Vulnerabilities > CVE-2019-9818 - Use After Free vulnerability in Mozilla Firefox

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-1534.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(125809);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");

  script_cve_id("CVE-2018-18511", "CVE-2019-11691", "CVE-2019-11692", "CVE-2019-11693", "CVE-2019-11694", "CVE-2019-11698", "CVE-2019-5798", "CVE-2019-7317", "CVE-2019-9797", "CVE-2019-9800", "CVE-2019-9815", "CVE-2019-9816", "CVE-2019-9817", "CVE-2019-9818", "CVE-2019-9819", "CVE-2019-9820", "CVE-2019-9821");

  script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-2019-1534)");
  script_summary(english:"Check for the openSUSE-2019-1534 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for MozillaFirefox fixes the following issues :

MozillaFirefox was updated to 60.7.0esr (boo#1135824 MFSA 2019-14) :

  - CVE-2018-18511: Cross-origin theft of images with
    ImageBitmapRenderingContext

  - CVE-2019-11691: Use-after-free in XMLHttpRequest

  - CVE-2019-11692: Use-after-free removing listeners in the
    event listener manager

  - CVE-2019-11693: Buffer overflow in WebGL bufferdata on
    Linux

  - CVE-2019-11694: (Windows only) Uninitialized memory
    memory leakage in Windows sandbox

  - CVE-2019-11698: Theft of user history data through drag
    and drop of hyperlinks to and from bookmarks

  - CVE-2019-5798: Out-of-bounds read in Skia

  - CVE-2019-7317: Use-after-free in png_image_free of
    libpng library

  - CVE-2019-9797: Cross-origin theft of images with
    createImageBitmap

  - CVE-2019-9800: Memory safety bugs fixed in Firefox 67
    and Firefox ESR 60.7

  - CVE-2019-9815: Disable hyperthreading on content
    JavaScript threads on macOS

  - CVE-2019-9816: Type confusion with object groups and
    UnboxedObjects

  - CVE-2019-9817: Stealing of cross-domain images using
    canvas

  - CVE-2019-9818: (Windows only) Use-after-free in crash
    generation server

  - CVE-2019-9819: Compartment mismatch with fetch API

  - CVE-2019-9820: Use-after-free of ChromeEventHandler by
    DocShell

  - CVE-2019-9821: Use-after-free in AssertWorkerThread"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1135824"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected MozillaFirefox packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-branding-upstream-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-buildsymbols-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-debuginfo-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-debugsource-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-devel-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-translations-common-60.7.0-lp150.3.54.5") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"MozillaFirefox-translations-other-60.7.0-lp150.3.54.5") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc");
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from Mozilla Foundation Security Advisory mfsa2019-13.
# The text itself is copyright (C) Mozilla Foundation.

include("compat.inc");

if (description)
{
  script_id(125360);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/30 13:24:46");

  script_cve_id(
    "CVE-2019-7317",
    "CVE-2019-9800",
    "CVE-2019-9814",
    "CVE-2019-9815",
    "CVE-2019-9816",
    "CVE-2019-9817",
    "CVE-2019-9818",
    "CVE-2019-9819",
    "CVE-2019-9820",
    "CVE-2019-9821",
    "CVE-2019-11691",
    "CVE-2019-11692",
    "CVE-2019-11693",
    "CVE-2019-11694",
    "CVE-2019-11695",
    "CVE-2019-11696",
    "CVE-2019-11697",
    "CVE-2019-11698",
    "CVE-2019-11699",
    "CVE-2019-11700",
    "CVE-2019-11701"
  );
  script_bugtraq_id(
      108098,
      108418,
      108421
  );
  script_xref(name:"MFSA", value:"2019-13");

  script_name(english:"Mozilla Firefox < 67.0");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Firefox installed on the remote macOS or Mac OS X host
is prior to 67.0. It is, therefore, affected by multiple
vulnerabilities as referenced in the mfsa2019-13 advisory.

  - If hyperthreading is not disabled, a timing attack
    vulnerability exists, similar to previous Spectre
    attacks. Apple has shipped macOS 10.14.5 with an option
    to disable hyperthreading in applications running
    untrusted code in a thread through a new sysctl. Firefox
    now makes use of it on the main thread and any worker
    threads. Note: users need to update to macOS 10.14.5
    in order to take advantage of this change.
    (CVE-2019-9815)

  - A possible vulnerability exists where type confusion can
    occur when manipulating JavaScript objects in object
    groups, allowing for the bypassing of security checks
    within these groups. Note: this vulnerability has
    only been demonstrated with UnboxedObjects,
    which are disabled by default on all supported releases.
    (CVE-2019-9816)

  - Images from a different domain can be read using a
    canvas object in some circumstances. This could be used
    to steal image data from a different site in violation
    of same-origin policy. (CVE-2019-9817)

  - A race condition is present in the crash generation
    server used to generate data for the crash reporter.
    This issue can lead to a use-after-free in the main
    process, resulting in a potentially exploitable crash
    and a sandbox escape. Note: this vulnerability only
    affects Windows. Other operating systems are unaffected.
    (CVE-2019-9818)

