This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-FIREFOX-RHEL7.NASLRHEL 7 : firefox (Unpatched Vulnerability)
8 High
AI Score
Confidence
High
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
-
firefox: Possible integer overflow to fix inside XML_Parse in Expat (CVE-2016-9063)
-
firefox: arbitrary code execution and a sandbox escape (CVE-2019-25136)
-
By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.
(CVE-2018-12398) -
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63. (CVE-2018-12399)
-
Some special resource URIs will cause a non-exploitable crash if loaded with optional parameters following a ‘?’ in the parsed string. This could lead to denial of service (DOS) attacks. This vulnerability affects Firefox < 63. (CVE-2018-12401)
-
The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of Save Page As… functionality. For example, a malicious page could recover a visitor’s Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page.
Similarly, SameSite cookies are sent on cross-origin requests when the Save Page As… menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies.
This vulnerability affects Firefox < 63. (CVE-2018-12402) -
If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content warning is not displayed to users. This vulnerability affects Firefox < 63. (CVE-2018-12403)
-
WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the permissions granted to extensions. This could allow an extension to interfere with the loading and usage of these pages and use capabilities that were intended to be restricted from extensions. This vulnerability affects Firefox < 64. (CVE-2018-18495)
-
Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects Firefox < 64. (CVE-2018-18497)
-
In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led to an exploitable crash. This vulnerability affects Firefox < 122. (CVE-2024-0744)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory firefox. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195501);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2016-9063",
"CVE-2018-12398",
"CVE-2018-12399",
"CVE-2018-12401",
"CVE-2018-12402",
"CVE-2018-12403",
"CVE-2018-18495",
"CVE-2018-18497",
"CVE-2019-25136",
"CVE-2024-0744"
);
script_name(english:"RHEL 7 : firefox (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- firefox: Possible integer overflow to fix inside XML_Parse in Expat (CVE-2016-9063)
- firefox: arbitrary code execution and a sandbox escape (CVE-2019-25136)
- By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject
stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.
(CVE-2018-12398)
- When a new protocol handler is registered, the API accepts a title argument which can be used to mislead
users about which domain is registering the new protocol. This may result in the user approving a protocol
handler that they otherwise would not have. This vulnerability affects Firefox < 63. (CVE-2018-12399)
- Some special resource URIs will cause a non-exploitable crash if loaded with optional parameters following
a '?' in the parsed string. This could lead to denial of service (DOS) attacks. This vulnerability affects
Firefox < 63. (CVE-2018-12401)
- The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This
manifests when sub-resources are loaded as part of Save Page As... functionality. For example, a
malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise
unreachable to the malicious page, if they can convince the visitor to save the complete web page.
Similarly, SameSite cookies are sent on cross-origin requests when the Save Page As... menu item is
selected to save a page, which can result in saving the wrong version of resources based on those cookies.
This vulnerability affects Firefox < 63. (CVE-2018-12402)
- If a site is loaded over a HTTPS connection but loads a favicon resource over HTTP, the mixed content
warning is not displayed to users. This vulnerability affects Firefox < 63. (CVE-2018-12403)
- WebExtension content scripts can be loaded into about: pages in some circumstances, in violation of the
permissions granted to extensions. This could allow an extension to interfere with the loading and usage
of these pages and use capabilities that were intended to be restricted from extensions. This
vulnerability affects Firefox < 64. (CVE-2018-18495)
- Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a
pipe in the URL field is used within the extension to load multiple pages as a single argument. This could
allow a malicious WebExtension to open privileged about: or file: locations. This vulnerability affects
Firefox < 64. (CVE-2018-18497)
- In some circumstances, JIT compiled code could have dereferenced a wild pointer value. This could have led
to an exploitable crash. This vulnerability affects Firefox < 122. (CVE-2024-0744)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9063");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-25136");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-expat1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:expat");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mingw-virt-viewer");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'expat', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'expat', 'cves':['CVE-2016-9063']},
{'reference':'firefox', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'firefox', 'cves':['CVE-2018-12398', 'CVE-2018-12399', 'CVE-2018-12401', 'CVE-2018-12402', 'CVE-2018-12403', 'CVE-2018-18495', 'CVE-2018-18497', 'CVE-2019-25136', 'CVE-2024-0744']},
{'reference':'mingw-virt-viewer', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mingw-virt-viewer', 'cves':['CVE-2016-9063']}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'expat / firefox / mingw-virt-viewer');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | 5 | cpe:/o:redhat:enterprise_linux:5 |
| redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
| redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
| redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
| redhat | enterprise_linux | compat-expat1 | p-cpe:/a:redhat:enterprise_linux:compat-expat1 |
| redhat | enterprise_linux | expat | p-cpe:/a:redhat:enterprise_linux:expat |
| redhat | enterprise_linux | firefox | p-cpe:/a:redhat:enterprise_linux:firefox |
| redhat | enterprise_linux | mingw-virt-viewer | p-cpe:/a:redhat:enterprise_linux:mingw-virt-viewer |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12398
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12401
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12403
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18495
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18497
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25136
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0744
Related
