinit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-sysinit-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-tools-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"mozilla-nss-tools-debuginfo-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libfreebl3-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libfreebl3-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libsoftokn3-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libsoftokn3-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-certs-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-certs-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-debuginfo-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-32bit-3.26.2-32.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"mozilla-nss-sysinit-debuginfo-32bit-3.26.2-32.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3080-1.NASL description This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1009026 bsc#1012964) : - CVE-2016-9079: Use-after-free in SVG Animation (MFSA 2016-92 bsc#1012964) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) - font warning messages would flood console, now using fontconfig configuration from firefox-fontconfig instead of the system one (bsc#1000751) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95712 published 2016-12-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95712 title SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3080-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:3080-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(95712); script_version("3.11"); script_cvs_date("Date: 2019/09/11 11:22:14"); script_cve_id("CVE-2016-5285", "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074", "CVE-2016-9079"); script_name(english:"SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2016:3080-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for MozillaFirefox, mozilla-nss fixes security issues and bugs. The following vulnerabilities were fixed in Firefox ESR 45.5.1 (bsc#1009026 bsc#1012964) : - CVE-2016-9079: Use-after-free in SVG Animation (MFSA 2016-92 bsc#1012964) - CVE-2016-5297: Incorrect argument length checking in JavaScript (bsc#1010401) - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404) - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395) - CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402) - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427) - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410) The following vulnerabilities were fixed in mozilla-nss 3.21.3 : - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422) - CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517) The following bugs were fixed : - Firefox would fail to go into fullscreen mode with some window managers (bsc#992549) - font warning messages would flood console, now using fontconfig configuration from firefox-fontconfig instead of the system one (bsc#1000751) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1000751" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1009026" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010395" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010401" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010422" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010517" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1012964" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=992549" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5285/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5290/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5291/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5296/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-5297/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9064/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9066/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9074/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9079/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20163080-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4cc0686a" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud 5:zypper in -t patch sleclo50sp3-mfsa2016-90-12882=1 SUSE Manager Proxy 2.1:zypper in -t patch slemap21-mfsa2016-90-12882=1 SUSE Manager 2.1:zypper in -t patch sleman21-mfsa2016-90-12882=1 SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-mfsa2016-90-12882=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-mfsa2016-90-12882=1 SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-mfsa2016-90-12882=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-mfsa2016-90-12882=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-mfsa2016-90-12882=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-mfsa2016-90-12882=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Firefox nsSMILTimeContainer::NotifyTimeChange() RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-translations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libfreebl3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libsoftokn3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:mozilla-nss-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"libsoftokn3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"libfreebl3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"libsoftokn3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"mozilla-nss-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"MozillaFirefox-45.5.1esr-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"MozillaFirefox-translations-45.5.1esr-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"libfreebl3-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"libsoftokn3-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"mozilla-nss-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"mozilla-nss-tools-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"libfreebl3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"libsoftokn3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"mozilla-nss-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"libfreebl3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"libsoftokn3-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"mozilla-nss-32bit-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"MozillaFirefox-45.5.1esr-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"MozillaFirefox-translations-45.5.1esr-59.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"libfreebl3-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"libsoftokn3-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"mozilla-nss-3.21.3-39.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"mozilla-nss-tools-3.21.3-39.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / mozilla-nss"); }
NASL family Windows NASL id MOZILLA_FIREFOX_45_5_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote Windows host is 45.x prior to 45.5. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 94959 published 2016-11-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94959 title Mozilla Firefox ESR 45.x < 45.5 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94959); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-5290", "CVE-2016-5291", "CVE-2016-5293", "CVE-2016-5294", "CVE-2016-5296", "CVE-2016-5297", "CVE-2016-9064", "CVE-2016-9066", "CVE-2016-9074" ); script_bugtraq_id( 94335, 94336, 94339, 94341 ); script_xref(name:"MFSA", value:"2016-90"); script_name(english:"Mozilla Firefox ESR 45.x < 45.5 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Firefox."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Mozilla Firefox ESR installed on the remote Windows host is 45.x prior to 45.5. It is, therefore, affected by multiple vulnerabilities, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/"); script_set_attribute(attribute:"solution", value: "Upgrade to Mozilla Firefox ESR version 45.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5297"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Firefox/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/Mozilla/Firefox/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox"); mozilla_check_version(installs:installs, product:'firefox', esr:TRUE, fix:'45.5', min:'45.0', severity:SECURITY_HOLE);
