Vulnerabilities > CVE-2018-17478 - Improper Validation of Array Index vulnerability in Google Chrome

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
google
CWE-129
nessus

Summary

Incorrect array position calculations in V8 in Google Chrome prior to 70.0.3538.102 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.

Vulnerable Configurations

Part Description Count
Application
Google
4352

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1434.NASL
    descriptionThis update contains Chromium 70.0.3538.102 and fixes security issues and bugs. Vulnerabilities fixed : - CVE-2018-17478: Out of bounds memory access in V8 (boo#1115537) - Various fixes from internal audits, fuzzing and other initiatives Packaging changes : - noto-emoji-fonts is no longer a recommended dependency
    last seen2020-06-05
    modified2018-11-21
    plugin id119084
    published2018-11-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119084
    titleopenSUSE Security Update : chromium (openSUSE-2018-1434)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-1434.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119084);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-17478");
    
      script_name(english:"openSUSE Security Update : chromium (openSUSE-2018-1434)");
      script_summary(english:"Check for the openSUSE-2018-1434 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update contains Chromium 70.0.3538.102 and fixes security issues
    and bugs.
    
    Vulnerabilities fixed :
    
      - CVE-2018-17478: Out of bounds memory access in V8
        (boo#1115537)
    
      - Various fixes from internal audits, fuzzing and other
        initiatives
    
    Packaging changes :
    
      - noto-emoji-fonts is no longer a recommended dependency"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115537"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected chromium packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"chromedriver-70.0.3538.102-182.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"chromedriver-debuginfo-70.0.3538.102-182.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"chromium-70.0.3538.102-182.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"chromium-debuginfo-70.0.3538.102-182.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"chromium-debugsource-70.0.3538.102-182.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chromedriver / chromedriver-debuginfo / chromium / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-928.NASL
    descriptionThis update contains Chromium 70.0.3538.102 and fixes security issues and bugs. Vulnerabilities fixed : - CVE-2018-17478: Out of bounds memory access in V8 (boo#1115537) - Various fixes from internal audits, fuzzing and other initiatives Packaging changes : - noto-emoji-fonts is no longer a recommended dependency
    last seen2020-05-31
    modified2019-03-27
    plugin id123378
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123378
    titleopenSUSE Security Update : chromium (openSUSE-2019-928)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-928.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123378);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/29");
    
      script_cve_id("CVE-2018-17478");
    
      script_name(english:"openSUSE Security Update : chromium (openSUSE-2019-928)");
      script_summary(english:"Check for the openSUSE-2019-928 patch");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update contains Chromium 70.0.3538.102 and fixes security issues
    and bugs.
    
    Vulnerabilities fixed :
    
      - CVE-2018-17478: Out of bounds memory access in V8
        (boo#1115537)
    
      - Various fixes from internal audits, fuzzing and other
        initiatives
    
    Packaging changes :
    
      - noto-emoji-fonts is no longer a recommended dependency"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115537"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected chromium packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"chromedriver-70.0.3538.102-lp150.2.23.2") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"chromedriver-debuginfo-70.0.3538.102-lp150.2.23.2") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"chromium-70.0.3538.102-lp150.2.23.2", allowmaj:TRUE) ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"chromium-debuginfo-70.0.3538.102-lp150.2.23.2", allowmaj:TRUE) ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"chromium-debugsource-70.0.3538.102-lp150.2.23.2", allowmaj:TRUE) ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "chromedriver / chromedriver-debuginfo / chromium / etc");
    }
    
  • NASL familyWindows
    NASL idGOOGLE_CHROME_70_0_3538_102.NASL
    descriptionThe version of Google Chrome installed on the remote Windows host is prior to 70.0.3538.102. It is, therefore, affected by a vulnerability as noted in Google Chrome stable channel update release notes for 2018/11/09. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118887
    published2018-11-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118887
    titleGoogle Chrome < 70.0.3538.102 Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118887);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/01");
    
      script_cve_id("CVE-2018-17478");
    
      script_name(english:"Google Chrome < 70.0.3538.102 Vulnerability");
      script_summary(english:"Checks the version of Google Chrome.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web browser installed on the remote Windows host is affected by a
    vulnerability");
      script_set_attribute(attribute:"description", value:
    "The version of Google Chrome installed on the remote Windows host is
    prior to 70.0.3538.102. It is, therefore, affected by a vulnerability
    as noted in Google Chrome stable channel update release notes for
    2018/11/09. Please refer to the release notes for additional
    information. Note that Nessus has not attempted to exploit these
    issues but has instead relied only on the application's self-reported
    version number.");
      # https://chromereleases.googleblog.com/2018/11/stable-channel-update-for-desktop.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5419092d");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Google Chrome version 70.0.3538.102 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-17478");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:google:chrome");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("google_chrome_installed.nasl");
      script_require_keys("SMB/Google_Chrome/Installed");
    
      exit(0);
    }
    
    include("google_chrome_version.inc");
    
    get_kb_item_or_exit("SMB/Google_Chrome/Installed");
    installs = get_kb_list("SMB/Google_Chrome/*");
    
    google_chrome_check_version(installs:installs, fix:'70.0.3538.102', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-FD194A1F14.NASL
    descriptionSecurity fix for CVE-2018-17478 CVE-2018-17479. Update to 70.0.3538.110. ---- Update to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120933
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120933
    titleFedora 28 : chromium (2018-fd194a1f14)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-8E866C5066.NASL
    descriptionSecurity fix for CVE-2018-17478 CVE-2018-17479. Update to 70.0.3538.110. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120607
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120607
    titleFedora 29 : chromium (2018-8e866c5066)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1425.NASL
    descriptionThis update contains Chromium 70.0.3538.102 and fixes security issues and bugs. Vulnerabilities fixed : - CVE-2018-17478: Out of bounds memory access in V8 (boo#1115537) - Various fixes from internal audits, fuzzing and other initiatives Packaging changes : - noto-emoji-fonts is no longer a recommended dependency
    last seen2020-06-05
    modified2018-11-19
    plugin id119030
    published2018-11-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119030
    titleopenSUSE Security Update : chromium (openSUSE-2018-1425)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GOOGLE_CHROME_70_0_3538_102.NASL
    descriptionThe version of Google Chrome installed on the remote macOS host is prior to 70.0.3538.102. It is, therefore, affected by a vulnerability as noted in Google Chrome stable channel update release notes for 2018/11/09. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id118886
    published2018-11-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118886
    titleGoogle Chrome < 70.0.3538.102 Vulnerability
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4340.NASL
    descriptionAn out-of-bounds bounds memory access issue was discovered in chromium
    last seen2020-06-01
    modified2020-06-02
    plugin id119018
    published2018-11-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119018
    titleDebian DSA-4340-1 : chromium-browser - security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3648.NASL
    descriptionAn update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 70.0.3538.110. Security Fix(es) : * chromium-browser: Use-after-free in GPU (CVE-2018-17479) * chromium-browser: Out of bounds memory access in V8 (CVE-2018-17478) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-05-31
    modified2018-11-27
    plugin id119167
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119167
    titleRHEL 6 : chromium-browser (RHSA-2018:3648)

Redhat

rpms
  • chromium-browser-0:70.0.3538.110-1.el6_10
  • chromium-browser-debuginfo-0:70.0.3538.110-1.el6_10