Mozilla Firefox < 49.0 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9624

Synopsis

The remote host has a web browser installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Firefox prior to 49.0 are unpatched for the following vulnerabilities :

- A flaw exists as the certificate pinning policy for built-in sites like 'addons.mozilla.org' is not honored due to the pins having expired. This may allow a Man-in-the-Middle (MitM) attacker able to generate a trusted certificate to conduct spoofing attacks.
- A flaw exists in the 'CrossCompartmentWrapper::getPrototypeIfOrdinary()' function in 'js/src/proxy/CrossCompartmentWrapper.cpp' that is triggered as certain input is not properly validated. With a specially crafted web page, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists in 'dom/media/systemservices/LoadManager.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'imgFrame::InitForDecoder()' function in 'image/imgFrame.cpp' that is triggered when handling paletted images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'GenerateCallGetter()' function in 'jit/IonCaches.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists in 'dom/media/platforms/wmf/WMFVideoMFTManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/sctp/src/netinet/sctputil.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the WebRTC component that is triggered as certain input is not properly validated when handling H.264 STAP-A content. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsNodeUtils::CloneAndAdopt()' function in 'dom/base/nsNodeUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'parse()' function in 'libavcodec/vp9_parser.c' that is triggered when handling input frame sizes. This may allow a context-dependent attacker to corrupt memory, crashing a process linked against the library and potentially allowing the execution of arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'netwerk/sctp/src/netinet/sctputil.c' that is triggered when handling association failures. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in the 'nsHttpChannelAuthProvider::OnAuthCancelled()' function in 'netwerk/protocol/http/nsHttpChannelAuthProvider.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified flaw exists that may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
- A flaw exists that is triggered as certain input is not properly validated when handling APNG images. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- A use-after-free error exists that is triggered when handling SVG format content being manipulated through script code. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in the 'nsTextNodeDirectionalityMap::RemoveElementFromMap()' function in 'dom/base/DirectionalityUtils.cpp' that is triggered when handling changing of text direction. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists when handling content that requests favicons from non-whitelisted schemes using certain URI handlers e.g. jar:. This may allow a context-dependent attacker to bypass intended restrictions.
- A use-after-free error exists in the 'nsRefreshDriver::Tick()' function that is triggered when handling web animations destroying a timeline. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw exists in 'layout/forms/nsRangeFrame.cpp' that triggered when handling layout with input elements. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An overflow condition exists in the 'FilterSupport::ComputeSourceNeededRegions()' function that is triggered when handling empty filters during canvas rendering. This may allow a context-dependent attacker to cause a global-based buffer overflow and potentially execute arbitrary code.
- An overflow condition exists in the 'nsCaseTransformTextRunFactory::TransformString()' function in 'layout/generic/nsTextRunTransformations.cpp' that is triggered when converting text containing certain unicode characters. This may allow a context-dependent attacker to cause a heap-based buffer overflow, potentially allowing the execution of arbitrary code.
- A flaw exists that is triggered when handling drag-and-drop events for files. This may allow a context-dependent attacker to gain knowledge of the full local file path.
- An out-of-bounds read flaw exists in 'dom/security/nsCSPParser.cpp' that is triggered when handling content security policies (CSP) containing empty referrer directives. This may allow a context-dependent attacker to cause a crash.
- A flaw exists related to the handling of iframes. This may allow a context-dependent attacker to conduct an 'iframe src' fragment timing attack that discloses cross-origin data.
- An overflow condition exists in the 'nsBMPEncoder::AddImageFrame()' function in 'dom/base/ImageEncoder.cpp' that is triggered when encoding image frames to images. This may allow a context-dependent attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the 'DocAccessible::ProcessInvalidationList()' function in 'accessible/generic/DocAccessible.cpp' that is triggered when setting an aria-owns attribute. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error exists in 'layout/style/nsRuleNode.cpp' that is triggered when handling web animations during restyling. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An unspecified flaw exists in the 'HyperTextAccessible::GetChildOffset()' function. This may allow a context-dependent attacker to potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the 'nsCSSFrameConstructor::GetInsertionPrevSibling()' function in 'layout/base/nsCSSFrameConstructor.cpp' that is triggered when handling text runs. This may allow a context-dependent attacker to potentially disclose memory contents.

Solution

Upgrade to Firefox version 49.0 or later.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1284690

https://www.mozilla.org/en-US/security/advisories/mfsa2016-85

https://www.mozilla.org/en-US/security/advisories/mfsa2016-86

Plugin Details

Severity: High

ID: 9624

Family: Web Clients

Published: 10/7/2016

Updated: 3/6/2019

Nessus ID: 93660, 93662

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox

Patch Publication Date: 9/20/2016

Vulnerability Publication Date: 9/20/2016

Reference Information

CVE: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284

BID: 77677, 93052