Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.ALA_ALAS-2017-802.NASL
HistoryMar 07, 2017 - 12:00 a.m.

Amazon Linux AMI : libtiff / compat-libtiff3 (ALAS-2017-802)

2017-03-0700:00:00
This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
www.tenable.com
17
JSON

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2016-9533 , CVE-2016-9534 , CVE-2016-9535)

Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870 , CVE-2016-5652 , CVE-2016-9540 , CVE-2016-9537 , CVE-2016-9536)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-802.
#

include("compat.inc");

if (description)
{
  script_id(97554);
  script_version("3.2");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2015-8870", "CVE-2016-5652", "CVE-2016-9533", "CVE-2016-9534", "CVE-2016-9535", "CVE-2016-9536", "CVE-2016-9537", "CVE-2016-9540");
  script_xref(name:"ALAS", value:"2017-802");

  script_name(english:"Amazon Linux AMI : libtiff / compat-libtiff3 (ALAS-2017-802)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple flaws have been discovered in libtiff. A remote attacker
could exploit these flaws to cause a crash or memory corruption and,
possibly, execute arbitrary code by tricking an application linked
against libtiff into processing specially crafted files.
(CVE-2016-9533 , CVE-2016-9534 , CVE-2016-9535)

Multiple flaws have been discovered in various libtiff tools
(tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into
processing a specially crafted file, a remote attacker could exploit
these flaws to cause a crash or memory corruption and, possibly,
execute arbitrary code with the privileges of the user running the
libtiff tool. (CVE-2015-8870 , CVE-2016-5652 , CVE-2016-9540 ,
CVE-2016-9537 , CVE-2016-9536)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-802.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Run 'yum update libtiff' to update your system.

Run 'yum update compat-libtiff3' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:compat-libtiff3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:compat-libtiff3-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtiff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtiff-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtiff-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtiff-static");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"compat-libtiff3-3.9.4-21.15.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"compat-libtiff3-debuginfo-3.9.4-21.15.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libtiff-4.0.3-27.29.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libtiff-debuginfo-4.0.3-27.29.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libtiff-devel-4.0.3-27.29.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libtiff-static-4.0.3-27.29.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "compat-libtiff3 / compat-libtiff3-debuginfo / libtiff / etc");
}
VendorProductVersionCPE
amazonlinuxcompat-libtiff3p-cpe:/a:amazon:linux:compat-libtiff3
amazonlinuxcompat-libtiff3-debuginfop-cpe:/a:amazon:linux:compat-libtiff3-debuginfo
amazonlinuxlibtiffp-cpe:/a:amazon:linux:libtiff
amazonlinuxlibtiff-debuginfop-cpe:/a:amazon:linux:libtiff-debuginfo
amazonlinuxlibtiff-develp-cpe:/a:amazon:linux:libtiff-devel
amazonlinuxlibtiff-staticp-cpe:/a:amazon:linux:libtiff-static
amazonlinuxcpe:/o:amazon:linux

