Vulnerabilities > CVE-2017-5471 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
mozilla
CWE-119
nessus

Summary

Memory safety bugs were reported in Firefox 53. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54.

Vulnerable Configurations

Part Description Count
Application
Mozilla
364

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_54_0.NASL
    descriptionThe version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 54. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470, CVE-2017-5471) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists that is triggered when displaying URLs including authentication sections in reader mode. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to spoof domains in the address bar. (CVE-2017-7762) - A flaw exists in the ReadCMAP() function in gfxMacPlatformFontList.mm that is triggered when handling tibetan characters in combination with macOS fonts. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL. (CVE-2017-7763) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - Multiple integer overflow conditions exist in the Graphite component in the decompress() function in Decompressor.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7778) - An out-of-bounds read error exists in the Graphite component in the readGraphite() function in Silf.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774) - An assertion flaw exists in the Graphite component when handling zero value sizes. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7775) - An out-of-bounds read error exists in the Graphite component in getClassGlyph() function in Silf.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776) - A flaw exists in the Graphite component in the read_glyph() function in GlyphCache.cpp related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-7777)
    last seen2020-06-01
    modified2020-06-02
    plugin id100808
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100808
    titleMozilla Firefox < 54 Multiple Vulnerabilities (macOS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100808);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-5470",
        "CVE-2017-5471",
        "CVE-2017-5472",
        "CVE-2017-7749",
        "CVE-2017-7750",
        "CVE-2017-7751",
        "CVE-2017-7752",
        "CVE-2017-7754",
        "CVE-2017-7755",
        "CVE-2017-7756",
        "CVE-2017-7757",
        "CVE-2017-7758",
        "CVE-2017-7760",
        "CVE-2017-7761",
        "CVE-2017-7762",
        "CVE-2017-7763",
        "CVE-2017-7764",
        "CVE-2017-7772",
        "CVE-2017-7774",
        "CVE-2017-7775",
        "CVE-2017-7776",
        "CVE-2017-7777",
        "CVE-2017-7778"
      );
      script_bugtraq_id(
        99040,
        99041,
        99042,
        99047,
        99057
      );
      script_xref(name:"MFSA", value:"2017-15");
    
      script_name(english:"Mozilla Firefox < 54 Multiple Vulnerabilities (macOS)");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web browser installed on the remote macOS or Mac OS X host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Mozilla Firefox installed on the remote macOS or Mac
    OS X host is prior to 54. It is, therefore, affected by multiple
    vulnerabilities :
    
      - Multiple memory corruption issues exist that allow an
        unauthenticated, remote attacker to execute arbitrary
        code by convincing a user to visit a specially crafted
        website. (CVE-2017-5470, CVE-2017-5471)
    
      - A use-after-free error exists in the EndUpdate()
        function in nsCSSFrameConstructor.cpp that is triggered
        when reconstructing trees during regeneration of CSS
        layouts. An unauthenticated, remote attacker can exploit
        this, by convincing a user to visit a specially crafted
        website, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2017-5472)
    
      - A use-after-free error exists in the Reload() function
        in nsDocShell.cpp that is triggered when using an
        incorrect URL during the reload of a docshell. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7749)
    
      - A use-after-free error exists in the Hide() function in
        nsDocumentViewer.cpp that is triggered when handling
        track elements. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-7750)
    
      - A use-after-free error exists in the nsDocumentViewer
        class in nsDocumentViewer.cpp that is triggered when
        handling content viewer listeners. An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-7751)
    
      - A use-after-free error exists that is triggered when
        handling events while specific user interaction occurs
        with the input method editor (IME). An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-7752)
    
      - An out-of-bounds read error exists in the IsComplete()
        function in WebGLTexture.cpp that is triggered when
        handling textures. An unauthenticated, remote attacker
        can exploit this to disclose memory contents.
        (CVE-2017-7754)
    
      - A privilege escalation vulnerability exists due to
        improper loading of dynamic-link library (DLL) files. A
        local attacker can exploit this, via a specially crafted
        DLL file in the installation path, to inject and execute
        arbitrary code. (CVE-2017-7755)
    
      - A use-after-free error exists in the SetRequestHead()
        function in XMLHttpRequestMainThread.cpp that is
        triggered when logging XML HTTP Requests (XHR). An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7756)
    
      - A use-after-free error exists in ActorsParent.cpp due to
        improper handling of objects in memory. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7757)
    
      - An out-of-bounds read error exists in the
        AppendAudioSegment() function in TrackEncoder.cpp that
        is triggered when the number of channels in an audio
        stream changes while the Opus encoder is in use. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive information. (CVE-2017-7758)
    
      - A flaw exists in the NS_main() function in updater.cpp
        due to improper validation of input when handling
        callback file path parameters. A local attacker can
        exploit this to manipulate files in the installation
        directory. (CVE-2017-7760)
    
      - A flaw exists in the Maintenance Service helper.exe
        application that is triggered as permissions for a
        temporary directory are set to writable by
        non-privileged users. A local attacker can exploit this
        to delete arbitrary files on the system. (CVE-2017-7761)
    
      - A flaw exists that is triggered when displaying URLs
        including authentication sections in reader mode. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted URL, to spoof domains in the address
        bar. (CVE-2017-7762)
    
      - A flaw exists in the ReadCMAP() function in
        gfxMacPlatformFontList.mm that is triggered when
        handling tibetan characters in combination with macOS
        fonts. An unauthenticated, remote attacker can exploit
        this, via a specially crafted IDN domain, to spoof a
        valid URL. (CVE-2017-7763)
    
      - A flaw exists in the isLabelSafe() function in
        nsIDNService.cpp that is triggered when handling
        characters from different unicode blocks. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted IDN domain, to spoof a valid URL and
        conduct phishing attacks. (CVE-2017-7764)
    
      - Multiple integer overflow conditions exist in the
        Graphite component in the decompress() function in
        Decompressor.cpp due to improper validation of
        user-supplied input. An unauthenticated, remote attacker
        can exploit this to cause a denial of service condition
        or the execution of arbitrary code. (CVE-2017-7772,
        CVE-2017-7778)
    
      - An out-of-bounds read error exists in the Graphite
        component in the readGraphite() function in Silf.cpp. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or disclose memory
        contents. (CVE-2017-7774)
    
      - An assertion flaw exists in the Graphite component when
        handling zero value sizes. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2017-7775)
    
      - An out-of-bounds read error exists in the Graphite
        component in getClassGlyph() function in Silf.cpp due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2017-7776)
    
      - A flaw exists in the Graphite component in the
        read_glyph() function in GlyphCache.cpp related to use
        of uninitialized memory. An unauthenticated, remote
        attacker can exploit this to have an unspecified impact.
        (CVE-2017-7777)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 54 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7778");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");
    
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    
    if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');
    
    mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'54', severity:SECURITY_HOLE);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6CEC1B0ADA15467D86911DEA392D4C8D.NASL
    descriptionMozilla Foundation reports : Please reference CVE/URL list for details
    last seen2020-06-01
    modified2020-06-02
    plugin id100775
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100775
    titleFreeBSD : mozilla -- multiple vulnerabilities (6cec1b0a-da15-467d-8691-1dea392d4c8d)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100775);
      script_version("3.10");
      script_cvs_date("Date: 2019/07/10 16:04:13");
    
      script_cve_id("CVE-2017-5470", "CVE-2017-5471", "CVE-2017-5472", "CVE-2017-7749", "CVE-2017-7750", "CVE-2017-7751", "CVE-2017-7752", "CVE-2017-7754", "CVE-2017-7755", "CVE-2017-7756", "CVE-2017-7757", "CVE-2017-7758", "CVE-2017-7759", "CVE-2017-7760", "CVE-2017-7761", "CVE-2017-7762", "CVE-2017-7763", "CVE-2017-7764", "CVE-2017-7765", "CVE-2017-7766", "CVE-2017-7767", "CVE-2017-7768", "CVE-2017-7778");
    
      script_name(english:"FreeBSD : mozilla -- multiple vulnerabilities (6cec1b0a-da15-467d-8691-1dea392d4c8d)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mozilla Foundation reports :
    
    Please reference CVE/URL list for details"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/"
      );
      # https://vuxml.freebsd.org/freebsd/6cec1b0a-da15-467d-8691-1dea392d4c8d.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0775f4b7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox-esr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:libxul");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-seamonkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-thunderbird");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:seamonkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:thunderbird");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"firefox<54.0,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"seamonkey<2.49.1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-seamonkey<2.49.1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"firefox-esr<52.2.0,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-firefox<52.2.0,2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"libxul<52.2.0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"thunderbird<52.2.0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"linux-thunderbird<52.2.0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3315-1.NASL
    descriptionMultiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, spoof the addressbar contents, or execute arbitrary code. (CVE-2017-5470, CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764) Multiple security issues were discovered in the Graphite 2 library used by Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, or execute arbitrary code. (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id100835
    published2017-06-16
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100835
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox vulnerabilities (USN-3315-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3315-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100835);
      script_version("3.11");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2017-5470", "CVE-2017-5471", "CVE-2017-5472", "CVE-2017-7749", "CVE-2017-7750", "CVE-2017-7751", "CVE-2017-7752", "CVE-2017-7754", "CVE-2017-7756", "CVE-2017-7757", "CVE-2017-7758", "CVE-2017-7762", "CVE-2017-7764", "CVE-2017-7771", "CVE-2017-7772", "CVE-2017-7773", "CVE-2017-7774", "CVE-2017-7775", "CVE-2017-7776", "CVE-2017-7777", "CVE-2017-7778");
      script_xref(name:"USN", value:"3315-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : firefox vulnerabilities (USN-3315-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple security issues were discovered in Firefox. If a user were
    tricked in to opening a specially crafted website, an attacker could
    potentially exploit these to cause a denial of service, read
    uninitialized memory, obtain sensitive information, spoof the
    addressbar contents, or execute arbitrary code. (CVE-2017-5470,
    CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750,
    CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756,
    CVE-2017-7757, CVE-2017-7758, CVE-2017-7762, CVE-2017-7764)
    
