Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.MACOSX_FIREFOX_24_3_ESR.NASL
HistoryFeb 05, 2014 - 12:00 a.m.

Firefox ESR 24.x < 24.3 Multiple Vulnerabilities (Mac OS X)

2014-02-0500:00:00
This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
JSON

The installed version of Firefox ESR 24.x is earlier than 24.3 and is, therefore, potentially affected by the following vulnerabilities :

  • Memory issues exist in the browser engine that could result in a denial of service or arbitrary code execution. (CVE-2014-1477)

  • An error exists related to System Only Wrappers (SOW) and the XML Binding Language (XBL) that could allow XUL content to be disclosed. (CVE-2014-1479)

  • An error exists related to the JavaScript engine and ‘window’ object handling that has unspecified impact.
    (CVE-2014-1481)

  • An error exists related to ‘RasterImage’ and image decoding that could allow application crashes and possibly arbitrary code execution. (CVE-2014-1482)

  • A use-after-free error exists related to image handling and ‘imgRequestProxy’ that could allow application crashes and possibly arbitrary code execution.
    (CVE-2014-1486)

  • An error exists related to ‘web workers’ that could allow cross-origin information disclosure.
    (CVE-2014-1487)

  • Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490)

  • Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72327);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id(
    "CVE-2014-1477",
    "CVE-2014-1479",
    "CVE-2014-1481",
    "CVE-2014-1482",
    "CVE-2014-1486",
    "CVE-2014-1487",
    "CVE-2014-1490",
    "CVE-2014-1491"
  );
  script_bugtraq_id(
    65317,
    65320,
    65326,
    65328,
    65330,
    65332,
    65334,
    65335
  );

  script_name(english:"Firefox ESR 24.x < 24.3 Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Checks version of Firefox");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser that is potentially
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of Firefox ESR 24.x is earlier than 24.3 and is,
therefore, potentially affected by the following vulnerabilities :

  - Memory issues exist in the browser engine that could
    result in a denial of service or arbitrary code
    execution. (CVE-2014-1477)

  - An error exists related to System Only Wrappers (SOW)
    and the XML Binding Language (XBL) that could allow
    XUL content to be disclosed. (CVE-2014-1479)

  - An error exists related to the JavaScript engine and
    'window' object handling that has unspecified impact.
    (CVE-2014-1481)

  - An error exists related to 'RasterImage' and image
    decoding that could allow application crashes and
    possibly arbitrary code execution. (CVE-2014-1482)

  - A use-after-free error exists related to image handling
    and 'imgRequestProxy' that could allow application
    crashes and possibly arbitrary code execution.
    (CVE-2014-1486)

  - An error exists related to 'web workers' that could
    allow cross-origin information disclosure.
    (CVE-2014-1487)

  - Network Security Services (NSS) contains a race
    condition in libssl that occurs during session ticket 
    processing. A remote attacker can exploit this flaw
    to cause a denial of service. (CVE-2014-1490)

  - Network Security Services (NSS) does not properly
    restrict public values in Diffie-Hellman key exchanges,
    allowing a remote attacker to bypass cryptographic
    protection mechanisms. (CVE-2014-1491)");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-14-058/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-01/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-02/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-04/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-08/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-09/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-12/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2014-13/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Firefox ESR 24.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1486");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox_esr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

is_esr = get_kb_item(kb_base+"/is_esr");
if (isnull(is_esr)) audit(AUDIT_NOT_INST, "Mozilla Firefox ESR");

mozilla_check_version(product:'firefox', version:version, path:path, esr:TRUE, fix:'24.3', min:'24.0', severity:SECURITY_HOLE, xss:FALSE);
VendorProductVersionCPE
mozillafirefox_esrcpe:/a:mozilla:firefox_esr