  - A vulnerability where a JavaScript compartment mismatch
    can occur while working with the fetch API,
    resulting in a potentially exploitable crash.
    (CVE-2019-9819)

  - A use-after-free vulnerability can occur in the chrome
    event handler when it is freed while still in use. This
    results in a potentially exploitable crash.
    (CVE-2019-9820)

  - A use-after-free vulnerability can occur in
    AssertWorkerThread due to a race condition
    with shared workers. This results in a potentially
    exploitable crash. (CVE-2019-9821)

  - A use-after-free vulnerability can occur when working
    with XMLHttpRequest (XHR) in an event loop,
    causing the XHR main thread to be called after it has
    been freed. This results in a potentially exploitable
    crash. (CVE-2019-11691)

  - A use-after-free vulnerability can occur when listeners
    are removed from the event listener manager while still
    in use, resulting in a potentially exploitable crash.
    (CVE-2019-11692)

  - The bufferdata function in WebGL is
    vulnerable to a buffer overflow with specific graphics
    drivers on Linux. This could result in malicious content
    freezing a tab or triggering a potentially exploitable
    crash. Note: this issue only occurs on Linux. Other
    operating systems are unaffected. (CVE-2019-11693)

  - A use-after-free vulnerability was discovered in the
    pngimagefree function in the libpng
    library. This could lead to denial of service or a
    potentially exploitable crash when a malformed image is
    processed. (CVE-2019-7317)

  - A vulnerability exists in the Windows sandbox where an
    uninitialized value in memory can be leaked to a
    renderer from a broker when making a call to access an
    otherwise unavailable file. This results in the
    potential leaking of information stored at that memory
    location. Note: this issue only occurs on Windows.
    Other operating systems are unaffected. (CVE-2019-11694)

  - A custom cursor defined by scripting on a site can
    position itself over the addressbar to spoof the actual
    cursor when it should not be allowed outside of the
    primary web content area. This could be used by a
    malicious site to trick users into clicking on
    permission prompts, doorhanger notifications, or other
    buttons inadvertently if the location is spoofed over
    the user interface. (CVE-2019-11695)

  - Files with the .JNLP extension used for
    Java web start applications are not treated as
    executable content for download prompts even though they
    can be executed if Java is installed on the local
    system. This could allow users to mistakenly launch an
    executable binary locally. (CVE-2019-11696)

  - If the ALT and a keys are pressed when
    users receive an extension installation prompt, the
    extension will be installed without the install prompt
    delay that keeps the prompt visible in order for users
    to accept or decline the installation. A malicious web
    page could use this with spoofing on the page to trick
    users into installing a malicious extension.
    (CVE-2019-11697)

  - If a crafted hyperlink is dragged and dropped to the
    bookmark bar or sidebar and the resulting bookmark is
    subsequently dragged and dropped into the web content
    area, an arbitrary query of a user's browser history can
    be run and transmitted to the content page via
    drop event data. This allows for the theft
    of browser history by a malicious site. (CVE-2019-11698)

  - A hyperlink using the res: protocol can be
    used to open local files at a known location in Internet
    Explorer if a user approves execution when prompted.
    Note: this issue only occurs on Windows. Other
    operating systems are unaffected. (CVE-2019-11700)

  - A malicious page can briefly cause the wrong name to be
    highlighted as the domain name in the addressbar during
    page navigations. This could result in user confusion of
    which site is currently loaded for spoofing attacks.
    (CVE-2019-11699)

  - The default webcal: protocol handler will
    load a web site vulnerable to cross-site scripting (XSS)
    attacks. This default was left in place as a legacy
    feature and has now been removed. Note: this issue
    only affects users with an account on the vulnerable
    service. Other users are unaffected. (CVE-2019-11701)

  - Mozilla developers and community members Christian
    Holler, Andrei Ciure, Julien Cristau, Jan de Mooij, Jan
    Varga, Marcia Knous, Andr Bargull, and Philipp reported
    memory safety bugs present in Firefox 66. Some of these
    bugs showed evidence of memory corruption and we presume
    that with enough effort that some of these could be
    exploited to run arbitrary code. (CVE-2019-9814)

  - Mozilla developers and community members Olli Pettay,
    Bogdan Tara, Jan de Mooij, Jason Kratzer, Jan Varga,
    Gary Kwong, Tim Guan-tin Chien, Tyson Smith, Ronald
    Crane, and Ted Campbell reported memory safety bugs
    present in Firefox 66 and Firefox ESR 60.6. Some of
    these bugs showed evidence of memory corruption and we
    presume that with enough effort that some of these could
    be exploited to run arbitrary code. (CVE-2019-9800)

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 67.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9820");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

is_esr = get_kb_item(kb_base+"/is_esr");
if (is_esr) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(version:version, path:path, product:'firefox', esr:FALSE, fix:'67.0', xss:TRUE, severity:SECURITY_HOLE);