    Multiple security issues were discovered in the Graphite 2 library
    used by Firefox. If a user were tricked in to opening a specially
    crafted website, an attacker could potentially exploit these to cause
    a denial of service, read uninitialized memory, or execute arbitrary
    code. (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774,
    CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3315-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected firefox package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"54.0+build3-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"54.0+build3-0ubuntu0.16.04.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"firefox", pkgver:"54.0+build3-0ubuntu0.16.10.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"firefox", pkgver:"54.0+build3-0ubuntu0.17.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
    }
    
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_54_0.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Windows host is prior to 54. It is, therefore, affected by multiple vulnerabilities : - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470, CVE-2017-5471) - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472) - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749) - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750) - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7751) - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7752) - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2017-7754) - A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755) - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756) - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757) - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758) - A flaw exists in the NS_main() function in updater.cpp due to improper validation of input when handling callback file path parameters. A local attacker can exploit this to manipulate files in the installation directory. (CVE-2017-7760) - A flaw exists in the Maintenance Service helper.exe application that is triggered as permissions for a temporary directory are set to writable by non-privileged users. A local attacker can exploit this to delete arbitrary files on the system. (CVE-2017-7761) - A flaw exists that is triggered when displaying URLs including authentication sections in reader mode. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to spoof domains in the address bar. (CVE-2017-7762) - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764) - A flaw exists that is triggered due to improper parsing of long filenames when handling downloaded files. An unauthenticated, remote attacker can exploit this to cause a file to be downloaded without the
    last seen2020-06-01
    modified2020-06-02
    plugin id100810
    published2017-06-15
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100810
    titleMozilla Firefox < 54 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100810);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-5470",
        "CVE-2017-5471",
        "CVE-2017-5472",
        "CVE-2017-7749",
        "CVE-2017-7750",
        "CVE-2017-7751",
        "CVE-2017-7752",
        "CVE-2017-7754",
        "CVE-2017-7755",
        "CVE-2017-7756",
        "CVE-2017-7757",
        "CVE-2017-7758",
        "CVE-2017-7760",
        "CVE-2017-7761",
        "CVE-2017-7762",
        "CVE-2017-7764",
        "CVE-2017-7765",
        "CVE-2017-7766",
        "CVE-2017-7767",
        "CVE-2017-7768",
        "CVE-2017-7772",
        "CVE-2017-7774",
        "CVE-2017-7775",
        "CVE-2017-7776",
        "CVE-2017-7777",
        "CVE-2017-7778"
      );
      script_bugtraq_id(
        99040,
        99041,
        99042,
        99047,
        99057
      );
      script_xref(name:"MFSA", value:"2017-15");
    
      script_name(english:"Mozilla Firefox < 54 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web browser installed on the remote Windows host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Mozilla Firefox installed on the remote Windows host is
    prior to 54. It is, therefore, affected by multiple vulnerabilities :
    
      - Multiple memory corruption issues exist that allow an
        unauthenticated, remote attacker to execute arbitrary
        code by convincing a user to visit a specially crafted
        website. (CVE-2017-5470, CVE-2017-5471)
    
      - A use-after-free error exists in the EndUpdate()
        function in nsCSSFrameConstructor.cpp that is triggered
        when reconstructing trees during regeneration of CSS
        layouts. An unauthenticated, remote attacker can exploit
        this, by convincing a user to visit a specially crafted
        website, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2017-5472)
    
      - A use-after-free error exists in the Reload() function
        in nsDocShell.cpp that is triggered when using an
        incorrect URL during the reload of a docshell. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7749)
    
      - A use-after-free error exists in the Hide() function in
        nsDocumentViewer.cpp that is triggered when handling
        track elements. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2017-7750)
    
