Vulnerabilities > CVE-2017-5381 - Path Traversal vulnerability in Mozilla Firefox

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
mozilla
CWE-22
nessus

Summary

The "export" function in the Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes, allowing certificate content to be saved in unsafe locations with an arbitrary filename. This vulnerability affects Firefox < 51.

Vulnerable Configurations

Part Description Count
Application
Mozilla
335

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_51.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Windows host is prior to 51.0. It is, therefore, affected by multiple vulnerabilities : - Mozilla developers and community members Christian Holler, Gary Kwong, Andre Bargull, Jan de Mooij, Tom Schuster, and Oriol reported memory safety bugs present in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5373) - Mozilla developers and community members Gary Kwong, Olli Pettay, Tooru Fujisawa, Carsten Book, Andrew McCreight, Chris Pearce, Ronald Crane, Jan de Mooij, Julian Seward, Nicolas Pierron, Randell Jesup, Esther Monchari, Honza Bambas, and Philipp reported memory safety bugs present in Firefox 50.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5374) - JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5375) - Use-after-free while manipulating XSL in XSLT documents (CVE-2017-5376) - A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash. (CVE-2017-5377) - Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object
    last seen2020-06-01
    modified2020-06-02
    plugin id96776
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96776
    titleMozilla Firefox < 51.0 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96776);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-5373",
        "CVE-2017-5374",
        "CVE-2017-5375",
        "CVE-2017-5376",
        "CVE-2017-5377",
        "CVE-2017-5378",
        "CVE-2017-5379",
        "CVE-2017-5380",
        "CVE-2017-5381",
        "CVE-2017-5382",
        "CVE-2017-5383",
        "CVE-2017-5384",
        "CVE-2017-5385",
        "CVE-2017-5386",
        "CVE-2017-5387",
        "CVE-2017-5388",
        "CVE-2017-5389",
        "CVE-2017-5390",
        "CVE-2017-5391",
        "CVE-2017-5393",
        "CVE-2017-5396"
      );
      script_bugtraq_id(
        95757,
        95758,
        95759,
        95761,
        95762,
        95763,
        95769
      );
      script_xref(name:"MFSA", value:"2017-01");
    
      script_name(english:"Mozilla Firefox < 51.0 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a web browser that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Mozilla Firefox installed on the remote Windows host
    is prior to 51.0. It is, therefore, affected by multiple
    vulnerabilities :
    
      - Mozilla developers and community members Christian
        Holler, Gary Kwong, Andre Bargull, Jan de Mooij, Tom
        Schuster, and Oriol reported memory safety bugs present
        in Firefox 50.1 and Firefox ESR 45.6. Some of these
        bugs showed evidence of memory corruption and we
        presume that with enough effort that some of these
        could be exploited to run arbitrary code.
        (CVE-2017-5373)
    
      - Mozilla developers and community members Gary Kwong,
        Olli Pettay, Tooru Fujisawa, Carsten Book, Andrew
        McCreight, Chris Pearce, Ronald Crane, Jan de Mooij,
        Julian Seward, Nicolas Pierron, Randell Jesup, Esther
        Monchari, Honza Bambas, and Philipp reported memory
        safety bugs present in Firefox 50.1. Some of these bugs
        showed evidence of memory corruption and we presume
        that with enough effort that some of these could be
        exploited to run arbitrary code. (CVE-2017-5374)
    
      - JIT code allocation can allow for a bypass of ASLR and
        DEP protections leading to potential memory corruption
        attacks. (CVE-2017-5375)
    
      - Use-after-free while manipulating XSL in XSLT documents
        (CVE-2017-5376)
    
      - A memory corruption vulnerability in Skia that can
        occur when using transforms to make gradients,
        resulting in a potentially exploitable crash.
        (CVE-2017-5377)
    
