RSA Authentication Manager 8.2 SP1 Vulnerabilities in Mozilla Firefox - False Positive
Originally Published: 2018-03-06
Article Number
000067172
CVE Identifier(s)
CVE-2017-7793, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824, CVE-2017-7825
Alert Impact
Not Exploitable
Resolution
  • CVE-2017-7793 - Use-after-free with Fetch API
    • Description
      • A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash.
    • CVSSv3 Base Score 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7810 - Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
    • Description
      • Mozilla developers and community members Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian Hengst reported memory safety bugs present in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
    • CVSSv3 Base Score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7814 - Blob and data URLs bypass phishing and malware protection warnings
    • Description
      • File downloads encoded with blob: and data: URL elements bypassed normal file download checks through the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious.
    • CVSSv3 Base Score 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7818 - Use-after-free during ARIA array manipulation
    • Description
      • A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash.
    • CVSSv3 Base Score 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7819 - Use-after-free while resizing images in design mode
    • Description
      • A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash.
    • CVSSv3 Base Score 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7823 - CSP sandbox directive did not create a unique origin
    • Description
      • The content security policy (CSP) sandbox directive did not create a unique origin for the document, causing it to behave as if the allow-same-origin keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content.
    • CVSSv3 Base Score 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7824 - Buffer overflow when drawing and validating elements with ANGLE
    • Description
      • A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.
    • CVSSv3 Base Score 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
  • CVE-2017-7825 - OS X fonts render some Tibetan and Arabic Unicode characters as spaces
    • Description
      • Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the address bar as part of an IDN this can be used for domain name spoofing attacks.
    • CVSSv3 Base Score 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (SUSE)
    • Response: The flaw exists but cannot be exploited. The Firefox web browser is not used on the RSA Authentication Manager appliance.
       
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.