ID

VAR-202007-1133

CVE

CVE-2020-6514

TITLE

Google Chrome Security hole

DESCRIPTION

Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream. Google Chrome is a web browser developed by Google (Google). WebRTC is one of the components that supports browsers for real-time voice or video conversations. A security vulnerability exists in WebRTC in versions prior to Google Chrome 84.0.4147.89. An attacker could exploit this vulnerability to bypass security restrictions. For the stable distribution (buster), these problems have been fixed in version 68.11.0esr-1~deb10u1. We recommend that you upgrade your firefox-esr packages. For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8huUkACgkQEMKTtsN8 TjZrWRAAmJKPn+TnXVDcxt9OC/ko2aovs7IotOScCOvjO9Aez+l64cUEOAj4Zxc1 gd/CC/fW/LNudbmLrMKjGft3bFwi/78htATpgcJE5diEjEVlyvgMJiwvwoN+zOO2 1u4hgN6sYiBVnEKBOtS3wA0VGa19tW5mWXWZgtfmEMfuNpz3bUQ8ApQ48M47VdUO JjZbtTP92N8h99Mko3k2Z2xUDimRZ0xvVYXmEQ9lUzQnNpz0yKwSuo/GsjnH3l1n 2Y8ih+m9pCuYfcpXvWtLlQc70koS84MaAzdqYsp1xMpXLHzejDM/e0oDEJppBjwP 0U4qHSbirlwMHn1PSILFsDjYfTwSmFUqvmPb9mcPMnz60xuh6IT+2RUKXekBo263 1uhlHgqd5+hWYuWxQz7FgssJVUzfH2ZzaIoTRTYtTQVJmHeYViWf54AEGP36D6++ I8tNyCVTbDW+114dWjAmkuQ+yVjt0eSb4rqLqwcKxvNT6cCzRRJp2/tSsQCAvFdB dzExvQQMD/t4o+0BUYxani0jJf9DR9N7BoUBQdI0eZNV/mJ1BmDWXJqEpExhilfb 9QlI6oRu/Cw05BpkD1FKeXR+MgMKpi/jubhsYkZQcV9t7C0D/L13DEAqxr4zi4te eLLP/BQ3bl+h71ZHBCYCpbCc+joreguC3Z09IaDYFafewmOACHs= =QMwo -----END PGP SIGNATURE----- . WebRTC: usrsctp is called with pointer as network address When usrsctp is used with a custom transport, an address must be provided to usrsctp_conninput be used as the source and destination address of the incoming packet. WebRTC uses the address of the SctpTransport instance for this value. Unfortunately, this value is often transmitted to the peer, for example to validate signing of the cookie. This could allow an attacker access to the location in memory of the SctpTransport of a peer, bypassing ASLR. To reproduce, place the following code on line 9529 of sctp_output.c. This will output the peer's address to the log: struct sctp_state_cookie cookie2; struct sctp_state_cookie* cookie3; cookie3 = sctp_get_next_param(cookie, 4, &cookie2, sizeof(struct sctp_state_cookie)); LOGE(\"COOKIE INITACK ADDRESS %llx laddress %llx\", *((long long*)cookie3->address), *((long long*)cookie3->address)); Or, view the SCTP packets sent by WebRTC before they are sent to the encryption layer. They are full of pointers. This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-Jul-28. Disclosure at an earlier date is possible if agreed upon by all parties. Related CVE Numbers: CVE-2020-6514. Found by: deadbeef@chromium.org . 