Vulnerabilities > CVE-2018-6120 - Integer Overflow or Wraparound vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
google
debian
redhat
CWE-190
nessus

Summary

An integer overflow that could lead to an attacker-controlled heap out-of-bounds write in PDFium in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.

Vulnerable Configurations

Part Description Count
Application
Google
3876
OS
Debian
1
OS
Redhat
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_E457978B548411E89B8554EE754AF08E.NASL
    descriptionGoogle Chrome Releases reports : 4 security fixes in this release : - [835887] Critical: Chain leading to sandbox escape. Reported by Anonymous on 2018-04-23 - [836858] High CVE-2018-6121: Privilege Escalation in extensions - [836141] High CVE-2018-6122: Type confusion in V8 - [833721] High CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2018-04-17 - [841841] Various fixes from internal audits, fuzzing and other initiatives
    last seen2020-06-01
    modified2020-06-02
    plugin id109750
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109750
    titleFreeBSD : chromium -- multiple vulnerabilities (e457978b-5484-11e8-9b85-54ee754af08e)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109750);
      script_version("1.5");
      script_cvs_date("Date: 2019/01/16  9:47:22");
    
      script_cve_id("CVE-2018-6120", "CVE-2018-6121", "CVE-2018-6122");
    
      script_name(english:"FreeBSD : chromium -- multiple vulnerabilities (e457978b-5484-11e8-9b85-54ee754af08e)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Google Chrome Releases reports :
    
    4 security fixes in this release :
    
    - [835887] Critical: Chain leading to sandbox escape. Reported by
    Anonymous on 2018-04-23
    
    - [836858] High CVE-2018-6121: Privilege Escalation in extensions
    
    - [836141] High CVE-2018-6122: Type confusion in V8
    
    - [833721] High CVE-2018-6120: Heap buffer overflow in PDFium.
    Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on
    2018-04-17
    
