Lucene search

HistoryDec 18, 2020 - 12:00 a.m.

Oracle Linux 8 : ELSA-2020-5624-1: / thunderbird (ELSA-2020-56241)

2020-12-1800:00:00

www.tenable.com

9.5 High

AI Score

Confidence

High

JSON

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-56241 advisory.

Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)
Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)
When an extension with the proxy permission registered to receive <allurls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. (CVE-2020-35111)
Uninitialized Use in V8. (CVE-2020-16042)
When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. (CVE-2020-26974)
Mozilla: Internal network hosts could have been probed by a malicious webpage (CVE-2020-26978)
Mozilla developer Christian Holler reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5.
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2020-35113)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2020-56241.
##

include('compat.inc');

if (description)
{
  script_id(144457);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/01");

  script_cve_id(
    "CVE-2020-16042",
    "CVE-2020-26971",
    "CVE-2020-26973",
    "CVE-2020-26974",
    "CVE-2020-26978",
    "CVE-2020-35111",
    "CVE-2020-35113"
  );

  script_name(english:"Oracle Linux 8 : ELSA-2020-5624-1: / thunderbird (ELSA-2020-56241)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the
ELSA-2020-56241 advisory.

  - Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

  - Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

  - When an extension with the proxy permission registered to receive <allurls>, the
    proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such
    URLs, a user opening View Source could have inadvertently leaked their IP address.  (CVE-2020-35111)

  - Uninitialized Use in V8. (CVE-2020-16042)

  - When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
    could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory
    corruption, and a potentially exploitable crash.  (CVE-2020-26974)

  - Mozilla: Internal network hosts could have been probed by a malicious webpage (CVE-2020-26978)

  - Mozilla developer Christian Holler reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5.
    Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of
    these could have been exploited to run arbitrary code.  (CVE-2020-35113)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2020-5624-1.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected thunderbird package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-35113");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:thunderbird");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('audit.inc');
include('global_settings.inc');
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);

pkgs = [
    {'reference':'thunderbird-78.6.0-1.0.1.el8_3', 'release':'8', 'allowmaj':TRUE}
];

flag = 0;
foreach package_array ( pkgs ) {
  reference = NULL;
  release = NULL;
  sp = NULL;
  cpu = NULL;
  el_string = NULL;
  rpm_spec_vers_cmp = NULL;
  epoch = NULL;
  allowmaj = NULL;
  rpm_prefix = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];
  if (reference && release) {
    if (rpm_prefix) {
        if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'thunderbird');
}

VendorProductVersionCPE
oraclelinux8cpe:/o:oracle:linux:8
oraclelinuxthunderbirdp-cpe:/a:oracle:linux:thunderbird

Vendor	Product	Version	CPE
oracle	linux	8	cpe:/o:oracle:linux:8
oracle	linux	thunderbird	p-cpe:/a:oracle:linux:thunderbird

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26971

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26973

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26974

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26978

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35111

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35113

linux.oracle.com/errata/ELSA-2020-5624-1.html

9.5 High

AI Score

Confidence

High

JSON

Related for ORACLELINUX_ELSA-2020-56241.NASL