Mozilla Firefox < 52.0 Multiple Vulnerabilities

Critical Nessus Plugin ID 97639

Synopsis

The web browser installed on the remote Windows host is affected by multiple vulnerabilities.

Description

The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by the following multiple vulnerabilities:

- Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. (CVE-2017-5398)

- Mozilla developers and community members Carsten Book, Calixte Denizet, Christian Holler, Andrew McCreight, David Bolter, David Keeler, Jon Coppeard, Tyson Smith, Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed Davis, Julian Seward, Julian Hector, Philipp, Markus Stange, and Andre Bargull reported memory safety bugs present in Firefox 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. (CVE-2017-5399)

- JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5400)

- A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash could be exploitable. (CVE-2017-5401)

- A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. (CVE-2017-5402)

- When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash. (CVE-2017-5403)

- A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. (CVE-2017-5404)

- Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. (CVE-2017-5405)

- A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. (CVE-2017-5406)

- Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. (CVE-2017-5407)

- Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. (CVE-2017-5408)

- The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. (CVE-2017-5409)

- Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due to errors in how incremental sweeping is managed for memory cleanup. (CVE-2017-5410)

- A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used for WebGL content. The buffer storage can be freed while still in use in some circumstances, leading to a potentially exploitable crash. Note: This issue is in libGLES, which is only in use on Windows. Other operating systems are not affected. (CVE-2017-5411)

- A buffer overflow read during SVG filter color value operations, resulting in data exposure. (CVE-2017-5412)

- A segmentation fault can occur during some bidirectional layout operations. (CVE-2017-5413)

- The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. (CVE-2017-5414)

- An attack can use a blob URL and script to spoof an arbitrary addressbar URL prefaced by blob: as the protocol, leading to user confusion and further spoofing attacks. (CVE-2017-5415)

- In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice. (CVE-2017-5416)

- When dragging content from the primary browser pane to the addressbar on a malicious site, it is possible to change the addressbar so that the displayed location following navigation does not match the URL of the newly loaded page. This allows for spoofing attacks. (CVE-2017-5417)

- An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set patterns. (CVE-2017-5418)

- If a malicious site repeatedly triggers a modal authentication prompt, eventually the browser UI will become non-responsive, requiring shutdown through the operating system. This is a denial of service (DOS) attack. (CVE-2017-5419)

- A javascript: url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the addressbar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly. (CVE-2017-5420)

- A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded. (CVE-2017-5421)

- If a malicious site uses the view-source: protocol, it can trigger a non-exploitable browser crash when a hyperlink is selected. This was fixed by no longer making view-source: linkable. (CVE-2017-5422)

- A non-existent chrome.manifest file will attempt to be loaded during startup from the primary installation directory. If a malicious user with local access places chrome.manifest and other referenced files in this directory, they will be loaded and activated during startup. This could result in malicious software being added without consent or modification of referenced installed files. (CVE-2017-5427)

Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade to Mozilla Firefox version 52.0 or later.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/

Plugin Details

Severity: Critical

ID: 97639

File Name: mozilla_firefox_52.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 2017/3/9

Updated: 2019/11/13

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-5399

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Required KB Items: Mozilla/Firefox/Version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/3/7

Vulnerability Publication Date: 2017/3/7

Reference Information

CVE: CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5409, CVE-2017-5410, CVE-2017-5411, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5427

BID: 96651, 96654, 96664, 96677, 96691, 96692, 96693, 96696

MFSA: 2017-05