Vulnerabilities > CVE-2018-6120 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An integer overflow that could lead to an attacker-controlled heap out-of-bounds write in PDFium in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E457978B548411E89B8554EE754AF08E.NASL description Google Chrome Releases reports : 4 security fixes in this release : - [835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23 - [836858] High CVE-2018-6121: Privilege Escalation in extensions - [836141] High CVE-2018-6122: Type confusion in V8 - [833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17 - [841841] Various fixes from internal audits, fuzzing and other initiatives last seen 2020-06-01 modified 2020-06-02 plugin id 109750 published 2018-05-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109750 title FreeBSD : chromium -- multiple vulnerabilities (e457978b-5484-11e8-9b85-54ee754af08e) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(109750); script_version("1.5"); script_cvs_date("Date: 2019/01/16 9:47:22"); script_cve_id("CVE-2018-6120", "CVE-2018-6121", "CVE-2018-6122"); script_name(english:"FreeBSD : chromium -- multiple vulnerabilities (e457978b-5484-11e8-9b85-54ee754af08e)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Google Chrome Releases reports : 4 security fixes in this release : - [835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23 - [836858] High CVE-2018-6121: Privilege Escalation in extensions - [836141] High CVE-2018-6122: Type confusion in V8 - [833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17 - [841841] Various fixes from internal audits, fuzzing and other initiatives" ); # https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?875f0b01" ); # https://vuxml.freebsd.org/freebsd/e457978b-5484-11e8-9b85-54ee754af08e.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6038cbfd" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:chromium"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"chromium<66.0.3359.170")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2018-812B5D5A71.NASL description Update to 66.0.3359.181. Security fix for CVE-2018-6085 CVE-2018-6086 CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090 CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094 CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098 CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102 CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106 CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114 CVE-2018-6116 CVE-2018-6117 CVE-2018-6118 CVE-2018-6121 CVE-2018-6122 CVE-2018-6120 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-06-06 plugin id 110327 published 2018-06-06 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110327 title Fedora 27 : chromium (2018-812b5d5a71) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201805-06.NASL description The remote host is affected by the vulnerability described in GLSA-201805-06 (Chromium, Google Chrome: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. Impact : A remote attacker, by enticing a user to install malicious extensions, could possibly escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 109930 published 2018-05-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109930 title GLSA-201805-06 : Chromium, Google Chrome: Multiple vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1446.NASL description An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 66.0.3359.170. Security Fix(es) : * chromium-browser: Heap buffer overflow in PDFium (CVE-2018-6120) * chromium-browser: Privilege Escalation in extensions (CVE-2018-6121) * chromium-browser: Type confusion in V8 (CVE-2018-6122) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-05-31 modified 2018-05-16 plugin id 109837 published 2018-05-16 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109837 title RHEL 6 : chromium-browser (RHSA-2018:1446) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4237.NASL description Several vulnerabilities have been discovered in the chromium web browser. - CVE-2018-6118 Ned Williamson discovered a use-after-free issue. - CVE-2018-6120 Zhou Aiting discovered a buffer overflow issue in the pdfium library. - CVE-2018-6121 It was discovered that malicious extensions could escalate privileges. - CVE-2018-6122 A type confusion issue was discovered in the v8 JavaScript library. - CVE-2018-6123 Looben Yang discovered a use-after-free issue. - CVE-2018-6124 Guang Gong discovered a type confusion issue. - CVE-2018-6125 Yubico discovered that the WebUSB implementation was too permissive. - CVE-2018-6126 Ivan Fratric discovered a buffer overflow issue in the skia library. - CVE-2018-6127 Looben Yang discovered a use-after-free issue. - CVE-2018-6129 