      - Hashed codes of JavaScript objects are shared between
        pages. This allows for pointer leaks because an object's
        address can be discovered through hash codes, and also
        allows for data leakage of an object's content using
        these hash codes. (CVE-2017-5378)
    
      - Use-after-free vulnerability in Web Animations when
        interacting with cycle collection found through
        fuzzing. (CVE-2017-5379)
    
      - A potential use-after-free found through fuzzing during
        DOM manipulation of SVG content. (CVE-2017-5380)
    
      - The 'export' function in the Certificate Viewer can
        force local filesystem navigation when the 'common
        name' in a certificate contains slashes, allowing
        certificate content to be saved in unsafe locations
        with an arbitrary filename. (CVE-2017-5381)
    
      - Feed preview for RSS feeds can be used to capture
        errors and exceptions generated by privileged content,
        allowing for the exposure of internal information not
        meant to be seen by web content. (CVE-2017-5382)
    
      - URLs containing certain unicode glyphs for alternative
        hyphens and quotes do not properly trigger punycode
        display, allowing for domain name spoofing attacks in
        the location bar. (CVE-2017-5383)
    
      - Proxy Auto-Config (PAC) files can specify a JavaScript
        function called for all URL requests with the full URL
        path which exposes more information than would be sent
        to the proxy itself in the case of HTTPS. Normally the
        Proxy Auto-Config file is specified by the user or
        machine owner and presumed to be non-malicious, but if
        a user has enabled Web Proxy Auto Detect (WPAD) this
        file can be served remotely. (CVE-2017-5384)
    
      - Data sent with in multipart channels, such as the
        multipart/x-mixed-replace MIME type, will ignore the
        referrer-policy response header, leading to potential
        information disclosure for sites using this header.
        (CVE-2017-5385)
    
      - WebExtension scripts can use the 'data:' protocol to
        affect pages loaded by other web extensions using this
        protocol, leading to potential data disclosure or
        privilege escalation in affected extensions.
        (CVE-2017-5386)
    
      - The existence of a specifically requested local file
        can be found due to the double firing of the 'onerror'
        when the 'source' attribute on a <track> tag refers to
        a file that does not exist if the source page is loaded
        locally. (CVE-2017-5387)
    
      - A STUN server in conjunction with a large number of
        'webkitRTCPeerConnection' objects can be used to send
        large STUN packets in a short period of time due to a
        lack of rate limiting being applied on e10s systems,
        allowing for a denial of service attack. (CVE-2017-5388)
    
      - WebExtensions could use the 'mozAddonManager' API by
        modifying the CSP headers on sites with the appropriate
        permissions and then using host requests to redirect
        script loads to a malicious site. This allows a
        malicious extension to then install additional
        extensions without explicit user permission.
        (CVE-2017-5389)
    
      - The JSON viewer in the Developer Tools uses insecure
        methods to create a communication channel for copying
        and viewing JSON or HTTP headers data, allowing for
        potential privilege escalation. (CVE-2017-5390)
    
      - Special 'about:' pages used by web content, such as RSS
        feeds, can load privileged 'about:' pages in an iframe.
        If a content-injection bug were found in one of those
        pages this could allow for potential privilege
        escalation. (CVE-2017-5391)
    
      - The 'mozAddonManager' allows for the installation of
        extensions from the CDN for addons.mozilla.org, a
        publicly accessible site. This could allow malicious
        extensions to install additional extensions from the CDN
        in combination with an XSS attack on Mozilla AMO sites.
        (CVE-2017-5393)
    
