Vulnerabilities > CVE-2018-17470 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 7.4 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
google
debian
redhat
CWE-119
nessus

Summary

A heap buffer overflow in GPU in Google Chrome prior to 70.0.3538.67 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Vulnerable Configurations

Part Description Count
Application
Google
4345
OS
Debian
1
OS
Redhat
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1253.NASL
    descriptionThis update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111) : - CVE-2018-17462: Sandbox escape in AppCache - CVE-2018-17463: Remote code execution in V8 - Heap buffer overflow in Little CMS in PDFium - CVE-2018-17464: URL spoof in Omnibox - CVE-2018-17465: Use after free in V8 - CVE-2018-17466: Memory corruption in Angle - CVE-2018-17467: URL spoof in Omnibox - CVE-2018-17468: Cross-origin URL disclosure in Blink - CVE-2018-17469: Heap buffer overflow in PDFium - CVE-2018-17470: Memory corruption in GPU Internals - CVE-2018-17471: Security UI occlusion in full screen mode - CVE-2018-17473: URL spoof in Omnibox - CVE-2018-17474: Use after free in Blink - CVE-2018-17475: URL spoof in Omnibox - CVE-2018-17476: Security UI occlusion in full screen mode - CVE-2018-5179: Lack of limits on update() in ServiceWorker - CVE-2018-17477: UI spoof in Extensions VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes : - Use the system libusb-1.0 library - Use bundled harfbuzz library - Disable gnome-keyring to avoid crashes
    last seen2020-06-05
    modified2018-10-25
    plugin id118386
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118386
    titleopenSUSE Security Update : Chromium (openSUSE-2018-1253)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GOOGLE_CHROME_70_0_3538_67.NASL
    descriptionThe version of Google Chrome installed on the remote macOS host is prior to 70.0.3538.67. It is, therefore, affected by multiple vulnerabilities as noted in Google Chrome stable channel update release notes for 2018/10/16. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118152
    published2018-10-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118152
    titleGoogle Chrome < 70.0.3538.67 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4330.NASL
    descriptionSeveral vulnerabilities have been discovered in the chromium web browser. - CVE-2018-5179 Yannic Boneberger discovered an error in the ServiceWorker implementation. - CVE-2018-17462 Ned Williamson and Niklas Baumstark discovered a way to escape the sandbox. - CVE-2018-17463 Ned Williamson and Niklas Baumstark discovered a remote code execution issue in the v8 JavaScript library. - CVE-2018-17464 xisigr discovered a URL spoofing issue. - CVE-2018-17465 Lin Zuojian discovered a use-after-free issue in the v8 JavaScript library. - CVE-2018-17466 Omair discovered a memory corruption issue in the angle library. - CVE-2018-17467 Khalil Zhani discovered a URL spoofing issue. - CVE-2018-17468 Jams Lee discovered an information disclosure issue. - CVE-2018-17469 Zhen Zhou discovered a buffer overflow issue in the pdfium library. - CVE-2018-17470 Zhe Jin discovered a memory corruption issue in the GPU backend implementation. - CVE-2018-17471 Lnyas Zhang discovered an issue with the full screen user interface. - CVE-2018-17473 Khalil Zhani discovered a URL spoofing issue. - CVE-2018-17474 Zhe Jin discovered a use-after-free issue. - CVE-2018-17475 Vladimir Metnew discovered a URL spoofing issue. - CVE-2018-17476 Khalil Zhani discovered an issue with the full screen user interface. - CVE-2018-17477 Aaron Muir Hamilton discovered a user interface spoofing issue in the extensions pane. This update also fixes a buffer overflow in the embedded lcms library included with chromium.
    last seen2020-03-17
    modified2018-11-05
    plugin id118719
    published2018-11-05
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118719
    titleDebian DSA-4330-1 : chromium-browser - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201811-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201811-10 (Chromium: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. Impact : A remote attacker could execute arbitrary code, escalate privileges, cause a heap buffer overflow, obtain sensitive information, or spoof a URL. Workaround : There is no known workaround at this time.
    last seen2020-03-18
    modified2018-11-26
    plugin id119130
    published2018-11-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119130
    titleGLSA-201811-10 : Chromium: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3004.NASL