References

Related

debian 3
openvas 62
nessus 46
veracode 7
redhat 5
ubuntu 3
mageia 2
oraclelinux 4
centos 4
suse 6
freebsd 1
securityvulns 1
mozilla 7
seebug 3
cvelist 8
cve 8
ubuntucve 8
debiancve 2
prion 8
intothesymmetry 1
zdi 1
f5 2
ibm 4
osv 2
gentoo 1
debian
debian
[SECURITY] [DSA 2858-1] iceweasel security update
2014-02-10 15:42:08
[DLA 23-1] nss security update
2014-07-31 11:27:15
[SECURITY] [DSA 2994-1] nss security update
2014-07-31 11:51:51
openvas
openvas
Mozilla Thunderbird Multiple Vulnerabilities-01 (Feb 2014) - Mac OS X
2014-02-11 00:00:00
Mozilla Firefox ESR Multiple Vulnerabilities-01 (Feb 2014) - Windows
2014-02-11 00:00:00
Debian: Security Advisory (DSA-2858-1)
2014-02-09 00:00:00
nessus
nessus
Thunderbird < 24.3 Multiple Vulnerabilities (Mac OS X)
2014-02-05 00:00:00
Fedora 19 : thunderbird-24.3.0-1.fc19 (2014-2083)
2014-03-02 00:00:00
Firefox ESR 24.x < 24.3 Multiple Vulnerabilities
2014-02-05 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-05-02 05:00:59
Authentication Bypass
2019-05-02 05:00:58
Same-Origin Policy Bypass
2019-05-02 05:00:59
redhat
redhat
(RHSA-2014:0133) Important: thunderbird security update
2014-02-04 00:00:00
(RHSA-2014:0132) Critical: firefox security update
2014-02-04 00:00:00
(RHSA-2014:1246) Moderate: nss and nspr security, bug fix, and enhancement update
2014-09-16 00:00:00
ubuntu
ubuntu
Thunderbird vulnerabilities
2014-02-19 00:00:00
Firefox vulnerabilities
2014-02-10 00:00:00
Firefox regression
2014-02-19 00:00:00
mageia
mageia
Updated Firefox & Thunderbird packages fix multiple security vulnerabilities
2014-02-07 00:02:09
Updated seamonkey packages fix multiple vulnerabilities
2014-02-11 00:18:15
oraclelinux
oraclelinux
firefox security update
2014-02-04 00:00:00
thunderbird security update
2014-02-04 00:00:00
nss and nspr security, bug fix, and enhancement update
2014-09-17 00:00:00
centos
centos
thunderbird security update
2014-02-05 09:18:22
firefox security update
2014-02-05 09:15:53
nss security update
2014-09-30 11:21:57
suse
suse
Mozilla updates February 2014 (important)
2014-02-08 13:04:12
Security update for MozillaFirefox (important)
2014-02-18 13:25:23
Security update for Mozilla Firefox (important)
2014-02-19 21:04:13
freebsd
freebsd
mozilla -- multiple vulnerabilities
2014-02-04 00:00:00
securityvulns
securityvulns
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
2014-02-10 00:00:00
mozilla
mozilla
NSS ticket handling issues — Mozilla
2014-02-04 00:00:00
Incorrect use of discarded images by RasterImage — Mozilla
2014-02-04 00:00:00
Inconsistent JavaScript handling of access to Window objects — Mozilla
2014-02-04 00:00:00
seebug
seebug
Mozilla Network Security Services释放后重利用内存破坏漏洞(CVE-2014-1490)
2014-02-12 00:00:00
Mozilla Firefox/Thunderbird/SeaMonkey多个内存破坏漏洞(CVE-2014-1477)
2014-02-12 00:00:00
Mozilla Firefox/Thunderbird/SeaMonkey释放后重用远程代码执行漏洞
2014-02-11 00:00:00
cvelist
cvelist
CVE-2014-1482
2014-02-06 02:00:00
CVE-2014-1479
2014-02-06 02:00:00
CVE-2014-1490
2014-02-06 02:00:00
cve
cve
CVE-2014-1481
2014-02-06 05:44:00
CVE-2014-1479
2014-02-06 05:44:00
CVE-2014-1490
2014-02-06 05:44:00
ubuntucve
ubuntucve
CVE-2014-1490
2014-02-05 00:00:00
CVE-2014-1481
2014-02-04 00:00:00
CVE-2014-1479
2014-02-04 00:00:00
debiancve
debiancve
CVE-2014-1490
2014-02-06 05:44:00
CVE-2014-1491
2014-02-06 05:44:00
prion
prion
Design/Logic Flaw
2014-02-06 05:44:00
Race condition
2014-02-06 05:44:00
Memory corruption
2014-02-06 05:44:00
intothesymmetry
intothesymmetry
Small subgroup attack in Mozilla NSS
2015-12-22 13:29:00
zdi
zdi
Mozilla Firefox imgRequestProxy Use-After-Free Remote Code Execution Vulnerability
2014-04-03 00:00:00
f5
f5
SOL16716 - Multiple Mozilla NSS vulnerabilities
2015-06-05 00:00:00
K16716 : Multiple Mozilla NSS vulnerabilities
2015-09-17 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Network Security Services (NSS) and Netscape Portable Runtime (NSPR) affect IBM SAN Volume Controller and Storwize Family (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)
2023-03-29 01:48:02
Security Bulletin: Vulnerabilities in Network Security Services (NSS) and Netscape Portable Runtime (NSPR) affect IBM SAN Volume Controller and Storwize Family (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-1544, CVE-2014-1545)
2022-08-20 00:54:31
Security Bulletin: Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154
2023-02-28 01:12:10
osv
osv
nss - security update
2014-07-31 00:00:00
nss - security update
2014-07-31 00:00:00
gentoo
gentoo
Mozilla Products: Multiple vulnerabilities
2015-04-07 00:00:00
JSON
Related for MACOSX_FIREFOX_24_3_ESR.NASL
debian3openvas62nessus46veracode7redhat5ubuntu3mageia2oraclelinux4centos4suse6freebsd1securityvulns1mozilla7seebug3cvelist8cve8ubuntucve8debiancve2prion8intothesymmetry1zdi1f52ibm4osv2gentoo1