      - A use-after-free vulnerability in the Media Decoder
        when working with media files when some events are
        fired after the media elements are freed from memory.
        (CVE-2017-5396)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Mozilla security advisories.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1017616");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1255474");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1281482");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1285833");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1285960");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1288561");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1293327");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1295023");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1295322");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1295747");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1295945");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1297361");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1297808");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1300145");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1302231");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1306883");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1307458");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1308688");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1309198");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1309282");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1309310");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1311319");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1311687");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1312001");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1313385");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1315447");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1317501");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1318766");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1319070");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1319456");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1319888");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1321374");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1322107");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1322305");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1322315");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1322420");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1323338");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1324716");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1324810");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1325200");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1325344");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1325877");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1325938");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1328251");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1328834");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1329403");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1329989");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1330769");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mozilla.org/show_bug.cgi?id=1331058");
      # https://www.contextis.com//resources/blog/leaking-https-urls-20-year-old-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d11b233");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 51.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5396");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mozilla_org_installed.nasl");
      script_require_keys("Mozilla/Firefox/Version");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    installs = get_kb_list("SMB/Mozilla/Firefox/*");
    if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");
    
    mozilla_check_version(installs:installs, product:'firefox', fix:'51.0', severity:SECURITY_HOLE);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-187.NASL
    descriptionThis update for MozillaFirefox to version 51.0.1 fixes security issues and bugs. These security issues were fixed : - CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) - CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) - CVE-2017-5378: Pointer and frame data leakage of JavaScript objects (bmo#1312001, bmo#1330769, boo#1021818) - CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) - CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) - CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) - CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) - CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) - CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) - CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) - CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) - CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) - CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) - CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) - CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) - CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) - CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) - CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) - CVE-2017-5374: Memory safety bugs (boo#1021841) - CVE-2017-5373: Memory safety bugs (boo#1021824) These non-security issues in MozillaFirefox were fixed : - Added support for FLAC (Free Lossless Audio Codec) playback - Added support for WebGL 2 - Added Georgian (ka) and Kabyle (kab) locales - Support saving passwords for forms without
    last seen2020-06-05
    modified2017-02-02
    plugin id96940
    published2017-02-02
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96940
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2017-187)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-187.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96940);
      script_version("3.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5373", "CVE-2017-5374", "CVE-2017-5375", "CVE-2017-5376", "CVE-2017-5377", "CVE-2017-5378", "CVE-2017-5379", "CVE-2017-5380", "CVE-2017-5381", "CVE-2017-5382", "CVE-2017-5383", "CVE-2017-5384", "CVE-2017-5385", "CVE-2017-5386", "CVE-2017-5387", "CVE-2017-5388", "CVE-2017-5389", "CVE-2017-5390", "CVE-2017-5391", "CVE-2017-5392", "CVE-2017-5393", "CVE-2017-5394", "CVE-2017-5395", "CVE-2017-5396");
    
      script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-2017-187)");
      script_summary(english:"Check for the openSUSE-2017-187 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for MozillaFirefox to version 51.0.1 fixes security issues
    and bugs.
    
    These security issues were fixed :
    
      - CVE-2017-5375: Excessive JIT code allocation allows
        bypass of ASLR and DEP (bmo#1325200, boo#1021814)
    
      - CVE-2017-5376: Use-after-free in XSL (bmo#1311687,
        boo#1021817) CVE-2017-5377: Memory corruption with
        transforms to create gradients in Skia (bmo#1306883,
        boo#1021826)
    
      - CVE-2017-5378: Pointer and frame data leakage of
        JavaScript objects (bmo#1312001, bmo#1330769,
        boo#1021818)
    
      - CVE-2017-5379: Use-after-free in Web Animations
        (bmo#1309198,boo#1021827)
    
      - CVE-2017-5380: Potential use-after-free during DOM
        manipulations (bmo#1322107, boo#1021819)
    
      - CVE-2017-5390: Insecure communication methods in
        Developer Tools JSON viewer (bmo#1297361, boo#1021820)
    
      - CVE-2017-5389: WebExtensions can install additional
        add-ons via modified host requests (bmo#1308688,
        boo#1021828)
    
      - CVE-2017-5396: Use-after-free with Media Decoder
        (bmo#1329403, boo#1021821)
    
      - CVE-2017-5381: Certificate Viewer exporting can be used
        to navigate and save to arbitrary filesystem locations
        (bmo#1017616, boo#1021830)
    
