Firefox ESR < 38.1 Multiple Vulnerabilities (Logjam)

critical Nessus Plugin ID 84580

Synopsis

The remote Windows host contains a web browser that is affected by multiple vulnerabilities.

Description

The version of Firefox ESR installed on the remote Windows host is prior to 38.1. It is, therefore, affected by multiple vulnerabilities :

- A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows for a ECDHE_ECDSA exchange, but the server does not send a ServerKeyExchange message, the NSS client will take the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward secret mixed-ECDH exchange. (CVE-2015-2721)

- Multiple user-after-free errors exist when using an XMLHttpRequest object in concert with either shared or dedicated workers. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-2722, CVE-2015-2733)

- Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725)

- A security bypass vulnerability exists due to a failure to preserve context restrictions. A remote attacker can exploit this, via a crafted web site that is accessed with unspecified mouse and keyboard actions, to read arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database Manager's handling of IDBDatabase. A remote attacker can exploit this to cause a denial of service condition or to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the AudioParamTimeline::AudioNodeInputValue() function when computing oscillator rending ranges. An attacker can exploit this to disclose the contents of four bytes of memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw in Network Security Services (NSS) in its Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation. A remote attacker can exploit this to forge signatures. (CVE-2015-2730)

- A use-after-free error exists in the CSPService::ShouldLoad() function when modifying the Document Object Model to remove a DOM object. An attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the CairoTextureClientD3D9::BorrowDrawTarget() function, the ::d3d11::SetBufferData() function, and the YCbCrImageDataDeserializer::ToDataSourceSurface() function. The impact is unspecified. (CVE-2015-2734, CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the nsZipArchive::GetDataOffset() function due to improper string length checks. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2735)

- A memory corruption issue exists in the nsZipArchive::BuildFileList() function due to improper validation of user-supplied input. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the ArrayBufferBuilder::append() function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the nsXMLHttpRequest::AppendToResponseText() function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in certificate pinning checks. Key pinning is not enforced upon encountering an X.509 certificate problem that generates a user dialog. A man-in-the-middle attacker can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A privilege escalation vulnerability exists in the PDF viewer (PDF.js) due to internal workers being executed insecurely. An attacker can exploit this, by leveraging a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)

Solution

Upgrade to Firefox 38.1 or later.

See Also

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/

https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/

https://weakdh.org/

Plugin Details

Severity: Critical

ID: 84580

File Name: mozilla_firefox_38_1_esr.nasl

Version: 1.14

Type: local

Agent: windows

Family: Windows

Published: 7/7/2015

Updated: 12/5/2022

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-2740

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_esr

Required KB Items: Mozilla/Firefox/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/2/2015

Vulnerability Publication Date: 5/19/2015

Reference Information

CVE: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743, CVE-2015-4000

BID: 74733