[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'

Notification of New Vulnerabilities to Windows Systems Fixlet Messages winvulns-announcements at bigmail.bigfix.com
Sat Feb 17 05:21:08 PST 2018


Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 580	Published: Sat, 17 Feb 2018 02:53:15  GMT

New Fixlets:
============

***************************************************************
Title: Use of Plaintext Network Protocols in ChromeVox - CVE-2017-15397
Severity: <Unspecified>
Fixlet ID: 402202
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4022
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15397
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Use of plaintext network protocols in ChromeVox.

***************************************************************
Title: CRLF and Code Injection in Printer Zeroconfig - CVE-2017-15400
Severity: <Unspecified>
Fixlet ID: 402301
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4023
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15400
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: CRLF and code injection in printer zeroconfig.

***************************************************************
Title: Unintended reset of the global settings preference file vulnerability in Adobe Flash Player 27.0.0.187 and earlier versions - CVE-2017-11305
Severity: Medium
Fixlet ID: 402401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4024
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11305
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Unintended reset of the global settings preference file vulnerability in Adobe Flash Player 27.0.0.187 and earlier versions.

***************************************************************
Title: OpenSSL Security Bypass Vulnerability - CVE-2017-3738
Severity: Medium
Fixlet ID: 402501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4025
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3738
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.

***************************************************************
Title: OpenSSL Security Bypass Vulnerability - CVE-2017-3736
Severity: Medium
Fixlet ID: 402601
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4026
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3736
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

***************************************************************
Title: OpenSSL Security Bypass Vulnerability - CVE-2017-3737
Severity: Medium
Fixlet ID: 402701
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4027
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3737
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.

***************************************************************
Title: Stack overflow in V8 - CVE-2017-15406
Severity: <Unspecified>
Fixlet ID: 404001
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4040
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15406
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Stack overflow in V8.

***************************************************************
Title: A use-after-free vulnerability in Adobe Flash Player 28.0.0.137 and earlier versions - CVE-2018-4878
Severity: <Unspecified>
Fixlet ID: 404201
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4042
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4878
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to the handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

***************************************************************
Title: Manually entered blob URL can be accessed by subsequent private browsing tabs - CVE-2018-5108
Severity: <Unspecified>
Fixlet ID: 404302
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4043
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5108
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private browsing context. This issue is mitigated by the requirement that the user enter the Blob URL manually in order for the access violation to occur.

***************************************************************
Title: Use-after-free in Web Workers - CVE-2018-5092
Severity: <Unspecified>
Fixlet ID: 404401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4044
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5092
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A use-after-free vulnerability can occur when the thread for a Web Worker is freed from memory prematurely instead of from memory in the main thread while cancelling fetch operations.

***************************************************************
Title: Buffer overflow in WebAssembly with garbage collection on uninitialized memory - CVE-2018-5094
Severity: <Unspecified>
Fixlet ID: 404501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4045
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5094
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A heap buffer overflow vulnerability may occur in WebAssembly when shrinkElements is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash.

***************************************************************
Title: The old value of a cookie changed to HttpOnly remains accessible to scripts - CVE-2018-5114
Severity: <Unspecified>
Fixlet ID: 404601
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4046
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5114
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: If an existing cookie is changed to be HttpOnly while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie.

***************************************************************
Title: Background network requests can open HTTP authentication in unrelated foreground tabs - CVE-2018-5115
Severity: <Unspecified>
Fixlet ID: 404701
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4047
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5115
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about the originating site of the authentication request and may cause users to mistakenly send private credential information to a third party site.

***************************************************************
Title: Extension development tools panel can open a non-relative URL in the panel - CVE-2018-5112
Severity: <Unspecified>
Fixlet ID: 404801
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4048
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5112
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that it should not be able to access, including potentially privileged pages.

***************************************************************
Title: WebExtensions can save and execute files on local file system without user prompts - CVE-2018-5105
Severity: <Unspecified>
Fixlet ID: 405001
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4050
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5105
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent.

***************************************************************
Title: Buffer overflow in WebAssembly during Memory/Table resizing - CVE-2018-5093
Severity: <Unspecified>
Fixlet ID: 405101
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4051
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5093
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash.

***************************************************************
Title: Use-after-free when IsPotentiallyScrollable arguments are freed from memory - CVE-2018-5100
Severity: <Unspecified>
Fixlet ID: 405201
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4052
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5100
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A use-after-free vulnerability can occur when arguments passed to the IsPotentiallyScrollable function are freed while still in use by scripts. This results in a potentially exploitable crash.

***************************************************************
Title: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow - CVE-2018-5113
Severity: <Unspecified>
Fixlet ID: 405301
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4053
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5113
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The browser.identity.launchWebAuthFlow function of WebExtensions is only allowed to load content over https: but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension.

***************************************************************
Title: URL spoofing in addressbar through drag and drop - CVE-2018-5111
Severity: <Unspecified>
Fixlet ID: 405401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4054
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5111
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identity of another site.

***************************************************************
Title: Printing process will follow symlinks for local file access - CVE-2018-5107
Severity: <Unspecified>
Fixlet ID: 405501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4055
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5107
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed.

***************************************************************
Title: Use-after-free with floating first-letter style elements - CVE-2018-5101
Severity: <Unspecified>
Fixlet ID: 405601
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4056
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5101
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: A use-after-free vulnerability can occur when manipulating floating first-letter style elements, resulting in a potentially exploitable crash.

***************************************************************
Title: Audio capture prompts and starts with incorrect origin attribution - CVE-2018-5109
Severity: <Unspecified>
Fixlet ID: 405701
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4057
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5109
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: An audio capture session can be started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to capture an audio stream.

***************************************************************
Title: IxVeriWave file parser crash - CVE-2018-5334
Severity: Medium
Fixlet ID: 406401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4064
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5334
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks.

***************************************************************
Title: Multiple dissectors could crash - CVE-2018-5336
Severity: Medium
Fixlet ID: 406501
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4065
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5336
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth.

***************************************************************
Title: WCP dissector crash - CVE-2018-5335
Severity: Medium
Fixlet ID: 406601
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A4066
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5335
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo

Fixlet Description: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length.