      - CVE-2017-5382: Feed preview can expose privileged
        content errors and exceptions (bmo#1295322, boo#1021831)
    
      - CVE-2017-5383: Location bar spoofing with unicode
        characters (bmo#1323338, bmo#1324716, boo#1021822)
    
      - CVE-2017-5384: Information disclosure via Proxy
        Auto-Config (PAC) (bmo#1255474, boo#1021832)
    
      - CVE-2017-5385: Data sent in multipart channels ignores
        referrer-policy response headers (bmo#1295945,
        boo#1021833)
    
      - CVE-2017-5386: WebExtensions can use data: protocol to
        affect other extensions (bmo#1319070, boo#1021823)
    
      - CVE-2017-5391: Content about: pages can load privileged
        about: pages (bmo#1309310, boo#1021835)
    
      - CVE-2017-5393: Remove addons.mozilla.org CDN from
        whitelist for mozAddonManager (bmo#1309282, boo#1021837)
    
      - CVE-2017-5387: Disclosure of local file existence
        through TRACK tag error messages (bmo#1295023,
        boo#1021839)
    
      - CVE-2017-5388: WebRTC can be used to generate a large
        amount of UDP traffic for DDOS attacks (bmo#1281482,
        boo#1021840)
    
      - CVE-2017-5374: Memory safety bugs (boo#1021841)
    
      - CVE-2017-5373: Memory safety bugs (boo#1021824)
    
    These non-security issues in MozillaFirefox were fixed :
    
      - Added support for FLAC (Free Lossless Audio Codec)
        playback
    
      - Added support for WebGL 2
    
      - Added Georgian (ka) and Kabyle (kab) locales
    
      - Support saving passwords for forms without 'submit'
        events
    
      - Improved video performance for users without GPU
        acceleration
    
      - Zoom indicator is shown in the URL bar if the zoom level
        is not at default level
    
      - View passwords from the prompt before saving them
    
      - Remove Belarusian (be) locale
    
      - Use Skia for content rendering (Linux)
    
      - Improve recognition of LANGUAGE env variable
        (boo#1017174)
    
      - Multiprocess incompatibility did not correctly register
        with some add-ons (bmo#1333423)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1017174"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021817"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021818"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021819"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021820"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021821"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021822"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021824"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021826"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021827"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021828"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021830"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021831"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021832"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021833"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021835"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021837"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021839"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021841"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected MozillaFirefox packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-branding-upstream-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-buildsymbols-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-debuginfo-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-debugsource-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-devel-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-translations-common-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaFirefox-translations-other-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-branding-upstream-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-buildsymbols-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-debuginfo-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-debugsource-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-devel-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-translations-common-51.0.1-50.2") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"MozillaFirefox-translations-other-51.0.1-50.2") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3175-2.NASL
    descriptionUSN-3175-1 fixed vulnerabilities in Firefox. The update caused a regression on systems where the AppArmor profile for Firefox is set to enforce mode. This update fixes the problem. We apologize for the inconvenience. Multiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374) JIT code allocation can allow a bypass of ASLR protections in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5375) Nicolas Gregoire discovered a use-after-free when manipulating XSL in XSLT documents in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5376) Atte Kettunen discovered a memory corruption issue in Skia in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5377) Jann Horn discovered that an object
    last seen2020-06-01
    modified2020-06-02
    plugin id97047
    published2017-02-07
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97047
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox regression (USN-3175-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3175-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97047);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2017-5373", "CVE-2017-5374", "CVE-2017-5375", "CVE-2017-5376", "CVE-2017-5377", "CVE-2017-5378", "CVE-2017-5379", "CVE-2017-5380", "CVE-2017-5381", "CVE-2017-5382", "CVE-2017-5383", "CVE-2017-5384", "CVE-2017-5385", "CVE-2017-5386", "CVE-2017-5387", "CVE-2017-5388", "CVE-2017-5389", "CVE-2017-5390", "CVE-2017-5391", "CVE-2017-5393", "CVE-2017-5396");
      script_xref(name:"USN", value:"3175-2");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox regression (USN-3175-2)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3175-1 fixed vulnerabilities in Firefox. The update caused a
    regression on systems where the AppArmor profile for Firefox is set to
    enforce mode. This update fixes the problem.
    
