Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox vulnerabilities (USN-3544-1)

2018-01-25T00:00:00
ID UBUNTU_USN-3544-1.NASL
Type nessus
Reporter Tenable
Modified 2018-06-26T00:00:00

Description

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, spoof the origin in audio capture prompts, trick the user into providing HTTP credentials for another origin, spoof the address bar contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090, CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115, CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit these to gain additional privileges, bypass same-origin restrictions, or execute arbitrary code. (CVE-2018-5105, CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user were tricked into opening a specially crafted website with the developer tools open, an attacker could potentially exploit this to obtain sensitive information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by subsequent private browsing tabs. If a user were tricked into entering a blob URL, an attacker could potentially exploit this to obtain sensitive information from a private browsing context. (CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to the address bar could cause the wrong URL to be displayed. If a user were tricked into opening a specially crafted website and dragging a URL to the address bar, an attacker could potentially exploit this to spoof the address bar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open non-relative URLs. If a user were tricked into installing a specially crafted extension and running the developer tools, an attacker could potentially exploit this to gain additional privileges. (CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local content through file: URLs. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this in combination with another vulnerability that allowed sandbox protections to be bypassed, in order to obtain sensitive information from local files. (CVE-2018-5118)

It was discovered that the reader view will load cross-origin content in violation of CORS headers. An attacker could exploit this to bypass CORS restrictions. (CVE-2018-5119)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3544-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(106347);
  script_version("1.7");
  script_cvs_date("Date: 2018/06/26 14:13:47");

  script_cve_id("CVE-2018-5089", "CVE-2018-5090", "CVE-2018-5091", "CVE-2018-5092", "CVE-2018-5093", "CVE-2018-5094", "CVE-2018-5095", "CVE-2018-5097", "CVE-2018-5098", "CVE-2018-5099", "CVE-2018-5100", "CVE-2018-5101", "CVE-2018-5102", "CVE-2018-5103", "CVE-2018-5104", "CVE-2018-5105", "CVE-2018-5106", "CVE-2018-5107", "CVE-2018-5108", "CVE-2018-5109", "CVE-2018-5111", "CVE-2018-5112", "CVE-2018-5113", "CVE-2018-5114", "CVE-2018-5115", "CVE-2018-5116", "CVE-2018-5117", "CVE-2018-5118", "CVE-2018-5119", "CVE-2018-5122");
  script_osvdb_id(171538, 171698, 173244, 173245, 173246, 173247, 173248, 173249, 173250, 173251, 173252, 173253, 173254, 173255, 173256, 173257, 173258, 173259, 173260, 173261, 173262, 173263, 173264, 173265, 173266, 173267, 173268, 173269, 173270, 173271, 173272, 173273, 173274, 173275, 173276, 173277, 173279, 173280, 173281, 173282, 173283, 173284, 173285, 173286, 173287, 173288, 173289, 173290, 173291, 173292, 173294, 173295, 173296, 173297, 173298, 173299, 173300, 173301, 173302, 173304, 173312, 173313, 173324, 173325, 173326, 173327, 173328, 173330, 173331, 173332, 173336, 173337, 173338, 173339, 173340, 173341, 173342, 173343, 173344, 173345, 173346, 173348);
  script_xref(name:"USN", value:"3544-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : firefox vulnerabilities (USN-3544-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, spoof the origin in audio capture prompts, trick the user into
providing HTTP credentials for another origin, spoof the address bar
contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090,
CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094,
CVE-2018-5095, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099,
CVE-2018-5100, CVE-2018-5101, CVE-2018-5102, CVE-2018-5103,
CVE-2018-5104, CVE-2018-5109, CVE-2018-5114, CVE-2018-5115,
CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions. If a user
were tricked into installing a specially crafted extension, an
attacker could potentially exploit these to gain additional
privileges, bypass same-origin restrictions, or execute arbitrary
code. (CVE-2018-5105, CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user
were tricked into opening a specially crafted website with the
developer tools open, an attacker could potentially exploit this to
obtain sensitive information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could
potentially exploit this to obtain sensitive information from local
files. (CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by
subsequent private browsing tabs. If a user were tricked into
entering a blob URL, an attacker could potentially exploit this to
obtain sensitive information from a private browsing context.
(CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to
the address bar could cause the wrong URL to be displayed. If a user
were tricked into opening a specially crafted website and dragging a
URL to the address bar, an attacker could potentially exploit this to
spoof the address bar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open
non-relative URLs. If a user were tricked into installing a specially
crafted extension and running the developer tools, an attacker could
potentially exploit this to gain additional privileges.
(CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local
content through file: URLs. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this
in combination with another vulnerability that allowed sandbox
protections to be bypassed, in order to obtain sensitive information
from local files. (CVE-2018-5118)

It was discovered that the reader view will load cross-origin content
in violation of CORS headers. An attacker could exploit this to bypass
CORS restrictions. (CVE-2018-5119)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected firefox package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:firefox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(14\.04|16\.04|17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.14.04.1")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.16.04.1")) flag++;
if (ubuntu_check(osver:"17.10", pkgname:"firefox", pkgver:"58.0+build6-0ubuntu0.17.10.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "firefox");
}