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily exploit description This post will explore how [CVE-2016-9066](https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9066), a simple but quite interesting (from an exploitation perspective) vulnerability in Firefox, can be exploited to gain code execution. tl;dr an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of an mmap chunk. One way to exploit this includes placing a JavaScript heap behind the buffer and subsequently overflowing into its meta data to create a fake free cell. It is then possible to place an ArrayBuffer instance inside another ArrayBuffer’s inline data. The inner ArrayBuffer can then be arbitrarily modified, yielding an arbitrary read/write primitive. From there it is quite easy to achieve code execution. The full exploit can be found [here](https://github.com/saelo/foxpwn) and was tested against Firefox 48.0.1 on macOS 10.11.6\. The bugzilla report can be found [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1299686) ## The Vulnerability The following [code](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/dom/base/nsScriptLoader.cpp#L2716) is used for loading the data for (external) script tags: ``` result nsScriptLoadHandler::TryDecodeRawData(const uint8_t* aData, uint32_t aDataLength, bool aEndOfStream) { int32_t srcLen = aDataLength; const char* src = reinterpret_cast<const char *>(aData); int32_t dstLen; nsresult rv = mDecoder->GetMaxLength(src, srcLen, &dstLen); NS_ENSURE_SUCCESS(rv, rv); uint32_t haveRead = mBuffer.length(); uint32_t capacity = haveRead + dstLen; if (!mBuffer.reserve(capacity)) { return NS_ERROR_OUT_OF_MEMORY; } rv = mDecoder->Convert(src, &srcLen, mBuffer.begin() + haveRead, &dstLen); NS_ENSURE_SUCCESS(rv, rv); haveRead += dstLen; MOZ_ASSERT(haveRead <= capacity, "mDecoder produced more data than expected"); MOZ_ALWAYS_TRUE(mBuffer.resizeUninitialized(haveRead)); return NS_OK; } ``` The code will be invoked by `OnIncrementalData` whenever new data has arrived from the server. The bug is a simple integer overflow, happening when the server sends more than 4GB of data. In that case, `capacity` will wrap around and the following call to `mBuffer.reserve` will not modify the buffer in any way. `mDecode->Convert` then writes data past the end of an 8GB buffer (data is stored as char16_t in the browser), which will be backed by an mmap chunk (a common practice for very large chunks). The patch is also similarly simple: ``` uint32_t haveRead = mBuffer.length(); - uint32_t capacity = haveRead + dstLen; - if (!mBuffer.reserve(capacity)) { + + CheckedInt<uint32_t> capacity = haveRead; + capacity += dstLen; + + if (!capacity.isValid() || !mBuffer.reserve(capacity.value())) { return NS_ERROR_OUT_OF_MEMORY; } ``` The bug doesn’t look too promising at first. For one, it requires sending and allocating multiple gigabytes of memory. As we will see however, the bug can be exploited fairly reliably and the exploit completes within about a minute after opening the page on my 2015 MacBook Pro. We will now first explore how this bug can be exploited to pop a calculator on macOS, then improve the exploit to be more reliable and use less bandwidth afterwards (spoiler: we will use HTTP compression). ## Exploitation Since the overflow happens past the end of an mmap region, our first concern is whether it is possible to reliably allocate something behind the overflown buffer. In contrast to some heap allocators, mmap (which can be thought of as a memory allocator provided by the kernel) is very deterministic: calling mmap twice will result in two consecutive mappings if there are no existing holes that could satisfy either of the two requests. You can try this for yourself using the following piece of code. Note that the result will be different depending on whether the code is run on Linux or macOS. The mmap region grows towards lower addresses on Linux while it grows towards higher ones on macOS. For the rest of this post we will focus on macOS. A similar exploit should be possible on Linux and Windows though. ``` #include <sys/mman.h> #include <stdio.h> const size_t MAP_SIZE = 0x100000; // 1 MB int main() { char* chunk1 = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); char* chunk2 = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); printf("chunk1: %p - %p\n", chunk1, chunk1 + MAP_SIZE); printf("chunk2: %p - %p\n", chunk2, chunk2 + MAP_SIZE); return 0; } ``` The output of the above program tells us that we should be able to allocate something behind the overflowing buffer by simply mmap’ing memory until all existing holes are filled, then allocating one more memory chunk through mmap. To verify this we will do the following: 1. Load a HTML document which includes a script (payload.js, which will trigger the overflow) and asynchronously executes some JavaScript code (code.js, which implements step 3 and 5) 2. When the browser requests payload.js, have the server reply with a Content-Length of 0x100000001 but only send the first 0xffffffff bytes of the data 3. Afterwards, let the JavaScript code allocate multiple large (1GB) ArrayBuffers (memory won’t necessarily be used until the buffers are actually written to) 4. Have the webserver send the remaining two bytes of payload.js 5. Check the first few bytes of every ArrayBuffer, one should contain the data sent by the webserver To implement this, we will need some kind of synchronization primitive between the JavaScript code running in the browser and the webserver. For that reason I wrote a [tiny webserver](https://github.com/saelo/foxpwn/blob/master/server.py) on top of python’s asyncio library which contains a handy [Event object](https://docs.python.org/3/library/asyncio-sync.html#event) for synchronization accross coroutines. Creating two global events makes it possible to signal the server that the client-side code has finished its current task and is now waiting for the server to perform the next step. The handler for `/sync` looks as follows: ``` async def sync(request, response): script_ready_event.set() await server_done_event.wait() server_done_event.clear() response.send_header(200, { 'Content-Type': 'text/plain; charset=utf-8', 'Content-Length': '2' }) response.write(b'OK') await response.drain() ``` On the client side, I used synchronous XMLHttpRequests to block script execution until the server has finished its part: ``` function synchronize() { var xhr = new XMLHttpRequest(); xhr.open('GET', location.origin + '/sync', false); // Server will block until the event has been fired xhr.send(); } ``` With that we can [implement](https://bugzilla.mozilla.org/show_bug.cgi?id=1299686#c2) the above scenario and we will see that indeed one of the ArrayBuffer objects now contains our payload byte at the start of its buffer. There is one small limitation though: we can only overflow with valid UTF-16, as that is what Firefox uses internally. We’ll have to keep this in mind. What remains now is to find something more interesting to allocate instead of the ArrayBuffer that was overflown into. ### Hunting for Target Objects Since `malloc` (and thus the `new` operator in C++) will at some point request more memory using mmap, anything allocated with those could potentially be of interest for our exploit. I went a different route though. I initially wanted to check whether it would be possible to overflow into JavaScript objects and for example corrupt the length of an array or something similar. I thus started to dig around the JavaScript allocators to see where JSObjects are stored. Spidermonkey (the JavaScript engine inside Firefox) stores JSObjects in two separate regions: 1. The tenured heap. Longer lived objects as well as a few selected object types are allocated here. This is a fairly classical heap that keeps track of free spots which it then reuses for future allocations. 