Vulnerabilities > CVE-2017-5418 - Out-of-bounds Read vulnerability in Mozilla Firefox
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set patterns. This vulnerability affects Firefox < 52 and Thunderbird < 52.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_96ECA03113134DAF9BE29D6E1C4F1EB5.NASL description Mozilla Foundation reports : Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 97592 published 2017-03-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97592 title FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-545.NASL description This update to MozillaThunderbird 51.1.0 fixes security issues and bugs. In general, these flaws cannot be exploited through email because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. The following vulnerabilities were fixed: boo#1035082, MFSA 2017-13, boo#1028391, MFSA 2017-09) - CVE-2017-5443: Out-of-bounds write during BinHex decoding - CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 - CVE-2017-5464: Memory corruption with accessibility and DOM manipulation - CVE-2017-5465: Out-of-bounds read in ConvolvePixel - CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL - CVE-2017-5467: Memory corruption when drawing Skia content - CVE-2017-5460: Use-after-free in frame selection - CVE-2017-5449: Crash during bidirectional unicode manipulation with animation - CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data - CVE-2017-5447: Out-of-bounds read during glyph processing - CVE-2017-5444: Buffer overflow while parsing application/http-index-format content - CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content - CVE-2017-5442: Use-after-free during style changes - CVE-2017-5469: Potential Buffer overflow in flex-generated code - CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing - CVE-2017-5441: Use-after-free with selection during scroll events - CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing - CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing - CVE-2017-5437: Vulnerabilities in Libevent library - CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 - CVE-2017-5435: Use-after-free during transaction processing in the editor - CVE-2017-5434: Use-after-free during focus handling - CVE-2017-5433: Use-after-free in SMIL animation functions - CVE-2017-5432: Use-after-free in text input selection - CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 - CVE-2017-5459: Buffer overflow in WebGL - CVE-2017-5454; Sandbox escape allowing file system read access through file picker - CVE-2017-5451: Addressbar spoofing with onblur event - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP - CVE-2017-5401: Memory Corruption when handling ErrorResult - CVE-2017-5402: Use-after-free working with events in FontFace objects - CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object - CVE-2017-5404: Use-after-free working with ranges in selections - CVE-2017-5406: Segmentation fault in Skia with canvas operations - CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters - CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping - CVE-2017-5408: Cross-origin reading of video captions in violation of CORS - CVE-2017-5412: Buffer overflow read in SVG filters - CVE-2017-5413: Segmentation fault during bidirectional operations - CVE-2017-5414: File picker can choose incorrect default directory - CVE-2017-5416: Null dereference crash in HttpChannel - CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running - CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses - CVE-2017-5419: Repeated authentication prompts lead to DOS attack - CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports - CVE-2017-5421: Print preview spoofing - CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink - CVE-2017-5399: Memory safety bugs fixed in Thunderbird 52 - CVE-2017-5398: Memory safety bugs fixed in Thunderbird 52 and Thunderbird 45.8 The following non-security changes are included : - Background images not working and other issues related to embedded images when composing email have been fixed - Google Oauth setup can sometimes not progress to the next step - Clicking on a link in an email may not open this link in the external browser - addon blocklist updates - enable ALSA for systems without PulseAudio - Optionally remove corresponding data files when removing an account - Possibility to copy message filter - Calendar: Event can now be created and edited in a tab - Calendar: Processing of received invitation counter proposals - Chat: Support Twitter Direct Messages - Chat: Liking and favoriting in Twitter - Chat: Removed Yahoo! Messenger support last seen 2020-06-05 modified 2017-05-08 plugin id 100020 published 2017-05-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100020 title openSUSE Security Update : MozillaThunderbird (openSUSE-2017-545) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3216-2.NASL description USN-3216-1 fixed vulnerabilities in Firefox. The update resulted in a startup crash when Firefox is used with XRDP. This update fixes the problem. We apologize for the inconvenience. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99121 published 2017-03-31 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99121 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox regression (USN-3216-2) NASL family Windows NASL id MOZILLA_FIREFOX_52.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities : - Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5398) - Mozilla developers and community members Carsten Book, Calixte Denizet, Christian Holler, Andrew McCreight, David Bolter, David Keeler, Jon Coppeard, Tyson Smith, Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed Davis, Julian Seward, Julian Hector, Philipp, Markus Stange, and Andre Bargull reported memory safety bugs present in Firefox 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5399) - JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5400) - A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable. (CVE-2017-5401) - A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. (CVE-2017-5402) - When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash. (CVE-2017-5403) - A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. (CVE-2017-5404) - Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. (CVE-2017-5405) - A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. (CVE-2017-5406) - Using SVG filters that don last seen 2020-06-01 modified 2020-06-02 plugin id 97639 published 2017-03-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97639 title Mozilla Firefox < 52.0 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-344.NASL description This update for MozillaFirefox and mozilla-nss fixes the following issues : MozillaFirefox was updated to Firefox 52.0 (boo#1028391) - requires NSS >= 3.28.3 - Pages containing insecure password fields now display a warning directly within username and password fields. - Send and open a tab from one device to another with Sync - Removed NPAPI support for plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. - Removed Battery Status API to reduce fingerprinting of users by trackers - MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404: Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters (bmo#1336622) CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of video captions in violation of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running (bmo#1257361) CVE-2017-5427: Non-existent chrome.manifest file loaded during startup (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses (bmo#1338876) CVE-2017-5419: Repeated authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420: Javascript: URLs can obfuscate addressbar location (bmo#1284395) CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 mozilla-nss was updated to NSS 3.28.3 - This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS compatibility promise. ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to include an additional attribute. That size increase caused crashes or malfunctioning with applications that use that data structure directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that reference ECParams. The change has been reverted to the original state in bug bmo#1334108. SECKEYECPublicKey had been extended with a new attribute, named last seen 2020-06-05 modified 2017-03-15 plugin id 97747 published 2017-03-15 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97747 title openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2017-344) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3216-1.NASL description Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97600 published 2017-03-08 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97600 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3216-1) NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_52.NASL description The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities : - Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5398) - Mozilla developers and community members Carsten Book, Calixte Denizet, Christian Holler, Andrew McCreight, David Bolter, David Keeler, Jon Coppeard, Tyson Smith, Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed Davis, Julian Seward, Julian Hector, Philipp, Markus Stange, and Andre Bargull reported memory safety bugs present in Firefox 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5399) - JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5400) - A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable. (CVE-2017-5401) - A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. (CVE-2017-5402) - When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash. (CVE-2017-5403) - A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. (CVE-2017-5404) - Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. (CVE-2017-5405) - A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. (CVE-2017-5406) - Using SVG filters that don last seen 2020-06-01 modified 2020-06-02 plugin id 97637 published 2017-03-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97637 title Mozilla Firefox < 52.0 Multiple Vulnerabilities (macOS)
References
- http://www.securityfocus.com/bid/96692
- http://www.securityfocus.com/bid/96692
- http://www.securitytracker.com/id/1037966
- http://www.securitytracker.com/id/1037966
- https://bugzilla.mozilla.org/show_bug.cgi?id=1338876
- https://bugzilla.mozilla.org/show_bug.cgi?id=1338876
- https://www.mozilla.org/security/advisories/mfsa2017-05/
- https://www.mozilla.org/security/advisories/mfsa2017-05/
- https://www.mozilla.org/security/advisories/mfsa2017-09/
- https://www.mozilla.org/security/advisories/mfsa2017-09/