Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4388.NASL
HistoryFeb 11, 2019 - 12:00 a.m.

Debian DSA-4388-1 : mosquitto - security update

2019-02-1100:00:00
This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10
JSON

Three vulnerabilities were discovered in the Mosquitto MQTT broker, which could result in authentication bypass. Please refer to https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for additional information.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4388. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(122069);
  script_version("1.3");
  script_cvs_date("Date: 2020/02/13");

  script_cve_id("CVE-2018-12546", "CVE-2018-12550", "CVE-2018-12551");
  script_xref(name:"DSA", value:"4388");

  script_name(english:"Debian DSA-4388-1 : mosquitto - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Three vulnerabilities were discovered in the Mosquitto MQTT broker,
which could result in authentication bypass. Please refer to
https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for
additional information."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://mosquitto.org/blog/2019/02/version-1-5-6-released/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/mosquitto"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/mosquitto"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2019/dsa-4388"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the mosquitto packages.

For the stable distribution (stretch), these problems have been fixed
in version 1.4.10-3+deb9u3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mosquitto");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"9.0", prefix:"libmosquitto-dev", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libmosquitto1", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libmosquitto1-dbg", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libmosquittopp-dev", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libmosquittopp1", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"libmosquittopp1-dbg", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"mosquitto", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"mosquitto-clients", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"mosquitto-dbg", reference:"1.4.10-3+deb9u3")) flag++;
if (deb_check(release:"9.0", prefix:"mosquitto-dev", reference:"1.4.10-3+deb9u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxmosquittop-cpe:/a:debian:debian_linux:mosquitto
debiandebian_linux9.0cpe:/o:debian:debian_linux:9.0

Related

suse 2
osv 5
nessus 3
openvas 4
fedora 1
debian 2
prion 3
debiancve 3
cve 3
veracode 3
ubuntucve 3
alpinelinux 3
suse
suse
Security update for mosquitto (low)
2019-02-23 00:00:00
Security update for mosquitto (low)
2019-02-22 00:00:00
osv
osv
mosquitto - security update
2019-02-10 00:00:00
mosquitto - security update
2019-10-26 00:00:00
CVE-2018-12551
2019-03-27 18:29:00
nessus
nessus
Fedora 28 : mosquitto (2019-8cbe2a05cd)
2019-02-19 00:00:00
openSUSE Security Update : mosquitto (openSUSE-2019-233)
2019-02-25 00:00:00
Debian DLA-1972-1 : mosquitto security update
2019-10-28 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-4388-1)
2019-02-09 00:00:00
openSUSE: Security Advisory for mosquitto (openSUSE-SU-2019:0233-1)
2019-02-23 00:00:00
Fedora Update for mosquitto FEDORA-2019-8cbe2a05cd
2019-02-18 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: mosquitto-1.5.6-1.fc28
2019-02-18 01:27:35
debian
debian
[SECURITY] [DSA 4388-1] mosquitto security update
2019-02-10 19:00:34
[SECURITY] [DLA 1972-1] mosquitto security update
2019-10-26 21:33:17
prion
prion
Code injection
2019-03-27 18:29:00
Default credentials
2019-03-27 18:29:00
Design/Logic Flaw
2019-03-27 18:29:00
debiancve
debiancve
CVE-2018-12546
2019-03-27 18:29:00
CVE-2018-12550
2019-03-27 18:29:00
CVE-2018-12551
2019-03-27 18:29:00
cve
cve
CVE-2018-12546
2019-03-27 18:29:00
CVE-2018-12551
2019-03-27 18:29:00
CVE-2018-12550
2019-03-27 18:29:00
veracode
veracode
Missing Access Control Enforcement
2019-02-12 03:36:12
Authentication Bypass
2019-02-12 07:09:38
Insecure Authorization
2019-02-12 02:15:05
ubuntucve
ubuntucve
CVE-2018-12546
2019-03-27 00:00:00
CVE-2018-12551
2019-03-27 00:00:00
CVE-2018-12550
2019-03-27 00:00:00
alpinelinux
alpinelinux
CVE-2018-12546
2019-03-27 18:29:00
CVE-2018-12550
2019-03-27 18:29:00
CVE-2018-12551
2019-03-27 18:29:00
JSON
Related for DEBIAN_DSA-4388.NASL
suse2osv5nessus3openvas4fedora1debian2prion3debiancve3cve3veracode3ubuntucve3alpinelinux3