Synopsis
The remote host has an email client installed that is vulnerable to multiple attack vectors.
Description
Versions of Mozilla Thunderbird prior to 38.1 are outdated and thus unpatched for the following vulnerabilities:
- A security downgrade vulnerability exists due to a flaw in Network Security Services (NSS). When a client allows an ECDHE_ECDSA exchange but the server does not send a ServerKeyExchange message, the NSS client takes the EC key from the ECDSA certificate. A remote attacker can exploit this to silently downgrade the exchange to a non-forward-secret mixed-ECDH exchange. (CVE-2015-2721)
- Multiple memory corruption issues exist that allow an attacker to cause a denial of service condition or potentially execute arbitrary code. (CVE-2015-2724, CVE-2015-2725)
- A use-after-free error exists in the 'CSPService::ShouldLoad()' function when modifying the Document Object Model to remove a DOM object. An attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-2731)
- An uninitialized memory use issue exists in the 'CairoTextureClientD3D9::BorrowDrawTarget()' function, the '::d3d11::SetBufferData()' function, and the 'YCbCrImageDataDeserializer::ToDataSourceSurface()' function. The impact is unspecified. (CVE-2015-2734, CVE-2015-2737, CVE-2015-2738)
- A memory corruption issue exists in the 'nsZipArchive::GetDataOffset()' function due to improper string length checks. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2735)
- A memory corruption issue exists in the 'nsZipArchive::BuildFileList()' function due to improper validation of user-supplied input. An attacker can exploit this, via a crafted ZIP archive, to potentially execute arbitrary code. (CVE-2015-2736)
- An unspecified memory corruption issue exists in the 'ArrayBufferBuilder::append()' function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code. (CVE-2015-2739)
- A buffer overflow condition exists in the 'nsXMLHttpRequest::AppendToResponseText()' function due to improper validation of user-supplied input. An attacker can exploit this to potentially execute arbitrary code. (CVE-2015-2740)
- A security bypass vulnerability exists due to a flaw in certificate pinning checks. Key pinning is not enforced upon encountering an X.509 certificate problem that generates a user dialog. A man-in-the-middle attacker can exploit this to bypass intended access restrictions. (CVE-2015-2741)
- A man-in-the-middle vulnerability, known as Logjam, exists due to a flaw in the SSL/TLS protocol. A remote attacker can exploit this flaw to downgrade connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. (CVE-2015-4000)
Solution
Upgrade to Thunderbird 38.1 or later.
Plugin Details
Nessus ID: 84578, 84582
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mozilla:thunderbird
Patch Publication Date: 7/2/2015
Vulnerability Publication Date: 5/19/2015
Reference Information
CVE: CVE-2015-2721, CVE-2015-2724, CVE-2015-2725, CVE-2015-2731, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-4000
BID: 74733