Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-3197.NASL
HistoryMar 20, 2015 - 12:00 a.m.

Debian DSA-3197-1 : openssl - security update

2015-03-2000:00:00
This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
JSON

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues :

  • CVE-2015-0286 Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.

  • CVE-2015-0287 Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

  • CVE-2015-0289 Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.

  • CVE-2015-0292 It was discovered that missing input sanitising in base64 decoding might result in memory corruption.

  • CVE-2015-0209 It was discovered that a malformed EC private key might result in memory corruption.

  • CVE-2015-0288 It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3197. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81955);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2015-0209", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0292");
  script_bugtraq_id(73225, 73227, 73228, 73231, 73237, 73239);
  script_xref(name:"DSA", value:"3197");

  script_name(english:"Debian DSA-3197-1 : openssl - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures
project identifies the following issues :

  - CVE-2015-0286
    Stephen Henson discovered that the ASN1_TYPE_cmp()
    function can be crashed, resulting in denial of service.

  - CVE-2015-0287
    Emilia Kaesper discovered a memory corruption in ASN.1
    parsing.

  - CVE-2015-0289
    Michal Zalewski discovered a NULL pointer dereference in
    the PKCS#7 parsing code, resulting in denial of service.

  - CVE-2015-0292
    It was discovered that missing input sanitising in
    base64 decoding might result in memory corruption.

  - CVE-2015-0209
    It was discovered that a malformed EC private key might
    result in memory corruption.

  - CVE-2015-0288
    It was discovered that missing input sanitising in the
    X509_to_X509_REQ() function might result in denial of
    service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0286"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0287"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0289"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0292"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0209"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0288"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/openssl"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3197"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the openssl packages.

For the stable distribution (wheezy), these problems have been fixed
in version 1.0.1e-2+deb7u15. In this update the export ciphers are
removed from the default cipher list."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"libssl-dev", reference:"1.0.1e-2+deb7u15")) flag++;
if (deb_check(release:"7.0", prefix:"libssl-doc", reference:"1.0.1e-2+deb7u15")) flag++;
if (deb_check(release:"7.0", prefix:"libssl1.0.0", reference:"1.0.1e-2+deb7u15")) flag++;
if (deb_check(release:"7.0", prefix:"libssl1.0.0-dbg", reference:"1.0.1e-2+deb7u15")) flag++;
if (deb_check(release:"7.0", prefix:"openssl", reference:"1.0.1e-2+deb7u15")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxopensslp-cpe:/a:debian:debian_linux:openssl
debiandebian_linux7.0cpe:/o:debian:debian_linux:7.0

