nessus
UBUNTU_USN-2743-2.NASL
Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Sep 23, 2015 - 12:00 a.m.

Ubuntu 14.04 LTS : Ubufox update (USN-2743-2)

www.tenable.com

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AI Score: 9.9 (Confidence: High)

EPSS: 0.215 (Percentile: 96.5%)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2743-2 advisory.

USN-2743-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox.

Original advisory details:

Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4500, CVE-2015-4501)

André Bargull discovered that when a web page creates a scripted proxy for the window with a handler defined a certain way, a reference to the inner window will be passed, rather than that of the outer window. (CVE-2015-4502)

Felix Gröbert discovered an out-of-bounds read in the QCMS color management library in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or obtain sensitive information. (CVE-2015-4504)

Khalil Zhani discovered a buffer overflow when parsing VP9 content in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4506)

Spandan Veggalam discovered a crash while using the debugger API in some circumstances. If a user were tricked into opening a specially crafted website whilst using the debugger, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4507)

Juho Nurminen discovered that the URL bar could display the wrong URL in reader mode in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to conduct URL spoofing attacks. (CVE-2015-4508)

A use-after-free was discovered when manipulating HTML media content in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4509)

Looben Yang discovered a use-after-free when using a shared worker with IndexedDB in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4510)

Francisco Alonso discovered an out-of-bounds read during 2D canvas rendering in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4512)

Jeff Walden discovered that changes could be made to immutable properties in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary script in a privileged scope. (CVE-2015-4516)

Ronald Crane reported multiple vulnerabilities. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

Mario Gomes discovered that dragging and dropping an image after a redirect exposes the redirected URL to scripts. An attacker could potentially exploit this to obtain sensitive information. (CVE-2015-4519)

Ehsan Akhgari discovered 2 issues with CORS preflight requests. An attacker could potentially exploit these to bypass CORS restrictions. (CVE-2015-4520)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2743-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(86103);
  script_version("2.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");
  script_xref(name:"USN", value:"2743-2");

  script_name(english:"Ubuntu 14.04 LTS : Ubufox update (USN-2743-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the
USN-2743-2 advisory.

    USN-2743-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox.

    Original advisory details:

    Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David

    Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup

    discovered multiple memory safety issues in Firefox. If a user were

    tricked in to opening a specially crafted website, an attacker could

    potentially exploit these to cause a denial of service via application

    crash, or execute arbitrary code with the privileges of the user invoking

    Firefox. (CVE-2015-4500, CVE-2015-4501)

    Andr Bargull discovered that when a web page creates a scripted proxy

    for the window with a handler defined a certain way, a reference to the

    inner window will be passed, rather than that of the outer window.

    (CVE-2015-4502)

    Felix Grbert discovered an out-of-bounds read in the QCMS color

    management library in some circumstances. If a user were tricked in to

    opening a specially crafted website, an attacker could potentially exploit

    this to cause a denial of service via application crash, or obtain

    sensitive information. (CVE-2015-4504)

    Khalil Zhani discovered a buffer overflow when parsing VP9 content in some

    circumstances. If a user were tricked in to opening a specially crafted

    website, an attacker could potentially exploit this to cause a denial of

    service via application crash, or execute arbitrary code with the

    privileges of the user invoking Firefox. (CVE-2015-4506)

    Spandan Veggalam discovered a crash while using the debugger API in some

    circumstances. If a user were tricked in to opening a specially crafted

    website whilst using the debugger, an attacker could potentially exploit

    this to execute arbitrary code with the privileges of the user invoking

    Firefox. (CVE-2015-4507)

    Juho Nurminen discovered that the URL bar could display the wrong URL in

    reader mode in some circumstances. If a user were tricked in to opening a

    specially crafted website, an attacker could potentially exploit this to

    conduct URL spoofing attacks. (CVE-2015-4508)

    A use-after-free was discovered when manipulating HTML media content in

    some circumstances. If a user were tricked in to opening a specially

    crafted website, an attacker could potentially exploit this to cause a

    denial of service via application crash, or execute arbitrary code with

    the privileges of the user invoking Firefox. (CVE-2015-4509)

    Looben Yang discovered a use-after-free when using a shared worker with

    IndexedDB in some circumstances. If a user were tricked in to opening a

    specially crafted website, an attacker could potentially exploit this to

    cause a denial of service via application crash, or execute arbitrary code

    with the privileges of the user invoking Firefox. (CVE-2015-4510)

    Francisco Alonso discovered an out-of-bounds read during 2D canvas

    rendering in some circumstances. If a user were tricked in to opening a

    specially crafted website, an attacker could potentially exploit this to

    obtain sensitive information. (CVE-2015-4512)

    Jeff Walden discovered that changes could be made to immutable properties

    in some circumstances. If a user were tricked in to opening a specially

    crafted website, an attacker could potentially exploit this to execute

    arbitrary script in a privileged scope. (CVE-2015-4516)

    Ronald Crane reported multiple vulnerabilities. If a user were tricked in

    to opening a specially crafted website, an attacker could potentially

    exploit these to cause a denial of service via application crash, or

    execute arbitrary code with the privileges of the user invoking Firefox.

    (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174,

    CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)

    Mario Gomes discovered that dragging and dropping an image after a

    redirect exposes the redirected URL to scripts. An attacker could

    potentially exploit this to obtain sensitive information. (CVE-2015-4519)

    Ehsan Akhgari discovered 2 issues with CORS preflight requests. An

    attacker could potentially exploit these to bypass CORS restrictions.

    (CVE-2015-4520)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2743-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected ubufox and / or xul-ext-ubufox packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/09/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:xul-ext-ubufox");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ubufox");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '14.04', 'pkgname': 'ubufox', 'pkgver': '3.2-0ubuntu0.14.04.1'},
    {'osver': '14.04', 'pkgname': 'xul-ext-ubufox', 'pkgver': '3.2-0ubuntu0.14.04.1'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  var extra = '';
  extra += ubuntu_report_get();
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ubufox / xul-ext-ubufox');
}
