Lucene search

K
nessusThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.MOZILLA_FIREFOX_50_1.NASL
HistoryDec 15, 2016 - 12:00 a.m.

Mozilla Firefox < 50.1 Multiple Vulnerabilities

2016-12-1500:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13

The version of Mozilla Firefox installed on the remote Windows host is prior to 50.1. It is, therefore, affected by the following vulnerabilities :

  • Multiple memory corruption issues exists when handling style contexts, regular expressions, and clamped gradients that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9080)

  • Multiple memory corruption issues exists, such as when handling document state changes or HTML5 content, or else due to dereferencing already freed memory or improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9893)

  • A buffer overflow condition exists in SkiaGl, within the GrResourceProvider::createBuffer() function in file gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a GrGLBuffer being truncated during allocation. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9894)

  • A security bypass vulnerability exists due to event handlers for marquee elements being executed despite a Content Security Policy (CSP) that disallowed inline JavaScript. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2016-9895)

  • A use-after-free error exists within WebVR when handling the navigator object. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.
    (CVE-2016-9896)

  • A memory corruption issue exists in libGLES when WebGL functions use a vector constructor with a varying array within libGLES. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9897)

  • A use-after-free error exists in Editor, specifically within file editor/libeditor/HTMLEditor.cpp, when handling DOM subtrees. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
    (CVE-2016-9898)

  • A use-after-free error exists in the nsNodeUtils::CloneAndAdopt() function within file dom/base/nsNodeUtils.cpp, while manipulating DOM events and removing audio elements, due to improper handling of failing node adoption. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
    (CVE-2016-9899)

  • A security bypass vulnerability exists in the nsDataDocumentContentPolicy::ShouldLoad() function within file dom/base/nsDataDocumentContentPolicy.cpp that allows external resources to be inappropriately loaded by SVG images by utilizing ‘data:’ URLs. An unauthenticated, remote attacker can exploit this to disclose sensitive cross-domain information.
    (CVE-2016-9900)

  • A flaw exists due to improper sanitization of HTML tags received from the Pocket server. An unauthenticated, remote attacker can exploit this to run JavaScript code in the about:pocket-saved (unprivileged) page, giving it access to Pocket’s messaging API through HTML injection.
    (CVE-2016-9901)

  • A flaw exists in the Pocket toolbar button, specifically in browser/extensions/pocket/content/main.js, due to improper verification of the origin of events fired from its own pages. An unauthenticated, remote attacker can exploit this to inject content and commands from other origins into the Pocket context. Note that this issue does not affect users with e10s enabled. (CVE-2016-9902)

  • A universal cross-site scripting (XSS) vulnerability exists in the Add-ons SDK, specifically within files addon-sdk/source/lib/sdk/ui/frame/view.html and addon-sdk/source/lib/sdk/ui/frame/view.js, due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session.
    (CVE-2016-9903)

  • An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to determine whether an atom is used by another compartment or zone in specific contexts, by utilizing a JavaScript Map/Set timing attack. (CVE-2016-9904)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95886);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2016-9080",
    "CVE-2016-9893",
    "CVE-2016-9894",
    "CVE-2016-9895",
    "CVE-2016-9896",
    "CVE-2016-9897",
    "CVE-2016-9898",
    "CVE-2016-9899",
    "CVE-2016-9900",
    "CVE-2016-9901",
    "CVE-2016-9902",
    "CVE-2016-9903",
    "CVE-2016-9904"
  );
  script_bugtraq_id(94883, 94885);
  script_xref(name:"MFSA", value:"2016-94");

  script_name(english:"Mozilla Firefox < 50.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox installed on the remote Windows host
is prior to 50.1. It is, therefore, affected by the following
vulnerabilities :

  - Multiple memory corruption issues exists when handling
    style contexts, regular expressions, and clamped
    gradients that allow an unauthenticated, remote attacker
    to cause a denial of service condition or the execution
    of arbitrary code. (CVE-2016-9080)

  - Multiple memory corruption issues exists, such as when
    handling document state changes or HTML5 content, or
    else due to dereferencing already freed memory or
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit these to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-9893)

  - A buffer overflow condition exists in SkiaGl, within the
    GrResourceProvider::createBuffer() function in file
    gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a
    GrGLBuffer being truncated during allocation. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-9894)

  - A security bypass vulnerability exists due to event
    handlers for marquee elements being executed despite a
    Content Security Policy (CSP) that disallowed inline
    JavaScript. An unauthenticated, remote attacker can
    exploit this to impact integrity. (CVE-2016-9895)

  - A use-after-free error exists within WebVR when handling
    the navigator object. An unauthenticated, remote
    attacker can exploit this to dereference already freed
    memory, resulting in the execution of arbitrary code.
    (CVE-2016-9896)

  - A memory corruption issue exists in libGLES when WebGL
    functions use a vector constructor with a varying array
    within libGLES. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2016-9897)

  - A use-after-free error exists in Editor, specifically
    within file editor/libeditor/HTMLEditor.cpp, when
    handling DOM subtrees. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition or the execution of arbitrary code.
    (CVE-2016-9898)

  - A use-after-free error exists in the
    nsNodeUtils::CloneAndAdopt() function within file
    dom/base/nsNodeUtils.cpp, while manipulating DOM events
    and removing audio elements, due to improper handling of
    failing node adoption. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition or the execution of arbitrary code.
    (CVE-2016-9899)

  - A security bypass vulnerability exists in the
    nsDataDocumentContentPolicy::ShouldLoad() function
    within file dom/base/nsDataDocumentContentPolicy.cpp
    that allows external resources to be inappropriately
    loaded by SVG images by utilizing 'data:' URLs. An
    unauthenticated, remote attacker can exploit this to
    disclose sensitive cross-domain information.
    (CVE-2016-9900)

  - A flaw exists due to improper sanitization of HTML tags
    received from the Pocket server. An unauthenticated,
    remote attacker can exploit this to run JavaScript code
    in the about:pocket-saved (unprivileged) page, giving it
    access to Pocket's messaging API through HTML injection.
    (CVE-2016-9901)

  - A flaw exists in the Pocket toolbar button, specifically
    in browser/extensions/pocket/content/main.js, due to
    improper verification of the origin of events fired from
    its own pages. An unauthenticated, remote attacker can
    exploit this to inject content and commands from other
    origins into the Pocket context. Note that this issue
    does not affect users with e10s enabled. (CVE-2016-9902)

  - A universal cross-site scripting (XSS) vulnerability
    exists in the Add-ons SDK, specifically within files
    addon-sdk/source/lib/sdk/ui/frame/view.html and
    addon-sdk/source/lib/sdk/ui/frame/view.js, due to
    improper validation of input before returning it to
    users. An unauthenticated, remote attacker can exploit
    this, via a specially crafted request, to execute
    arbitrary script code in a user's browser session.
    (CVE-2016-9903)

  - An information disclosure vulnerability exists that
    allows an unauthenticated, remote attacker to determine
    whether an atom is used by another compartment or zone
    in specific contexts, by utilizing a JavaScript Map/Set
    timing attack. (CVE-2016-9904)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 50.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9901");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mozilla_org_installed.nasl");
  script_require_keys("Mozilla/Firefox/Version");

  exit(0);
}

include("mozilla_version.inc");

port = get_kb_item("SMB/transport");
if (!port) port = 445;

installs = get_kb_list("SMB/Mozilla/Firefox/*");
if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox");

mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'50.1', severity:SECURITY_HOLE);
VendorProductVersion
mozillafirefox
Related for MOZILLA_FIREFOX_50_1.NASL