    We apologize for the inconvenience.
    
    Multiple memory safety issues were discovered in Firefox. If a user
    were tricked in to opening a specially crafted website, an attacker
    could potentially exploit these to cause a denial of service via
    application crash, or execute arbitrary code. (CVE-2017-5373,
    CVE-2017-5374)
    
    JIT code allocation can allow a bypass of ASLR protections
    in some circumstances. If a user were tricked in to opening
    a specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via application
    crash, or execute arbitrary code. (CVE-2017-5375)
    
    Nicolas Gregoire discovered a use-after-free when
    manipulating XSL in XSLT documents in some circumstances. If
    a user were tricked in to opening a specially crafted
    website, an attacker could potentially exploit this to cause
    a denial of service via application crash, or execute
    arbitrary code. (CVE-2017-5376)
    
    Atte Kettunen discovered a memory corruption issue in Skia
    in some circumstances. If a user were tricked in to opening
    a specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via application
    crash, or execute arbitrary code. (CVE-2017-5377)
    
    Jann Horn discovered that an object's address could be
    discovered through hashed codes of JavaScript objects shared
    between pages. If a user were tricked in to opening a
    specially crafted website, an attacker could potentially
    exploit this to obtain sensitive information.
    (CVE-2017-5378)
    
    A use-after-free was discovered in Web Animations in some
    circumstances. If a user were tricked in to opening a
    specially crafted website, an attacker could potentially
    exploit this to cause a denial of service via application
    crash, or execute arbitrary code. (CVE-2017-5379)
    
    A use-after-free was discovered during DOM manipulation of
    SVG content in some circumstances. If a user were tricked in
    to opening a specially crafted website, an attacker could
    potentially exploit this to cause a denial of service via
    application crash, or execute arbitrary code.
    (CVE-2017-5380)
    
    Jann Horn discovered that the 'export' function in the
    Certificate Viewer can force local filesystem navigation
    when the Common Name contains slashes. If a user were
    tricked in to exporting a specially crafted certificate, an
    attacker could potentially exploit this to save content with
    arbitrary filenames in unsafe locations. (CVE-2017-5381)
    
    Jerri Rice discovered that the Feed preview for RSS feeds
    can be used to capture errors and exceptions generated by
    privileged content. An attacker could potentially exploit
    this to obtain sensitive information. (CVE-2017-5382)
    
    Armin Razmjou discovered that certain unicode glyphs do not
    trigger punycode display. An attacker could potentially
    exploit this to spoof the URL bar contents. (CVE-2017-5383)
    
    Paul Stone and Alex Chapman discovered that the full URL
    path is exposed to JavaScript functions specified by Proxy
    Auto-Config (PAC) files. If a user has enabled Web Proxy
    Auto Detect (WPAD), an attacker could potentially exploit
    this to obtain sensitive information. (CVE-2017-5384)
    
    Muneaki Nishimura discovered that data sent in multipart
    channels will ignore the Referrer-Policy response headers.
    An attacker could potentially exploit this to obtain
    sensitive information. (CVE-2017-5385)
    
    Muneaki Nishimura discovered that WebExtensions can affect
    other extensions using the data: protocol. If a user were
    tricked in to installing a specially crafted addon, an
    attacker could potentially exploit this to obtain sensitive
    information or gain additional privileges. (CVE-2017-5386)
    
    Mustafa Hasan discovered that the existence of local files
    can be determined using the <track> element. An attacker
    could potentially exploit this to obtain sensitive
    information. (CVE-2017-5387)
    