      - A use-after-free error exists in the nsDocumentViewer
        class in nsDocumentViewer.cpp that is triggered when
        handling content viewer listeners. An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-7751)
    
      - A use-after-free error exists that is triggered when
        handling events while specific user interaction occurs
        with the input method editor (IME). An unauthenticated,
        remote attacker can exploit this to cause a denial of
        service condition or the execution of arbitrary code.
        (CVE-2017-7752)
    
      - An out-of-bounds read error exists in the IsComplete()
        function in WebGLTexture.cpp that is triggered when
        handling textures. An unauthenticated, remote attacker
        can exploit this to disclose memory contents.
        (CVE-2017-7754)
    
      - A privilege escalation vulnerability exists due to
        improper loading of dynamic-link library (DLL) files. A
        local attacker can exploit this, via a specially crafted
        DLL file in the installation path, to inject and execute
        arbitrary code. (CVE-2017-7755)
    
      - A use-after-free error exists in the SetRequestHead()
        function in XMLHttpRequestMainThread.cpp that is
        triggered when logging XML HTTP Requests (XHR). An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7756)
    
      - A use-after-free error exists in ActorsParent.cpp due to
        improper handling of objects in memory. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-7757)
    
      - An out-of-bounds read error exists in the
        AppendAudioSegment() function in TrackEncoder.cpp that
        is triggered when the number of channels in an audio
        stream changes while the Opus encoder is in use. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive information. (CVE-2017-7758)
    
      - A flaw exists in the NS_main() function in updater.cpp
        due to improper validation of input when handling
        callback file path parameters. A local attacker can
        exploit this to manipulate files in the installation
        directory. (CVE-2017-7760)
    
      - A flaw exists in the Maintenance Service helper.exe
        application that is triggered as permissions for a
        temporary directory are set to writable by
        non-privileged users. A local attacker can exploit this
        to delete arbitrary files on the system. (CVE-2017-7761)
    
      - A flaw exists that is triggered when displaying URLs
        including authentication sections in reader mode. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted URL, to spoof domains in the address
        bar. (CVE-2017-7762)
    
      - A flaw exists in the isLabelSafe() function in
        nsIDNService.cpp that is triggered when handling
        characters from different unicode blocks. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted IDN domain, to spoof a valid URL and
        conduct phishing attacks. (CVE-2017-7764)
    
      - A flaw exists that is triggered due to improper parsing
        of long filenames when handling downloaded files. An
        unauthenticated, remote attacker can exploit this to
        cause a file to be downloaded without the
        'mark-of-the-web' applied, resulting in security
        warnings for executables not being displayed.
        (CVE-2017-7765)
    
      - A flaw exists in the Mozilla Maintenance Service that is
        triggered when handling paths for the 'patch',
        'install', and 'working' directories. A local attacker
        can exploit this to execute arbitrary code with elevated
        privileges. (CVE-2017-7766)
    
      - A flaw exists in the Mozilla Maintenance Service that is
        triggered when being invoked using the Mozilla Windows
        Updater. A local attacker can exploit this to overwrite
        arbitrary files with random data. (CVE-2017-7767)
    
      - A flaw exists in the IsStatusApplying() function in
        workmonitor.cpp that is triggered when logging the
        update status. A local attacker can exploit this to read
        32 bytes of arbitrary files. (CVE-2017-7768)
    
      - Multiple integer overflow conditions exist in the
        Graphite component in the decompress() function in
        Decompressor.cpp due to improper validation of
        user-supplied input. An unauthenticated, remote attacker
        can exploit this to cause a denial of service condition
        or the execution of arbitrary code. (CVE-2017-7772,
        CVE-2017-7778)
    
      - An out-of-bounds read error exists in the Graphite
        component in the readGraphite() function in Silf.cpp. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or disclose memory
        contents. (CVE-2017-7774)
    
      - An assertion flaw exists in the Graphite component when
        handling zero value sizes. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2017-7775)
    
      - An out-of-bounds read error exists in the Graphite
        component in getClassGlyph() function in Silf.cpp due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2017-7776)
    
      - A flaw exists in the Graphite component in the
        read_glyph() function in GlyphCache.cpp related to use
        of uninitialized memory. An unauthenticated, remote
        attacker can exploit this to have an unspecified impact.
        (CVE-2017-7777)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 54 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7778");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mozilla_org_installed.nasl");
      script_require_keys("Mozilla/Firefox/Version");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    installs = get_kb_list("SMB/Mozilla/Firefox/*");
    if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");
    
    mozilla_check_version(installs:installs, product:'firefox', fix:'54', severity:SECURITY_HOLE);