    - [841841] Various fixes from internal audits, fuzzing and other
    initiatives"
      );
      # https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?875f0b01"
      );
      # https://vuxml.freebsd.org/freebsd/e457978b-5484-11e8-9b85-54ee754af08e.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6038cbfd"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:chromium");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"chromium<66.0.3359.170")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-812B5D5A71.NASL
    descriptionUpdate to 66.0.3359.181. Security fix for CVE-2018-6085 CVE-2018-6086 CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090 CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094 CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098 CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102 CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106 CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114 CVE-2018-6116 CVE-2018-6117 CVE-2018-6118 CVE-2018-6121 CVE-2018-6122 CVE-2018-6120 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-06-06
    plugin id110327
    published2018-06-06
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110327
    titleFedora 27 : chromium (2018-812b5d5a71)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201805-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201805-06 (Chromium, Google Chrome: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. Impact : A remote attacker, by enticing a user to install malicious extensions, could possibly escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id109930
    published2018-05-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109930
    titleGLSA-201805-06 : Chromium, Google Chrome: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1446.NASL
    descriptionAn update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 66.0.3359.170. Security Fix(es) : * chromium-browser: Heap buffer overflow in PDFium (CVE-2018-6120) * chromium-browser: Privilege Escalation in extensions (CVE-2018-6121) * chromium-browser: Type confusion in V8 (CVE-2018-6122) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-05-31
    modified2018-05-16
    plugin id109837
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109837
    titleRHEL 6 : chromium-browser (RHSA-2018:1446)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4237.NASL
    descriptionSeveral vulnerabilities have been discovered in the chromium web browser. - CVE-2018-6118 Ned Williamson discovered a use-after-free issue. - CVE-2018-6120 Zhou Aiting discovered a buffer overflow issue in the pdfium library. - CVE-2018-6121 It was discovered that malicious extensions could escalate privileges. - CVE-2018-6122 A type confusion issue was discovered in the v8 JavaScript library. - CVE-2018-6123 Looben Yang discovered a use-after-free issue. - CVE-2018-6124 Guang Gong discovered a type confusion issue. - CVE-2018-6125 Yubico discovered that the WebUSB implementation was too permissive. - CVE-2018-6126 Ivan Fratric discovered a buffer overflow issue in the skia library. - CVE-2018-6127 Looben Yang discovered a use-after-free issue. - CVE-2018-6129 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. - CVE-2018-6130 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. - CVE-2018-6131 Natalie Silvanovich discovered an error in WebAssembly. - CVE-2018-6132 Ronald E. Crane discovered an uninitialized memory issue. - CVE-2018-6133 Khalil Zhani discovered a URL spoofing issue. - CVE-2018-6134 Jun Kokatsu discovered a way to bypass the Referrer Policy. - CVE-2018-6135 Jasper Rebane discovered a user interface spoofing issue. - CVE-2018-6136 Peter Wong discovered an out-of-bounds read issue in the v8 JavaScript library. - CVE-2018-6137 Michael Smith discovered an information leak. - CVE-2018-6138 Francois Lajeunesse-Robert discovered that the extensions policy was too permissive. - CVE-2018-6139 Rob Wu discovered a way to bypass restrictions in the debugger extension. - CVE-2018-6140 Rob Wu discovered a way to bypass restrictions in the debugger extension. - CVE-2018-6141 Yangkang discovered a buffer overflow issue in the skia library. - CVE-2018-6142 Choongwoo Han discovered an out-of-bounds read in the v8 JavaScript library. - CVE-2018-6143 Guang Gong discovered an out-of-bounds read in the v8 JavaScript library. - CVE-2018-6144 pdknsk discovered an out-of-bounds read in the pdfium library. - CVE-2018-6145 Masato Kinugawa discovered an error in the MathML implementation. - CVE-2018-6147 Michail Pishchagin discovered an error in password entry fields. - CVE-2018-6148 Michal Bentkowski discovered that the Content Security Policy header was handled incorrectly. - CVE-2018-6149 Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the v8 JavaScript library.
    last seen2020-06-01
    modified2020-06-02
    plugin id110820
    published2018-07-02
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110820
    titleDebian DSA-4237-1 : chromium-browser - security update
  • NASL familyWindows
    NASL idGOOGLE_CHROME_66_0_3359_170.NASL
    descriptionThe version of Google Chrome installed on the remote Windows host is prior to 66.0.3359.170. It is, therefore, affected by a multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 10th, 2018. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id109899
    published2018-05-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109899
    titleGoogle Chrome < 66.0.3359.170 Multiple Vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_GOOGLE_CHROME_66_0_3359_170.NASL
    descriptionThe version of Google Chrome installed on the remote host is prior to 66.0.3359.170. It is, therefore, affected by multiple unspecified vulnerabilities as noted in Chrome stable channel update release notes for May 10th, 2018. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id109900
    published2018-05-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109900
    titleGoogle Chrome < 66.0.3359.170 Multiple Vulnerabilities (macOS)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-456.NASL
    descriptionThis update for Chromium to version 66.0.3359.170 fixes the following issues : Security issues fixed (boo#1092923) : - CVE-2018-6121: Privilege Escalation in extensions - CVE-2018-6122: Type confusion in V8 - CVE-2018-6120: Heap buffer overflow in PDFium - Various fixes from internal audits, fuzzing and other initiatives The following bugs are fixed : - boo#1092272: Improved support for subpixel rending
    last seen2020-06-05
    modified2018-05-14
    plugin id109753
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109753
    titleopenSUSE Security Update : Chromium (openSUSE-2018-456)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-94E1BC8C23.NASL
    descriptionUpdate to 66.0.3359.181. Security fix for CVE-2018-6085 CVE-2018-6086 CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090 CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094 CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098 CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102 CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106 CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114 CVE-2018-6116 CVE-2018-6117 CVE-2018-6118 CVE-2018-6121 CVE-2018-6122 CVE-2018-6120 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120630
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120630
    titleFedora 28 : chromium (2018-94e1bc8c23)

Redhat

advisories
rhsa
idRHSA-2018:1446
rpms
  • chromium-browser-0:66.0.3359.170-1.el6_9
  • chromium-browser-debuginfo-0:66.0.3359.170-1.el6_9