8.0) - ppc64le, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: firefox security update Advisory ID: RHSA-2020:3253-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3253 Issue date: 2020-07-30 CVE Names: CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659 ==================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.11.0 ESR. Security Fix(es): * chromium-browser: Use after free in ANGLE (CVE-2020-6463) * chromium-browser: Inappropriate implementation in WebRTC (CVE-2020-6514) * Mozilla: Potential leak of redirect targets when loading scripts in a worker (CVE-2020-15652) * Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11 (CVE-2020-15659) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1840893 - CVE-2020-6463 chromium-browser: Use after free in ANGLE 1857349 - CVE-2020-6514 chromium-browser: Inappropriate implementation in WebRTC 1861570 - CVE-2020-15652 Mozilla: Potential leak of redirect targets when loading scripts in a worker 1861572 - CVE-2020-15659 Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: firefox-68.11.0-1.el7_8.src.rpm x86_64: firefox-68.11.0-1.el7_8.x86_64.rpm firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: firefox-68.11.0-1.el7_8.i686.rpm firefox-debuginfo-68.11.0-1.el7_8.i686.rpm Red Hat Enterprise Linux Server (v. 7): Source: firefox-68.11.0-1.el7_8.src.rpm ppc64: firefox-68.11.0-1.el7_8.ppc64.rpm firefox-debuginfo-68.11.0-1.el7_8.ppc64.rpm ppc64le: firefox-68.11.0-1.el7_8.ppc64le.rpm firefox-debuginfo-68.11.0-1.el7_8.ppc64le.rpm s390x: firefox-68.11.0-1.el7_8.s390x.rpm firefox-debuginfo-68.11.0-1.el7_8.s390x.rpm x86_64: firefox-68.11.0-1.el7_8.x86_64.rpm firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): x86_64: firefox-68.11.0-1.el7_8.i686.rpm firefox-debuginfo-68.11.0-1.el7_8.i686.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: firefox-68.11.0-1.el7_8.src.rpm x86_64: firefox-68.11.0-1.el7_8.x86_64.rpm firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: firefox-68.11.0-1.el7_8.i686.rpm firefox-debuginfo-68.11.0-1.el7_8.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-6463 https://access.redhat.com/security/cve/CVE-2020-6514 https://access.redhat.com/security/cve/CVE-2020-15652 https://access.redhat.com/security/cve/CVE-2020-15659 https://access.redhat.com/security/updates/classification/#important https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXyMgu9zjgjWX9erEAQg1Lw//ThDhQNyzbi/DcKqRZ4oE2crnYGEpor13 fbkpiATllwswE+uVcroydKTdj+hFJ3kopnSxTL2uvtIqq2fNAVRQiCyRwR5Cza7X i9khFoKJOoEtw4ZpkMOXEQxWBeAX9Jo8et1e3Fq0FP7SJvt+rTFJag380FKi+qUu Ixy+ks3rKmFPUdvSbqm4OMIIPJUJa04xRtx9qrHgMSsxw88bwEUezckl0unJorCq iGI2j9hjmiYGKhzr9TamTaQqRIKenn1E8J8gYrgHO5fBMaD5JaPchYM5KjPCsAyz Tv97a31s16Vn+gUKbb8HGORbXd1V8JtzqYowyQJm+DIj6/K1g0Ahjui7wI1+HIvq eQokM/2JHqulmG39kwfEze4X0T/AIiGKFxhLutRbih+YZ9XJ5utmhnJ02ueK7TWM rRRlyWw/lmryGCK5zOL5+9tx4rJUHxwiaQSDcCzf5Dtf4mEPhsizT5KBJCbdd5ZO AP+/eyAFnb5z/+Fsj35glsgF5mNuDb/DiYFKjrg11KKp/aViNx709ZVmi/jcGd6c hoba26uGhr4Dn8oWI+r0M5R/+jfiyJ0Ay/xhQrjwnj/hNArf0+Re3wsqtCTbRVrA PeesTMwXOBpuVJ7wCWtE1Ns2UdKy3COnBTla4xRE3U5JKSSD+Coi2HEwhZW0zUhH EmDN6VjH+XE=JK3R -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 6) - i386, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. 8.1) - aarch64, ppc64le, s390x, x86_64 3

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

other

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Natalie Silvanovich of Google Project Zero

SOURCES

LAST UPDATE DATE

2025-03-07T21:01:39.477000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE