Vulnerability CVE-2017-5426

Vulnerability Name:

CVE-2017-5426 (CCN-122810)

Assigned:

2017-03-07

Published:

2017-03-07

Updated:

2019-10-03

Summary:

On Linux, if the secure computing mode BPF (seccomp-bpf) filter is running when the Gecko Media Plugin sandbox is started, the sandbox fails to be applied and items that would run within the sandbox are run protected only by the running filter which is typically weak compared to the sandbox.
Note: this issue only affects Linux. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-732

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2017-5426

Source: BID
Type: Third Party Advisory, VDB Entry
96694

Source: CCN
Type: BID-96694
Mozilla Firefox CVE-2017-5426 Security Bypass Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1037966

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1257361

Source: XF
Type: UNKNOWN
firefox-cve20175426-sec-bypass(122810)

Source: CCN
Type: Mozilla Foundation Security Advisory 2017-05
Security vulnerabilities fixed in Firefox 52

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-05/

Source: CONFIRM
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2017-09/

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 52.0)

AND

cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 52.0)

AND

cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox:51.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20175426	V	CVE-2017-5426	2023-06-22
oval:org.opensuse.security:def:7868	P	MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:645	P	Security update for php7 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:609	P	Security update for sqlite3 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:720	P	Security update for ucode-intel (Moderate)	2022-08-31
oval:org.opensuse.security:def:3252	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3546	P	libICE6-1.0.8-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:1523	P	Security update for MozillaThunderbird (Important)	2022-06-13
oval:org.opensuse.security:def:1167	P	Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (Important)	2022-05-16
oval:org.opensuse.security:def:1301	P	Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important)	2022-04-14
oval:org.opensuse.security:def:1056	P	Security update for yaml-cpp (Moderate)	2022-04-01
oval:org.opensuse.security:def:1693	P	Security update for stunnel (Important)	2022-03-16
oval:org.opensuse.security:def:1412	P	Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Important)	2022-02-01
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:64678	P	Security update for apache2 (Important)	2022-01-17
oval:org.opensuse.security:def:111905	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:945	P	Security update for net-snmp (Important)	2022-01-11
oval:org.opensuse.security:def:70030	P	Security update for xorg-x11-server (Important)	2021-12-21
oval:org.opensuse.security:def:93994	P	(Important)	2021-12-06
oval:org.opensuse.security:def:1137	P	Security update for the Linux Kernel (Important)	2021-11-16
oval:org.opensuse.security:def:1639	P	Security update for squid (Moderate)	2021-10-20
oval:org.opensuse.security:def:105478	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:66933	P	Security update for gd (Moderate)	2021-09-27
oval:org.opensuse.security:def:71207	P	hardlink-1.0+git.e66999f-1.25 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71352	P	openssh-7.9p1-4.7 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:64765	P	Security update for ghostscript (Critical)	2021-09-15
oval:org.opensuse.security:def:70289	P	Security update for libesmtp (Important)	2021-09-03
oval:org.opensuse.security:def:69925	P	Security update for ffmpeg (Important)	2021-09-02
oval:org.opensuse.security:def:47634	P	gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48129	P	libjansson4-2.12-3.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47131	P	ppc64-diag-2.7.1-5.6 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47683	P	libXrender1-0.9.8-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47987	P	cyrus-sasl-2.1.26-8.7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47377	P	libmpfr4-3.1.2-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48191	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47241	P	dnsmasq-2.76-17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47831	P	mutt-1.10.1-55.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48080	P	libXinerama1-1.1.3-3.54 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47459	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47673	P	libXdmcp6-1.1.1-12.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48240	P	memcached-1.4.39-4.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47242	P	dosfstools-3.0.26-6.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48172	P	libpng12-0-1.2.50-19.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48358	P	zypper-1.13.51-21.26.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47755	P	libopenssl1_1-1.1.1-1.9 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48302	P	sane-backends-1.0.24-3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47145	P	rpcbind-0.2.3-21.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47619	P	giflib-progs-5.0.5-12.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47942	P	aaa_base-13.2+git20140911.61c1681-38.13.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48119	P	libgraphite2-3-1.3.1-10.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47570	P	bzip2-1.0.6-29.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48256	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47620	P	git-core-2.12.3-27.14.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48045	P	ibus-chewing-1.4.14-4.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48211	P	libunwind-1.1-11.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47591	P	dbus-1-1.8.22-29.10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47794	P	libtasn1-4.9-3.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47256	P	freeradius-server-3.0.14-1.8 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47658	P	krb5-1.12.5-40.28.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48320	P	sysvinit-tools-2.88+-101.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47948	P	apache-commons-httpclient-3.1-4.364 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47266	P	glib2-lang-2.48.2-10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47659	P	krb5-appl-clients-1.0.3-1.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48156	P	libnetpbm11-10.66.3-8.7.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47130	P	powerpc-utils-1.3.2-17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47702	P	libecpg6-10.5-1.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48287	P	python-pywbem-0.7.0-4.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:1732	P	open-vm-tools-desktop-11.2.5-1.17 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62728	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1098	P	libopenjp2-7-2.3.0-1.25 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101020	P	minicom-2.7.1-1.19 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101134	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72447	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1773	P	Security update for MozillaThunderbird (Important)	2021-07-22
