According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP’s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.(CVE-2015-4021)
An out of bounds read flaw was found in the way the xmlrpc extension parsed dates in the ISO 8601 format. A specially crafted XML-RPC request or response could possibly cause a PHP application to crash.(CVE-2014-3668)
It was found that certain PHP functions did not properly handle file names containing a NULL character.
A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-4598)
A flaw was found in the way PHP handled malformed source files when running in CGI mode. A specially crafted PHP file could cause PHP CGI to crash.(CVE-2014-9427)
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.(CVE-2018-10548)
An infinite loop vulnerability was found in ext/iconv/iconv.c in PHP due to the iconv stream not rejecting invalid multibyte sequences. A remote attacker could use this vulnerability to hang the php process and consume resources.(CVE-2018-10546)
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a ‘\0’ character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.(CVE-2013-4248)
A use-after-free flaw was found in the way PHP’s unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP’s unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.(CVE-2015-0231)
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-4602)
It was found that certain PHP functions did not properly handle file names containing a NULL character.
A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.(CVE-2015-3412)
The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a ‘Python script text executable’ rule.(CVE-2015-4605)
A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP’s enchant extension. A specially crafted tag input could possibly cause a PHP application to crash.(CVE-2014-9705)
A buffer overflow flaw was found in the Exif extension.
A specially crafted JPEG or TIFF file could cause a PHP application using the exif_thumbnail() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application.(CVE-2014-3670)
A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-4148)
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes’ unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.(CVE-2014-3515)
The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a ‘Python script text executable’ rule.(CVE-2015-4604)
A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP’s gd extension.
A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap (XPM) file.(CVE-2014-2497)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.(CVE-2015-4024)
Multiple flaws were discovered in the way PHP’s Soap extension performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to disclose portion of its memory or crash.(CVE-2015-4599)
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-4603)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124997);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2013-4248",
"CVE-2014-2497",
"CVE-2014-3515",
"CVE-2014-3668",
"CVE-2014-3670",
"CVE-2014-9427",
"CVE-2014-9705",
"CVE-2015-0231",
"CVE-2015-3412",
"CVE-2015-4021",
"CVE-2015-4024",
"CVE-2015-4148",
"CVE-2015-4598",
"CVE-2015-4599",
"CVE-2015-4602",
"CVE-2015-4603",
"CVE-2015-4604",
"CVE-2015-4605",
"CVE-2018-10546",
"CVE-2018-10548"
);
script_bugtraq_id(
61776,
66233,
68237,
70665,
70666,
71833,
72539,
73031,
74700,
74903,
75103,
75233,
75241,
75244,
75249,
75250,
75251,
75252
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1544)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the php packages installed, the EulerOS
Virtualization installation on the remote host is affected by the
following vulnerabilities :
- An integer underflow flaw leading to out-of-bounds
memory access was found in the way PHP's Phar extension
parsed Phar archives. A specially crafted archive could
cause PHP to crash or, possibly, execute arbitrary code
when opened.(CVE-2015-4021)
- An out of bounds read flaw was found in the way the
xmlrpc extension parsed dates in the ISO 8601 format. A
specially crafted XML-RPC request or response could
possibly cause a PHP application to
crash.(CVE-2014-3668)
- It was found that certain PHP functions did not
properly handle file names containing a NULL character.
