This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALASFIREFOX-2023-011.NASLAmazon Linux 2 : firefox (ALASFIREFOX-2023-011)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.6%
The version of firefox installed on the remote host is prior to 91.10.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2023-011 advisory.
-
The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
(CVE-2022-29913) -
A malicious website could have learned the size of a cross-origin resource that supported Range requests.
This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31736) -
A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31737)
-
When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31738)
-
On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31740)
-
A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31741)
-
An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31742)
-
Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
(CVE-2022-31747)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASFIREFOX-2023-011.
##
include('compat.inc');
if (description)
{
script_id(182000);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/25");
script_cve_id(
"CVE-2022-29913",
"CVE-2022-31736",
"CVE-2022-31737",
"CVE-2022-31738",
"CVE-2022-31740",
"CVE-2022-31741",
"CVE-2022-31742",
"CVE-2022-31747"
);
script_xref(name:"IAVA", value:"2022-A-0226-S");
script_name(english:"Amazon Linux 2 : firefox (ALASFIREFOX-2023-011)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of firefox installed on the remote host is prior to 91.10.0-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2FIREFOX-2023-011 advisory.
- The parent process would not properly check whether the Speech Synthesis feature is enabled, when
receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
(CVE-2022-29913)
- A malicious website could have learned the size of a cross-origin resource that supported Range requests.
This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31736)
- A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a
potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox
ESR < 91.10. (CVE-2022-31737)
- When exiting fullscreen mode, an iframe could have confused the browser about the current state of
fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects
Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31738)
- On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation
problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox <
101, and Firefox ESR < 91.10. (CVE-2022-31740)
- A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and
potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and
Firefox ESR < 91.10. (CVE-2022-31741)
- An attacker could have exploited a timing attack by sending a large number of allowCredential entries and
detecting the difference between invalid key handles and cross-origin key handles. This could have led to
cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird <
91.10, Firefox < 101, and Firefox ESR < 91.10. (CVE-2022-31742)
- Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been exploited to run arbitrary
code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
(CVE-2022-31747)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASFIREFOX-2023-011.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-29913.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31736.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31737.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31738.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31740.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31741.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31742.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31747.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update firefox' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31747");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/31");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:firefox-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'firefox-91.10.0-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
{'reference':'firefox-91.10.0-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
{'reference':'firefox-debuginfo-91.10.0-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
{'reference':'firefox-debuginfo-91.10.0-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox / firefox-debuginfo");
}References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31736
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31737
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31738
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31740
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31741
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31742
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31747
alas.aws.amazon.com/AL2/ALASFIREFOX-2023-011.html
alas.aws.amazon.com/cve/html/CVE-2022-29913.html
alas.aws.amazon.com/cve/html/CVE-2022-31736.html
alas.aws.amazon.com/cve/html/CVE-2022-31737.html
alas.aws.amazon.com/cve/html/CVE-2022-31738.html
alas.aws.amazon.com/cve/html/CVE-2022-31740.html
alas.aws.amazon.com/cve/html/CVE-2022-31741.html
alas.aws.amazon.com/cve/html/CVE-2022-31742.html
alas.aws.amazon.com/cve/html/CVE-2022-31747.html
alas.aws.amazon.com/faqs.html
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.6 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.6%