2. The Nursery. This is a memory region that contains short-lived objects. Most JSObjects are first allocated here, then moved into the tenured heap if they are still alive during the next GC cycle (this includes updating all pointers to them and thus requires that the gargabe collector knows about all pointers to its objects). The nursery requires no free list or similar: after a GC cycle the nursery is simply declared free since all alive objects have been moved out of it. For a more in depth discussion of Spidermonkey internals see [this](http://phrack.com/issues/69/14.html#article) phrack article. Objects in the tenured heap are stored in containers called Arenas: ``` /* * Arenas are the allocation units of the tenured heap in the GC. An arena * is 4kiB in size and 4kiB-aligned. It starts with several header fields * followed by some bytes of padding. The remainder of the arena is filled * with GC things of a particular AllocKind. The padding ensures that the * GC thing array ends exactly at the end of the arena: * * <----------------------------------------------> = ArenaSize bytes * +---------------+---------+----+----+-----+----+ * | header fields | padding | T0 | T1 | ... | Tn | * +---------------+---------+----+----+-----+----+ * <-------------------------> = first thing offset */ class Arena { static JS_FRIEND_DATA(const uint32_t) ThingSizes[]; static JS_FRIEND_DATA(const uint32_t) FirstThingOffsets[]; static JS_FRIEND_DATA(const uint32_t) ThingsPerArena[]; /* * The first span of free things in the arena. Most of these spans are * stored as offsets in free regions of the data array, and most operations * on FreeSpans take an Arena pointer for safety. However, the FreeSpans * used for allocation are stored here, at the start of an Arena, and use * their own address to grab the next span within the same Arena. */ FreeSpan firstFreeSpan; // ... ``` The comment already gives a fairly good summary: [Arenas](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/gc/Heap.h#L450) are simply container objects inside which JavaScript objects of the [same size](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/gc/Heap.h#L83) are allocated. They are located inside a container object, the [Chunk structure](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/gc/Heap.h#L941), which is itself directly allocated through mmap. The interesting part is the `firstFreeSpan` member of the Arena class: it is the very first member of an Arena object (and thus lies at the beginning of an mmap-ed region), and essentially indicates the index of the first free cell inside this Arena. This is how a [FreeSpan](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/gc/Heap.h#L352) instance looks like: ``` class FreeSpan { uint16_t first; uint16_t last; // methods following } ``` Both `first` and `last` are byte indices into the Arena, indicating the head of the freelist. This opens up an interesting way to exploit this bug: by overflowing into the `firstFreeSpan` field of an Arena, we may be able to allocate an object inside another object, preferably inside some kind of accessible inline data. We would then be able to modify the “inner” object arbitrarily. This technique has a few benefits: * Being able to allocate a JavaScript object at a chosen offset inside an Arena directly yields a memory read/write primitive as we shall see * We only need to overflow 4 bytes of the following chunk and thus won’t corrupt any pointers or other sensitive data * Arenas/Chunks can be allocated fairly reliably just by allocating large numbers of JavaScript objects As it turns out, ArrayBuffer objects up to a size of 96 bytes will have their data stored inline after the object header. They will also [skip the nursery](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/vm/ArrayBufferObject.cpp#L667) and thus be located inside an Arena. This makes them ideal for our exploit. We will thus 1. Allocate lots of ArrayBuffers with 96 bytes of storage 2. Overflow and create a fake free cell inside the Arena following our buffer 3. Allocate more ArrayBuffer objects of the same size and see if one of them is placed inside another ArrayBuffer’s data (just scan all “old” ArrayBuffers for non-zero content) ### The Need for GC Unfortunately, it’s not quite that easy: in order for Spidermonkey to allocate an object in our target (corrupted) Arena, the Arena must have previously been marked as (partially) free. This means that we need to free at least one slot in each Arena. We can do this by deleting every 25th ArrayBuffer (since there are 25 per Arena), then forcing garbage collection. Spidermonkey triggers garbage collection for a [variety](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/gc/GCRuntime.h#L201) of [reasons](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/public/GCAPI.h#L52). It seems the easiest one to trigger is `TOO_MUCH_MALLOC`: it is simply triggered whenever a certain number of bytes have been allocated through malloc. Thus, the following code suffices to trigger a garbage collection: ``` function gc() { const maxMallocBytes = 128 * MB; for (var i = 0; i < 3; i++) { var x = new ArrayBuffer(maxMallocBytes); } } ``` Afterwards, our target arena will be put onto the free list and our subsequent overwrite will corrupt it. The next allocation from the corrupted arena will then return a (fake) cell inside the inline data of an ArrayBuffer object. ### (Optional Reading) Compacting GC Actually, it’s a little bit more complicated. There exists a GC mode called compacting GC, which will move objects from [multiple partially filled arenas](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/jsgc.cpp#L1828) to fill holes in other arenas. This reduces internal fragmentation and helps freeing up entire Chunks so they can be returned to the OS. For us however, a compacting GC would be troublesome since it might fill the hole we created in our target arena. The following code is used to determine whether a compacting GC should be run: ``` bool GCRuntime::shouldCompact() { // Compact on shrinking GC if enabled, but skip compacting in incremental // GCs if we are currently animating. return invocationKind == GC_SHRINK && isCompactingGCEnabled() && (!isIncremental || rt->lastAnimationTime + PRMJ_USEC_PER_SEC < PRMJ_Now()); } ``` Looking at the code there should be ways to prevent a compacting GC from happening (e.g. by performing some animations). It seems we are lucky though: our `gc` function from above will trigger the following code path in Spidermonkey, thus preventing a compacting GC since the invocationKind will be `GC_NORMAL` instead of `GC_SHRINK`. ``` bool GCRuntime::gcIfRequested() { // This method returns whether a major GC was performed. if (minorGCRequested()) minorGC(minorGCTriggerReason); if (majorGCRequested()) { if (!isIncrementalGCInProgress()) startGC(GC_NORMAL, majorGCTriggerReason); // <-- we trigger this code path else gcSlice(majorGCTriggerReason); return true; } return false; } ``` ### Writing an Exploit At this point we have all the pieces together and can actually write an exploit. Once we have created the fake free cell and allocated an ArrayBuffer inside of it, we will see that one of the previously allocated ArrayBuffers now contains data. An ArrayBuffer object in Spidermonkey looks roughly as follows: ``` // From JSObject GCPtrObjectGroup group_; // From ShapedObject GCPtrShape shape_; // From NativeObject HeapSlots* slots_; HeapSlots* elements_; // Slot offsets from ArrayBufferObject static const uint8_t DATA_SLOT = 0; static const uint8_t BYTE_LENGTH_SLOT = 1; static const uint8_t FIRST_VIEW_SLOT = 2; static const uint8_t FLAGS_SLOT = 3; ``` The `XXX_SLOT` constants determine the offset of the corresponding value from the start of the object. As such, the data pointer (`DATA_SLOT`) will be stored at `addrof(ArrayBuffer) + sizeof(ArrayBuffer)`. We can now construct the following exploit primitives: * Reading from an absolute memory address: we set the `DATA_SLOT` to the desired address and read from the inner ArrayBuffer * Writing to an absolute memory address: same as above, but this time we write to the inner ArrayBuffer * Leaking the address of a JavaScript Object: for that, we set the Object whose address we want to know as property of the inner ArrayBuffer, then read the address from the `slots_` pointer through our existing read primitive ### Process Continuation To avoid crashing the browser process during the next GC cycle, we have to repair a few things: * The ArrayBuffer following the _outer_ ArrayBuffer in our exploit, as that one will have been corrupted by the _inner_ ArrayBuffer’s data. To fix this, We can simply copy another ArrayBuffer object into that location * The Cell that was originally freed in our Arena now looks like a used Cell and will be treated as such by the collector, leading to a crash since it has been overwritten with other data (e.g. a FreeSpan instance). We can fix this by restoring the original firstFreeSpan field of our Arena to mark that Cell as free again. This suffices to keep the browser alive after the exploit finishes. ### Summary Putting everything together, the following steps will award us with an arbitrary read/write primitive: 1. Insert a script tag to load the payload and eventually trigger the bug. 2. Wait for the server to send up to 2GB + 1 bytes of data. The browser will now have allocated the final chunk that we will later overflow from. We try to fill the existing mmap holes using ArrayBuffer objects like we did for the very first PoC. 3. Allocate JavaScript Arenas (memory regions) containing ArrayBuffers of size 96 (largest size so the data is still allocated inline behind the object) and hope one of them is placed right after the buffer we are about to overflow. Mmap allocates contiguous regions, so this can only fail if we don’t allocate enough memory or if something else is allocated there. 4. Have the server send everything up to 0xffffffff bytes in total, completely filling the current chunk 5. Free one ArrayBuffer in every arena and try to trigger gargabe collection so the arenas are inserted into the free list. 6. Have the server send the remaining data. This will trigger the overflow and corrupt the internal free list (indicating which cells are unused) of one of the arenas. The freelist is modified such that the first free cell lies within the inline data of one of the ArrayBuffers contained in the Arena. 7. Allocate more ArrayBuffers. If everything worked so far, one of them will be allocated inside the inline data of another ArrayBuffer. Search for that ArrayBuffer. 8. If found, construct an arbitrary memory read/write primitive. We can now modify the data pointer of the inner ArrayBuffer, so this is quite easy. 9. Repair the corrupted objects to keep the process alive after our exploit is finished. ### Popping calc What remains now is to somehow pop a calculator. A simple way to run custom code is to [abuse the JIT region](https://github.com/saelo/jscpwn/blob/master/pwn.html#L45), however, this technique is (partially) [mitigated in Firefox](https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/). This can be bypassed given our exploitation primitives (e.g. by writing a small ROP chain and transferring control there), but this seemed to complicated for a simple PoC. There are other Firefox-specific techniques to obtain code execution by abusing privileged JavaScript, but these require non-trivial modifications to the browser state (e.g. adding the [turn_off_all_security_so_that_viruses_can_take_over_this_computer](https://bugzilla.mozilla.org/show_bug.cgi?id=984012) preference). I instead ended up using some standard CTF tricks to finish the exploit: looking for cross references to libc functions that accept a string as first argument (in this case strcmp), I found the implementation of [`Date.toLocalFormat`](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/jsdate.cpp#L2823) and noticed that it [converts its first argument from a JSString to a C-string](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/jsdate.cpp#L2849), which it then uses as [first argument for strcmp](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/js/src/jsdate.cpp#L2721). So we can simply replaced the GOT entry for `strcmp` with the address of `system` and execute `data_obj.toLocaleFormat("open -a /Applications/Calculator.app");`. Done :) ## Improving the Exploit At this point the basic exploit is already finished. This section will now describe how to make it more reliable and less bandwidth hungry. ### Adding Robustness Up until now our exploit simply allocated a few very large ArrayBuffer instances (1GB each) to fill existing mmap holes, then allocated roughly another GB of js::Arena instances to overflow into. It thus assumed that the browsers heap operations are more or less deterministic during exploitation. Since this isn’t necessarily the case, we’d like to make our exploit a little more robust. A quick look at then implementation of the mozilla::Vector class (which is used to hold the script buffer) shows us that it uses `realloc` to double the size of its buffer when needed. Since jemalloc directly uses mmap for larger chunks, this leaves us with the following allocation pattern: * mmap 1MB * mmap 2MB, munmap previous chunk * mmap 4MB, munmap previous chunk * mmap 8MB, munmap previous chunk * … * mmap 8GB, munmap previous chunk Because the current chunk size will always be larger than the sum of all previous chunks sizes, this will result in a lot of free space preceding our final buffer. In theory, we could simply calculate the total sum of the free space, then allocate a large ArrayBuffer afterwards. In practice, this doesn’t quite work since there will be other allocations after the server starts sending data and before the browser finishes decompressing the last chunk. Also jemalloc holds back a part of the freed memory for later usage. Instead we’ll try to allocate a chunk as soon as it is freed by the browser. Here’s what we’ll do: 1. JavaScript code waits for the server using `sync` 2. The server sends all data up to the next power of two (in MB) and thus triggers exactly one call to realloc at the end. The browser will now free a chunk of a known size 3. The server sets the `server_done_event`, causing the JavaScript code to continue 4. JavaScript code allocates an ArrayBuffer instance of the same size as the previous buffer, filling the free space 5. This is repeated until we have send 0x80000001 bytes (thus forced the allocation of the final buffer) This simple algorithm is implemented on the server side [here](https://github.com/saelo/foxpwn/blob/master/poc.py#L48) and on the client in [step 1](https://github.com/saelo/foxpwn/blob/master/code.js#L310). Using this algorithm, we can fairly reliably get an allocation behind our target buffer by spraying only a few megabytes of ArrayBuffer instances instead of multiple gigabytes. ### Reducing Network Load Our current exploit requires sending 4GB of data over the network. That’s easy to fix though: we’ll use HTTP compression. The nice part here is that e.g. zlip [supports](https://docs.python.org/3.5/library/zlib.html#zlib.Compress.flush) “streamed” compression, which makes it possible to incrementally compress the payload. With this we just have to add each part of the payload to the zlib stream, then call flush on it to obtain the next compressed chunk of the payload and send that to the server. The server will uncompress this chunk upon receiving it and perform the desired action (e.g. perform one realloc step). This is implemented in the `construct_payload` method in [poc.py](https://github.com/saelo/foxpwn/blob/master/poc.py#L30) and manages to reduce the size of the payload to