
BDU:2023-01948

Published: 26 Oct 2017
Source: fstec
CVSS3: 6.5
CVSS2: 7.8
EPSS: Low

Description

A vulnerability in the automount daemon of the Tor, Firefox and Firefox ESR browsers and the Thunderbird mail client is caused by insufficient protection of service data when processing a file path. Exploitation of the vulnerability may allow a remote attacker to bypass security restrictions.

Vendor

Red Hat Inc.
JSC IVK (АО «ИВК»)
Free Software Community
Mozilla Corp.
Novell Inc.
The Tor Project, Inc.

Software name

Red Hat Enterprise Linux
Alt Linux SPT
Debian GNU/Linux
Firefox
Firefox ESR
Thunderbird
Suse Linux Enterprise Desktop
SUSE Enterprise Storage
SUSE Linux Enterprise Server for SAP Applications
SUSE Linux Enterprise Software Development Kit
SUSE OpenStack Cloud
Suse Linux Enterprise Server
OpenSUSE Leap
SUSE CaaS Platform
SUSE Linux Enterprise Module for Desktop Applications
SUSE Linux Enterprise Point of Sale
SUSE Linux Enterprise Workstation Extension
SUSE Linux Enterprise High Performance Computing
openSUSE Tumbleweed
SUSE Manager Proxy
SUSE Manager Retail Branch Server
SUSE Manager Server
Tor
SUSE Package Hub

Software version

6 (Red Hat Enterprise Linux)
7 (Red Hat Enterprise Linux)
7.0 (Alt Linux SPT)
9 (Debian GNU/Linux)
before 62 (Firefox)
before 60.2 (Firefox ESR)
before 60.2.1 (Thunderbird)
12 SP3 (Suse Linux Enterprise Desktop)
12 SP4 (Suse Linux Enterprise Desktop)
4 (SUSE Enterprise Storage)
12 SP2 (SUSE Linux Enterprise Server for SAP Applications)
12 SP3 (SUSE Linux Enterprise Server for SAP Applications)
12 SP4 (SUSE Linux Enterprise Server for SAP Applications)
12 SP3 (SUSE Linux Enterprise Software Development Kit)
12 SP4 (SUSE Linux Enterprise Software Development Kit)
7 (SUSE OpenStack Cloud)
12 SP3 (Suse Linux Enterprise Server)
12 SP4 (Suse Linux Enterprise Server)
15.0 (OpenSUSE Leap)
3.0 (SUSE CaaS Platform)
15 (SUSE Linux Enterprise Module for Desktop Applications)
12 SP2-CLIENT (SUSE Linux Enterprise Point of Sale)
15 SP1 (SUSE Linux Enterprise Module for Desktop Applications)
12 SP2-ESPOS (Suse Linux Enterprise Server)
12-LTSS (Suse Linux Enterprise Server)
12 SP1 (SUSE Linux Enterprise Server for SAP Applications)
15 (SUSE Linux Enterprise Workstation Extension)
15 SP1 (SUSE Linux Enterprise Workstation Extension)
15 (SUSE Linux Enterprise Server for SAP Applications)
15 SP1 (SUSE Linux Enterprise Server for SAP Applications)
12 SP1-LTSS (Suse Linux Enterprise Server)
12 SP2-LTSS (Suse Linux Enterprise Server)
12 SP5 (Suse Linux Enterprise Server)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
12 SP5 (SUSE Linux Enterprise Software Development Kit)
8 (Debian GNU/Linux)
6 (SUSE Enterprise Storage)
12 SP5 (SUSE Linux Enterprise High Performance Computing)
- (openSUSE Tumbleweed)
15 SP2 (SUSE Linux Enterprise Workstation Extension)
15.2 (OpenSUSE Leap)
15 SP2 (SUSE Linux Enterprise Module for Desktop Applications)
4.0 (SUSE Manager Proxy)
4.0 (SUSE Manager Retail Branch Server)
4.0 (SUSE Manager Server)
15 SP3 (SUSE Linux Enterprise Workstation Extension)
15 SP3 (SUSE Linux Enterprise Module for Desktop Applications)
15.3 (OpenSUSE Leap)
15 SP1 (Suse Linux Enterprise Server)
15.4 (OpenSUSE Leap)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
7 (SUSE Enterprise Storage)
15 SP2 (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
4.1 (SUSE Manager Server)
4.1 (SUSE Manager Proxy)
4.1 (SUSE Manager Retail Branch Server)
15 SP4 (Suse Linux Enterprise Server)
15 SP2 (Suse Linux Enterprise Desktop)
15 SP2 (SUSE Linux Enterprise High Performance Computing)
15 SP4 (Suse Linux Enterprise Desktop)
15 (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
15 SP1 (Suse Linux Enterprise Desktop)
15 (Suse Linux Enterprise Desktop)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Desktop Applications)
15 (SUSE Linux Enterprise High Performance Computing)
15 SP1 (SUSE Linux Enterprise High Performance Computing)
15 SP4 (SUSE Linux Enterprise Workstation Extension)
before 7.0.9 (Tor)
12 (SUSE Package Hub)

Software type

Operating system
Application software for information systems
Network tool
Network software tool

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 6
Red Hat Inc. Red Hat Enterprise Linux 7
Free Software Community Linux -
JSC IVK (АО «ИВК») Alt Linux SPT 7.0
Free Software Community Debian GNU/Linux 9
Novell Inc. Suse Linux Enterprise Desktop 12 SP3
Novell Inc. Suse Linux Enterprise Desktop 12 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4
Novell Inc. Suse Linux Enterprise Server 12 SP3
Novell Inc. Suse Linux Enterprise Server 12 SP4
Novell Inc. OpenSUSE Leap 15.0
Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS
Novell Inc. Suse Linux Enterprise Server 12-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP1
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1
Novell Inc. Suse Linux Enterprise Server 12 SP1-LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Free Software Community Debian GNU/Linux 8
Novell Inc. openSUSE Tumbleweed -
Novell Inc. OpenSUSE Leap 15.2
Apple Inc. Mac OS -
Novell Inc. OpenSUSE Leap 15.3
Novell Inc. Suse Linux Enterprise Server 15 SP1
Novell Inc. OpenSUSE Leap 15.4
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Desktop 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP2
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. Suse Linux Enterprise Server 15
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP1
Novell Inc. Suse Linux Enterprise Desktop 15

Vulnerability severity level

High severity (CVSS 2.0 base score: 7.8)
Medium severity (CVSS 3.1 base score: 6.5)

Possible remediation measures

Follow the vendor recommendations:
For Tor:
https://blog.torproject.org/tor-browser-709-released/
https://trac.torproject.org/projects/tor/ticket/24052
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2017-16541
For Mozilla Corp. software products:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/
For Alt Linux:
https://cve.basealt.ru/otchet-po-obnovleniiam-ot-31072019.html
For Debian GNU/Linux:
https://www.debian.org/security/2018/dsa-4327
https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html
For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2017-16541.html

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Identifiers in other vulnerability databases

EPSS: 0.01522 (percentile: 80%), Low
CVSS3: 6.5 Medium
CVSS2: 7.8 High

Related vulnerabilities

CVSS3: 6.5
ubuntu
almost 8 years ago

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

CVSS3: 6.5
redhat
almost 8 years ago

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

CVSS3: 6.5
nvd
almost 8 years ago

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

CVSS3: 6.5
debian
almost 8 years ago

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to ...

CVSS3: 6.5
github
about 3 years ago

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.