This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.NEWSTART_CGSL_NS-SA-2020-0064_FIREFOX.NASLNewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2020-0064)
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected by multiple vulnerabilities:
-
Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after- free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6819)
-
Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6820)
-
When reading from areas partially or fully outside the source resource with WebGL’s copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6821)
-
On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in GMPDecodeData. It is possible that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
(CVE-2020-6822) -
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6825)
-
A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12387)
-
A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-6831)
-
The ‘Copy as cURL’ feature of Devtools’ network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the ‘Copy as cURL’ feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12392)
-
Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12395)
-
Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12410)
-
Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12406)
-
When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12405)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2020-0064. The text
# itself is copyright (C) ZTE, Inc.
##
include('compat.inc');
if (description)
{
script_id(143928);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");
script_cve_id(
"CVE-2020-6819",
"CVE-2020-6820",
"CVE-2020-6821",
"CVE-2020-6822",
"CVE-2020-6825",
"CVE-2020-6831",
"CVE-2020-12387",
"CVE-2020-12392",
"CVE-2020-12395",
"CVE-2020-12405",
"CVE-2020-12406",
"CVE-2020-12410"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2020-0032");
script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2020-0064)");
script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has firefox packages installed that are affected
by multiple vulnerabilities:
- Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-
free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects
Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6819)
- Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We
are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird <
68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1. (CVE-2020-6820)
- When reading from areas partially or fully outside the source resource with WebGL's
copyTexSubImage method, the specification requires the returned values be zero. Previously,
this memory was uninitialized, leading to potentially sensitive data disclosure. This vulnerability
affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6821)
- On 32-bit builds, an out of bounds write could have occurred when processing an image larger than 4 GB in
GMPDecodeData. It is possible that with enough effort this could have been exploited to run
arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
(CVE-2020-6822)
- Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs
present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we
presume that with enough effort some of these could have been exploited to run arbitrary code. This
vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75. (CVE-2020-6825)
- A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This
resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76,
and Thunderbird < 68.8.0. (CVE-2020-12387)
- A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to
memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-6831)
- The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a
request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the
command into a terminal, it could have resulted in the disclosure of local files. This vulnerability
affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12392)
- Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR
68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8,
Firefox < 76, and Thunderbird < 68.8.0. (CVE-2020-12395)
- Mozilla developers reported memory safety bugs present in Firefox 76 and Firefox ESR 68.8. Some of these
bugs showed evidence of memory corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and
Firefox ESR < 68.9. (CVE-2020-12410)
- Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting
in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This
vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9. (CVE-2020-12406)
- When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox
ESR < 68.9. (CVE-2020-12405)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2020-0064");
script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL firefox packages. Note that updated packages may not be available yet. Please contact ZTE
for more information.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12395");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-6831");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/03");
script_set_attribute(attribute:"patch_publication_date", value:"2020/12/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/12/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"NewStart CGSL Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');
if (release !~ "CGSL CORE 5.04" &&
release !~ "CGSL MAIN 5.04")
audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);
flag = 0;
pkgs = {
'CGSL CORE 5.04': [
'firefox-68.9.0-1.el7.centos',
'firefox-debuginfo-68.9.0-1.el7.centos'
],
'CGSL MAIN 5.04': [
'firefox-68.9.0-1.el7.centos',
'firefox-debuginfo-68.9.0-1.el7.centos'
]
};
pkg_list = pkgs[release];
foreach (pkg in pkg_list)
if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox');
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12392
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12395
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6821
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6822
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6825
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831
security.gd-linux.com/notice/NS-SA-2020-0064
Related