about 18MB. ### About Resource Usage At least in theory, the exploit requires quite a lot of memory: * an 8GB buffer holding our “JavaScript” payload. Actually, it’s more like 12 GB, since during the final realloc, the content of a 4GB buffer must be copied to a new 8GB buffer * multiple (around 6GB) buffers allocated by JavaScript to fill the holes created by realloc * around 256 MB of ArrayBuffers However, since many of the buffers are never written to, they don’t necessarily consume any physical memory. Moreover, during the final realloc, only 4GB of the new buffer will be written to before the old buffer is freed, so really “only” 8 GB are required there. That’s still a lot of memory though. However, there are some technologies that will help reduce that number if physical memory becomes low: * Memory compression (macOS): large memory regions can be compressed and swapped out. This is perfect for our use case since the 8GB buffer will be completely filled with zeroes. This effect can be observed in the Activity Monitor.app, which at some point shows more than 6 GB of memory as “compressed” during the exploit. * Page deduplication (Windows, Linux): pages containing the same content are mapped copy-on-write (COW) and point to the same physical page (essentially reducing memory usage to 4KB). CPU usage will also be quite high during peek times (decompression). However, CPU pressure could further be reduced by sending the payload in smaller chunks with delays in between (which would obviously increase the time it takes for the exploit to work though). This would also give the OS more time to compress and/or deduplicate the large memory buffers. ### Further Possible Improvements There are a few sources of unreliability in the current exploit, mostly dealing with timing: * During the sending of the payload data, if JavaScript runs the allocation before the browser has fully processed the next chunk, the allocations will “desyncronize”. This would likely lead to a failed exploit. Ideally, JavaScript would perform the allocation as soon as the next chunk has been received and processed. Which may be possible to determine by observing CPU usage. * If a garbage collection cycle runs after we have corrupted the FreeSpan but before we have fixed it, we crash * If a compacting gargabe collection cycle runs after we have freed some of the ArrayBuffers but before we have triggered the overflow, the exploit fails as the Arena will be filled up again. * If the fake free Cell happens to be placed inside the freed ArrayBuffer’s cell, then our exploit will fail and the browser will crash during the next gargabe collection cycle. With 25 cells per arena this gives us a theoretical 1/25 chance to fail. However, in my experiments, the free cells were always located at the same offset (1216 bytes into the Arena), indicating that the state of the engine at the beginning of the exploit is fairly deterministic (at least regarding the state of the Arenas holding objects of size 160 bytes). From my experience, the exploit runs pretty reliable (>95%) if the browser is not under heavy usage. The exploit still works if 10+ other tabs are open, but might fail if for example a large web application is currently loading. ## Conclusion While the bug isn’t ideal from an attacker’s perspective, it still can be exploited fairly reliably and without too much bandwidth usage. It is interesting to see how various technologies (compression, same page merging, …) can make a bug such as this one easier to exploit. Thinking of ways to prevent exploitability of such a bug, a few things come to mind. One fairly generic mitigation are guard pages (a page leading to a segfault whenever accessed in some way). These would have to be allocated before or after every mmap allocated region and would thus protect against exploitation of linear overflows such as this one. They would, however, not protect against non-linear overflows such as [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1287266). Another possibility would be to introduce internal mmap randomization to scatter the allocated regions throughout the address space (likely only effective on 64-bit systems). This would best be performed by the kernel, but could also be done in userspace. id SSV:92794 last seen 2017-11-19 modified 2017-03-20 published 2017-03-20 reporter Root title Firefox Integer overflow leading to a buffer overflow in nsScriptLoadHandler (CVE-2016-9066) bulletinFamily exploit description This post will explore how [CVE-2016-9066](https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9066), a simple but quite interesting (from an exploitation perspective) vulnerability in Firefox, can be exploited to gain code execution. tl;dr an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of an mmap chunk. One way to exploit this includes placing a JavaScript heap behind the buffer and subsequently overflowing into its meta data to create a fake free cell. It is then possible to place an ArrayBuffer instance inside another ArrayBuffer’s inline data. The inner ArrayBuffer can then be arbitrarily modified, yielding an arbitrary read/write primitive. From there it is quite easy to achieve code execution. The full exploit can be found [here](https://github.com/saelo/foxpwn) and was tested against Firefox 48.0.1 on macOS 10.11.6. The bugzilla report can be found [here](https://bugzilla.mozilla.org/show_bug.cgi?id=1299686) #### The Vulnerability The following [code](https://github.com/mozilla/gecko-dev/blob/40ae52a2c349f978a462a38f770e4e35d49f6563/dom/base/nsScriptLoader.cpp#L2716) is used for loading the data for (external) script tags: ``` result nsScriptLoadHandler::TryDecodeRawData(const uint8_t* aData, uint32_t aDataLength, bool aEndOfStream) { int32_t srcLen = aDataLength; const char* src = reinterpret_cast<const char *>(aData); int32_t dstLen; nsresult rv = mDecoder->GetMaxLength(src, srcLen, &dstLen); NS_ENSURE_SUCCESS(rv, rv); uint32_t haveRead = mBuffer.length(); uint32_t capacity = haveRead + dstLen; if (!mBuffer.reserve(capacity)) { return NS_ERROR_OUT_OF_MEMORY; } rv = mDecoder->Convert(src, &srcLen, mBuffer.begin() + haveRead, &dstLen); NS_ENSURE_SUCCESS(rv, rv); haveRead += dstLen; MOZ_ASSERT(haveRead <= capacity, "mDecoder produced more data than expected"); MOZ_ALWAYS_TRUE(mBuffer.resizeUninitialized(haveRead)); return NS_OK; } ``` The code will be invoked by `OnIncrementalData` whenever new data has arrived from the server. The bug is a simple integer overflow, happening when the server sends more than 4GB of data. In that case, `capacity` will wrap around and the following call to mBuffer.reserve will not modify the buffer in any way. `mDecode->Convert` then writes data past the end of an 8GB buffer (data is stored as char16_t in the browser), which will be backed by an mmap chunk (a common practice for very large chunks). The patch is also similarly simple: ``` uint32_t haveRead = mBuffer.length(); - uint32_t capacity = haveRead + dstLen; - if (!mBuffer.reserve(capacity)) { + + CheckedInt<uint32_t> capacity = haveRead; + capacity += dstLen; + + if (!capacity.isValid() || !mBuffer.reserve(capacity.value())) { return NS_ERROR_OUT_OF_MEMORY; } ``` The bug doesn’t look too promising at first. For one, it requires sending and allocating multiple gigabytes of memory. As we will see however, the bug can be exploited fairly reliably and the exploit completes within about a minute after opening the page on my 2015 MacBook Pro. We will now first explore how this bug can be exploited to pop a calculator on macOS, then improve the exploit to be more reliable and use less bandwidth afterwards (spoiler: we will use HTTP compression). #### Exploitation Since the overflow happens past the end of an mmap region, our first concern is whether it is possible to reliably allocate something behind the overflown buffer. In contrast to some heap allocators, mmap (which can be thought of as a memory allocator provided