Vulnerabilities > CVE-2018-6406 - Out-of-bounds Read vulnerability in Webmproject Libwebm
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in libwebm through 2018-01-30 does not validate the child_frame_length data obtained from a .webm file, which allows remote attackers to cause an information leak or a denial of service (heap-based buffer over-read and later out-of-bounds write), or possibly have unspecified other impact.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-128.NASL description This update for chromium to version 64.0.3282.140 fixes the following security issues : - CVE-2018-6406: Various asan fixes (boo#1078463, boo#1079021) The regular expression library re2 was updated to 2018-02-01. last seen 2020-06-05 modified 2018-02-05 plugin id 106601 published 2018-02-05 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106601 title openSUSE Security Update : chromium (openSUSE-2018-128) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-128. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106601); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-6406"); script_name(english:"openSUSE Security Update : chromium (openSUSE-2018-128)"); script_summary(english:"Check for the openSUSE-2018-128 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for chromium to version 64.0.3282.140 fixes the following security issues : - CVE-2018-6406: Various asan fixes (boo#1078463, boo#1079021) The regular expression library re2 was updated to 2018-02-01." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1078463" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1079021" ); script_set_attribute( attribute:"solution", value:"Update the affected chromium packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromedriver-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:chromium-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libre2-0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libre2-0-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libre2-0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libre2-0-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:re2-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:re2-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"libre2-0-20180201-12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libre2-0-debuginfo-20180201-12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"re2-debugsource-20180201-12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"re2-devel-20180201-12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"chromedriver-64.0.3282.140-138.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"chromedriver-debuginfo-64.0.3282.140-138.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"chromium-64.0.3282.140-138.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"chromium-debuginfo-64.0.3282.140-138.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"chromium-debugsource-64.0.3282.140-138.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libre2-0-32bit-20180201-12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libre2-0-debuginfo-32bit-20180201-12.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libre2-0 / libre2-0-32bit / libre2-0-debuginfo / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2018-AAFDBB5554.NASL description Update to Chromium 65. For EPEL7, it has been a long time since a successful build has been possible, so this will fix a LOT of CVEs. CVE-2017-15396 CVE-2017-15407 CVE-2017-15408 CVE-2017-15409 CVE-2017-15410 CVE-2017-15411 CVE-2017-15412 CVE-2017-15413 CVE-2017-15415 CVE-2017-15416 CVE-2017-15417 CVE-2017-15418 CVE-2017-15419 CVE-2017-15420 CVE-2017-15422 CVE-2018-6056 CVE-2018-6406 CVE-2018-6057 CVE-2018-6058 CVE-2018-6059 CVE-2018-6060 CVE-2018-6061 CVE-2018-6062 CVE-2018-6063 CVE-2018-6064 CVE-2018-6065 CVE-2018-6066 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069 CVE-2018-6070 CVE-2018-6071 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120695 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120695 title Fedora 28 : chromium (2018-aafdbb5554) NASL family Fedora Local Security Checks NASL id FEDORA_2018-FAFF5F661E.NASL description Update to Chromium 65. For EPEL7, it has been a long time since a successful build has been possible, so this will fix a LOT of CVEs. CVE-2017-15396 CVE-2017-15407 CVE-2017-15408 CVE-2017-15409 CVE-2017-15410 CVE-2017-15411 CVE-2017-15412 CVE-2017-15413 CVE-2017-15415 CVE-2017-15416 CVE-2017-15417 CVE-2017-15418 CVE-2017-15419 CVE-2017-15420 CVE-2017-15422 CVE-2018-6056 CVE-2018-6406 CVE-2018-6057 CVE-2018-6058 CVE-2018-6059 CVE-2018-6060 CVE-2018-6061 CVE-2018-6062 CVE-2018-6063 CVE-2018-6064 CVE-2018-6065 CVE-2018-6066 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069 CVE-2018-6070 CVE-2018-6071 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-28 plugin id 108679 published 2018-03-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108679 title Fedora 27 : chromium (2018-faff5f661e)
References
- https://bugs.chromium.org/p/webm/issues/detail?id=1492
- https://bugs.chromium.org/p/webm/issues/detail?id=1492
- https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md
- https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md