Vulnerabilities > CVE-2017-5468 - Improper Initialization vulnerability in Mozilla Firefox

CVSS 9.1 - CRITICAL
  Attack vector: NETWORK
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: HIGH
  Integrity impact: NONE
  Availability impact: HIGH
Tags: network, low complexity, mozilla, CWE-665, critical, nessus

Summary

An issue exists with the incorrect ownership model of "privateBrowsing" information exposed through the developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox < 53.

Vulnerable Configurations

  Part         Description   Count
  Application  Mozilla       513

Common Weakness Enumeration (CWE)

  • CWE-665: Improper Initialization

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with their own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition that occurs between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FIREFOX_53_0.NASL
    description: The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 53. It is, therefore, affected by the following vulnerabilities:
      - Multiple buffer overflow conditions exist in the FLEX generated code due to improper validation of certain input. An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2016-6354, CVE-2017-5469)
      - Multiple flaws exist in the Libevent library, within files evdns.c and evutil.c, due to improper validation of input when handling IP address strings, empty base name strings, and DNS packets. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197, CVE-2017-5437)
      - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5429, CVE-2017-5430)
      - A use-after-free error exists in input text selection that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5432)
      - A use-after-free error exists in the SMIL animation functions when handling animation elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5433)
      - A use-after-free error exists when redirecting focus handling that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5434)
      - A use-after-free error exists in design mode interactions when handling transaction processing in the editor. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5435)
      - An out-of-bounds write error exists in the Graphite 2 library when handling specially crafted Graphite fonts. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5436)
      - A use-after-free error exists in the nsAutoPtr() function during XSLT processing due to the result handler being held by a freed handler. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5438)
      - A use-after-free error exists in the Length() function in nsTArray when handling template parameters during XSLT processing. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5439)
      - A use-after-free error exists in the txExecutionState destructor when processing XSLT content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5440)
      - A use-after-free error exists when holding a selection during scroll events. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5441)
      - A use-after-free error exists when changing styles in DOM elements that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5442)
      - An out-of-bounds write error exists while decoding improperly formed BinHex format archives that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5443)
      - A buffer overflow condition exists while parsing application/http-index-format format content due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via improperly formatted data, to disclose out-of-bounds memory content. (CVE-2017-5444)
      - A flaw exists in nsDirIndexParser.cpp when parsing application/http-index-format format content in which uninitialized values are used to create an array. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-5445)
      - An out-of-bounds read error exists when handling HTTP/2 DATA connections to a server that sends DATA frames with incorrect content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-5446)
      - An out-of-bounds read error exists when processing glyph widths during text layout. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-5447)
      - An out-of-bounds write error exists in the ClearKeyDecryptor::Decrypt() function within file ClearKeyDecryptionManager.cpp when decrypting Clearkey-encrypted media content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. This vulnerability can only be exploited if a secondary mechanism can be used to escape the Gecko Media Plugin (GMP) sandbox. (CVE-2017-5448)
      - A flaw exists when handling bidirectional Unicode text in conjunction with CSS animations that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5449)
      - A flaw exists in the handling of specially crafted
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99629
    published: 2017-04-24
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99629
    title: Mozilla Firefox < 53 Multiple Vulnerabilities (macOS)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99629);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2016-6354",
        "CVE-2016-10195",
        "CVE-2016-10196",
        "CVE-2016-10197",
        "CVE-2017-5429",
        "CVE-2017-5430",
        "CVE-2017-5432",
        "CVE-2017-5433",
        "CVE-2017-5434",
        "CVE-2017-5435",
        "CVE-2017-5436",
        "CVE-2017-5437",
        "CVE-2017-5438",
        "CVE-2017-5439",
        "CVE-2017-5440",
        "CVE-2017-5441",
        "CVE-2017-5442",
        "CVE-2017-5443",
        "CVE-2017-5444",
        "CVE-2017-5445",
        "CVE-2017-5446",
        "CVE-2017-5447",
        "CVE-2017-5448",
        "CVE-2017-5449",
        "CVE-2017-5451",
        "CVE-2017-5453",
        "CVE-2017-5454",
        "CVE-2017-5455",
        "CVE-2017-5456",
        "CVE-2017-5458",
        "CVE-2017-5459",
        "CVE-2017-5460",
        "CVE-2017-5461",
        "CVE-2017-5462",
        "CVE-2017-5464",
        "CVE-2017-5465",
        "CVE-2017-5466",
        "CVE-2017-5467",
        "CVE-2017-5468",
        "CVE-2017-5469"
      );
      script_bugtraq_id(92141, 96014, 97940);
      script_xref(name:"MFSA", value:"2017-10");
    
      script_name(english:"Mozilla Firefox < 53 Multiple Vulnerabilities (macOS)");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote macOS or Mac OS X host contains a web browser that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Mozilla Firefox installed on the remote macOS or Mac
    OS X host is prior to 53. It is, therefore, affected by the following
    vulnerabilities :
    
      - Multiple buffer overflow conditions exist in the FLEX
        generated code due to improper validation of certain
        input. An unauthenticated, remote attacker can exploit
        these to execute arbitrary code. (CVE-2016-6354,
        CVE-2017-5469)
    
      - Multiple flaws exist in the Libevent library, within
        files evdns.c and evutil.c, due to improper validation
        of input when handling IP address strings, empty base
        name strings, and DNS packets. An unauthenticated,
        remote attacker can exploit these to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197,
        CVE-2017-5437)
    
      - Multiple memory corruption issues exist that allow an
        unauthenticated, remote attacker to execute arbitrary
        code. (CVE-2017-5429, CVE-2017-5430)
    
      - A use-after-free error exists in input text selection
        that allows an unauthenticated, remote attacker to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5432)
    
      - A use-after-free error exists in the SMIL animation
        functions when handling animation elements. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5433)
    
      - A use-after-free error exists when redirecting focus
        handling that allows an unauthenticated, remote attacker
        to cause a denial of service condition or the execution
        of arbitrary code. (CVE-2017-5434)
    
      - A use-after-free error exists in design mode
        interactions when handling transaction processing in
        the editor. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-5435)
    
      - An out-of-bounds write error exists in the Graphite 2
        library when handling specially crafted Graphite fonts.
        An unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5436)
    
      - A use-after-free error exists in the nsAutoPtr()
        function during XSLT processing due to the result
        handler being held by a freed handler. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5438)
    
      - A use-after-free error exists in the Length() function
        in nsTArray when handling template parameters during
        XSLT processing. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-5439)
    
      - A use-after-free error exists in the txExecutionState
        destructor when processing XSLT content. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5440)
    
      - A use-after-free error exists when holding a selection
        during scroll events. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the execution of arbitrary code.
        (CVE-2017-5441)
    
      - A use-after-free error exists when changing styles in
        DOM elements that allows an unauthenticated, remote
        attacker to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2017-5442)
    
      - An out-of-bounds write error exists while decoding
        improperly formed BinHex format archives that allows an
        unauthenticated, remote attacker to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-5443)
    
      - A buffer overflow condition exists while parsing
        application/http-index-format format content due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this, via
        improperly formatted data, to disclose out-of-bounds
        memory content. (CVE-2017-5444)
    
      - A flaw exists in nsDirIndexParser.cpp when parsing
        application/http-index-format format content in which
        uninitialized values are used to create an array. An
        unauthenticated, remote attacker can exploit this to
        disclose memory contents. (CVE-2017-5445)
    
      - An out-of-bounds read error exists when handling HTTP/2
        DATA connections to a server that sends DATA frames with
        incorrect content. An unauthenticated, remote attacker
        can exploit to cause a denial of service condition or
        the disclosure of memory contents. (CVE-2017-5446)
    
      - An out-of-bounds read error exists when processing glyph
        widths during text layout. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the disclosure of memory contents.
        (CVE-2017-5447)
    
      - An out-of-bounds write error exists in the
        ClearKeyDecryptor::Decrypt() function within file
        ClearKeyDecryptionManager.cpp when decrypting
        Clearkey-encrypted media content. An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        This vulnerability can only be exploited if a secondary
        mechanism can be used to escape the Gecko Media Plugin
        (GMP) sandbox. (CVE-2017-5448)
    
      - A flaw exists when handling bidirectional Unicode text
        in conjunction with CSS animations that allows an
        unauthenticated, remote attacker to cause a denial of
        service condition or the execution or arbitrary code.
        (CVE-2017-5449)
    
      - A flaw exists in the handling of specially crafted
        'onblur' events. An unauthenticated, remote attacker can
        exploit this, via a specially crafted event, to spoof
        the address bar, making the loaded site appear to be
        different from the one actually loaded. (CVE-2017-5451)
    
      - A flaw exists in the RSS reader preview page due to
        improper sanitization of URL parameters for a feed's
        TITLE element. An unauthenticated, remote attacker can
        exploit this to spoof the TITLE element. However, no
        scripted content can be run. (CVE-2017-5453)
    
      - A flaw exists in the FileSystemSecurity::Forget()
        function within file FileSystemSecurity.cpp when using
        the File Picker due to improper sanitization of input
        containing path traversal sequences. An unauthenticated,
        remote attacker can exploit this to bypass file system
        access protections in the sandbox and read arbitrary
        files on the local file system. (CVE-2017-5454)
    
      - An unspecified flaw exists in the internal feed reader
        APIs when handling messages. An unauthenticated, remote
        attacker can exploit this to escape the sandbox and
        gain elevated privileges if it can be combined with
        another vulnerability that allows remote code execution
        inside the sandboxed process. (CVE-2017-5455)
    
      - A flaw exists in the Entries API when using a file
        system request constructor through an IPC message. An
        unauthenticated, remote attacker can exploit this to
        bypass file system access protections in the sandbox
        and gain read and write access to the local file system.
        (CVE-2017-5456)
    
      - A reflected cross-site scripting (XSS) vulnerability
        exists when dragging and dropping a 'javascript:' URL
        into the address bar due to improper validation of
        input. An unauthenticated, remote attacker can exploit
        this to execute arbitrary script code in a user's
        browser session. (CVE-2017-5458)
    
      - A buffer overflow condition exists in WebGL when
        handling web content due to improper validation of
        certain input. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-5459)
    
      - A use-after-free error exists in frame selection when
        handling a specially crafted combination of script
        content and key presses by the user. An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-5460)
    
      - An out-of-bounds write error exists in the Network
        Security Services (NSS) library during Base64 decoding
        operations due to insufficient memory being allocated to
        a buffer. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-5461)
    
      - A flaw exists in the Network Security Services (NSS)
        library during DRBG number generation due to the
        internal state V not correctly carrying bits over. An
        unauthenticated, remote attacker can exploit this to
        potentially cause predictable random number generation.
        (CVE-2017-5462)
    
      - A flaw exists when making changes to DOM content in the
        accessibility tree due to improper validation of certain
        input, which can lead to the DOM tree becoming out of
        sync with the accessibility tree. An unauthenticated,
        remote attacker can exploit this to corrupt memory,
        resulting in a denial of service condition or the
        execution of arbitrary code. (CVE-2017-5464)
    
      - An out-of-bounds read error exists in ConvolvePixel when
        processing SVG content, which allows for otherwise
        inaccessible memory being copied into SVG graphic
        content. An unauthenticated, remote attacker can exploit
        this to disclose memory contents or cause a denial of
        service condition. (CVE-2017-5465)
    
      - A cross-site script (XSS) vulnerability exists due to
        improper handling of data:text/html URL redirects when
        a reload is triggered, which causes the reloaded
        data:text/html page to have its origin set incorrectly.
        An unauthenticated, remote attacker can exploit this,
        via a specially crafted request, to execute arbitrary
        script code in a user's browser session. (CVE-2017-5466)
    
      - A memory corruption issue exists when rendering Skia
        content outside of the bounds of a clipping region due
        to improper validation of certain input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-5467)
    
      - A flaw exists in the developer tools due to an incorrect
        ownership model of privateBrowsing information. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2017-5468)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 53 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5469");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");
    
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    
    if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');
    
    mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'53', severity:SECURITY_HOLE);
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3260-2.NASL
    description: USN-3260-1 fixed vulnerabilities in Firefox. The update caused the date picker panel and form validation errors to close immediately on opening. This update fixes the problem. We apologize for the inconvenience. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, spoof the address bar contents or other UI elements, escape the sandbox to read local files, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469) A flaw was discovered in the DRBG number generation in NSS. If an attacker were able to perform a man-in-the-middle attack, this flaw could potentially be exploited to view sensitive information. (CVE-2017-5462) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100153
    published: 2017-05-12
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100153
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox regression (USN-3260-2)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3260-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100153);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2017-5429", "CVE-2017-5430", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5437", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5448", "CVE-2017-5449", "CVE-2017-5451", "CVE-2017-5453", "CVE-2017-5454", "CVE-2017-5455", "CVE-2017-5456", "CVE-2017-5458", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5461", "CVE-2017-5462", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5466", "CVE-2017-5467", "CVE-2017-5468", "CVE-2017-5469");
      script_xref(name:"USN", value:"3260-2");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox regression (USN-3260-2)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3260-1 fixed vulnerabilities in Firefox. The update caused the
    date picker panel and form validation errors to close immediately on
    opening. This update fixes the problem.
    
    We apologize for the inconvenience.
    
    Multiple security issues were discovered in Firefox. If a user were
    tricked in to opening a specially crafted website, an attacker could
    potentially exploit these to read uninitialized memory, obtain
    sensitive information, spoof the addressbar contents or other UI
    elements, escape the sandbox to read local files, conduct cross-site
    scripting (XSS) attacks, cause a denial of service via application
    crash, or execute arbitrary code. (CVE-2017-5429, CVE-2017-5430,
    CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435,
    CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439,
    CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443,
    CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447,
    CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453,
    CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458,
    CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5464,
    CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468,
    CVE-2017-5469)
    
    A flaw was discovered in the DRBG number generation in NSS.
    If an attacker were able to perform a man-in-the-middle
    attack, this flaw could potentially be exploited to view
    sensitive information. (CVE-2017-5462).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3260-2/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"53.0.2+build1-0ubuntu0.14.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"53.0.2+build1-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"firefox", pkgver:"53.0.2+build1-0ubuntu0.16.10.2")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"firefox", pkgver:"53.0.2+build1-0ubuntu0.17.04.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3260-1.NASL
    description: Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, obtain sensitive information, spoof the addressbar contents or other UI elements, escape the sandbox to read local files, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469) A flaw was discovered in the DRBG number generation in NSS. If an attacker were able to perform a man-in-the-middle attack, this flaw could potentially be exploited to view sensitive information. (CVE-2017-5462). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99626
    published: 2017-04-24
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99626
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox vulnerabilities (USN-3260-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3260-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99626);
      script_version("3.11");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2017-5429", "CVE-2017-5430", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5437", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5448", "CVE-2017-5449", "CVE-2017-5451", "CVE-2017-5453", "CVE-2017-5454", "CVE-2017-5455", "CVE-2017-5456", "CVE-2017-5458", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5461", "CVE-2017-5462", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5466", "CVE-2017-5467", "CVE-2017-5468", "CVE-2017-5469");
      script_xref(name:"USN", value:"3260-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox vulnerabilities (USN-3260-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple security issues were discovered in Firefox. If a user were
    tricked in to opening a specially crafted website, an attacker could
    potentially exploit these to read uninitialized memory, obtain
    sensitive information, spoof the addressbar contents or other UI
    elements, escape the sandbox to read local files, conduct cross-site
    scripting (XSS) attacks, cause a denial of service via application
    crash, or execute arbitrary code. (CVE-2017-5429, CVE-2017-5430,
    CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435,
    CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439,
    CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443,
    CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447,
    CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453,
    CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458,
    CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5464,
    CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468,
    CVE-2017-5469)
    
    A flaw was discovered in the DRBG number generation in NSS. If an
    attacker were able to perform a man-in-the-middle attack, this flaw
    could potentially be exploited to view sensitive information.
    (CVE-2017-5462).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3260-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"53.0+build6-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"53.0+build6-0ubuntu0.16.04.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"firefox", pkgver:"53.0+build6-0ubuntu0.16.10.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"firefox", pkgver:"53.0+build6-0ubuntu0.17.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
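
    The two Ubuntu plugin scripts above (this USN-3260-1 script and the one ending just before it, which checks for the later 53.0.2 build) reduce to the same procedure: confirm the Ubuntu release, read the dpkg package list, and compare the installed firefox version against the fixed version with Debian version ordering. The Python block below is an added example, not Tenable's or Canonical's code, that re-implements that check offline: it parses a constructed `dpkg -l` listing (not captured from a real host) and compares versions with the same rules `dpkg --compare-versions` uses. The fixed versions are copied from the ubuntu_check() calls in the USN-3260-1 script; the function and variable names are the example's own.

```python
"""Offline re-implementation of the Ubuntu plugin's package check (added
example, not Tenable's or Canonical's code). dpkg ordering: epoch first, then
upstream version, then Debian revision; inside each, digit runs compare
numerically, '~' sorts before anything (even end of string), and letters sort
before other punctuation."""

# Fixed versions copied from the ubuntu_check() calls in the USN-3260-1 plugin.
FIXED_FIREFOX = {
    "14.04": "53.0+build6-0ubuntu0.14.04.1",
    "16.04": "53.0+build6-0ubuntu0.16.04.1",
    "16.10": "53.0+build6-0ubuntu0.16.10.1",
    "17.04": "53.0+build6-0ubuntu0.17.04.1",
}

# Constructed `dpkg -l` output (not captured from a real host).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version                          Architecture Description
+++-==============-================================-============-===========
ii  firefox        52.0.2+build1-0ubuntu0.16.04.1   amd64        Safe and easy web browser from Mozilla
ii  libnss3:amd64  2:3.28.4-0ubuntu0.16.04.1        amd64        Network Security Service libraries
rc  thunderbird    1:45.8.0+build1-0ubuntu0.16.04.1 amd64        Email, RSS and newsgroup client
"""

def _isdigit(c):
    return len(c) == 1 and c in "0123456789"

def _order(c):
    """dpkg character weight: digit or end of string 0, letter its code point,
    '~' below everything, any other character above all letters."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0

def _verrevcmp(a, b):
    """Compare one upstream or revision fragment the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by _order(); a missing char is "".
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; a longer run is larger, else the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def _split_version(v):
    """[epoch:]upstream[-revision]; the revision starts at the LAST '-'."""
    epoch, _, v = v.partition(":") if ":" in v else (0, "", v)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def parse_dpkg_l(output):
    """name -> version for installed rows (status 'ii', or 'hi' when held); drop ':arch'."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("ii", "hi"):
            installed[parts[1].split(":", 1)[0]] = parts[2]
    return installed

def check_firefox_usn_3260_1(release, dpkg_output):
    """Same outcomes the plugin audits: os_not_covered, package_not_installed,
    vulnerable or not_affected, plus a detail string."""
    fixed = FIXED_FIREFOX.get(release)
    if fixed is None:
        return "os_not_covered", "Ubuntu " + release
    have = parse_dpkg_l(dpkg_output).get("firefox")
    if have is None:
        return "package_not_installed", "firefox"
    if compare_versions(have, fixed) < 0:
        return "vulnerable", "firefox %s < %s" % (have, fixed)
    return "not_affected", "firefox %s >= %s" % (have, fixed)
```

    Running check_firefox_usn_3260_1("16.04", SAMPLE_DPKG_L) reports the constructed host as vulnerable because 52.0.2+build1 sorts below 53.0+build6 on the first digit run. The point of carrying dpkg's rules rather than comparing strings is the cases where text order lies: 1.0~rc1 must sort below 1.0 (the tilde rule), 9.0 below 10.0 (numeric runs), and an epoch such as 2: must outrank any un-epoched version.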
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5E0A038ACA30416DA2F538CBF5E7DF33.NASL
    description: Mozilla Foundation reports : Please reference CVE/URL list for details
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99496
    published: 2017-04-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99496
    title: FreeBSD : mozilla -- multiple vulnerabilities (5e0a038a-ca30-416d-a2f5-38cbf5e7df33)
  • NASL family: Windows
    NASL id: MOZILLA_FIREFOX_53_0.NASL
    description: The version of Mozilla Firefox installed on the remote Windows host is prior to 53. It is, therefore, affected by the following vulnerabilities:
    - Multiple buffer overflow conditions exist in the FLEX generated code due to improper validation of certain input. An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2016-6354, CVE-2017-5469)
    - Multiple flaws exist in the Libevent library, within files evdns.c and evutil.c, due to improper validation of input when handling IP address strings, empty base name strings, and DNS packets. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197, CVE-2017-5437)
    - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5429, CVE-2017-5430)
    - A use-after-free error exists in input text selection that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5432)
    - A use-after-free error exists in the SMIL animation functions when handling animation elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5433)
    - A use-after-free error exists when redirecting focus handling that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5434)
    - A use-after-free error exists in design mode interactions when handling transaction processing in the editor. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5435)
    - An out-of-bounds write error exists in the Graphite 2 library when handling specially crafted Graphite fonts. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5436)
    - A use-after-free error exists in the nsAutoPtr() function during XSLT processing due to the result handler being held by a freed handler. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5438)
    - A use-after-free error exists in the Length() function in nsTArray when handling template parameters during XSLT processing. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5439)
    - A use-after-free error exists in the txExecutionState destructor when processing XSLT content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5440)
    - A use-after-free error exists when holding a selection during scroll events. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5441)
    - A use-after-free error exists when changing styles in DOM elements that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5442)
    - An out-of-bounds write error exists while decoding improperly formed BinHex format archives that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5443)
    - A buffer overflow condition exists while parsing application/http-index-format format content due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via improperly formatted data, to disclose out-of-bounds memory content. (CVE-2017-5444)
    - A flaw exists in nsDirIndexParser.cpp when parsing application/http-index-format format content in which uninitialized values are used to create an array. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-5445)
    - An out-of-bounds read error exists when handling HTTP/2 DATA connections to a server that sends DATA frames with incorrect content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-5446)
    - An out-of-bounds read error exists when processing glyph widths during text layout. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-5447)
    - An out-of-bounds write error exists in the ClearKeyDecryptor::Decrypt() function within file ClearKeyDecryptionManager.cpp when decrypting Clearkey-encrypted media content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. This vulnerability can only be exploited if a secondary mechanism can be used to escape the Gecko Media Plugin (GMP) sandbox. (CVE-2017-5448)
    - A flaw exists when handling bidirectional Unicode text in conjunction with CSS animations that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5449)
    - A flaw exists in the handling of specially crafted
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99632
    published: 2017-04-24
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99632
    title: Mozilla Firefox < 53 Multiple Vulnerabilities