by the kernel) is very deterministic: calling mmap twice will result in two consecutive mappings if there are no existing holes that could satisfy either of the two requests. You can try this for yourself using the following piece of code. Note that the result will be different depending on whether the code is run on Linux or macOS. The mmap region grows towards lower addresses on Linux while it grows towards higher ones on macOS. For the rest of this post we will focus on macOS. A similar exploit should be possible on Linux and Windows though. ``` #include <sys/mman.h> #include <stdio.h> const size_t MAP_SIZE = 0x100000; // 1 MB int main() { char* chunk1 = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); char* chunk2 = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); printf("chunk1: %p - %p\n", chunk1, chunk1 + MAP_SIZE); printf("chunk2: %p - %p\n", chunk2, chunk2 + MAP_SIZE); return 0; } ``` The output of the above program tells us that we should be able to allocate something behind the overflowing buffer by simply mmap’ing memory until all existing holes are filled, then allocating one more memory chunk through mmap. To verify this we will do the following: 1. Load a HTML document which includes a script (payload.js, which will trigger the overflow) and asynchronously executes some JavaScript code (code.js, which implements step 3 and 5) 2. When the browser requests payload.js, have the server reply with a Content-Length of 0x100000001 but only send the first 0xffffffff bytes of the data 3. Afterwards, let the JavaScript code allocate multiple large (1GB) ArrayBuffers (memory won’t necessarily be used until the buffers are actually written to) 4. Have the webserver send the remaining two bytes of payload.js 5. Check the first few bytes of every ArrayBuffer, one should contain the data sent by the webserver To implement this, we will need some kind of synchronization primitive between the JavaScript code running in the browser and the webserver. For that reason I wrote a tiny webserver on top of python’s asyncio library which contains a handy Event object for synchronization accross coroutines. Creating two global events makes it possible to signal the server that the client-side code has finished its current task and is now waiting for the server to perform the next step. The handler for /sync looks as follows: ``` async def sync(request, response): script_ready_event.set() await server_done_event.wait() server_done_event.clear() response.send_header(200, { 'Content-Type': 'text/plain; charset=utf-8', 'Content-Length': '2' }) response.write(b'OK') await response.drain() ``` On the client side, I used synchronous XMLHttpRequests to block script execution until the server has finished its part: ``` function synchronize() { var xhr = new XMLHttpRequest(); xhr.open('GET', location.origin + '/sync', false); // Server will block until the event has been fired xhr.send(); } ``` With that we can implement the above scenario and we will see that indeed one of the ArrayBuffer objects now contains our payload byte at the start of its buffer. There is one small limitation though: we can only overflow with valid UTF-16, as that is what Firefox uses internally. We’ll have to keep this in mind. What remains now is to find something more interesting to allocate instead of the ArrayBuffer that was overflown into. #### Hunting for Target Objects Since `malloc` (and thus the `new` operator in C++) will at some point request more memory using mmap, anything allocated with those could potentially be of interest for our exploit. I went a different route though. I initially wanted to check whether it would be possible to overflow into JavaScript objects and for example corrupt the length of an array or something similar. I thus started to dig around the JavaScript allocators to see where JSObjects are stored. Spidermonkey (the JavaScript engine inside Firefox) stores JSObjects in two separate regions: 1. The tenured heap. Longer lived objects as well as a few selected object types are allocated here. This is a fairly classical heap that keeps track of free spots which it then reuses for future allocations. 2. The Nursery. This is a memory region that contains short-lived objects. Most JSObjects are first allocated here, then moved into the tenured heap if they are still alive during the next GC cycle (this includes updating all pointers to them and thus requires that the gargabe collector knows about all pointers to its objects). The nursery requires no free list or similar: after a GC cycle the nursery is simply declared free since all alive objects have been moved out of it. For a more in depth discussion of Spidermonkey internals see this phrack article. Objects in the tenured heap are stored in containers called Arenas: ``` /* * Arenas are the allocation units of the tenured heap in the GC. An arena * is 4kiB in size and 4kiB-aligned. It starts with several header fields * followed by some bytes of padding. The remainder of the arena is filled * with GC things of a particular AllocKind. The padding ensures that the * GC thing array ends exactly at the end of the arena: * * <----------------------------------------------> = ArenaSize bytes * +---------------+---------+----+----+-----+----+ * | header fields | padding | T0 | T1 | ... | Tn | * +---------------+---------+----+----+-----+----+ * <-------------------------> = first thing offset */ class Arena { static JS_FRIEND_DATA(const uint32_t) ThingSizes[]; static JS_FRIEND_DATA(const uint32_t) FirstThingOffsets[]; static JS_FRIEND_DATA(const uint32_t) ThingsPerArena[]; /* * The first span of free things in the arena. Most of these spans are * stored as offsets in free regions of the data array, and most operations * on FreeSpans take an Arena pointer for safety. However, the FreeSpans * used for allocation are stored here, at the start of an Arena, and use * their own address to grab the next span within the same Arena. */ FreeSpan firstFreeSpan; // ... ``` The comment already gives a fairly good summary: Arenas are simply container objects inside which JavaScript objects of the same size are allocated. They are located inside a container object, the Chunk structure, which is itself directly allocated through mmap. The interesting part is the firstFreeSpan member of the Arena class: it is the very first member of an Arena object (and thus lies at the beginning of an mmap-ed region), and essentially indicates the index of the first free cell inside this Arena. This is how a FreeSpan instance looks like: ``` class FreeSpan { uint16_t first; uint16_t last; // methods following } ``` Both `first` and `last` are byte indices into the Arena, indicating the head of the freelist. This opens up an interesting way to exploit this bug: by overflowing into the firstFreeSpan field of an Arena, we may be able to allocate an object inside another object, preferably inside some kind of accessible inline data. We would then be able to modify the “inner” object arbitrarily. This technique has a few benefits: * Being able to allocate a JavaScript object at a chosen offset inside an Arena directly yields a memory read/write primitive as we shall see * We only need to overflow 4 bytes of the following chunk and thus won’t corrupt any pointers or other sensitive data * Arenas/Chunks can be allocated fairly reliably just by allocating large numbers of JavaScript objects As it turns out, ArrayBuffer objects up to a size of 96 bytes will have their data stored inline after the object header. They will also skip the nursery and thus be located inside an Arena. This makes them ideal for our exploit. We will thus 1. Allocate lots of ArrayBuffers with 96 bytes of storage 2. Overflow and create a fake free cell inside the Arena following our buffer 3. Allocate more ArrayBuffer objects of the same size and see if one of them is placed inside another ArrayBuffer’s data (just scan all “old” ArrayBuffers for non-zero content) #### The Need for GC Unfortunately, it’s not quite that easy: in order for Spidermonkey to allocate an object in our target (corrupted) Arena, the Arena must have previously been marked as (partially) free. This means that we need to free at least one slot in each Arena. We can do this by deleting every 25th ArrayBuffer (since there are 25 per Arena), then forcing garbage collection. Spidermonkey triggers garbage collection for a variety of reasons. It seems the easiest one to trigger is TOO_MUCH_MALLOC: it is simply triggered whenever a certain number of bytes have been allocated through malloc. Thus, the following code suffices to trigger a garbage collection: ``` function gc() { const maxMallocBytes = 128 * MB; for (var i = 0; i < 3; i++) { var x = new ArrayBuffer(maxMallocBytes); } } ``` Afterwards, our target arena will be put onto the free list and our subsequent overwrite will corrupt it. The next allocation from the corrupted arena will then return a (fake) cell inside the inline data of an ArrayBuffer object. #### (Optional Reading) Compacting GC Actually, it’s a little bit more complicated. There exists a GC mode called compacting GC, which will move objects from multiple partially filled arenas to fill holes in other arenas. This reduces internal fragmentation and helps freeing up entire Chunks so they can be returned to the OS. For us however, a compacting GC would be troublesome since it might fill the hole we created in our target arena. The following code is used to determine whether a compacting GC should be run: ``` bool GCRuntime::shouldCompact() { // Compact on shrinking GC if enabled, but skip compacting in incremental // GCs if we are currently animating. return invocationKind == GC_SHRINK && isCompactingGCEnabled() && (!isIncremental || rt->lastAnimationTime + PRMJ_USEC_PER_SEC < PRMJ_Now()); } ``` Looking at the code there should be ways to prevent a compacting GC from happening (e.g. by performing some animations). It seems we are lucky though: our gc function from above will trigger the following code path in Spidermonkey, thus preventing a compacting GC since the invocationKind will be `GC_NORMAL` instead of `GC_SHRINK`. ``` bool GCRuntime::gcIfRequested() { // This method returns whether a major GC was performed. if (minorGCRequested()) minorGC(minorGCTriggerReason); if (majorGCRequested()) { if (!isIncrementalGCInProgress()) startGC(GC_NORMAL, majorGCTriggerReason); // <-- we trigger this code path else gcSlice(majorGCTriggerReason); return true; } return false; } ``` #### Writing an Exploit At this point we have all the pieces together and can actually write an exploit. Once we have created the fake free cell and allocated an ArrayBuffer inside of it, we will see that one of the previously allocated ArrayBuffers now contains data. An ArrayBuffer object in Spidermonkey looks roughly as follows: ``` // From JSObject GCPtrObjectGroup group_; // From ShapedObject GCPtrShape shape_; // From NativeObject HeapSlots* slots_; HeapSlots* elements_; // Slot offsets from ArrayBufferObject static const uint8_t DATA_SLOT = 0; static const uint8_t BYTE_LENGTH_SLOT = 1; static const uint8_t FIRST_VIEW_SLOT = 2; static const uint8_t FLAGS_SLOT = 3; ``` The `XXX_SLOT` constants determine the offset of the corresponding value from the start of the object. As such, the data pointer (`DATA_SLOT`) will be stored at `addrof(ArrayBuffer) + sizeof(ArrayBuffer)`. We can now construct the following exploit primitives: * Reading from an absolute memory address: we set the DATA_SLOT to the desired address and read from the inner ArrayBuffer * Writing to an absolute memory address: same as above, but this time we write to the inner ArrayBuffer * Leaking the address of a JavaScript Object: for that, we set the Object whose address we want to know as property of the inner ArrayBuffer, then read the address from the slots_ pointer through our existing read primitive #### Process Continuation To avoid crashing the browser process during the next GC cycle, we have to repair a few things: * The ArrayBuffer following the outer ArrayBuffer in our exploit, as that one will have been corrupted by the inner ArrayBuffer’s data. To fix this, We can simply copy another ArrayBuffer object into that location * The Cell that was originally freed in our Arena now looks like a used Cell and will be treated as such by the collector, leading to a crash since it has been overwritten with other data (e.g. a FreeSpan instance). We can fix this by restoring the original firstFreeSpan field of our Arena to mark that Cell as free again. This suffices to keep the browser alive after the exploit finishes. #### Summary Putting everything together, the following steps will award us with an arbitrary read/write primitive: Insert a script tag to load the payload and eventually trigger the bug. Wait for the server to send up to 2GB + 1 bytes of data. The browser will now have allocated the final chunk that we will later overflow from. We try to fill the existing mmap holes using ArrayBuffer objects like we did for the very first PoC. Allocate JavaScript Arenas (memory regions) containing ArrayBuffers of size 96 (largest size so the data is still allocated inline behind the object) and hope one of them is placed right after the buffer we are about to overflow. Mmap allocates contiguous regions, so this can only fail if we don’t allocate enough memory or if something else is allocated there. Have the server send everything up to 0xffffffff bytes in total, completely filling the current chunk Free one ArrayBuffer in every arena and try to trigger gargabe collection so the arenas are inserted into the free list. Have the server send the remaining data. This will trigger the overflow and corrupt the internal free list (indicating which cells are unused) of one of the arenas. The freelist is modified such that the first free cell lies within the inline data of one of the ArrayBuffers contained in the Arena. Allocate more ArrayBuffers. If everything worked so far, one of them will be allocated inside the inline data of another ArrayBuffer. Search for that ArrayBuffer. If found, construct an arbitrary memory read/write primitive. We can now modify the data pointer of the inner ArrayBuffer, so this is quite easy. Repair the corrupted objects to keep the process alive after our exploit is finished. #### Popping calc What remains now is to somehow pop a calculator. A simple way to run custom code is to abuse the JIT region, however, this technique is (partially) mitigated in Firefox. This can be bypassed given our exploitation primitives (e.g. by writing a small ROP chain and transferring control there), but this seemed to complicated for a simple PoC. There are other Firefox-specific techniques to obtain code execution by abusing privileged JavaScript, but these require non-trivial modifications to the browser state (e.g. adding the turn_off_all_security_so_that_viruses_can_take_over_this_computer preference). I instead ended up using some standard CTF tricks to finish the exploit: looking for cross references to libc functions that accept a string as first argument (in this case strcmp), I found the implementation of Date.toLocalFormat and noticed that it converts its first argument from a JSString to a C-string, which it then uses as first argument for strcmp. So we can simply replaced the GOT entry for strcmp with the address of system and execute data_obj.toLocaleFormat("open -a /Applications/Calculator.app");. Done :) #### Improving the Exploit At this point the basic exploit is already finished. This section will now describe how to make it more reliable and less bandwidth hungry. #### Adding Robustness Up until now our exploit simply allocated a few very large ArrayBuffer instances (1GB each) to fill existing mmap holes, then allocated roughly another GB of js::Arena instances to overflow into. It thus assumed that the browsers heap operations are more or