oval:org.opensuse.security:def:68012	P	Security update for the Linux Kernel (Live Patch 16 for SLE 15 SP1) (Important)	2021-07-14
oval:org.opensuse.security:def:49443	P	Security update for nodejs10 (Important)	2021-07-14
oval:org.opensuse.security:def:66841	P	Security update for freeradius-server (Moderate)	2021-06-23
oval:org.opensuse.security:def:48359	P	DirectFB-1.7.1-6.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48745	P	libsilc-1_1-2-1.1.10-24.128 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48534	P	libpng12-0-1.2.50-13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48886	P	telepathy-gabble-0.18.3-5.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48398	P	cyrus-sasl-2.1.26-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:2435	P	MozillaThunderbird-52.8-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63524	P	MozillaThunderbird-52.8-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48784	P	libFLAC++6-32bit-1.3.0-11.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48573	P	libzip2-0.11.1-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71094	P	rpcbind-0.2.3-3.22 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48776	P	gnome-shell-calendar-3.20.4-70.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48618	P	rsyslog-8.4.0-14.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48469	P	libXinerama1-1.1.3-3.54 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48680	P	libIlmImf-Imf_2_1-21-32bit-2.1.0-4.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48815	P	raptor-2.0.10-3.67 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48367	P	apache-commons-httpclient-3.1-4.364 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48657	P	yast2-3.1.206-36.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48847	P	lhasa-0.2.0-5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48719	P	freerdp-1.0.2-7.9 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64507	P	Security update for hivex (Moderate)	2021-05-26
oval:org.opensuse.security:def:73624	P	Security update for graphviz (Critical)	2021-05-19
oval:org.opensuse.security:def:67754	P	Security update for the Linux Kernel (Live Patch 21 for SLE 15) (Important)	2021-04-28
oval:org.opensuse.security:def:68112	P	Security update for the Linux Kernel (Live Patch 14 for SLE 15 SP1) (Important)	2021-03-17
oval:org.opensuse.security:def:100707	P	(Important)	2021-02-17
oval:org.opensuse.security:def:94307	P	MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72109	P	MozillaFirefox-52.7.3-1.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:89851	P	MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62390	P	MozillaFirefox-52.7.3-1.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103747	P	MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72220	P	MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:90092	P	MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62501	P	MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2474	P	MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107373	P	MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:116931	P	MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63563	P	MozillaThunderbird-60.6.1-3.28.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72331	P	MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62612	P	MozillaFirefox-68.8.0-3.87.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:71465	P	cups-filters-1.25.0-1.107 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2515	P	MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107686	P	MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:117201	P	MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63604	P	MozillaThunderbird-68.8.0-3.80.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103506	P	MozillaFirefox-60.6.2-3.32.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:73247	P	libxcb-composite0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50173	P	MozillaThunderbird on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25703	P	Security update for squid (Moderate)	2020-12-01
oval:org.opensuse.security:def:73365	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49554	P	libjbig2-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24941	P	Security update for java-1_7_0-openjdk (Moderate)	2020-12-01
oval:org.opensuse.security:def:66674	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49497	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:70184	P	osc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25645	P	Security update for the Linux Kernel (Critical)	2020-12-01
oval:org.opensuse.security:def:64420	P	opensc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25504	P	Security update for libvirt (Important)	2020-12-01
oval:org.opensuse.security:def:73506	P	jcl-over-slf4j on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50214	P	MozillaThunderbird on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25213	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:50080	P	libvirt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49608	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24930	P	Security update for sysstat (Low)	2020-12-01
oval:org.opensuse.security:def:25005	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:49332	P	socat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26341	P	Security update for fmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:26376	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:25659	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:50119	P	apache2-mod_php7 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25557	P	Security update for transfig (Low)	2020-12-01
oval:org.opensuse.security:def:67854	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50134	P	MozillaThunderbird on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25270	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:66582	P	pam on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25354	P	Security update for mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:49386	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25132	P	Security update for file (Moderate)	2020-12-01
oval:org.opensuse.security:def:50160	P	libpskc-devel on GA media (Moderate)	2020-12-01
oval:com.ubuntu.xenial:def:201754260000000	V	CVE-2017-5426 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-11
oval:com.ubuntu.trusty:def:20175426000	V	CVE-2017-5426 on Ubuntu 14.04 LTS (trusty) - medium.	2018-06-11
oval:com.ubuntu.xenial:def:20175426000	V	CVE-2017-5426 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-11
oval:com.ubuntu.precise:def:20175426000	V	CVE-2017-5426 on Ubuntu 12.04 LTS (precise) - medium.	2017-03-07

BACK