Vulnerabilities > CVE-2018-5092 - Use After Free vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3544-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106347);
  script_version("1.11");
  script_cvs_date("Date: 2019/09/18 12:31:47");

  script_cve_id("CVE-2018-5089", "CVE-2018-5090", "CVE-2018-5091", "CVE-2018-5092", "CVE-2018-5093", "CVE-2018-5094", "CVE-2018-5095", "CVE-2018-5097", "CVE-2018-5098", "CVE-2018-5099", "CVE-2018-5100", "CVE-2018-5101", "CVE-2018-5102", "CVE-2018-5103", "CVE-2018-5104", "CVE-2018-5105", "CVE-2018-5106", "CVE-2018-5107", "CVE-2018-5108", "CVE-2018-5109", "CVE-2018-5111", "CVE-2018-5112", "CVE-2018-5113", "CVE-2018-5114", "CVE-2018-5115", "CVE-2018-5116", "CVE-2018-5117", "CVE-2018-5118", "CVE-2018-5119", "CVE-2018-5122");
  script_xref(name:"USN", value:"3544-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox vulnerabilities (USN-3544-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, spoof the origin in audio capture prompts, trick the user in to
providing HTTP credentials for another origin, spoof the addressbar
contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090,
CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094,
CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099,
CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103,
CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115,
CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions. If a user
were tricked in to installing a specially crafted extension, an
attacker could potentially exploit these to gain additional
privileges, bypass same-origin restrictions, or execute arbitrary
code. (CVE-2018-5105, CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user
were tricked in to opening a specially crafted website with the
developer tools open, an attacker could potentially exploit this to
obtain sensitive information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could
potentially exploit this to obtain sensitive information from local
files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by
subsequent private browsing tabs. If a user were tricked in to
entering a blob URL, an attacker could potentially exploit this to
obtain sensitive information from a private browsing context.
(CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to
the addressbar could cause the wrong URL to be displayed. If a user
were tricked in to opening a specially crafted website and dragging a
URL to the addressbar, an attacker could potentially exploit this to
spoof the addressbar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open
non-relative URLs. If a user were tricked in to installing a specially
crafted extension and running the developer tools, an attacker could
potentially exploit this to gain additional privileges.
(CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local
content through file: URLs. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this
in combination with another vulnerability that allowed sandbox
protections to be bypassed, in order to obtain sensitive information
from local files. (CVE-2018-5118)

It was discovered that the reader view will load cross-origin content
in violation of CORS headers. An attacker could exploit this to bypass
CORS restrictions. (CVE-2018-5119).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3544-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected firefox package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.14.04.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.16.04.1")) flag++;
if (ubuntu_check(osver:"17.10", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.17.10.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106303);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id(
    "CVE-2018-5089",
    "CVE-2018-5090",
    "CVE-2018-5091",
    "CVE-2018-5092",
    "CVE-2018-5093",
    "CVE-2018-5094",
    "CVE-2018-5095",
    "CVE-2018-5097",
    "CVE-2018-5098",
    "CVE-2018-5099",
    "CVE-2018-5100",
    "CVE-2018-5101",
    "CVE-2018-5102",
    "CVE-2018-5103",
    "CVE-2018-5104",
    "CVE-2018-5105",
    "CVE-2018-5106",
    "CVE-2018-5107",
    "CVE-2018-5108",
    "CVE-2018-5109",
    "CVE-2018-5110",
    "CVE-2018-5111",
    "CVE-2018-5112",
    "CVE-2018-5113",
    "CVE-2018-5114",
    "CVE-2018-5115",
    "CVE-2018-5116",
    "CVE-2018-5117",
    "CVE-2018-5118",
    "CVE-2018-5119",
    "CVE-2018-5121",
    "CVE-2018-5122"
  );
  script_bugtraq_id(102783);
  script_xref(name:"MFSA", value:"2018-02");

  script_name(english:"Mozilla Firefox < 58 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote Windows host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox installed on the remote Windows host
is prior to 58. It is, therefore, affected by multiple
vulnerabilities, some of which allow code execution and potentially
exploitable crashes.");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 58 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5090");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mozilla_org_installed.nasl");
  script_require_keys("Mozilla/Firefox/Version");

  exit(0);
}

include("mozilla_version.inc");

port = get_kb_item("SMB/transport");
if (!port) port = 445;

installs = get_kb_list("SMB/Mozilla/Firefox/*");
if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");

