Vulnerabilities > CVE-2017-5055 - Use After Free vulnerability in Google Chrome

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
google
CWE-416
nessus

Summary

A use after free in printing in Google Chrome prior to 57.0.2987.133 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

Vulnerable Configurations

Part Description Count
Application
Google
3798
OS
Linux
1
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201704-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201704-02 (Chromium: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Chromium web browser. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id99275
    published2017-04-11
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99275
    titleGLSA-201704-02 : Chromium: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201704-02.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99275);
      script_version("3.9");
      script_cvs_date("Date: 2019/12/06");
    
      script_cve_id("CVE-2017-5030", "CVE-2017-5031", "CVE-2017-5032", "CVE-2017-5033", "CVE-2017-5034", "CVE-2017-5035", "CVE-2017-5036", "CVE-2017-5037", "CVE-2017-5038", "CVE-2017-5039", "CVE-2017-5040", "CVE-2017-5041", "CVE-2017-5042", "CVE-2017-5043", "CVE-2017-5044", "CVE-2017-5045", "CVE-2017-5046", "CVE-2017-5052", "CVE-2017-5053", "CVE-2017-5054", "CVE-2017-5055", "CVE-2017-5056");
      script_xref(name:"GLSA", value:"201704-02");
    
      script_name(english:"GLSA-201704-02 : Chromium: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201704-02
    (Chromium: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in the Chromium web
          browser. Please review the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could possibly execute arbitrary code with the
          privileges of the process, cause a Denial of Service condition, obtain
          sensitive information, or bypass security restrictions.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201704-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Chromium users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=www-client/chromium-57.0.2987.133'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:chromium");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-client/chromium", unaffected:make_list("ge 57.0.2987.133"), vulnerable:make_list("lt 57.0.2987.133"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Chromium");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GOOGLE_CHROME_57_0_2987_133.NASL
    descriptionThe version of Google Chrome installed on the remote macOS or Mac OS X host is prior to 57.0.2987.133. It is, therefore, affected by the following vulnerabilities : - A type cast error exists in Blink in the LayoutInline::absoluteVisualRect() function within file layout/LayoutInline.cpp that allows an unauthenticated, remote attacker to cause an unspecified impact. (CVE-2017-5052) - An out-of-bounds read error exists in V8 in the IndexOfValueImpl() function template within file builtins/builtins-array.cc when handling arrays. An unauthenticated, remote attacker can exploit this to disclose memory content. (CVE-2017-5053) - A heap buffer overflow condition exists in V8 that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5054) - A use-after-free error exists in the PrintViewManager class within file printing/print_view_manager.cc when handling previews. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution arbitrary code. (CVE-2017-5055) - A use-after-free error exists in the Blink that allows an unauthenticated, remote attacker to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-5056) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id99137
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99137
    titleGoogle Chrome < 57.0.2987.133 Multiple Vulnerabilities (macOS)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-E83C26A8C9.NASL
    descriptionThis update updates QtWebEngine to the 5.9.0 release. QtWebEngine 5.9.0 is part of the Qt 5.9.0 release, but only the QtWebEngine component is included in this update. The update fixes the following security issues in QtWebEngine 5.8.0: CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5036, CVE-2017-5039, CVE-2017-5040, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046, CVE-2017-5052, CVE-2017-5053, CVE-2017-5055, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5068, and CVE-2017-5069. Other important changes include : - Based on Chromium 56.0.2924.122 with security fixes from Chromium up to version 58.0.3029.96. (5.8.0 was based on Chromium 53.0.2785.148 with security fixes from Chromium up to version 55.0.2883.75.) - [QTBUG-54650, QTBUG-59922] Accessibility is now disabled by default on Linux, like it is in Chrome, due to poor options for enabling it conditionally and its heavy performance impact. Set the environment variable `QTWEBENGINE_ENABLE_LINUX_ACCESSIBILITY` to enable it again. - [QTBUG-56531] Enabled `filesystem:` protocol handler. - [QTBUG-57720] Optimized incremental scene-graph rendering in particular for software rendering. - [QTBUG-60049] Enabled brotli support. - Many bug fixes, see https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/cha nges-5.9.0?h=5.9 for details. In addition, this build includes a fix for https://bugreports.qt.io/browse/QTBUG-61521 , a binary incompatibility in QtWebEngine 5.9.0 compared to 5.8.0. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101740
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101740
    titleFedora 26 : qt5-qtwebengine (2017-e83c26a8c9)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0860.NASL
    descriptionAn update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 57.0.2987.133. Security Fix(es) : * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2017-5055, CVE-2017-5052, CVE-2017-5053, CVE-2017-5054, CVE-2017-5056)
    last seen2020-05-31
    modified2017-04-13
    plugin id99336
    published2017-04-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99336
