Google Chrome < 68.0.3440.75 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 700361 (Severity: High)

Synopsis

The remote host is running a web browser that is affected by multiple vulnerabilities.

Description

The version of Google Chrome installed on the remote host is prior to 68.0.3440.75 and is affected by multiple vulnerabilities:

- A flaw exists as it does not properly limit certain characters (U+0153, U+00E6, U+04D5, U+0499, and U+0525) before displaying them as Unicode. With a specially crafted IDN domain, a context-dependent attacker can spoof an Omnibox address.
- A flaw exists in the 'ComputeRandomMagic()' function in 'blink/renderer/platform/heap/heap_page.cc' that is triggered as random numbers are not properly handled when generating heap magic values. This may lead to weaker heap object integrity checks than intended.
- A flaw exists in the safe browsing feature that is triggered when handling DMG file analysis. This may allow a context-dependent attacker to have an unspecified impact.
- A dangling reference flaw exists in the PDFiumEngine class in 'pdf/pdfium/pdfium_engine.cc' that is triggered when handling image data while paints are pending. This may allow a context-dependent attacker to have an unspecified impact.
- A flaw exists in the CPDF_DIBSource class destructor in 'fpdfapi/render/cpdf_dibsource.cpp' that may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A type confusion flaw exists in multiple JS functions that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to have an unspecified impact. No further details have been provided.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to gain cross-origin access to potentially sensitive information.
- A flaw exists in the 'ActiveTabPermissionGranter::GrantIfRequested()' function in 'browser/extensions/active_tab_permission_granter.cc' that is triggered as an extension is granted permission to the file scheme of a tab that has loaded a file URL. This may allow a malicious extension to gain unauthorized access to page information, e.g. via the 'chrome.tabs.executeScript' API.
- A flaw exists that is triggered as it is possible to include web content in WebUI documents. This may allow a context-dependent attacker to bypass intended security restrictions.
- A flaw exists that is triggered as certain input is not properly validated when handling temporary registers during shader compilation. This may allow a context-dependent attacker to crash a process linked against the library.
- An unspecified flaw exists that is triggered when handling termination garbage collection. This may allow a context-dependent attacker to have an unspecified impact.
- A use-after-free error exists in the 'vp8_deblock()' function in 'vp8/common/postproc.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'PermissionServiceImpl::RequestPermissions()' function in 'content/browser/permissions/permission_service_impl.cc' that is triggered when handling permission types. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the HTMLMediaElement class in 'blink/renderer/core/html/media/html_media_element.cc' that is triggered when handling media files. This may allow a context-dependent attacker to bypass cross-origin resource sharing (CORS) configurations.
- A type confusion flaw exists in the 'PacketBuffer::FindFrames()' function in 'modules/video_coding/packet_buffer.
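The Omnibox entry above describes a display-side problem: a hostname label containing one of the listed code points is rendered as Unicode where it can pass for a Latin look-alike. The following is an added illustration of the mitigation in question, written for this page and not taken from Chrome's own spoof-check code; it assumes a simple per-label policy in which any label containing one of the advisory's code points is shown in its punycode ('xn--') form, and the sample hostnames are constructed.

```python
# Added illustration of a display policy for the IDN spoofing entry in this
# advisory; it is not Chrome's own logic. Labels containing any of the listed
# code points are shown as punycode instead of as Unicode.

# Code points the advisory names as not being limited before Unicode display.
LIMITED_CODE_POINTS = {0x0153, 0x00E6, 0x04D5, 0x0499, 0x0525}


def label_is_suspicious(label: str) -> bool:
    """True if the label contains any of the advisory's code points."""
    return any(ord(ch) in LIMITED_CODE_POINTS for ch in label)


def suspicious_labels(hostname: str) -> list[str]:
    """Return the labels of a hostname that would be shown as punycode."""
    return [lbl for lbl in hostname.rstrip(".").split(".") if label_is_suspicious(lbl)]


def display_hostname(hostname: str) -> str:
    """Return the form a browser UI should display for a Unicode hostname.

    Labels containing one of the listed code points are converted to their
    ASCII-compatible (punycode) encoding so the user sees 'xn--...' rather
    than a look-alike Unicode string; all other labels are shown unchanged.
    """
    shown = []
    for label in hostname.rstrip(".").split("."):
        if label_is_suspicious(label):
            # str.encode("idna") applies nameprep and ToASCII (RFC 3490).
            shown.append(label.encode("idna").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hostnames for demonstration; not real indicators.
    for host in ("example.com", "\u0153xample.com", "\u04d5pple.example"):
        print(f"{host!r} -> {display_hostname(host)}")
```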

Solution

Upgrade to Chrome version 68.0.3440.75 or later.

See Also

http://www.nessus.org/u?89d1144b

Plugin Details

Severity: High

ID: 700361

Family: Web Clients

Published: 8/23/2018

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 5/10/2018

Vulnerability Publication Date: 5/10/2018

Reference Information

CVE: CVE-2018-4117

BID: 104887