mozilla_check_version(installs:installs, product:'firefox', fix:'58', severity:SECURITY_HOLE);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106301);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id(
    "CVE-2018-5089",
    "CVE-2018-5090",
    "CVE-2018-5091",
    "CVE-2018-5092",
    "CVE-2018-5093",
    "CVE-2018-5094",
    "CVE-2018-5095",
    "CVE-2018-5097",
    "CVE-2018-5098",
    "CVE-2018-5099",
    "CVE-2018-5100",
    "CVE-2018-5101",
    "CVE-2018-5102",
    "CVE-2018-5103",
    "CVE-2018-5104",
    "CVE-2018-5105",
    "CVE-2018-5106",
    "CVE-2018-5107",
    "CVE-2018-5108",
    "CVE-2018-5109",
    "CVE-2018-5110",
    "CVE-2018-5111",
    "CVE-2018-5112",
    "CVE-2018-5113",
    "CVE-2018-5114",
    "CVE-2018-5115",
    "CVE-2018-5116",
    "CVE-2018-5117",
    "CVE-2018-5118",
    "CVE-2018-5119",
    "CVE-2018-5121",
    "CVE-2018-5122"
  );
  script_bugtraq_id(102783);
  script_xref(name:"MFSA", value:"2018-02");

  script_name(english:"Mozilla Firefox < 58 Multiple Vulnerabilities (macOS)");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is
affected by a multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox installed on the remote macOS or Mac
OS X host is prior to 58. It is, therefore, affected by multiple
vulnerabilities, some of which allow code execution and potentially
exploitable crashes.");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 58 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5090");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'58', severity:SECURITY_HOLE);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(106288);
  script_version("3.11");
  script_cvs_date("Date: 2019/07/10 16:04:13");

  script_cve_id("CVE-2018-5089", "CVE-2018-5090", "CVE-2018-5091", "CVE-2018-5092", "CVE-2018-5093", "CVE-2018-5094", "CVE-2018-5095", "CVE-2018-5097", "CVE-2018-5098", "CVE-2018-5099", "CVE-2018-5100", "CVE-2018-5101", "CVE-2018-5102", "CVE-2018-5103", "CVE-2018-5104", "CVE-2018-5105", "CVE-2018-5106", "CVE-2018-5107", "CVE-2018-5108", "CVE-2018-5109", "CVE-2018-5110", "CVE-2018-5111", "CVE-2018-5112", "CVE-2018-5113", "CVE-2018-5114", "CVE-2018-5115", "CVE-2018-5116", "CVE-2018-5117", "CVE-2018-5118", "CVE-2018-5119", "CVE-2018-5121", "CVE-2018-5122");

  script_name(english:"FreeBSD : mozilla -- multiple vulnerabilities (a891c5b4-3d7a-4de9-9c71-eef3fd698c77)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Mozilla Foundation reports :

CVE-2018-5091: Use-after-free with DTMF timers

CVE-2018-5092: Use-after-free in Web Workers

CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table
resizing

CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection
on uninitialized memory

CVE-2018-5095: Integer overflow in Skia library during edge builder
allocation

CVE-2018-5097: Use-after-free when source document is manipulated
during XSLT

CVE-2018-5098: Use-after-free while manipulating form input elements

CVE-2018-5099: Use-after-free with widget listener

CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments
are freed from memory

CVE-2018-5101: Use-after-free with floating first-letter style
elements

CVE-2018-5102: Use-after-free in HTML media elements

CVE-2018-5103: Use-after-free during mouse event handling

CVE-2018-5104: Use-after-free during font face manipulation

CVE-2018-5105: WebExtensions can save and execute files on local file
system without user prompts

CVE-2018-5106: Developer Tools can expose style editor information
cross-origin through service worker

CVE-2018-5107: Printing process will follow symlinks for local file
access

CVE-2018-5108: Manually entered blob URL can be accessed by subsequent
private browsing tabs

CVE-2018-5109: Audio capture prompts and starts with incorrect origin
attribution

CVE-2018-5110: Cursor can be made invisible on OS X

CVE-2018-5111: URL spoofing in addressbar through drag and drop

CVE-2018-5112: Extension development tools panel can open a
non-relative URL in the panel

CVE-2018-5113: WebExtensions can load non-HTTPS pages with
browser.identity.launchWebAuthFlow

CVE-2018-5114: The old value of a cookie changed to HttpOnly remains
accessible to scripts

CVE-2018-5115: Background network requests can open HTTP
authentication in unrelated foreground tabs

CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin
frame content access

CVE-2018-5117: URL spoofing with right-to-left text aligned
left-to-right

CVE-2018-5118: Activity Stream images can attempt to load local
content through file :

CVE-2018-5119: Reader view will load cross-origin content in violation
of CORS headers

CVE-2018-5121: OS X Tibetan characters render incompletely in the
addressbar

CVE-2018-5122: Potential integer overflow in DoCrypt

CVE-2018-5090: Memory safety bugs fixed in Firefox 58

CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR
52.6"
  );
  # https://www.mozilla.org/security/advisories/mfsa2018-02/
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/"
  );
  # https://www.mozilla.org/security/advisories/mfsa2018-03/
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/"
  );
  # https://vuxml.freebsd.org/freebsd/a891c5b4-3d7a-4de9-9c71-eef3fd698c77.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9a44141c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox-esr");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:libxul");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-seamonkey");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-thunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:seamonkey");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:thunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:waterfox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"firefox<58.0_1,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"waterfox<56.0.3.63")) flag++;
if (pkg_test(save_report:TRUE, pkg:"seamonkey<2.49.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-seamonkey<2.49.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"firefox-esr<52.6.0_1,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-firefox<52.6.0,2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"libxul<52.6.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"thunderbird<52.6.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-thunderbird<52.6.0")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3544-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106790);
  script_version("3.11");
  script_cvs_date("Date: 2019/09/18 12:31:47");

  script_cve_id("CVE-2018-5089", "CVE-2018-5090", "CVE-2018-5091", "CVE-2018-5092", "CVE-2018-5093", "CVE-2018-5094", "CVE-2018-5095", "CVE-2018-5097", "CVE-2018-5098", "CVE-2018-5099", "CVE-2018-5100", "CVE-2018-5101", "CVE-2018-5102", "CVE-2018-5103", "CVE-2018-5104", "CVE-2018-5105", "CVE-2018-5106", "CVE-2018-5107", "CVE-2018-5108", "CVE-2018-5109", "CVE-2018-5111", "CVE-2018-5112", "CVE-2018-5113", "CVE-2018-5114", "CVE-2018-5115", "CVE-2018-5116", "CVE-2018-5117", "CVE-2018-5118", "CVE-2018-5119", "CVE-2018-5122");
  script_xref(name:"USN", value:"3544-2");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox regressions (USN-3544-2)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web
compatibility regression and a tab crash during printing in some
circumstances. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, spoof the origin in audio capture prompts, trick the user in to
providing HTTP credentials for another origin, spoof the addressbar
contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090,
CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094,
CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099,
CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103,
CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115,
CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions.
If a user were tricked in to installing a specially crafted
extension, an attacker could potentially exploit these to
gain additional privileges, bypass same-origin restrictions,
or execute arbitrary code. (CVE-2018-5105, CVE-2018-5113,
CVE-2018-5116)

A security issue was discovered with the developer tools. If
a user were tricked in to opening a specially crafted
website with the developer tools open, an attacker could
potentially exploit this to obtain sensitive information
from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker
could potentially exploit this to obtain sensitive
information from local files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be
accessed by subsequent private browsing tabs. If a user were
tricked in to entering a blob URL, an attacker could
potentially exploit this to obtain sensitive information
from a private browsing context. (CVE-2018-5108)

It was discovered that dragging certain specially formatted
URLs to the addressbar could cause the wrong URL to be
displayed. If a user were tricked in to opening a specially
crafted website and dragging a URL to the addressbar, an
attacker could potentially exploit this to spoof the
addressbar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels
could open non-relative URLs. If a user were tricked in to
installing a specially crafted extension and running the
developer tools, an attacker could potentially exploit this
to gain additional privileges. (CVE-2018-5112)

It was discovered that ActivityStream images can attempt to
load local content through file: URLs. If a user were
tricked in to opening a specially crafted website, an
attacker could potentially exploit this in combination with
another vulnerability that allowed sandbox protections to be
bypassed, in order to obtain sensitive information from
local files. (CVE-2018-5118)

It was discovered that the reader view will load
cross-origin content in violation of CORS headers. An
attacker could exploit this to bypass CORS restrictions.
(CVE-2018-5119).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3544-2/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected firefox package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"58.0.2+build1-0ubuntu0.14.04.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"58.0.2+build1-0ubuntu0.16.04.1")) flag++;
if (ubuntu_check(osver:"17.10", pkgname:"firefox", pkgver:"58.0.2+build1-0ubuntu0.17.10.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
}