    titleRHEL 6 : chromium-browser (RHSA-2017:0860)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-49F828D4B1.NASL
    descriptionSecurity fix for CVE-2017-5055, CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101624
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101624
    titleFedora 26 : chromium (2017-49f828d4b1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-7D698EBA8B.NASL
    descriptionUpdate to chromium 58. Move chrome-remote-desktop to user systemd service. Security fixes for CVE-2017-5068, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5063, CVE-2017-5064, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5069 ---- Security fix for CVE-2017-5055, CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-05
    plugin id100606
    published2017-06-05
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100606
    titleFedora 24 : 1:chromium-native_client / chromium (2017-7d698eba8b)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-420.NASL
    descriptionThis update to Chromium 57.0.2987.133 fixes the following issues (boo#1031677) : - CVE-2017-5055: Use after free in printing - CVE-2017-5054: Heap buffer overflow in V8 - CVE-2017-5052: Bad cast in Blink - CVE-2017-5056: Use after free in Blink - CVE-2017-5053: Out of bounds memory access in V8 The following packaging changes are included : - No longer claim to provide browser(npapi)
    last seen2020-06-05
    modified2017-04-03
    plugin id99158
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99158
    titleopenSUSE Security Update : Chromium (openSUSE-2017-420)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-58CDE32413.NASL
    descriptionThis update updates QtWebEngine to the 5.9.0 release. QtWebEngine 5.9.0 is part of the Qt 5.9.0 release, but only the QtWebEngine component is included in this update. The update fixes the following security issues in QtWebEngine 5.8.0: CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5036, CVE-2017-5039, CVE-2017-5040, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046, CVE-2017-5052, CVE-2017-5053, CVE-2017-5055, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5068, and CVE-2017-5069. Other important changes include : - Based on Chromium 56.0.2924.122 with security fixes from Chromium up to version 58.0.3029.96. (5.8.0 was based on Chromium 53.0.2785.148 with security fixes from Chromium up to version 55.0.2883.75.) - [QTBUG-54650, QTBUG-59922] Accessibility is now disabled by default on Linux, like it is in Chrome, due to poor options for enabling it conditionally and its heavy performance impact. Set the environment variable `QTWEBENGINE_ENABLE_LINUX_ACCESSIBILITY` to enable it again. - [QTBUG-56531] Enabled `filesystem:` protocol handler. - [QTBUG-57720] Optimized incremental scene-graph rendering in particular for software rendering. - [QTBUG-60049] Enabled brotli support. - Many bug fixes, see https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/cha nges-5.9.0?h=5.9 for details. In addition, this build includes a fix for https://bugreports.qt.io/browse/QTBUG-61521 , a binary incompatibility in QtWebEngine 5.9.0 compared to 5.8.0. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-13
    plugin id101504
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101504
    titleFedora 25 : qt5-qtwebengine (2017-58cde32413)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7CF058D8158D11E7BA2CE8E0B747A45A.NASL
    descriptionGoogle Chrome Releases reports : 5 security fixes in this release, including : - [698622] Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar - [699166] High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs - [662767] High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin - [705445] High CVE-2017-5056: Use after free in Blink. Credit to anonymous - [702058] High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)
    last seen2020-06-01
    modified2020-06-02
    plugin id99109
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99109
    titleFreeBSD : chromium -- multiple vulnerabilities (7cf058d8-158d-11e7-ba2c-e8e0b747a45a)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-FF6940BF63.NASL
    descriptionSecurity fix for CVE-2017-5055, CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-04-03
    plugin id99149
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99149
    titleFedora 25 : chromium (2017-ff6940bf63)
  • NASL familyWindows
    NASL idGOOGLE_CHROME_57_0_2987_133.NASL
    descriptionThe version of Google Chrome installed on the remote Windows host is prior to 57.0.2987.133. It is, therefore, affected by the following vulnerabilities : - A type cast error exists in Blink in the LayoutInline::absoluteVisualRect() function within file layout/LayoutInline.cpp that allows an unauthenticated, remote attacker to cause an unspecified impact. (CVE-2017-5052) - An out-of-bounds read error exists in V8 in the IndexOfValueImpl() function template within file builtins/builtins-array.cc when handling arrays. An unauthenticated, remote attacker can exploit this to disclose memory content. (CVE-2017-5053) - A heap buffer overflow condition exists in V8 that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5054) - A use-after-free error exists in the PrintViewManager class within file printing/print_view_manager.cc when handling previews. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution arbitrary code. (CVE-2017-5055) - A use-after-free error exists in the Blink that allows an unauthenticated, remote attacker to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2017-5056) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id99136
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99136
    titleGoogle Chrome < 57.0.2987.133 Multiple Vulnerabilities

Redhat

advisories
rhsa
idRHSA-2017:0860
rpms
  • chromium-browser-0:57.0.2987.133-1.el6_9
  • chromium-browser-debuginfo-0:57.0.2987.133-1.el6_9