Related

osv 3
debian 5
openvas 40
ibm 49
nessus 54
fedora 6
centos 3
redhat 4
oraclelinux 4
aix 1
ubuntu 1
slackware 1
altlinux 5
cloudfoundry 1
mageia 1
suse 4
amazon 1
freebsd_advisory 1
freebsd 1
f5 4
cisco 1
kaspersky 1
securityvulns 1
gentoo 1
archlinux 2
fortinet 1
thn 1
ubuntucve 1
openssl 1
osv
osv
openssl - regression update
2015-03-19 00:00:00
openssl - security update
2015-03-19 00:00:00
openssl - security update
2015-03-20 00:00:00
debian
debian
[SECURITY] [DSA 3197-1] openssl security update
2015-03-19 14:31:39
[SECURITY] [DSA 3197-2] openssl regression update
2015-03-24 21:32:24
[SECURITY] [DSA 3197-1] openssl security update
2015-03-19 14:32:03
openvas
openvas
Univention Corporate Server 4.0 erratum 142
2015-04-09 00:00:00
Debian Security Advisory DSA 3197-1 (openssl - security update)
2015-03-19 00:00:00
Debian: Security Advisory (DSA-3197-1)
2015-03-18 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in OpenSSL affect IBM System x, BladeCenter and Flex Systems Unified Extensible Firmware Interface (UEFI) (CVE-2015-0286 CVE-2015-0288 CVE-2015-0289 CVE-2015-0209 CVE-2015-0287)
2019-01-31 02:25:02
Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM (Multiple CVEs)
2018-06-18 01:27:57
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool/Reporter (CVE's: 2015-0209, 2015-0286, 2015-0287, 2015-0288, 2015-0289, 2015-0292, 2015-0293)
2018-06-17 15:02:35
nessus
nessus
Fedora 20 : openssl-1.0.1e-42.fc20 (2015-4300)
2015-03-25 00:00:00
CentOS 6 : openssl (CESA-2015:0715)
2015-03-24 00:00:00
Ubuntu 14.04 LTS : OpenSSL vulnerabilities (USN-2537-1)
2015-03-20 00:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: openssl-1.0.1k-6.fc22
2015-03-22 04:41:05
[SECURITY] Fedora 21 Update: openssl-1.0.1k-6.fc21
2015-03-22 04:40:24
[SECURITY] Fedora 21 Update: mingw-openssl-1.0.2a-1.fc21
2015-05-04 15:27:35
centos
centos
openssl security update
2015-03-23 20:40:40
openssl security update
2015-03-23 21:19:50
openssl security update
2015-04-14 11:25:52
redhat
redhat
(RHSA-2015:0752) Moderate: openssl security update
2015-03-30 00:00:00
(RHSA-2015:0715) Moderate: openssl security update
2015-03-23 00:00:00
(RHSA-2015:0716) Moderate: openssl security and bug fix update
2015-03-23 19:36:02
oraclelinux
oraclelinux
openssl security update
2015-03-23 00:00:00
openssl security and bug fix update
2015-03-23 00:00:00
openssl security update
2015-04-13 00:00:00
aix
aix
Multiple Security vulnerabilities in AIX OpenSSL
2015-04-13 05:07:43
ubuntu
ubuntu
OpenSSL vulnerabilities
2015-03-19 00:00:00
slackware
slackware
[slackware-security] openssl
2015-04-22 01:22:19
altlinux
altlinux
Security fix for the ALT Linux 7 package openssl10 version 1.0.1k-alt1.M70P.1
2015-03-20 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.1k-alt2
2015-03-19 00:00:00
Security fix for the ALT Linux 7 package openssl10 version 1.0.1k-alt2
2015-03-19 00:00:00
cloudfoundry
cloudfoundry
USN-2537-1: OpenSSL vulnerabilities | Cloud Foundry
2015-03-21 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerabilities
2015-03-19 19:47:16
suse
suse
Security update for openssl (important)
2015-03-19 19:04:54
Security update for compat-openssl098 (important)
2015-03-20 12:04:55
Security update for compat-openssl098 (important)
2015-03-20 13:04:51
amazon
amazon
Medium: openssl
2015-03-23 13:42:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-15:06.openssl
2015-03-19 00:00:00
freebsd
freebsd
OpenSSL -- multiple vulnerabilities
2015-03-19 00:00:00
f5
f5
K16319 : OpenSSL vulnerability CVE-2015-0288
2015-04-11 00:00:00
SOL16319 - OpenSSL vulnerability CVE-2015-0288
2015-03-30 00:00:00
SOL16302 - OpenSSL vulnerability CVE-2015-0292
2015-03-20 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
2015-03-20 20:20:00
kaspersky
kaspersky
KLA10479 Multiple vulnerabilities in OpenSSL
2015-03-19 00:00:00
securityvulns
securityvulns
OpenSSL multiple security vulnerabilities
2015-03-21 00:00:00
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2015-03-19 00:00:00
archlinux
archlinux
openssl: multiple issues
2015-03-19 00:00:00
lib32-openssl: multiple issues
2015-03-19 00:00:00
fortinet
fortinet
OpenSSL vulnerabilities - March 2015
2015-03-24 00:00:00
thn
thn
OpenSSL to Patch High Severity Vulnerability this Week
2015-03-17 22:30:00
ubuntucve
ubuntucve
CVE-2015-0292
2015-03-17 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2015-0292
2015-03-19 00:00:00
JSON
Related for DEBIAN_DSA-3197.NASL
osv3debian5openvas40ibm49nessus54fedora6centos3redhat4oraclelinux4aix1ubuntu1slackware1altlinux5cloudfoundry1mageia1suse4amazon1freebsd_advisory1freebsd1f54cisco1kaspersky1securityvulns1gentoo1archlinux2fortinet1thn1ubuntucve1openssl1