    Cullen Jennings discovered that WebRTC can be used to
    generate large amounts of UDP traffic. An attacker could
    potentially exploit this to conduct Distributed
    Denial-of-Service (DDOS) attacks. (CVE-2017-5388)
    
    Kris Maglione discovered that WebExtensions can use the
    mozAddonManager API by modifying the CSP headers on sites
    with the appropriate permissions and then using host
    requests to redirect script loads to a malicious site. If a
    user were tricked in to installing a specially crafted
    addon, an attacker could potentially exploit this to install
    additional addons without user permission. (CVE-2017-5389)
    
    Jerri Rice discovered insecure communication methods in the
    Dev Tools JSON Viewer. An attacker could potentially exploit
    this to gain additional privileges. (CVE-2017-5390)
    
    Jerri Rice discovered that about: pages used by content can
    load privileged about: pages in iframes. An attacker could
    potentially exploit this to gain additional privileges, in
    combination with a content-injection bug in one of those
    about: pages. (CVE-2017-5391)
    
    Stuart Colville discovered that mozAddonManager allows for
    the installation of extensions from the CDN for
    addons.mozilla.org, a publicly accessible site. If a user
    were tricked in to installing a specially crafted addon, an
    attacker could potentially exploit this, in combination with
    a cross-site scripting (XSS) attack on Mozilla's AMO sites,
    to install additional addons. (CVE-2017-5393)
    
    Filipe Gomes discovered a use-after-free in the media
    decoder in some circumstances. If a user were tricked in to
    opening a specially crafted website, an attacker could
    potentially exploit this to cause a denial of service via
    application crash, or execute arbitrary code.
    (CVE-2017-5396).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3175-2/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04 / 16.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"firefox", pkgver:"51.0.1+build2-0ubuntu0.12.04.2")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"51.0.1+build2-0ubuntu0.14.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"51.0.1+build2-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"firefox", pkgver:"51.0.1+build2-0ubuntu0.16.10.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_E60169C4AA8646B08AE20D81F683DF09.NASL
    descriptionMozilla Foundation reports : Please reference CVE/URL list for details
    last seen2020-06-01
    modified2020-06-02
    plugin id96743
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96743
    titleFreeBSD : mozilla -- multiple vulnerabilities (e60169c4-aa86-46b0-8ae2-0d81f683df09)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_51.NASL
    descriptionThe version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 51. It is, therefore, affected by the following vulnerabilities : - Mozilla developers and community members Christian Holler, Gary Kwong, Andre Bargull, Jan de Mooij, Tom Schuster, and Oriol reported memory safety bugs present in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5373) - Mozilla developers and community members Gary Kwong, Olli Pettay, Tooru Fujisawa, Carsten Book, Andrew McCreight, Chris Pearce, Ronald Crane, Jan de Mooij, Julian Seward, Nicolas Pierron, Randell Jesup, Esther Monchari, Honza Bambas, and Philipp reported memory safety bugs present in Firefox 50.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5374) - JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5375) - Use-after-free while manipulating XSL in XSLT documents (CVE-2017-5376) - A memory corruption vulnerability in Skia that can occur when using transforms to make gradients, resulting in a potentially exploitable crash. (CVE-2017-5377) - Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object
    last seen2020-06-01
    modified2020-06-02
    plugin id96774
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96774
    titleMozilla Firefox < 51 Multiple Vulnerabilities (macOS)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3175-1.NASL
    descriptionMultiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374) JIT code allocation can allow a bypass of ASLR protections in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5375) Nicolas Gregoire discovered a use-after-free when manipulating XSL in XSLT documents in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5376) Atte Kettunen discovered a memory corruption issue in Skia in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5377) Jann Horn discovered that an object
    last seen2020-06-01
    modified2020-06-02
    plugin id96872
    published2017-01-30
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96872
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3175-1)