less deterministic during exploitation. Since this isn’t necessarily the case, we’d like to make our exploit a little more robust. A quick look at then implementation of the mozilla::Vector class (which is used to hold the script buffer) shows us that it uses realloc to double the size of its buffer when needed. Since jemalloc directly uses mmap for larger chunks, this leaves us with the following allocation pattern: mmap 1MB mmap 2MB, munmap previous chunk mmap 4MB, munmap previous chunk mmap 8MB, munmap previous chunk … mmap 8GB, munmap previous chunk Because the current chunk size will always be larger than the sum of all previous chunks sizes, this will result in a lot of free space preceding our final buffer. In theory, we could simply calculate the total sum of the free space, then allocate a large ArrayBuffer afterwards. In practice, this doesn’t quite work since there will be other allocations after the server starts sending data and before the browser finishes decompressing the last chunk. Also jemalloc holds back a part of the freed memory for later usage. Instead we’ll try to allocate a chunk as soon as it is freed by the browser. Here’s what we’ll do: JavaScript code waits for the server using sync The server sends all data up to the next power of two (in MB) and thus triggers exactly one call to realloc at the end. The browser will now free a chunk of a known size The server sets the server_done_event, causing the JavaScript code to continue JavaScript code allocates an ArrayBuffer instance of the same size as the previous buffer, filling the free space This is repeated until we have send 0x80000001 bytes (thus forced the allocation of the final buffer) This simple algorithm is implemented on the server side here and on the client in step 1. Using this algorithm, we can fairly reliably get an allocation behind our target buffer by spraying only a few megabytes of ArrayBuffer instances instead of multiple gigabytes. #### Reducing Network Load Our current exploit requires sending 4GB of data over the network. That’s easy to fix though: we’ll use HTTP compression. The nice part here is that e.g. zlip supports “streamed” compression, which makes it possible to incrementally compress the payload. With this we just have to add each part of the payload to the zlib stream, then call flush on it to obtain the next compressed chunk of the payload and send that to the server. The server will uncompress this chunk upon receiving it and perform the desired action (e.g. perform one realloc step). This is implemented in the construct_payload method in poc.py and manages to reduce the size of the payload to about 18MB. #### About Resource Usage At least in theory, the exploit requires quite a lot of memory: an 8GB buffer holding our “JavaScript” payload. Actually, it’s more like 12 GB, since during the final realloc, the content of a 4GB buffer must be copied to a new 8GB buffer multiple (around 6GB) buffers allocated by JavaScript to fill the holes created by realloc around 256 MB of ArrayBuffers However, since many of the buffers are never written to, they don’t necessarily consume any physical memory. Moreover, during the final realloc, only 4GB of the new buffer will be written to before the old buffer is freed, so really “only” 8 GB are required there. That’s still a lot of memory though. However, there are some technologies that will help reduce that number if physical memory becomes low: Memory compression (macOS): large memory regions can be compressed and swapped out. This is perfect for our use case since the 8GB buffer will be completely filled with zeroes. This effect can be observed in the Activity Monitor.app, which at some point shows more than 6 GB of memory as “compressed” during the exploit. Page deduplication (Windows, Linux): pages containing the same content are mapped copy-on-write (COW) and point to the same physical page (essentially reducing memory usage to 4KB). CPU usage will also be quite high during peek times (decompression). However, CPU pressure could further be reduced by sending the payload in smaller chunks with delays in between (which would obviously increase the time it takes for the exploit to work though). This would also give the OS more time to compress and/or deduplicate the large memory buffers. #### Further Possible Improvements There are a few sources of unreliability in the current exploit, mostly dealing with timing: During the sending of the payload data, if JavaScript runs the allocation before the browser has fully processed the next chunk, the allocations will “desyncronize”. This would likely lead to a failed exploit. Ideally, JavaScript would perform the allocation as soon as the next chunk has been received and processed. Which may be possible to determine by observing CPU usage. If a garbage collection cycle runs after we have corrupted the FreeSpan but before we have fixed it, we crash If a compacting gargabe collection cycle runs after we have freed some of the ArrayBuffers but before we have triggered the overflow, the exploit fails as the Arena will be filled up again. If the fake free Cell happens to be placed inside the freed ArrayBuffer’s cell, then our exploit will fail and the browser will crash during the next gargabe collection cycle. With 25 cells per arena this gives us a theoretical 1/25 chance to fail. However, in my experiments, the free cells were always located at the same offset (1216 bytes into the Arena), indicating that the state of the engine at the beginning of the exploit is fairly deterministic (at least regarding the state of the Arenas holding objects of size 160 bytes). From my experience, the exploit runs pretty reliable (>95%) if the browser is not under heavy usage. The exploit still works if 10+ other tabs are open, but might fail if for example a large web application is currently loading. #### Conclusion While the bug isn’t ideal from an attacker’s perspective, it still can be exploited fairly reliably and without too much bandwidth usage. It is interesting to see how various technologies (compression, same page merging, …) can make a bug such as this one easier to exploit. Thinking of ways to prevent exploitability of such a bug, a few things come to mind. One fairly generic mitigation are guard pages (a page leading to a segfault whenever accessed in some way). These would have to be allocated before or after every mmap allocated region and would thus protect against exploitation of linear overflows such as this one. They would, however, not protect against non-linear overflows such as this bug. Another possibility would be to introduce internal mmap randomization to scatter the allocated regions throughout the address space (likely only effective on 64-bit systems). This would best be performed by the kernel, but could also be done in userspace. id SSV:93093 last seen 2017-11-19 modified 2017-05-11 published 2017-05-11 reporter Root title Firefox Integer overflow leading to a buffer overflow in nsScriptLoadHandler (CVE-2016-9066)
References
- http://rhn.redhat.com/errata/RHSA-2016-2780.html
- http://rhn.redhat.com/errata/RHSA-2016-2780.html
- http://www.securityfocus.com/bid/94336
- http://www.securityfocus.com/bid/94336
- http://www.securitytracker.com/id/1037298
- http://www.securitytracker.com/id/1037298
- https://bugzilla.mozilla.org/show_bug.cgi?id=1299686
- https://bugzilla.mozilla.org/show_bug.cgi?id=1299686
- https://security.gentoo.org/glsa/201701-15
- https://security.gentoo.org/glsa/201701-15
- https://www.debian.org/security/2016/dsa-3730
- https://www.debian.org/security/2016/dsa-3730
- https://www.mozilla.org/security/advisories/mfsa2016-89/
- https://www.mozilla.org/security/advisories/mfsa2016-89/
- https://www.mozilla.org/security/advisories/mfsa2016-90/
- https://www.mozilla.org/security/advisories/mfsa2016-90/
- https://www.mozilla.org/security/advisories/mfsa2016-93/
- https://www.mozilla.org/security/advisories/mfsa2016-93/