    descriptionAn update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 70.0.3538.67. Security Fix(es) : * chromium-browser: Sandbox escape in AppCache (CVE-2018-17462) * chromium-browser: Remote code execution in V8 (CVE-2018-17463) * chromium-browser: URL spoof in Omnibox (CVE-2018-17464) * chromium-browser: Use after free in V8 (CVE-2018-17465) * chromium-browser: Memory corruption in Angle (CVE-2018-17466) * lcms2: Integer overflow in AllocateDataSet() in cmscgats.c leading to heap-based buffer overflow (CVE-2018-16435) * chromium-browser: URL spoof in Omnibox (CVE-2018-17467) * chromium-browser: Cross-origin URL disclosure in Blink (CVE-2018-17468) * chromium-browser: Heap buffer overflow in PDFium (CVE-2018-17469) * chromium-browser: Memory corruption in GPU Internals (CVE-2018-17470) * chromium-browser: Security UI occlusion in full screen mode (CVE-2018-17471) * chromium-browser: URL spoof in Omnibox (CVE-2018-17473) * chromium-browser: Use after free in Blink (CVE-2018-17474) * chromium-browser: Lack of limits on update() in ServiceWorker (CVE-2018-5179) * chromium-browser: URL spoof in Omnibox (CVE-2018-17475) * chromium-browser: Security UI occlusion in full screen mode (CVE-2018-17476) * chromium-browser: UI spoof in Extensions (CVE-2018-17477) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-05-31
    modified2018-10-25
    plugin id118373
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118373
    titleRHEL 6 : chromium-browser (RHSA-2018:3004)
  • NASL familyWindows
    NASL idGOOGLE_CHROME_70_0_3538_67.NASL
    descriptionThe version of Google Chrome installed on the remote Windows host is prior to 70.0.3538.67. It is, therefore, affected by multiple vulnerabilities as noted in Google Chrome stable channel update release notes for 2018/10/16. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118153
    published2018-10-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118153
    titleGoogle Chrome < 70.0.3538.67 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-FD194A1F14.NASL
    descriptionSecurity fix for CVE-2018-17478 CVE-2018-17479. Update to 70.0.3538.110. ---- Update to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120933
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120933
    titleFedora 28 : chromium (2018-fd194a1f14)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-34F7F68029.NASL
    descriptionUpdate to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120342
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120342
    titleFedora 29 : chromium (2018-34f7f68029)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1208.NASL
    descriptionThis update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111) : - CVE-2018-17462: Sandbox escape in AppCache - CVE-2018-17463: Remote code execution in V8 - Heap buffer overflow in Little CMS in PDFium - CVE-2018-17464: URL spoof in Omnibox - CVE-2018-17465: Use after free in V8 - CVE-2018-17466: Memory corruption in Angle - CVE-2018-17467: URL spoof in Omnibox - CVE-2018-17468: Cross-origin URL disclosure in Blink - CVE-2018-17469: Heap buffer overflow in PDFium - CVE-2018-17470: Memory corruption in GPU Internals - CVE-2018-17471: Security UI occlusion in full screen mode - CVE-2018-17473: URL spoof in Omnibox - CVE-2018-17474: Use after free in Blink - CVE-2018-17475: URL spoof in Omnibox - CVE-2018-17476: Security UI occlusion in full screen mode - CVE-2018-5179: Lack of limits on update() in ServiceWorker - CVE-2018-17477: UI spoof in Extensions VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes : - Use the system libusb-1.0 library - Use bundled harfbuzz library - Disable gnome-keyring to avoid crashes
    last seen2020-06-05
    modified2018-10-23
    plugin id118317
    published2018-10-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118317
    titleopenSUSE Security Update : Chromium (openSUSE-2018-1208)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-712.NASL
    descriptionThis update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111) : - CVE-2018-17462: Sandbox escape in AppCache - CVE-2018-17463: Remote code execution in V8 - Heap buffer overflow in Little CMS in PDFium - CVE-2018-17464: URL spoof in Omnibox - CVE-2018-17465: Use after free in V8 - CVE-2018-17466: Memory corruption in Angle - CVE-2018-17467: URL spoof in Omnibox - CVE-2018-17468: Cross-origin URL disclosure in Blink - CVE-2018-17469: Heap buffer overflow in PDFium - CVE-2018-17470: Memory corruption in GPU Internals - CVE-2018-17471: Security UI occlusion in full screen mode - CVE-2018-17473: URL spoof in Omnibox - CVE-2018-17474: Use after free in Blink - CVE-2018-17475: URL spoof in Omnibox - CVE-2018-17476: Security UI occlusion in full screen mode - CVE-2018-5179: Lack of limits on update() in ServiceWorker - CVE-2018-17477: UI spoof in Extensions VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes : - Use the system libusb-1.0 library - Use bundled harfbuzz library - Disable gnome-keyring to avoid crashes
    last seen2020-05-31
    modified2019-03-27
    plugin id123310
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123310
    titleopenSUSE Security Update : Chromium (openSUSE-2019-712)

Redhat

advisories
rhsa
idRHSA-2018:3004
rpms
  • chromium-browser-0:70.0.3538.67-1.el6_10
  • chromium-browser-debuginfo-0:70.0.3538.67-1.el6_10