Oracle Linux 6 : firefox (ELSA-2019-3281)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-3281.
##

include('compat.inc');

if (description)
{
  script_id(180779);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/07");

  script_cve_id(
    "CVE-2019-11757",
    "CVE-2019-11758",
    "CVE-2019-11759",
    "CVE-2019-11760",
    "CVE-2019-11761",
    "CVE-2019-11762",
    "CVE-2019-11763",
    "CVE-2019-11764"
  );
  script_xref(name:"IAVA", value:"2019-A-0395-S");

  script_name(english:"Oracle Linux 6 : firefox (ELSA-2019-3281)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the
ELSA-2019-3281 advisory.

  - When following the value's prototype chain, it was possible to retain a reference to a locale, delete it,
    and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash. This
    vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11757)

  - Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total
    Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we
    presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability
    affects Firefox < 69, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11758)

  - An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the
    stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This
    vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11759)

  - A fixed-size stack buffer could overflow in nrappkit when doing WebRTC signaling. This resulted in a
    potentially exploitable crash in some instances. This vulnerability affects Firefox < 70, Thunderbird <
    68.2, and Firefox ESR < 68.2. (CVE-2019-11760)

  - By using a form with a data URI it was possible to gain access to the privileged JSONView object that had
    been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass
    of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and
    Firefox ESR < 68.2. (CVE-2019-11761)

  - Mozilla developers and community members reported memory safety bugs present in Firefox 69 and Firefox ESR
    68.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some
    of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 70, Thunderbird <
    68.2, and Firefox ESR < 68.2. (CVE-2019-11764)

  - If two same-origin documents set document.domain differently to become cross-origin, it was possible for
    them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability
    affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11762)

  - Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly
    parsing these entities. This could have led to HTML comment text being treated as HTML which could have
    led to XSS in a web application under certain conditions. It could have also led to HTML entities being
    masked from filters - enabling the use of entities to mask the actual characters of interest from filters.
    This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2. (CVE-2019-11763)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2019-3281.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected firefox package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11764");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:firefox");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

var pkgs = [
    {'reference':'firefox-68.2.0-4.0.1.el6_10', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
    {'reference':'firefox-68.2.0-4.0.1.el6_10', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'firefox');
}