Related

nessus 30
redhat 1
centos 1
openvas 25
oraclelinux 1
freebsd 1
amazon 1
f5 2
ubuntucve 8
debian 5
osv 6
veracode 9
prion 9
debiancve 8
cve 9
checkpoint_advisories 1
redhatcve 7
talos 1
seebug 1
alpinelinux 1
ubuntu 2
cloudfoundry 1
threatpost 1
archlinux 2
ibm 2
altlinux 1
slackware 1
suse 1
apple 2
mageia 1
gentoo 1
nessus
nessus
CentOS 6 / 7 : libtiff (CESA-2017:0225)
2017-02-02 00:00:00
FreeBSD : tiff -- multiple vulnerabilities (fb74eacc-ec8a-11e6-bc8a-0011d823eebd)
2017-02-07 00:00:00
RHEL 6 / 7 : libtiff (RHSA-2017:0225)
2017-02-02 00:00:00
redhat
redhat
(RHSA-2017:0225) Moderate: libtiff security update
2017-02-01 07:02:26
centos
centos
libtiff security update
2017-02-01 12:51:43
openvas
openvas
CentOS Update for libtiff CESA-2017:0225 centos6
2017-02-03 00:00:00
CentOS Update for libtiff CESA-2017:0225 centos7
2017-02-03 00:00:00
RedHat Update for libtiff RHSA-2017:0225-01
2017-02-03 00:00:00
oraclelinux
oraclelinux
libtiff security update
2017-02-01 00:00:00
freebsd
freebsd
tiff -- multiple vulnerabilities
2016-11-19 00:00:00
amazon
amazon
Medium: libtiff, compat-libtiff3
2017-03-06 14:00:00
f5
f5
K45593826 : LibTIFF vulnerabilities CVE-2015-8870, CVE-2016-5652, CVE-2016-9536, CVE-2016-9537, and CVE-2016-9540
2017-04-12 00:00:00
K34527393 : LibTIFF vulnerabilities CVE-2016-9533, CVE-2016-9534, and CVE-2016-9535
2017-04-12 00:00:00
ubuntucve
ubuntucve
CVE-2016-9536
2016-11-22 00:00:00
CVE-2016-9534
2016-11-22 00:00:00
CVE-2016-9537
2016-11-22 00:00:00
debian
debian
[SECURITY] [DLA 795-1] tiff security update
2017-01-23 23:01:22
[SECURITY] [DLA 880-1] tiff3 security update
2017-03-30 19:36:30
[SECURITY] [DSA 3762-1] tiff security update
2017-01-13 15:45:16
osv
osv
tiff - security update
2017-01-23 00:00:00
tiff3 - security update
2017-03-30 00:00:00
CVE-2016-5652
2017-01-06 21:59:01
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:15:37
Denial Of Service (DoS)
2018-08-01 02:51:10
Out-of-bounds Write
2019-05-02 06:09:59
prion
prion
Integer overflow
2016-12-06 18:59:00
Heap overflow
2016-11-22 19:59:00
Heap overflow
2016-11-22 19:59:00
debiancve
debiancve
CVE-2015-8870
2016-12-06 18:59:00
CVE-2016-9534
2016-11-22 19:59:00
CVE-2016-9540
2016-11-22 19:59:00
cve
cve
CVE-2016-9537
2016-11-22 19:59:00
CVE-2015-8870
2016-12-06 18:59:00
CVE-2016-9534
2016-11-22 19:59:00
checkpoint_advisories
checkpoint_advisories
LibTIFF tiffcrop Integer Overflow (CVE-2016-9537)
2017-06-05 00:00:00
redhatcve
redhatcve
CVE-2016-9536
2016-11-23 17:19:09
CVE-2016-9540
2016-11-23 17:18:49
CVE-2016-9534
2016-11-23 17:18:57
talos
talos
LibTIFF TIFF2PDF TIFFTAG_JPEGTABLES Remote Code Execution Vulnerability
2016-10-25 00:00:00
seebug
seebug
LibTIFF TIFF2PDF TIFFTAG_JPEGTABLES Remote Code Execution Vulnerability(CVE-2016-5652)
2017-10-12 00:00:00
alpinelinux
alpinelinux
CVE-2016-5652
2017-01-06 21:59:00
ubuntu
ubuntu
LibTIFF vulnerabilities
2017-07-19 00:00:00
LibTIFF vulnerabilities
2017-02-27 00:00:00
cloudfoundry
cloudfoundry
USN-3212-1: LibTIFF vulnerabilities | Cloud Foundry
2017-03-17 00:00:00
threatpost
threatpost
Remote Code Execution Vulnerabilities Plague LibTIFF Library
2016-10-26 12:34:20
archlinux
archlinux
[ASA-201611-26] libtiff: multiple issues
2016-11-25 00:00:00
[ASA-201611-27] lib32-libtiff: multiple issues
2016-11-25 00:00:00
ibm
ibm
Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF
2023-12-07 22:45:03
Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF
2023-12-07 22:45:02
altlinux
altlinux
Security fix for the ALT Linux 10 package libtiff version 4.0.10.0.57.f9fc01c3-alt1
2019-04-09 00:00:00
slackware
slackware
[slackware-security] libtiff
2017-04-08 20:11:36
suse
suse
Security update for tiff (important)
2016-12-07 15:08:51
apple
apple
About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite - Apple Support
2017-08-29 02:52:03
About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
2017-03-27 00:00:00
mageia
mageia
Updated libtiff packages fix security vulnerability
2017-07-01 10:04:05
gentoo
gentoo
libTIFF: Multiple vulnerabilities
2017-01-09 00:00:00
JSON
Related for ALA_ALAS-2017-802.NASL
nessus30redhat1centos1openvas25oraclelinux1freebsd1amazon1f52ubuntucve8debian5osv6veracode9prion9debiancve8cve9checkpoint_advisories1redhatcve7talos1seebug1alpinelinux1ubuntu2cloudfoundry1threatpost1archlinux2ibm2altlinux1slackware1suse1apple2mageia1gentoo1