A remote attacker could possibly use this flaw to make
a PHP script access unexpected files and bypass
intended file system access
restrictions.(CVE-2015-4598)
- A flaw was found in the way PHP handled malformed
source files when running in CGI mode. A specially
crafted PHP file could cause PHP CGI to
crash.(CVE-2014-9427)
- An issue was discovered in PHP before 5.6.36, 7.0.x
before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
7.2.5. ext/ldap/ldap.c allows remote LDAP servers to
cause a denial of service (NULL pointer dereference and
application crash) because of mishandling of the
ldap_get_dn return value.(CVE-2018-10548)
- An infinite loop vulnerability was found in
ext/iconv/iconv.c in PHP due to the iconv stream not
rejecting invalid multibyte sequences. A remote
attacker could use this vulnerability to hang the php
process and consume resources.(CVE-2018-10546)
- The openssl_x509_parse function in openssl.c in the
OpenSSL module in PHP before 5.4.18 and 5.5.x before
5.5.2 does not properly handle a '\\0' character in a
domain name in the Subject Alternative Name field of an
X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification
Authority, a related issue to
CVE-2009-2408.(CVE-2013-4248)
- A use-after-free flaw was found in the way PHP's
unserialize() function processed data. If a remote
attacker was able to pass crafted input to PHP's
unserialize() function, they could cause the PHP
interpreter to crash or, possibly, execute arbitrary
code.(CVE-2015-0231)
- A flaw was discovered in the way PHP performed object
unserialization. Specially crafted input processed by
the unserialize() function could cause a PHP
application to crash or, possibly, execute arbitrary
code.(CVE-2015-4602)
- It was found that certain PHP functions did not
properly handle file names containing a NULL character.
A remote attacker could possibly use this flaw to make
a PHP script access unexpected files and bypass
intended file system access
restrictions.(CVE-2015-3412)
- The mcopy function in softmagic.c in file 5.x, as used
in the Fileinfo component in PHP before 5.4.40, 5.5.x
before 5.5.24, and 5.6.x before 5.6.8, does not
properly restrict a certain offset value, which allows
remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code
via a crafted string that is mishandled by a 'Python
script text executable' rule.(CVE-2015-4605)
- A heap buffer overflow flaw was found in the
enchant_broker_request_dict() function of PHP's enchant
extension. A specially crafted tag input could possibly
cause a PHP application to crash.(CVE-2014-9705)
- A buffer overflow flaw was found in the Exif extension.
A specially crafted JPEG or TIFF file could cause a PHP
application using the exif_thumbnail() function to
crash or, possibly, execute arbitrary code with the
privileges of the user running that PHP
application.(CVE-2014-3670)
- A flaws was discovered in the way PHP performed object
unserialization. Specially crafted input processed by
the unserialize() function could cause a PHP
application to crash or, possibly, execute arbitrary
code.(CVE-2015-4148)
- A type confusion issue was found in the SPL ArrayObject
and SPLObjectStorage classes' unserialize() method. A
remote attacker able to submit specially crafted input
to a PHP application, which would then unserialize this
input using one of the aforementioned methods, could
use this flaw to execute arbitrary code with the
privileges of the user running that PHP
application.(CVE-2014-3515)
- The mget function in softmagic.c in file 5.x, as used
in the Fileinfo component in PHP before 5.4.40, 5.5.x
before 5.5.24, and 5.6.x before 5.6.8, does not
properly maintain a certain pointer relationship, which
allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code
via a crafted string that is mishandled by a 'Python
script text executable' rule.(CVE-2015-4604)
- A NULL pointer dereference flaw was found in the
gdImageCreateFromXpm() function of PHP's gd extension.
A remote attacker could use this flaw to crash a PHP
application using gd via a specially crafted X PixMap
(XPM) file.(CVE-2014-2497)
- A flaw was found in the way PHP parsed multipart HTTP
POST requests. A specially crafted request could cause
PHP to use an excessive amount of CPU
time.(CVE-2015-4024)
- Multiple flaws were discovered in the way PHP's Soap
extension performed object unserialization. Specially
crafted input processed by the unserialize() function
could cause a PHP application to disclose portion of
its memory or crash.(CVE-2015-4599)
- A flaw was discovered in the way PHP performed object
unserialization. Specially crafted input processed by
the unserialize() function could cause a PHP
application to crash or, possibly, execute arbitrary
code.(CVE-2015-4603)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1544
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb62c9b4");
script_set_attribute(attribute:"solution", value:
"Update the affected php packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["php-5.4.16-45.h9",
"php-cli-5.4.16-45.h9",
"php-common-5.4.16-45.h9"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3412
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4148
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4598
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4602
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4603
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4604
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4605
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548
www.nessus.org/u?eb62c9b4