ID CVE-2015-2715
Summary Race condition in the nsThreadManager::RegisterCurrentThread function in Mozilla Firefox before 38.0 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) by leveraging improper Media Decoder Thread creation at the time of a shutdown.
References
Vulnerable Configurations
  • Mozilla Firefox 37.0.2
    cpe:2.3:a:mozilla:firefox:37.0.2
  • OpenSUSE 13.1
    cpe:2.3:o:opensuse:opensuse:13.1
  • OpenSUSE 13.2
    cpe:2.3:o:opensuse:opensuse:13.2
CVSS
Base: 6.8 (as of 27-07-2015 - 10:58)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-375.NASL
    description The Mozilla Firefox web browser was updated to version 38.0.1 to fix several security and non-security issues. This update also includes a Mozilla Network Security Services (NSS) update to version 3.18.1. The following vulnerabilities and issues were fixed : Changes in Mozilla Firefox : - update to Firefox 38.0.1 stability and regression fixes - Systems with first generation NVidia Optimus graphics cards may crash on start-up - Users who import cookies from Google Chrome can end up with broken websites - Large animated images may fail to play and may stop other images from loading - update to Firefox 38.0 (bnc#930622) - New tab-based preferences - Ruby annotation support - more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/ security fixes : - MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory safety hazards - MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer - MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS - MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored when links opened by middle-click and context menu - MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and write in asm.js validation - MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled - MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to Media Decoder Thread creation during shutdown - MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML - MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and out-of-bounds read while parsing MP4 video metadata - MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting trusted page can intercept webchannel responses - MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages Changes in Mozilla NSS : - update to 3.18.1 - Firefox target release 38 - No new functionality is introduced in this release. Notable Changes : - The following CA certificate had the Websites and Code Signing trust bits restored to their original state to allow more time to develop a better transition strategy for affected sites : - OU = Equifax Secure Certificate Authority - The following CA certificate was removed : - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi - The following intermediate CA certificate has been added as actively distrusted because it was mis-used to issue certificates for domain names the holder did not own or control : - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG - The version number of the updated root CA list has been set to 2.4 - update to 3.18 - Firefox target release 38 New functionality : - When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. - The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt
    last seen 2019-02-21
    modified 2015-05-26
    plugin id 83801
    published 2015-05-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83801
    title openSUSE Security Update : MozillaFirefox (openSUSE-2015-375)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2602-1.NASL
    description Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong, Andrew McCreight, Christian Holler, Jon Coppeard, and Milan Sreckovic discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2708, CVE-2015-2709) Atte Kettunen discovered a buffer overflow during the rendering of SVG content with certain CSS properties in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2710) Alex Verstak discovered that is ignored in some circumstances. (CVE-2015-2711) Dougall Johnson discovered an out of bounds read and write in asm.js. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2712) Scott Bell discovered a use-afer-free during the processing of text when vertical text is enabled. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2713) Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during shutdown. An attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2715) Ucha Gobejishvili discovered a buffer overflow when parsing compressed XML content. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2716) A buffer overflow and out-of-bounds read were discovered when parsing metadata in MP4 files in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-2717) Mark Hammond discovered that when a trusted page is hosted within an iframe in an untrusted page, the untrusted page can intercept webchannel responses meant for the trusted page in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to bypass origin restrictions. (CVE-2015-2718). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 83434
    published 2015-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83434
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : firefox vulnerabilities (USN-2602-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_38.NASL
    description The version of Firefox installed on the remote Mac OS X host is prior to 38.0. It is, therefore, affected by the following vulnerabilities : - Multiple memory corruption issues exist within the browser engine. A remote attacker can exploit these to corrupt memory and execute arbitrary code. (CVE-2015-2708, CVE-2015-2709) - A buffer overflow condition exists in SVGTextFrame.cpp when rendering SVG graphics that are combined with certain CSS properties due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2710) - A security bypass vulnerability exists due to the referrer policy not being enforced in certain situations when opening links (e.g. using the context menu or a middle-clicks by mouse). A remote attacker can exploit this to bypass intended policy settings. (CVE-2015-2711) - An out-of-bounds read and write issue exists in the CheckHeapLengthCondition() function due to improper JavaScript validation of heap lengths. A remote attacker can exploit this, via a specially crafted web page, to disclose memory contents. (CVE-2015-2712) - A use-after-free error exists due to improper processing of text when vertical text is enabled. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2713) - A use-after-free error exists in the RegisterCurrentThread() function in nsThreadManager.cpp due to a race condition related to media decoder threads created during the shutdown process. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2715) - A buffer overflow condition exists in the XML_GetBuffer() function in xmlparse.c due to improper validation of user-supplied input when handling compressed XML content. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2716) - An integer overflow condition exists in the parseChunk() function in MPEG4Extractor.cpp due to improper handling of MP4 video metadata in chunks. A remote attacker can exploit this, via specially crafted media content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2717) - A security bypass vulnerability exists in WebChannel.jsm due to improper handling of message traffic. An untrusted page hosting a trusted page within an iframe can intercept webchannel responses for the trusted page. This allows a remote attacker, via a specially crafted web page, to bypass origin restrictions, resulting in the disclosure of sensitive information. (CVE-2015-2718) - Multiple integer overflow conditions exist in the bundled libstagefright component due to improper validation of user-supplied input when processing MPEG4 sample metadata. A remote attacker can exploit this, via specially crafted media content, to execute arbitrary code. (CVE-2015-4496)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 83437
    published 2015-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83437
    title Firefox < 38.0 Multiple Vulnerabilities (Mac OS X)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201605-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and Thunderbird. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-04-05
    plugin id 91379
    published 2016-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91379
    title GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_38_0.NASL
    description The version of Firefox installed on the remote Windows host is prior to 38.0. It is, therefore, affected by the following vulnerabilities : - A privilege escalation vulnerability exists in the Inter-process Communications (IPC) implementation due to a failure to validate the identity of a listener process. (CVE-2011-3079) - An issue exists in the Mozilla updater in which DLL files in the current working directory or Windows temporary directories will be loaded, allowing the execution of arbitrary code. (CVE-2015-0833 / CVE-2015-2720) - Multiple memory corruption issues exist within the browser engine. A remote attacker can exploit these to corrupt memory and execute arbitrary code. (CVE-2015-2708, CVE-2015-2709) - A buffer overflow condition exists in SVGTextFrame.cpp when rendering SVG graphics that are combined with certain CSS properties due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2710) - A security bypass vulnerability exists due to the referrer policy not being enforced in certain situations when opening links (e.g. using the context menu or a middle-clicks by mouse). A remote attacker can exploit this to bypass intended policy settings. (CVE-2015-2711) - An out-of-bounds read and write issue exists in the CheckHeapLengthCondition() function due to improper JavaScript validation of heap lengths. A remote attacker can exploit this, via a specially crafted web page, to disclose memory contents. (CVE-2015-2712) - A use-after-free error exists due to improper processing of text when vertical text is enabled. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2713) - A use-after-free error exists in the RegisterCurrentThread() function in nsThreadManager.cpp due to a race condition related to media decoder threads created during the shutdown process. A remote attacker can exploit this to dereference already freed memory. (CVE-2015-2715) - A buffer overflow condition exists in the XML_GetBuffer() function in xmlparse.c due to improper validation of user-supplied input when handling compressed XML content. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2716) - An integer overflow condition exists in the parseChunk() function in MPEG4Extractor.cpp due to improper handling of MP4 video metadata in chunks. A remote attacker can exploit this, via specially crafted media content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-2717) - A security bypass vulnerability exists in WebChannel.jsm due to improper handling of message traffic. An untrusted page hosting a trusted page within an iframe can intercept webchannel responses for the trusted page. This allows a remote attacker, via a specially crafted web page, to bypass origin restrictions, resulting in the disclosure of sensitive information. (CVE-2015-2718) - Multiple integer overflow conditions exist in the bundled libstagefright component due to improper validation of user-supplied input when processing MPEG4 sample metadata. A remote attacker can exploit this, via specially crafted media content, to execute arbitrary code. (CVE-2015-4496)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 83439
    published 2015-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83439
    title Firefox < 38.0 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_D9B43004F5FD4807B1D7DBF66455B244.NASL
    description The Mozilla Project reports : MFSA-2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) MFSA-2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer MFSA-2015-48 Buffer overflow with SVG content and CSS MFSA-2015-49 Referrer policy ignored when links opened by middle-click and context menu MFSA-2015-50 Out-of-bounds read and write in asm.js validation MFSA-2015-51 Use-after-free during text processing with vertical text enabled MFSA-2015-52 Sensitive URL encoded information written to Android logcat MFSA-2015-53 Use-after-free due to Media Decoder Thread creation during shutdown MFSA-2015-54 Buffer overflow when parsing compressed XML MFSA-2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata MFSA-2015-56 Untrusted site hosting trusted page can intercept webchannel responses MFSA-2015-57 Privilege escalation through IPC channel messages MFSA-2015-58 Mozilla Windows updater can be run outside of application directory MFSA 2015-93 Integer overflows in libstagefright while processing MP4 video metadata
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 83389
    published 2015-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83389
    title FreeBSD : mozilla -- multiple vulnerabilities (d9b43004-f5fd-4807-b1d7-dbf66455b244)
refmap via4
bid 74611
confirm
gentoo GLSA-201605-06
suse openSUSE-SU-2015:0934
ubuntu USN-2602-1
Last major update 02-01-2017 - 21:59
Published 14-05-2015 - 06:59
Last modified 30-10-2018 - 12:27
Back to Top