Vulnerabilities > CVE-2017-7804 - Improper Input Validation vulnerability in Mozilla Firefox, Firefox ESR and Thunderbird
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-955.NASL description This update for MozillaThunderbird to version 52.3 fixes security issues and bugs. The following vulnerabilities were fixed : - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection - CVE-2017-7801: Use-after-free with marquee during window resizing - CVE-2017-7784: Use-after-free with image observers - CVE-2017-7802: Use-after-free resizing image elements - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - CVE-2017-7786: Buffer overflow while painting non-displayable SVG - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements# - CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - CVE-2017-7807: Domain hijacking through AppCache fallback - CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - CVE-2017-7803: CSP containing last seen 2020-06-05 modified 2017-08-21 plugin id 102622 published 2017-08-21 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102622 title openSUSE Security Update : MozillaThunderbird (openSUSE-2017-955) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-955. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(102622); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-7753", "CVE-2017-7779", "CVE-2017-7782", "CVE-2017-7784", "CVE-2017-7785", "CVE-2017-7786", "CVE-2017-7787", "CVE-2017-7791", "CVE-2017-7792", "CVE-2017-7798", "CVE-2017-7800", "CVE-2017-7801", "CVE-2017-7802", "CVE-2017-7803", "CVE-2017-7804", "CVE-2017-7807"); script_name(english:"openSUSE Security Update : MozillaThunderbird (openSUSE-2017-955)"); script_summary(english:"Check for the openSUSE-2017-955 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for MozillaThunderbird to version 52.3 fixes security issues and bugs. The following vulnerabilities were fixed : - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection - CVE-2017-7801: Use-after-free with marquee during window resizing - CVE-2017-7784: Use-after-free with image observers - CVE-2017-7802: Use-after-free resizing image elements - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - CVE-2017-7786: Buffer overflow while painting non-displayable SVG - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements# - CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - CVE-2017-7807: Domain hijacking through AppCache fallback - CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - CVE-2017-7803: CSP containing 'sandbox' improperly applied - CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 The following bugs were fixed : - Unwanted inline images shown in rogue SPAM messages - Deleting message from the POP3 server not working when maildir storage was used - Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later - Inline images not scaled to fit when printing - Selected text from another message sometimes included in a reply - No authorisation prompt displayed when inserting image into email body although image URL requires authentication - Large attachments taking a long time to open under some circumstances" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1052829" ); script_set_attribute( attribute:"solution", value:"Update the affected MozillaThunderbird packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-buildsymbols-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debuginfo-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debugsource-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-devel-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-common-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-other-52.3.0-41.15.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-buildsymbols-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-debuginfo-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-debugsource-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-devel-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-translations-common-52.3.0-44.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"MozillaThunderbird-translations-other-52.3.0-44.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaThunderbird / MozillaThunderbird-buildsymbols / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2302-1.NASL description Mozilla Firefox was updated to the ESR 52.3 release (bsc#1052829) Following security issues were fixed : - MFSA 2017-19/CVE-2017-7807: Domain hijacking through AppCache fallback - MFSA 2017-19/CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - MFSA 2017-19/CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - MFSA 2017-19/CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - MFSA 2017-19/CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - MFSA 2017-19/CVE-2017-7786: Buffer overflow while painting non-displayable SVG - MFSA 2017-19/CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - MFSA 2017-19/CVE-2017-7784: Use-after-free with image observers - MFSA 2017-19/CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements - MFSA 2017-19/CVE-2017-7798: XUL injection in the style editor in devtools - MFSA 2017-19/CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - MFSA 2017-19/CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 - MFSA 2017-19/CVE-2017-7800: Use-after-free in WebSockets during disconnection - MFSA 2017-19/CVE-2017-7801: Use-after-free with marquee during window resizing - MFSA 2017-19/CVE-2017-7802: Use-after-free resizing image elements - MFSA 2017-19/CVE-2017-7803: CSP containing last seen 2020-06-01 modified 2020-06-02 plugin id 102856 published 2017-08-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102856 title SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:2302-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:2302-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(102856); script_version("3.9"); script_cvs_date("Date: 2019/09/11 11:22:16"); script_cve_id("CVE-2017-7753", "CVE-2017-7779", "CVE-2017-7782", "CVE-2017-7784", "CVE-2017-7785", "CVE-2017-7786", "CVE-2017-7787", "CVE-2017-7791", "CVE-2017-7792", "CVE-2017-7798", "CVE-2017-7800", "CVE-2017-7801", "CVE-2017-7802", "CVE-2017-7803", "CVE-2017-7804", "CVE-2017-7807"); script_name(english:"SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:2302-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Mozilla Firefox was updated to the ESR 52.3 release (bsc#1052829) Following security issues were fixed : - MFSA 2017-19/CVE-2017-7807: Domain hijacking through AppCache fallback - MFSA 2017-19/CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - MFSA 2017-19/CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - MFSA 2017-19/CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - MFSA 2017-19/CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - MFSA 2017-19/CVE-2017-7786: Buffer overflow while painting non-displayable SVG - MFSA 2017-19/CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - MFSA 2017-19/CVE-2017-7784: Use-after-free with image observers - MFSA 2017-19/CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements - MFSA 2017-19/CVE-2017-7798: XUL injection in the style editor in devtools - MFSA 2017-19/CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - MFSA 2017-19/CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 - MFSA 2017-19/CVE-2017-7800: Use-after-free in WebSockets during disconnection - MFSA 2017-19/CVE-2017-7801: Use-after-free with marquee during window resizing - MFSA 2017-19/CVE-2017-7802: Use-after-free resizing image elements - MFSA 2017-19/CVE-2017-7803: CSP containing 'sandbox' improperly applied This update also fixes : - fixed firefox hangs after a while in FUTEX_WAIT_PRIVATE if cgroups enabled and running on cpu >=1 (bsc#1031485) - The Itanium ia64 build was fixed. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1031485" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1052829" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7753/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7779/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7782/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7784/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7785/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7786/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7787/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7791/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7792/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7798/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7800/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7801/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7802/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7804/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7807/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20172302-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6be72c16" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-MozillaFirefox-13254=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-MozillaFirefox-13254=1 SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-MozillaFirefox-13254=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-MozillaFirefox-13254=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-MozillaFirefox-13254=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-MozillaFirefox-13254=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-branding-SLED"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:MozillaFirefox-translations"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"MozillaFirefox-52.3.0esr-72.9.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"MozillaFirefox-branding-SLED-52-24.5.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"MozillaFirefox-translations-52.3.0esr-72.9.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"MozillaFirefox-52.3.0esr-72.9.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"MozillaFirefox-branding-SLED-52-24.5.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"MozillaFirefox-translations-52.3.0esr-72.9.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2589-1.NASL description This update for MozillaFirefox to ESR 52.3 fixes several issues. These security issues were fixed : - CVE-2017-7807 Domain hijacking through AppCache fallback (bsc#1052829) - CVE-2017-7791 Spoofing following page navigation with data: protocol and modal alerts (bsc#1052829) - CVE-2017-7792 Buffer overflow viewing certificates with an extremely long OID (bsc#1052829) - CVE-2017-7782 WindowsDllDetourPatcher allocates memory without DEP protections (bsc#1052829) - CVE-2017-7787 Same-origin policy bypass with iframes through page reloads (bsc#1052829) - CVE-2017-7786 Buffer overflow while painting non-displayable SVG (bsc#1052829) - CVE-2017-7785 Buffer overflow manipulating ARIA attributes in DOM (bsc#1052829) - CVE-2017-7784 Use-after-free with image observers (bsc#1052829) - CVE-2017-7753 Out-of-bounds read with cached style data and pseudo-elements (bsc#1052829) - CVE-2017-7798 XUL injection in the style editor in devtools (bsc#1052829) - CVE-2017-7804 Memory protection bypass through WindowsDllDetourPatcher (bsc#1052829) - CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 (bsc#1052829) - CVE-2017-7800 Use-after-free in WebSockets during disconnection (bsc#1052829) - CVE-2017-7801 Use-after-free with marquee during window resizing (bsc#1052829) - CVE-2017-7802 Use-after-free resizing image elements (bsc#1052829) - CVE-2017-7803 CSP containing last seen 2020-06-01 modified 2020-06-02 plugin id 103563 published 2017-09-29 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103563 title SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2017:2589-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_555B244E6B204546851FD8EB7D6C1FFA.NASL description Mozilla Foundation reports : Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 102278 published 2017-08-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102278 title FreeBSD : mozilla -- multiple vulnerabilities (555b244e-6b20-4546-851f-d8eb7d6c1ffa) NASL family Windows NASL id MOZILLA_FIREFOX_52_3_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 52.3. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes. last seen 2020-06-01 modified 2020-06-02 plugin id 102358 published 2017-08-10 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102358 title Mozilla Firefox ESR < 52.3 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1087.NASL description The update for icedove/thunderbird issued as DLA-1087-1 did not build on i386. This update corrects this. For reference, the original advisory text follows. Multiple security issues have been found in the Mozilla Thunderbird mail client: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing. For Debian 7 last seen 2020-03-17 modified 2017-09-06 plugin id 102961 published 2017-09-06 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102961 title Debian DLA-1087-2 : icedove/thunderbird regression update NASL family Windows NASL id MOZILLA_FIREFOX_55_0.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 55. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes. last seen 2020-06-01 modified 2020-06-02 plugin id 102359 published 2017-08-10 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102359 title Mozilla Firefox < 55 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-921.NASL description This update to Mozilla Firefox 52.3esr fixes a number of security issues. The following vulnerabilities were advised upstream under MFSA 2017-19 (boo#1052829) : - CVE-2017-7798: XUL injection in the style editor in devtools - CVE-2017-7800: Use-after-free in WebSockets during disconnection - CVE-2017-7801: Use-after-free with marquee during window resizing - CVE-2017-7784: Use-after-free with image observers - CVE-2017-7802: Use-after-free resizing image elements - CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM - CVE-2017-7786: Buffer overflow while painting non-displayable SVG - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements# - CVE-2017-7787: Same-origin policy bypass with iframes through page reloads - CVE-2017-7807: Domain hijacking through AppCache fallback - CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID - CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher - CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts - CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections - CVE-2017-7803: CSP containing last seen 2020-06-05 modified 2017-08-14 plugin id 102472 published 2017-08-14 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102472 title openSUSE Security Update : MozillaFirefox (openSUSE-2017-921)
References
- http://www.securityfocus.com/bid/100234
- http://www.securitytracker.com/id/1039124
- https://bugzilla.mozilla.org/show_bug.cgi?id=1372849
- https://www.mozilla.org/security/advisories/mfsa2017-18/
- https://www.mozilla.org/security/advisories/mfsa2017-19/
- https://www.mozilla.org/security/advisories/mfsa2017-20/