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. - CVE-2018-6130 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. - CVE-2018-6131 Natalie Silvanovich discovered an error in WebAssembly. - CVE-2018-6132 Ronald E. Crane discovered an uninitialized memory issue. - CVE-2018-6133 Khalil Zhani discovered a URL spoofing issue. - CVE-2018-6134 Jun Kokatsu discovered a way to bypass the Referrer Policy. - CVE-2018-6135 Jasper Rebane discovered a user interface spoofing issue. - CVE-2018-6136 Peter Wong discovered an out-of-bounds read issue in the v8 JavaScript library. - CVE-2018-6137 Michael Smith discovered an information leak. - CVE-2018-6138 Francois Lajeunesse-Robert discovered that the extensions policy was too permissive. - CVE-2018-6139 Rob Wu discovered a way to bypass restrictions in the debugger extension. - CVE-2018-6140 Rob Wu discovered a way to bypass restrictions in the debugger extension. - CVE-2018-6141 Yangkang discovered a buffer overflow issue in the skia library. - CVE-2018-6142 Choongwoo Han discovered an out-of-bounds read in the v8 JavaScript library. - CVE-2018-6143 Guang Gong discovered an out-of-bounds read in the v8 JavaScript library. - CVE-2018-6144 pdknsk discovered an out-of-bounds read in the pdfium library. - CVE-2018-6145 Masato Kinugawa discovered an error in the MathML implementation. - CVE-2018-6147 Michail Pishchagin discovered an error in password entry fields. - CVE-2018-6148 Michal Bentkowski discovered that the Content Security Policy header was handled incorrectly. - CVE-2018-6149 Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the v8 JavaScript library. last seen 2020-06-01 modified 2020-06-02 plugin id 110820 published 2018-07-02 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110820 title Debian DSA-4237-1 : chromium-browser - security update NASL family Windows NASL id GOOGLE_CHROME_66_0_3359_170.NASL description The version of Google Chrome installed on the remote Windows host is prior to 66.0.3359.170. It is, therefore, affected by a multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 10th, 2018. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109899 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109899 title Google Chrome < 66.0.3359.170 Multiple Vulnerabilities NASL family MacOS X Local Security Checks NASL id MACOSX_GOOGLE_CHROME_66_0_3359_170.NASL description The version of Google Chrome installed on the remote host is prior to 66.0.3359.170. It is, therefore, affected by multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 10th, 2018. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 109900 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109900 title Google Chrome < 66.0.3359.170 Multiple Vulnerabilities (macOS) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-456.NASL description This update for Chromium to version 66.0.3359.170 fixes the following issues : Security issues fixed (boo#1092923) : - CVE-2018-6121: Privilege Escalation in extensions - CVE-2018-6122: Type confusion in V8 - CVE-2018-6120: Heap buffer overflow in PDFium - Various fixes from internal audits, fuzzing and other initiatives The following bugs are fixed : - boo#1092272: Improved support for subpixel rending last seen 2020-06-05 modified 2018-05-14 plugin id 109753 published 2018-05-14 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109753 title openSUSE Security Update : Chromium (openSUSE-2018-456) NASL family Fedora Local Security Checks NASL id FEDORA_2018-94E1BC8C23.NASL description Update to 66.0.3359.181. Security fix for CVE-2018-6085 CVE-2018-6086 CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090 CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094 CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098 CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102 CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106 CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114 CVE-2018-6116 CVE-2018-6117 CVE-2018-6118 CVE-2018-6121 CVE-2018-6122 CVE-2018-6120 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120630 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120630 title Fedora 28 : chromium (2018-94e1bc8c23)
Redhat
advisories |
| ||||
rpms |
|
References
- http://www.securityfocus.com/bid/104143
- http://www.securityfocus.com/bid/104143
- https://access.redhat.com/errata/RHSA-2018:1446
- https://access.redhat.com/errata/RHSA-2018:1446
- https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html
- https://crbug.com/833721
- https://crbug.com/833721
- https://security.gentoo.org/glsa/201805-06
- https://security.gentoo.org/glsa/201805-06
- https://www.debian.org/security/2018/dsa-4237
- https://www.debian.org/security/2018/dsa-4237