ID FEDORA_2017-FF06FF0EC9.NASL Type nessus Reporter This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2017-08-11T00:00:00
Description
Security fix for CVE-2017-9765.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-ff06ff0ec9.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
# Metadata-only pass: Nessus sets 'description' while indexing plugins, so
# this branch registers attributes and exits before any host is touched.
script_id(102407);
script_version("3.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# Devil's Ivy: integer overflow in gSOAP's soap_get() reachable through an
# oversized XML document (see the CVE text). Fixed upstream in 2.8.48; Fedora
# backported the fix, so the advisory NVR (gsoap-2.8.30-2.fc25) is what the
# package check later in this file compares against, not the upstream version.
script_cve_id("CVE-2017-9765");
script_xref(name:"FEDORA", value:"2017-ff06ff0ec9");
script_name(english:"Fedora 25 : gsoap (2017-ff06ff0ec9) (Devil's Ivy)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
# Description text is copied verbatim from the Fedora update system; keep it
# in sync with the advisory rather than editing it here.
script_set_attribute(
attribute:"description",
value:
"Security fix for CVE-2017-9765.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ff06ff0ec9"
);
script_set_attribute(attribute:"solution", value:"Update the affected gsoap package.");
# CVSSv2 6.8 (network, unauthenticated, partial C/I/A); CVSSv3 8.1 with
# AC:H, consistent with the CVE note that the oversized request is blocked by
# many general-purpose web-server configurations, leaving embedded devices
# as the realistic exposure.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
# Local (credentialed) check: the verdict comes from the rpm database rather
# than from probing a service, so an installed-but-unused gsoap is still
# reported as vulnerable.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gsoap");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/20");
script_set_attribute(attribute:"patch_publication_date", value:"2017/08/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/11");
script_set_attribute(attribute:"in_the_news", value:"true");
# Auto-generated from the Fedora advisory; manual edits will be overwritten
# on regeneration.
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Fedora Local Security Checks");
# Runs only after the SSH-based local-checks collector has populated the
# release and rpm-list KB entries required below.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Credentialed package check for FEDORA-2017-ff06ff0ec9 (CVE-2017-9765).
# Every audit() call below exits the plugin with the given reason, so each
# guard is a terminal condition, not a skipped step.

# Without local checks there is no rpm data to compare against.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Fedora reports through the Host/RedHat/* KB keys; confirm Fedora 25 exactly.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

ver_match = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
fedora_ver = ver_match[1];
# Anchored so that e.g. "250" does not satisfy a "25" check.
if (!preg(pattern:"^25([^0-9]|$)", string:fedora_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + fedora_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 builds are covered; other architectures are reported as
# "not implemented" rather than "not affected", so they are not silently
# cleared.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Fedora backported the fix, so the comparison is against the advisory's
# package NVR rather than the upstream fixed version (2.8.48).
affected = 0;
if (rpm_check(release:"FC25", reference:"gsoap-2.8.30-2.fc25")) affected++;

if (!affected)
{
# Distinguish "gsoap installed and already fixed" from "gsoap not installed".
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gsoap");
}
else
{
security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
exit(0);
}
{"id": "FEDORA_2017-FF06FF0EC9.NASL", "bulletinFamily": "scanner", "title": "Fedora 25 : gsoap (2017-ff06ff0ec9) (Devil", "description": "Security fix for CVE-2017-9765.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "published": "2017-08-11T00:00:00", "modified": "2017-08-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/102407", "reporter": "This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-ff06ff0ec9"], "cvelist": ["CVE-2017-9765"], "type": "nessus", "lastseen": "2021-01-07T10:15:23", "edition": 21, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-9765"]}, {"type": "seebug", "idList": ["SSV:96284"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_8745C67E7DD1416596E2FCF9DA2DC5B5.NASL", "FEDORA_2017-D2174C28ED.NASL", "OPENSUSE-2017-842.NASL", "AXIS_DEVILS_IVY.NASL", "DEBIAN_DLA-1036.NASL"]}, {"type": "fedora", "idList": ["FEDORA:A3BDC6096978", "FEDORA:A41766149B46", "FEDORA:9086B608C011"]}, {"type": "hp", "idList": ["HP:C05704368"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891036", "OPENVAS:1361412562310873241", "OPENVAS:1361412562310874394", "OPENVAS:1361412562310873254"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1036-1:85DA7"]}, {"type": "krebs", "idList": ["KREBS:7FB5E9D2AA4F4008C524A1DE82171B62"]}, {"type": "thn", "idList": ["THN:8F66500942235D9D4A03E4C625153A05", "THN:590A2A4F40D408F427266EBA5EE7B530"]}, {"type": "freebsd", "idList": ["8745C67E-7DD1-4165-96E2-FCF9DA2DC5B5"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788024"]}, {"type": "ics", "idList": ["ICSA-19-253-06"]}], "modified": 
"2021-01-07T10:15:23", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-01-07T10:15:23", "rev": 2}, "vulnersScore": 5.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-ff06ff0ec9.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102407);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9765\");\n script_xref(name:\"FEDORA\", value:\"2017-ff06ff0ec9\");\n\n script_name(english:\"Fedora 25 : gsoap (2017-ff06ff0ec9) (Devil's Ivy)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-9765.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ff06ff0ec9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gsoap package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsoap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2017/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"gsoap-2.8.30-2.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsoap\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "102407", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:gsoap"], "scheme": null, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2020-10-03T13:07:51", "description": "Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy. NOTE: the large document would be blocked by many common web-server configurations on general-purpose computers.", "edition": 3, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-20T00:29:00", "title": "CVE-2017-9765", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9765"], "modified": "2017-09-16T10:25:00", "cpe": ["cpe:/a:genivia:gsoap:2.8.30", "cpe:/a:genivia:gsoap:2.8.39", "cpe:/a:genivia:gsoap:2.7.0", "cpe:/a:genivia:gsoap:2.7.11", "cpe:/a:genivia:gsoap:2.8.9", "cpe:/a:genivia:gsoap:2.7.10", "cpe:/a:genivia:gsoap:2.8.27", "cpe:/a:genivia:gsoap:2.8.44", "cpe:/a:genivia:gsoap:2.8.13", "cpe:/a:genivia:gsoap:2.8.31", "cpe:/a:genivia:gsoap:2.7.17", "cpe:/a:genivia:gsoap:2.8.33", "cpe:/a:genivia:gsoap:2.8.1", 
"cpe:/a:genivia:gsoap:2.8.28", "cpe:/a:genivia:gsoap:2.8.4", "cpe:/a:genivia:gsoap:2.8.0", "cpe:/a:genivia:gsoap:2.8.7", "cpe:/a:genivia:gsoap:2.8.42", "cpe:/a:genivia:gsoap:2.7.12", "cpe:/a:genivia:gsoap:2.8.3", "cpe:/a:genivia:gsoap:2.8.6", "cpe:/a:genivia:gsoap:2.8.32", "cpe:/a:genivia:gsoap:2.8.21", "cpe:/a:genivia:gsoap:2.7.5", "cpe:/a:genivia:gsoap:2.8.16", "cpe:/a:genivia:gsoap:2.8.18", "cpe:/a:genivia:gsoap:2.7.14", "cpe:/a:genivia:gsoap:2.8.37", "cpe:/a:genivia:gsoap:2.7.15", "cpe:/a:genivia:gsoap:2.8.5", "cpe:/a:genivia:gsoap:2.8.34", "cpe:/a:genivia:gsoap:2.7.16", "cpe:/a:genivia:gsoap:2.8.11", "cpe:/a:genivia:gsoap:2.8.22", "cpe:/a:genivia:gsoap:2.7.6", "cpe:/a:genivia:gsoap:2.8.41", "cpe:/a:genivia:gsoap:2.7.8", "cpe:/a:genivia:gsoap:2.8.47", "cpe:/a:genivia:gsoap:2.8.46", "cpe:/a:genivia:gsoap:2.8.40", "cpe:/a:genivia:gsoap:2.8.29", "cpe:/a:genivia:gsoap:2.8.15", "cpe:/a:genivia:gsoap:2.8.24", "cpe:/a:genivia:gsoap:2.8.14", "cpe:/a:genivia:gsoap:2.8.12", "cpe:/a:genivia:gsoap:2.7.4", "cpe:/a:genivia:gsoap:2.8.20", "cpe:/a:genivia:gsoap:2.7.7", "cpe:/a:genivia:gsoap:2.7.13", "cpe:/a:genivia:gsoap:2.8.8", "cpe:/a:genivia:gsoap:2.7.9", "cpe:/a:genivia:gsoap:2.8.26", "cpe:/a:genivia:gsoap:2.8.10", "cpe:/a:genivia:gsoap:2.8.43", "cpe:/a:genivia:gsoap:2.8.35", "cpe:/a:genivia:gsoap:2.8.19", "cpe:/a:genivia:gsoap:2.7.2", "cpe:/a:genivia:gsoap:2.8.2", "cpe:/a:genivia:gsoap:2.8.36", "cpe:/a:genivia:gsoap:2.8.17", "cpe:/a:genivia:gsoap:2.7.1", "cpe:/a:genivia:gsoap:2.8.23", "cpe:/a:genivia:gsoap:2.8.38", "cpe:/a:genivia:gsoap:2.8.25", "cpe:/a:genivia:gsoap:2.7.3", "cpe:/a:genivia:gsoap:2.8.45"], "id": "CVE-2017-9765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9765", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:genivia:gsoap:2.8.24:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.44:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.39:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.13:*:*:*:*:*:*:*", 
"cpe:2.3:a:genivia:gsoap:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.43:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.11:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.12:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.37:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.15:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.8:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.38:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.20:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.17:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.40:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.28:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.47:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.35:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.25:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.31:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.45:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.19:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.23:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.9:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.13:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.10:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.18:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.11:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.16:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.34:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.12:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.14:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.36:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.22:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:genivia:gsoap:2.8.21:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.17:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.42:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.29:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.41:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.30:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.15:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.16:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.27:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.32:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.14:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.33:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.46:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:genivia:gsoap:2.8.26:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:56:39", "description": "When we began a security analysis of remote configuration services last year, we had no idea it would lead us to uncover vulnerabilities that affect so many users. We have been studying the prevalence and nature of the vulnerabilities that arise in remote configuration services, so when we approached the M3004, we specifically sought out such a service. We began by enumerating all open ports and examined the code which handled incoming data. The service we found was wsd, a service that imports a third party library from gSOAP by Genivia. We discovered the vulnerability by using IDA Pro, a reverse engineering tool, to examine all code that wrote incoming data to stack buffers. \r\n\r\n\r\nWe reached the vulnerable code by sending a POST command to the ONVIF service available on port 80. 
We were able to observe the internals of the service and the results of our code by activating ssh through the webserver and then remotely debugging the service with gdbserver, which was already installed on the camera. After verifying the vulnerability by observing it crash at a value we set when the overflow overwrote the stored return pointer on the stack, our next challenge was to gain code execution.\r\n\r\nAlthough there was no limit to how many bytes we could write to the stack, we could not execute code on it, and a filter required that all the values we sent be greater than 31. We used a technique called Return Oriented Programming (ROP) to write addresses to the stack to force the program to execute code snippets in libc so we could circumvent the non-executable stack. Through this technique, we allocated executable space, copied our shellcode to that space, and directed execution to it. Although the requirement that all the addresses we used needed to have values greater than 31 restricted us somewhat, we were still able to gain code execution. Watch the video below for an introduction to ROP.\r\n\r\n Once we reached this step, we wrote shellcode, which again contained all values greater than 31, to open a port and allow a remote user to connect to a shell. At this point we had gained code execution by exploiting Devil's Ivy (CVE-2017-9765). Due to Axis's security settings, this exploit only grants access to a shell as an unprivileged user on the M3004. However, we were able to execute commands from the ONVIF specification that only a privileged user would normally be allowed. 
We were able to reset the camera to its factory defaults and take control of the camera, reboot it to prevent an operator from viewing the feed, and change network settings.\r\n\r\nRead on for the full technical details or scroll to the bottom to see a video demonstration.\r\n\r\n### Access\r\nWe began our process by downloading the latest firmware for the M3004 camera from Axis\u2019s website. They do require an account to download firmware, but did not verify that we were a legitimate customer. We became Nate Johnson, reachable at a throwaway email address, and immediately had access to the camera\u2019s firmware. We extracted the file system and Linux kernel using binwalk with the Jefferson extractor for JFFS2 file systems.\r\n\r\n\r\nWe ran nmap to scan the camera for open ports and found 1900 (upnp), 3702 (ws-discover) and 5353 (mdns) open. After some analysis of the file system, we found that ws-discover was associated with wsd, a service which handled the SOAP protocol. wsd imports libsoap.so (from gSOAP by Genivia) to parse incoming SOAP messages, which we scrutinized for any code which wrote incoming data to the stack. We used IDA Pro to look for stack buffers, and then manually traced back the source of any data copied into them. Using this technique, it only took one day of looking through assembly code to spot this vulnerability.\r\n\r\n\r\n### Analysis\r\nOne piece of code caught our attention in the function soap_get() that wrote incoming data to an 0x40 byte stack buffer. The code operates in a loop that checks for the end character \u2018?\u2019 or an end of data indicator as an end condition rather than counting the number of bytes it has written to the 0x40 byte stack buffer.\r\n\r\n\r\nIn the screenshot above, R6 is the data counter, set to the size of the stack buffer, R9 is the stack buffer pointer, and R5 is the incoming byte read from the network. 
If the data counter in R6 is less than zero, the function skips writing to the buffer, but continues to read in data using j_soap_getchar(). By writing enough data to wsd to wrap the counter around to a positive number again, we could write data to the stack past the 0x40 byte limit. This takes a few minutes, but there is no limit on the amount of incoming data, and it is simple enough to send using netcat. We calculated that we needed to send 0x8000000 bytes to wrap the counter around to a positive number, 0x40 to fill up the fixed length stack buffer, and another 0x30 more before we could overwrite the stored return address.\r\n\r\n\r\nWe reached this vulnerability by sending a POST command to \u201c/onvif/device_service\u201d on port 80, which was handed off from the webserver to the wsd service. To send 0x80000070 bytes, we generated a text file beginning with \u201cPOST /onvif/device_service\u201d followed by a new line and \u201c<?\u201d to indicate the beginning of a SOAP message. We filled the rest of the file with junk bytes and then used netcat to send the file with the command \u201cnc [camera_ip] 80 < postpwn.txt\u201d\r\n\r\nWe needed more information to determine whether we were really able to exploit the vulnerability, since all we could tell at this point was that the service was unresponsive immediately after we completed sending all the data. To gain ssh access to the camera, we followed the directions we found in Axis\u2019s support center. Using the camera\u2019s embedded webserver, we navigated to the advanced menu and enabled ssh by editing /etc/conf.d/ssh. After restarting the camera, we were able to ssh in with the set username and password. We discovered that gdbserver was already installed on the camera, so we used a version of gdb compiled for ARM on our local machine to monitor the service when we hit the vulnerability. Sure enough, we saw it crash at the value we supplied in the overflow.\r\n\r\n\r\n\r\nwsd crash with gdb attached. 
R4-R11 and the current PC were stored on the stack. The output shows the new values we have given them.\r\n\r\n### Code Execution\r\nThe next challenge we faced was gaining code execution, since the stack was non-executable. Unlike other devices we\u2019ve looked at lately, incoming data was not stored at a fixed value on an executable heap, which was great to see and naturally slowed us down. However, we could write as many bytes to the stack as we needed, and libc was in a static location. We put together a ROP chain that used snippets of code in libc to gain execution. The tricky part of this was that we could not use any addresses which contained bytes with a value below 0x20 or 0x3F or 0xFF. Values lower than 0x20 were replaced with the byte 0x20, and 0x3F or 0xFF would mark the end of our buffer. Fortunately, libc was based at an address that allowed us a large section of code to use in the ROP chain.\r\n\r\n\r\n\u200bWe found our ROP addresses manually, using IDA and the regex feature in find. We appended the ROP chain to our large text file, and wrote a script to check for any bad values. In all, it took us a few days of steady work to put together the entire 19-address long chain. We first called pvalloc() to allocate a page-aligned memory buffer then copied our shellcode from lower on the stack into the buffer using strcpy(). We finished up by calling mprotect() to mark the buffer executable and then jumped to the executable buffer to begin our shellcode. \r\n\r\nSurprisingly, writing shellcode presented the most trouble. We set out to to bind to a socket and allow a remote user to connect to a shell. Because we were restricted in values, we first worked on xor encoding the bulk of our shellcode and decoding it in place with a section of restricted value shellcode. ARM processors cache instructions and data, which you can clear with the ISB or an MCR instruction, neither of which we could use with our restrictions. 
Although there is an example online of changing the data portion of the MCR instruction to clear the instruction path, this did not work for us. We also learned that, on some chips, you can simply branch to your code, since the processor only caches sequential instructions. However, this was not effective either. Finally, we wrote value restricted Thumb shellcode, which only took about an hour after weeks of research into other possibilities.\r\n\r\nTo write value-restricted shellcode, we relied heavily on our ability to execute code in libc. We set up the arguments in our code, then called the functions in libc that performed the system calls we required. For example, to make the socket system call, we wrote the snippet of code you see to the right.\r\n\r\n\r\nAt this point we had gained code execution and a shell on the camera by exploiting the Devil\u2019s Ivy vulnerability. While other devices may run the service using gSOAP as a root user, this particular device only grants access to a shell as the unprivileged wsd user. Despite this, we were able to execute commands from the ONVIF specification that only a privileged user would normally be allowed. The permissions settings were located in a text file on the camera which is writeable by the wsd user. We used sed, available through busybox on the camera, to change the permissions of the SystemReboot command to allow an anonymous user to run it with the following line:\r\n\r\n```sed -i /SystemReboot=8/SystemReboot=f/ access_policy```\r\n\r\nAfter closing the connection, which caused wsd to restart and reload the access_policy file, we were able to send in the SystemReboot command and reboot the camera. An attacker could continually reboot the camera or change its network settings to prevent access to the feed.\r\n\r\n\r\nThere were many other commands available to us, including SetSystemFactoryDefaults, which allows an attacker to reset the system to its factory defaults. 
After the camera resets to factory defaults, it prompts the attacker to change the credentials, allowing the attacker alone to view the camera feed.\r\n\r\n\r\nView a demonstration of Devil's Ivy on the Axis M3004 security camera below or visit our blog to learn more about what happened when we reported it and how it affects millions of devices.", "published": "2017-07-19T00:00:00", "type": "seebug", "title": "Devil's Ivy vulnerability(CVE-2017-9765)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9765"], "modified": "2017-07-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96284", "id": "SSV:96284", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9765"], "description": "The gSOAP Web services development toolkit offers an XML to C/C++ language binding to ease the development of SOAP/XML Web services in C and C/C++. ", "modified": "2017-08-10T21:27:30", "published": "2017-08-10T21:27:30", "id": "FEDORA:A3BDC6096978", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: gsoap-2.8.30-2.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9765"], "description": "The gSOAP Web services development toolkit offers an XML to C/C++ language binding to ease the development of SOAP/XML Web services in C and C/C++. 
", "modified": "2018-04-27T23:00:00", "published": "2018-04-27T23:00:00", "id": "FEDORA:A41766149B46", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: gsoap-2.8.43-3.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9765"], "description": "The gSOAP Web services development toolkit offers an XML to C/C++ language binding to ease the development of SOAP/XML Web services in C and C/C++. ", "modified": "2017-08-10T16:56:38", "published": "2017-08-10T16:56:38", "id": "FEDORA:9086B608C011", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: gsoap-2.8.43-2.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hp": [{"lastseen": "2020-12-24T13:21:19", "bulletinFamily": "software", "cvelist": ["CVE-2017-9765"], "description": "## Potential Security Impact\nExecution of arbitrary code or Denial of Service\n\n**Source:** HP Product Security Response Team (PSRT) \n\n**Reported by:** Check Point Software \n\n## VULNERABILITY SUMMARY\nInteger overflow in SOAP (Simple Object Access Protocol) function in Genivia gSOAP allows execution of arbitrary code or denial of service, aka Devil\u2019s Ivy attack. \n\n## RESOLUTION\nHP has provided firmware updates for impacted printers as indicated in the table below. Follow these steps to obtain the updated firmware: \n\n 1. Go to [www.hp.com](<www.hp.com>)\n\n 2. Select Support at the top of the page, then click Software & drivers. \n\n 3. Enter the appropriate product name or model number from the table below into the search field.\n\n 4. Click Find. \n\n 5. Scroll down and click Firmware from the category list. \n\n 6. Click the Download button for appropriate firmware. 
\n", "edition": 5, "modified": "2020-09-09T00:00:00", "published": "2017-09-19T00:00:00", "id": "HP:C05704368", "href": "https://support.hp.com/us-en/document/c05704368", "title": "HPSBPI03566 Rev 3 - HP DesignJet, OfficeJet, LaserJet, PageWide, Photosmart Printers, Execution of Arbitrary Code or Denial of Service", "type": "hp", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-06T10:54:47", "description": "Senrio reports :\n\nGenivia gSOAP is prone to a stack-based buffer-overflow vulnerability\nbecause it fails to properly bounds check user-supplied data before\ncopying it into an insufficiently sized buffer.\n\nA remote attacker may exploit this issue to execute arbitrary code in\nthe context of the affected device. Failed attempts will likely cause\na denial-of-service condition.", "edition": 32, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-26T00:00:00", "title": "FreeBSD : gsoap -- remote code execution via via overflow (8745c67e-7dd1-4165-96e2-fcf9da2dc5b5) (Devil", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "modified": "2017-07-26T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:gsoap"], "id": "FREEBSD_PKG_8745C67E7DD1416596E2FCF9DA2DC5B5.NASL", "href": "https://www.tenable.com/plugins/nessus/101967", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101967);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-9765\");\n\n script_name(english:\"FreeBSD : gsoap -- remote code execution via via overflow (8745c67e-7dd1-4165-96e2-fcf9da2dc5b5) (Devil's Ivy)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Senrio reports 
:\n\nGenivia gSOAP is prone to a stack-based buffer-overflow vulnerability\nbecause it fails to properly bounds check user-supplied data before\ncopying it into an insufficiently sized buffer.\n\nA remote attacker may exploit this issue to execute arbitrary code in\nthe context of the affected device. Failed attempts will likely cause\na denial-of-service condition.\"\n );\n # http://www.securityfocus.com/bid/99868/discuss\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/bid/99868/discuss\"\n );\n # http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6e2ac30d\"\n );\n # http://blog.senr.io/devilsivy.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blog.senr.io/devilsivy.html\"\n );\n # https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a5545454\"\n );\n # https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?91af07d9\"\n );\n # https://vuxml.freebsd.org/freebsd/8745c67e-7dd1-4165-96e2-fcf9da2dc5b5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ae87df51\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gsoap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gsoap<2.8.47\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:14:06", "description": "Security fix for CVE-2017-9765.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 21, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-11T00:00:00", "title": "Fedora 26 : gsoap (2017-d2174c28ed) (Devil", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "modified": 
"2017-08-11T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:26", "p-cpe:/a:fedoraproject:fedora:gsoap"], "id": "FEDORA_2017-D2174C28ED.NASL", "href": "https://www.tenable.com/plugins/nessus/102404", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-d2174c28ed.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102404);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9765\");\n script_xref(name:\"FEDORA\", value:\"2017-d2174c28ed\");\n\n script_name(english:\"Fedora 26 : gsoap (2017-d2174c28ed) (Devil's Ivy)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-9765.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-d2174c28ed\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gsoap package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsoap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"gsoap-2.8.43-2.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsoap\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:38:27", "description": "A vulnerability was discovered in gsoap, a library for the development\nof SOAP web services and clients, that may be exposed with a large and\nspecific XML message over 2 GB in size. After receiving this 2 GB\nmessage, a buffer overflow can cause an open unsecured server to\ncrash. Clients communicating with HTTPS with trusted servers are not\naffected.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.8.7-2+deb7u1.\n\nWe recommend that you upgrade your gsoap packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 24, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-25T00:00:00", "title": "Debian DLA-1036-1 : gsoap security update (Devil", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "modified": "2017-07-25T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libgsoap2", "p-cpe:/a:debian:debian_linux:gsoap", "p-cpe:/a:debian:debian_linux:gsoap-doc", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:gsoap-dbg"], "id": "DEBIAN_DLA-1036.NASL", "href": "https://www.tenable.com/plugins/nessus/101935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1036-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101935);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-9765\");\n\n script_name(english:\"Debian DLA-1036-1 : gsoap security update (Devil's Ivy)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability was discovered in gsoap, a library for the development\nof SOAP web services and clients, that may be exposed with a large and\nspecific XML message over 2 GB in size. After receiving this 2 GB\nmessage, a buffer overflow can cause an open unsecured server to\ncrash. 
Clients communicating with HTTPS with trusted servers are not\naffected.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.8.7-2+deb7u1.\n\nWe recommend that you upgrade your gsoap packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/07/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/gsoap\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gsoap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gsoap-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gsoap-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgsoap2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2017/07/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"gsoap\", reference:\"2.8.7-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"gsoap-dbg\", reference:\"2.8.7-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"gsoap-doc\", reference:\"2.8.7-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgsoap2\", reference:\"2.8.7-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T11:15:29", "description": "This update for gsoap fixes the following security issue :\n\n - CVE-2017-9765: A remote attacker may have triggered a\n buffer overflow to cause a server crash (denial of\n service) after sending 2GB of a specially crafted XML\n message, or possibly have unspecified futher impact.\n (bsc#1049348)", "edition": 20, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-27T00:00:00", "title": "openSUSE Security Update : gsoap (openSUSE-2017-842) (Devil", "type": "nessus", "bulletinFamily": "scanner", "cvelist": 
["CVE-2017-9765"], "modified": "2017-07-27T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libgsoap-2_8_46-debuginfo", "p-cpe:/a:novell:opensuse:libgsoap-2_8_46", "p-cpe:/a:novell:opensuse:libgsoap-2_8_33-debuginfo", "p-cpe:/a:novell:opensuse:gsoap-devel", "p-cpe:/a:novell:opensuse:libgsoap-2_8_33", "cpe:/o:novell:opensuse:42.3", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:gsoap-devel-debuginfo", "p-cpe:/a:novell:opensuse:gsoap-debugsource"], "id": "OPENSUSE-2017-842.NASL", "href": "https://www.tenable.com/plugins/nessus/102011", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-842.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102011);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-9765\");\n\n script_name(english:\"openSUSE Security Update : gsoap (openSUSE-2017-842) (Devil's Ivy)\");\n script_summary(english:\"Check for the openSUSE-2017-842 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for gsoap fixes the following security issue :\n\n - CVE-2017-9765: A remote attacker may have triggered a\n buffer overflow to cause a server crash (denial of\n service) after sending 2GB of a specially crafted XML\n message, or possibly have unspecified futher impact.\n (bsc#1049348)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1049348\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gsoap packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gsoap-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gsoap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gsoap-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgsoap-2_8_33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgsoap-2_8_33-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgsoap-2_8_46\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgsoap-2_8_46-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"gsoap-debugsource-2.8.33-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"gsoap-devel-2.8.33-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"gsoap-devel-debuginfo-2.8.33-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libgsoap-2_8_33-2.8.33-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libgsoap-2_8_33-debuginfo-2.8.33-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"gsoap-debugsource-2.8.46-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"gsoap-devel-2.8.46-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"gsoap-devel-debuginfo-2.8.46-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libgsoap-2_8_46-2.8.46-3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libgsoap-2_8_46-debuginfo-2.8.46-3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsoap-debugsource / gsoap-devel / gsoap-devel-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-23T09:20:31", "description": "The remote AXIS device is running a firmware version that is missing a\nsecurity patch. It is, therefore, affected by a remote code execution\nvulnerability, known as Devil's Ivy, due to an overflow condition that\nexists in a third party SOAP library (gSOAP). An unauthenticated,\nremote attacker can exploit this, via an HTTP POST message exceeding\n2GB of data, to trigger a stack-based buffer overflow, resulting in a\ndenial of service condition or the execution of arbitrary code.\n\nAn attacker who successfully exploits this vulnerability can reset the\ndevice to its factory defaults, change network settings, take complete\ncontrol of the device, or reboot it to prevent an operator from\nviewing the feed.", "edition": 31, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-19T00:00:00", "title": "AXIS gSOAP Message Handling RCE (ACV-116267) (Devil", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "modified": "2017-07-19T00:00:00", "cpe": ["cpe:/a:genivia:gsoap"], "id": "AXIS_DEVILS_IVY.NASL", "href": "https://www.tenable.com/plugins/nessus/101810", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101810);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/22\");\n\n script_cve_id(\"CVE-2017-9765\");\n script_bugtraq_id(99868);\n\n script_name(english:\"AXIS gSOAP Message Handling RCE (ACV-116267) (Devil's Ivy)\");\n script_summary(english:\"Checks the version of the AXIS 
device.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AXIS device is running a firmware version that is missing a\nsecurity patch. It is, therefore, affected by a remote code execution\nvulnerability, known as Devil's Ivy, due to an overflow condition that\nexists in a third party SOAP library (gSOAP). An unauthenticated,\nremote attacker can exploit this, via an HTTP POST message exceeding\n2GB of data, to trigger a stack-based buffer overflow, resulting in a\ndenial of service condition or the execution of arbitrary code.\n\nAn attacker who successfully exploits this vulnerability can reset the\ndevice to its factory defaults, change network settings, take complete\ncontrol of the device, or reboot it to prevent an operator from\nviewing the feed.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.axis.com/files/faq/ACV116267_(CVE-2017-9765).pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.axis.com/ftp/pub_soft/MPQT/SR/acv_116267_patched_fw.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.senr.io/devilsivy.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the latest available firmware version for your device per\nthe vendor advisory (ACV-116267).\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9765\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:genivia:gsoap\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"snmp_sysDesc.nasl\", \"ftpserver_detect_type_nd_version.nasl\", \"axis_www_detect.nbin\");\n script_require_ports(\"SNMP/sysDesc\", \"Services/ftp\", \"Services/www\", 21, 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ftp_func.inc');\ninclude('misc_func.inc');\ninclude('http.inc');\ninclude('install_func.inc');\n\npatch_list = {\n \"A1001\" :{\"1\\.(?:[0-4][0-9]|50)\\.\":\"1.50.0.2\", \"1\\.5[1-7]\\.\":\"1.57.0.2\"},\n \"A8004\" : \"1.65.1\",\n \"A8105-E\" : \"1.58.2.2\",\n \"A9161\" : \"1.10.0.2\",\n \"A9188\" : \"1.10.0.2\",\n \"A9188-VE\" : \"1.10.0.2\",\n \"C1004-E\" : \"1.30.0.2\",\n \"C2005\" : \"1.30.0.2\",\n \"C3003\" : \"1.30.0.2\",\n \"ACB-LE\" : \"6.15.5.3\",\n \"ACC-L\" : \"6.15.6.3\",\n \"ACC-LW\" : \"6.15.6.3\",\n \"ACD-V\" : \"6.15.6.3\",\n \"ACD-WV\" : \"6.15.6.3\",\n \"ACE-L\" : \"6.15.5.3\",\n \"F34\" : \"6.50.1.2\",\n \"F41\" : \"6.50.1.2\",\n \"F44\" : \"6.50.1.2\",\n \"F44DualAudioInput\" : \"6.50.1.2\",\n \"M1004-W\" : \"5.50.5.10\",\n \"M1011\" : \"5.20.3\",\n \"M1011-W\" : \"5.20.4\",\n \"M1013\" : \"5.50.5.10\",\n \"M1014\" : \"5.50.5.10\",\n \"M1025\" : \"5.50.5.10\",\n \"M1031-W\" : \"5.20.5\",\n \"M1033-W\" : \"5.50.5.10\",\n \"M1034-W\" : \"5.50.5.10\",\n \"M1045-LW\" : \"6.15.6.1\",\n 
\"M1054\" : \"5.50.3.10\",\n \"M1065-L\" : \"7.20.1\",\n \"M1065-LW\" : \"6.15.6.1\",\n \"M1103\" : \"5.50.3.6\",\n \"M1104\" : \"5.50.3.6\",\n \"M1113\" : \"5.50.3.6\",\n \"M1114\" : \"5.50.3.6\",\n \"M1124\" : \"6.50.1.2\",\n \"M1125\" : \"6.50.1.2\",\n \"M1143-L\" : \"5.60.1.8\",\n \"M1144-L\" : \"5.60.1.8\",\n \"M1145\" : \"6.50.1.2\",\n \"M1145-L\" : \"6.50.1.2\",\n \"M2025-LE\" : \"7.20.1\",\n \"M2026-LE\" : \"7.20.1\",\n \"M3004\" : \"5.50.5.10\",\n \"M3005\" : \"5.50.5.10\",\n \"M3006\" : \"6.50.1.2\",\n \"M3007\" : \"6.50.1.2\",\n \"M3011\" : \"5.21.2\",\n \"M3014\" : {\"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.9.9\", \"5\\.(?:4[1-9]|50)\\.\":\"5.50.5.2\"},\n \"M3024\" : \"5.50.5.10\",\n \"M3025\" : \"5.50.5.10\",\n \"M3026\" : \"6.50.1.2\",\n \"M3027\" : \"6.50.1.2\",\n \"M3037\" : \"5.75.1.3\",\n \"M3044-V\" : \"7.20.1\",\n \"M3044-WV\" : \"6.15.6.1\",\n \"M3045-V\" : \"7.20.1\",\n \"M3045-WV\" : \"6.15.6.1\",\n \"M3046-V_1.8mm\" : \"6.15.7.1\",\n \"M3046-V\" : \"7.20.1\",\n \"M3104-L\" : \"7.20.1\",\n \"M3105-L\" : \"7.20.1\",\n \"M3106-L\" : \"7.20.1\",\n \"M3113-R\" : \"5.40.9.9\",\n \"M3113-VE\" : \"5.40.9.9\",\n \"M3114-R\" : \"5.40.9.9\",\n \"M3114-VE\" : \"5.40.9.9\",\n \"P8513\" : \"5.40.9.9\",\n \"P8514\" : \"5.40.9.9\",\n \"M3113-R\" : \"5.50.5.1\",\n \"M3113-VE\" : \"5.50.5.1\",\n \"M3114-R\" : \"5.50.5.1\",\n \"M3114-VE\" : \"5.50.5.1\",\n \"P8513\" : \"5.50.5.1\",\n \"P8514\" : \"5.50.5.1\",\n \"M3203\" : \"5.50.3.7\",\n \"M3204\" : \"5.50.3.7\",\n \"M5013\" : \"5.50.3.7\",\n \"M5014\" : \"5.50.3.7\",\n \"M7001\" : \"5.20.5\",\n \"M7011\" : \"6.50.1.2\",\n \"M7010\" : \"5.50.4.7\",\n \"M7014\" : \"5.50.4.7\",\n \"M7016\" : \"5.51.2.8\",\n \"M2014-E\" : \"5.50.9.2\",\n \"P1204\" : \"5.50.9.2\",\n \"P1214\" : \"5.50.9.2\",\n \"P1214-E\" : \"5.50.9.2\",\n \"P1224-E\" : \"5.50.9.2\",\n \"P12/M20\" : \"5.50.9.2\",\n \"P8524\" : \"5.50.9.2\",\n \"P1244\" : \"6.50.1.2\",\n \"P1254\" : \"6.50.1.2\",\n \"P1264\" : \"6.50.1.2\",\n \"P1311\" : \"5.20.2\",\n 
\"P1343\" : {\"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.9.11\", \"5\\.(?:4[1-9]|50)\\.\":\"5.50.5.1\"},\n \"P1344\" : {\"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.9.11\", \"5\\.(?:4[1-9]|50)\\.\":\"5.50.5.1\"},\n \"P1346\" : \"5.40.9.9\",\n \"P1347\" : \"5.40.9.9\",\n \"P1353\" : \"6.50.1.2\",\n \"P1354\" : \"6.50.1.2\",\n \"P1355\" : \"5.60.1.8\",\n \"P1357\" : \"6.50.1.2\",\n \"P1364\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P1365\" : \"6.50.1.2\",\n \"P1365 Mk II\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P1405\" : \"6.50.1.2\",\n \"P1405-LE Mk II\" : \"7.20.1\",\n \"P1425\" : \"6.50.1.2\",\n \"P1425-LE Mk II\" : \"7.20.1\",\n \"P1427\" : \"6.50.1.2\",\n \"P1428-E\" : \"6.50.1.2\",\n \"P1435\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P3214\" : \"6.50.1.2\",\n \"P3215\" : \"6.50.1.2\",\n \"P3224\" : \"6.50.1.2\",\n \"P3225\" : \"6.50.1.2\",\n \"P3224-V Mk II\" : \"6.55.5\",\n \"P3224-VE Mk II\" : \"6.55.5\",\n \"P3224-LV Mk II\" : \"6.55.5\",\n \"P3224-LVE Mk II\" : \"6.55.5\",\n \"P3225-V Mk II\" : \"6.55.5\",\n \"P3225-VE Mk II\" : \"6.55.5\",\n \"P3225-LV Mk II\" : \"6.55.5\",\n \"P3225-LVE Mk II\" : \"6.55.5\",\n \"P3301\" : {\"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.9.7\", \"5\\.(?:4[1-9]|50)\\.\":\"5.50.5.1\"},\n \"P3304\" : {\"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.9.7\", \"5\\.(?:4[1-9]|50)\\.\":\"5.50.5.1\"},\n \"P3343\" : \"5.40.9.11\",\n \"P3344\" : \"5.40.9.11\",\n \"P3346\" : \"5.50.3.7\",\n \"P3353\" : {\"6\\.[0-5][0-9]\\.\":\"6.50.1.2\", \"5\\.(?:4[1-9]|[5-6][0-9])\\.\":\"5.60.1.5\", \"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.17.2\"},\n \"P3354\" : {\"6\\.[0-5][0-9]\\.\":\"6.50.1.2\", \"5\\.(?:4[1-9]|[5-6][0-9])\\.\":\"5.60.1.5\", \"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.17.2\"},\n \"P3363\" : {\"6\\.[0-5][0-9]\\.\":\"6.50.1.2\", \"5\\.[0-6][0-9]\\.\":\"5.60.1.7\"},\n \"P3364\" : {\"6\\.[0-5][0-9]\\.\":\"6.50.1.2\", 
\"5\\.(?:4[1-9]|[5-6][0-9])\\.\":\"5.60.1.7\", \"5\\.(?:[0-3][0-9]|40)\\.\":\"5.40.17.2\"},\n \"P3365\" : \"6.50.1.2\",\n \"P3367\" : \"6.50.1.2\",\n \"P3384\" : \"6.50.1.2\",\n \"P3707-PE\" : \"6.50.1.3\",\n \"P3904\" : \"6.50.1.2\",\n \"P3904-R\" : \"6.50.1.2\",\n \"P3905\" : \"6.50.1.2\",\n \"P3915-R\" : \"6.50.1.2\",\n \"P5414-E\" : \"6.50.1.2\",\n \"P5415-E\" : \"6.50.1.2\",\n \"P5512\" : \"5.50.4.7\",\n \"P5512-E\" : \"5.50.4.7\",\n \"P5514\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P5514-E\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P5515\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P5515-E\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"P5522\" : \"5.50.4.8\",\n \"P5522-E\" : \"5.50.4.7\",\n \"P5532\" : \"5.41.3.4\",\n \"P5532-E\" : \"5.41.3.4\",\n \"P5534\" : \"5.40.9.8\",\n \"P5534-E\" : \"5.40.9.9\",\n \"P5544\" : \"5.41.2.4\",\n \"P5624-E\" : \"6.50.1.2\",\n \"P5624-E Mk II\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"P5635-E\" : \"6.50.1.2\",\n \"P5635-E Mk II\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"P7210\" : \"5.50.4.7\",\n \"P7214\" : \"5.50.4.7\",\n \"P7216\" : \"5.51.2.7\",\n \"P7224\" : \"5.51.2.7\",\n \"Q1602\" : \"5.60.1.8\",\n \"Q1604\" : \"6.50.1.2\",\n \"Q1614\" : \"6.50.1.2\",\n \"Q1615\" : \"6.50.1.2\",\n \"Q1635\" : \"6.50.1.2\",\n \"Q1635-E\" : \"6.50.1.2\",\n \"Q1615 Mk II\" : \"6.25.2.6\",\n \"Q1659\" : \"6.55.1.1\",\n \"Q1755\" : \"5.50.4.6\",\n \"Q1755-PT\" : \"5.50.2.2\",\n \"Q8722-E\" : \"5.50.2.2\",\n \"Q1765-EX\" : \"6.50.1.2\",\n \"Q1765-LE\" : \"6.50.1.2\",\n \"Q1765-LE-PT\" : \"6.50.1.2\",\n \"Q1775\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"(?:6\\.[0-5][0-9]|5\\.85)\\.\":\"6.50.1.2\"},\n \"Q1910\" : \"5.50.4.6\",\n \"Q1921\" : \"5.50.4.6\",\n \"Q1922\" : \"5.50.4.6\",\n 
\"Q1931-E\" : \"6.50.1.2\",\n \"Q1931-E-PT\" : \"6.50.1.2\",\n \"Q1932-E\" : \"6.50.1.2\",\n \"Q1932-E-PT\" : \"6.50.1.2\",\n \"Q1941-E\" : \"7.20.1\",\n \"Q1942-E\" : \"7.20.1\",\n \"Q2901-E\" : \"6.50.1.2\",\n \"Q2901-E-PT\" : \"6.50.1.2\",\n \"Q3505\" : \"6.50.1.2\",\n \"Q3504\" : \"6.25.2.5\",\n \"Q3505 Mk II\" : \"6.25.2.5\",\n \"Q3615\" : \"7.20.1\",\n \"Q3617\" : \"7.20.1\",\n \"Q3708-PVE\" : \"5.95.4.4\",\n \"Q3709-PVE\" : \"5.75.1.6\",\n \"Q6000-E\" : \"6.50.1.2\",\n \"Q6000-E Mk II\" : \"6.50.1.2\",\n \"Q6032\" : \"5.41.1.5\",\n \"Q6032-C\" : \"5.41.3.2\",\n \"Q6032-E\" : \"5.41.1.7\",\n \"Q6034\" : \"5.41.1.4\",\n \"Q6034-C\" : \"5.41.3.2\",\n \"Q6034-E\" : \"5.41.1.6\",\n \"Q6035\" : \"5.41.1.5\",\n \"Q6035-C\" : \"5.41.3.3\",\n \"Q6035-E\" : \"5.41.1.8\",\n \"Q6042\" : \"6.50.1.2\",\n \"Q6042-C\" : \"6.50.1.2\",\n \"Q6042-E\" : \"6.50.1.2\",\n \"Q6042-S\" : \"6.50.1.2\",\n \"Q6044\" : \"6.50.1.2\",\n \"Q6044-C\" : \"6.50.1.2\",\n \"Q6044-E\" : \"6.50.1.2\",\n \"Q6044-S\" : \"6.50.1.2\",\n \"Q6045\" : \"5.70.1.4\",\n \"Q6045-C\" : \"5.70.1.3\",\n \"Q6045-C Mk II\" : \"6.50.1.2\",\n \"Q6045-E\" : \"5.70.1.5\",\n \"Q6045-E Mk II\" : \"6.50.1.2\",\n \"Q6045 Mk II\" : \"6.50.1.2\",\n \"Q6045-S\" : \"5.70.1.3\",\n \"Q6045-S Mk II\" : \"6.50.1.2\",\n \"Q6052\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"Q6052-E\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"Q6054\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"Q6054-E\" : \"7.20.1\",\n \"Q6054-E\" : \"6.50.1.2\",\n \"Q6055\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"Q6055-C\" : \"7.20.1\",\n \"Q6055-E\" : {\"7\\.[0-2][0-9]\\.\":\"7.20.1\", \"6\\.[0-5][0-9]\\.\":\"6.50.1.2\"},\n \"Q6055-S\" : \"7.20.1\",\n \"Q6114-E\" : \"6.50.1.2\",\n \"Q6115-E\" : \"6.50.1.2\",\n \"Q6128-E\" : \"6.50.1.2\",\n \"Q6155-E\" : \"7.20.1\",\n \"Q6155-E\" : \"6.50.1.2\",\n \"Q7401\" : 
\"5.50.4.6\",\n \"Q7404\" : \"5.50.4.7\",\n \"Q7406\" : \"5.51.2.6\",\n \"Q7411\" : \"6.50.1.2\",\n \"Q7414\" : \"5.51.2.6\",\n \"Q7424-R\" : \"5.50.4.6\",\n \"Q7424-R Mk II\" : \"5.51.3.2\",\n \"Q7436\" : \"6.50.1.2\",\n \"Q8414-LVS\" : \"6.50.1.2\",\n \"Q8631-E\" : \"6.50.1.2\",\n \"Q8632-E\" : \"6.50.1.2\",\n \"Q8665-E\" : \"6.50.1.2\",\n \"Q8665-LE\" : \"6.50.1.2\",\n \"ACR\" : \"1.11.1\",\n \"V5914\" : \"5.75.1.7\",\n \"V5915\" : \"5.75.1.7\" \n};\n\nmodel = '';\nversion = '';\nsource = '';\n\n##\n# This vulnerability is in the web interface. If our web interface\n# is failing to extract the version / model for some reason than\n# a paranoid check can fall back to FTP and SNMP.\n#\n# @return NULL\n##\nfunction do_paranoid()\n{\n var ftp_port_list = get_kb_list(\"Services/ftp\");\n if (empty_or_null(ftp_port_list))\n {\n # add default port (in case we have an empty list)\n ftp_port_list = add_port_in_list(port: 21);\n }\n\n var port = 0;\n foreach port (ftp_port_list)\n {\n var banner = get_ftp_banner(port:port);\n if (!banner) continue;\n\n # ftp banner parser\n var item = pregmatch(string:banner,\n pattern:\"^220 (?:Axis|AXIS) ([0-9a-zA-Z-]+(?: Mk[ ]?II)?(?: Board [A-Z]+)?) 
[^0-9]+ ([0-9\\\\.]+)\");\n\n if(!empty_or_null(item))\n {\n # fix inconsistent formatting\n model = str_replace(find:'MkII', replace:'Mk II', string:item[1]);\n source = \"FTP\";\n version = item[2];\n return NULL;\n }\n }\n\n var snmp_desc = get_kb_list(\"SNMP/sysDesc\");\n if (!empty_or_null(snmp_desc))\n {\n var desc = NULL;\n foreach desc (snmp_desc)\n {\n item = pregmatch(pattern:\"^\\s*;\\s*(?:AXIS|Axis) ([^;]+);[^;]+;\\s*([\\d.]+)[^\\d.]\", string:desc);\n if(!empty_or_null(item))\n {\n # fix inconsistent formatting\n model = str_replace(find:'MkII', replace:'Mk II', string:item[1]);\n version = item[2];\n source = \"SNMP\";\n return NULL;\n }\n }\n }\n\n return NULL;\n}\n\n# loop over the AXIS web installs and pull out the model/version\nif (get_install_count(app_name:\"AXIS device\") > 0)\n{\n http_port_list = get_kb_list(\"Services/www\");\n if (empty_or_null(http_port_list))\n {\n http_port_list = add_port_in_list(port: 80);\n }\n\n foreach port (http_port_list)\n {\n installs = get_installs(app_name:'AXIS device', port:port, exit_if_not_found:FALSE);\n if (installs[0] != IF_OK)\n {\n continue;\n }\n\n install = installs[1][0];\n if (!empty_or_null(install[\"version\"]) && !empty_or_null(install[\"model\"]))\n {\n source = \"HTTP\";\n model = install[\"model\"];\n version = install[\"version\"];\n\n # fix inconsistent formatting\n model = str_replace(find:'MkII', replace:'Mk II', string:model);\n break;\n }\n }\n}\n\n# The vulnerability is through the web interface. 
However, if we are feeling\n# paranoid we can lean on other protocols to inform us of the version\nif (report_paranoia >= 2 && (empty_or_null(model) || empty_or_null(version)))\n{\n do_paranoid();\n}\n\nif (empty_or_null(model) || empty_or_null(version))\n{\n audit(AUDIT_HOST_NOT, \"an AXIS device\");\n}\n\nif(isnull(patch_list[model]))\n{\n audit(AUDIT_DEVICE_NOT_VULN, \"The AXIS \" + model, version);\n}\n\nfix = NULL;\n\n# some models have multiple fixed branches\nif(typeof_ex(patch_list[model]) == \"array\")\n{\n foreach branch (keys(patch_list[model]))\n {\n # add an anchor to ensure the match only occurs at the beginning\n if (preg(string:version, pattern:\"^\" + branch) == TRUE)\n {\n fix = patch_list[model][branch];\n\n # if we found it then don't keep looping\n break;\n }\n }\n\n if(isnull(fix))\n {\n audit(AUDIT_DEVICE_NOT_VULN, \"The AXIS \" + model, version);\n }\n}\nelse\n{\n fix = patch_list[model];\n}\n\nif (!empty_or_null(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n report = '\\n Model : ' + model +\n '\\n Software version : ' + version +\n '\\n Version source : ' + source +\n '\\n Fixed version : ' + fix + '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n exit(0);\n}\n\naudit(AUDIT_DEVICE_NOT_VULN, \"The AXIS \" + model, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-29T20:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "description": "A vulnerability was discovered in gsoap, a library for the development\nof SOAP web services and clients, that may be exposed with a large and\nspecific XML message over 2 GB in size. 
After receiving this 2 GB\nmessage, a buffer overflow can cause an open unsecured server to crash.\nClients communicating with HTTPS with trusted servers are not affected.", "modified": "2020-01-29T00:00:00", "published": "2018-02-08T00:00:00", "id": "OPENVAS:1361412562310891036", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891036", "type": "openvas", "title": "Debian LTS: Security Advisory for gsoap (DLA-1036-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891036\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-9765\");\n script_name(\"Debian LTS: Security Advisory for gsoap (DLA-1036-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-08 00:00:00 +0100 (Thu, 08 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/07/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"gsoap on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n2.8.7-2+deb7u1.\n\nWe recommend that you upgrade your gsoap packages.\");\n\n script_tag(name:\"summary\", value:\"A vulnerability was discovered in gsoap, a library for the development\nof SOAP web services and clients, that may be exposed with a large and\nspecific XML message over 2 GB in size. 
After receiving this 2 GB\nmessage, a buffer overflow can cause an open unsecured server to crash.\nClients communicating with HTTPS with trusted servers are not affected.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"gsoap\", ver:\"2.8.7-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"gsoap-dbg\", ver:\"2.8.7-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"gsoap-doc\", ver:\"2.8.7-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgsoap2\", ver:\"2.8.7-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-02T00:00:00", "id": "OPENVAS:1361412562310874394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874394", "type": "openvas", "title": "Fedora Update for gsoap FEDORA-2018-a9615e2a1e", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_a9615e2a1e_gsoap_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for gsoap FEDORA-2018-a9615e2a1e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), 
as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874394\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-02 16:58:58 +0530 (Wed, 02 May 2018)\");\n script_cve_id(\"CVE-2017-9765\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsoap FEDORA-2018-a9615e2a1e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsoap'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsoap on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-a9615e2a1e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOYSGU773RYHO644VSYD7ACAXNYVBOXG\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n 
script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsoap\", rpm:\"gsoap~2.8.43~3.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-12T00:00:00", "id": "OPENVAS:1361412562310873254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873254", "type": "openvas", "title": "Fedora Update for gsoap FEDORA-2017-d2174c28ed", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_d2174c28ed_gsoap_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for gsoap FEDORA-2017-d2174c28ed\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873254\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-12 07:50:54 +0200 (Sat, 12 Aug 2017)\");\n script_cve_id(\"CVE-2017-9765\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsoap FEDORA-2017-d2174c28ed\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsoap'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsoap on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-d2174c28ed\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GEH7JGE2PXLLVJ4FYNOUJMNM6TZDRLH7\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsoap\", rpm:\"gsoap~2.8.43~2.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9765"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-08-12T00:00:00", "id": "OPENVAS:1361412562310873241", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873241", "type": "openvas", "title": "Fedora Update for gsoap FEDORA-2017-ff06ff0ec9", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_ff06ff0ec9_gsoap_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for gsoap FEDORA-2017-ff06ff0ec9\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873241\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-12 07:49:47 +0200 (Sat, 12 Aug 2017)\");\n script_cve_id(\"CVE-2017-9765\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsoap FEDORA-2017-ff06ff0ec9\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsoap'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsoap on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-ff06ff0ec9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMGZJAQHDQKV5NEVLVAWL4GVK64FOJG3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsoap\", rpm:\"gsoap~2.8.30~2.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:47", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9765"], "description": "Package : gsoap\nVersion : 2.8.7-2+deb7u1\nCVE ID : CVE-2017-9765\n\nA vulnerability was discovered in gsoap, a library for the development\nof SOAP web services and clients, that may be exposed with a large and\nspecific XML message over 2 GB in size. After receiving this 2 GB\nmessage, a buffer overflow can cause an open unsecured server to crash.\nClients communicating with HTTPS with trusted servers are not affected.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n2.8.7-2+deb7u1.\n\nWe recommend that you upgrade your gsoap packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-07-24T19:19:34", "published": "2017-07-24T19:19:34", "id": "DEBIAN:DLA-1036-1:85DA7", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201707/msg00028.html", "title": "[SECURITY] [DLA 1036-1] gsoap security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2017-07-29T13:20:35", "bulletinFamily": "blog", "cvelist": ["CVE-2017-9765"], "description": "**Axis Communications** -- a maker of high-end security cameras whose devices can be found in many high-security areas -- recently patched a dangerous coding flaw in virtually all of its products that an 
attacker could use to remotely seize control over or crash the devices.\n\nThe problem wasn't specific to Axis, which seems to have reacted far more quickly than competitors to quash the bug. Rather, the vulnerability resides in open-source, third-party computer code that has been used in countless products and technologies (including a great many security cameras), meaning it may be some time before most vulnerable vendors ship out a fix -- and even longer before users install it.\n\nAt issue is a flaw in a bundle of reusable code (often called a \"[code library](<https://en.wikipedia.org/wiki/Library_\\(computing\\)>)\") known as [gSOAP](<http://www.cs.fsu.edu/~engelen/soap.html>), a widely-used toolkit that software or device makers can use so that their creations can talk to the Internet (or \"[parse XML](<http://xml.silmaril.ie/parsers.html>)\" for my geek readers). By some estimates, there are hundreds -- if not thousands -- of security camera types and other so-called \"Internet of Things\"(IoT) devices that rely upon the vulnerable gSOAP code.\n\nBy exploiting the bug, an attacker could force a vulnerable device to run malicious code, block the owner from viewing any video footage, or crash the system. Basically, lots of stuff you _don't_ want your pricey security camera system to be doing.\n\n[Genivia](<https://www.genivia.com/dev.html>), the company that maintains gSOAP, released [an update](<https://www.genivia.com/advisory.html>) on June 21, 2017 that fixes the flaw. In short order, Axis released a patch to plug the gSOAP hole [in nearly 250 of its products.](<https://www.axis.com/files/faq/ACV116267_\\(CVE-2017-9765\\).pdf>)\n\nGenivia chief executive **Robert Van Engelen** said his company has already reached out to all of its customers about the issue. 
He said a majority of customers use the gSOAP software to develop products, but that mostly these are client-side applications or non-server applications that are not affected by this software crash issue.\n\n\"It's a crash, not an exploit as far as we know,\" Van Engelen said. \"I estimate that over 85% of the applications are unlikely to be affected by this crash issue.\"\n\nStill, there are almost certainly dozens of other companies that use the vulnerable gSOAP code library and haven't (or won't) issue updates to fix this flaw, says **Stephen Ridley**, chief technology officer and founder of [Senrio](<https://www.senr.io>) -- the security company that discovered and reported the bug. What's more, because the vulnerable code is embedded within device firmware (the built-in software that powers hardware), there is no easy way for end users to tell if the firmware is affected without word one way or the other from the device maker.\n\n\"It is likely that tens of millions of products -- software products and connected devices -- are affected by this,\" Ridley said.\n\n\"Genivia claims to have more than 1 million downloads of gSOAP (most likely developers), and IBM, Microsoft, Adobe and Xerox as customers,\" the Senrio [report](<http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions>) reads. \"On [Sourceforge](<https://sourceforge.net/projects/gsoap2/>), gSOAP was downloaded more than 1,000 times in one week, and [30,000 times in 2017](<https://sourceforge.net/projects/gsoap2/files/stats/timeline?dates=2017-01-01+to+2017-07-12>). 
Once gSOAP is downloaded and added to a company\u2019s repository, it\u2019s likely used many times for different product lines.\" \n\n\nAnyone familiar with the stories published on this blog over the past year knows that most IoT devices -- security cameras in particular -- [do not have a stellar history](<https://krebsonsecurity.com/?s=mirai&x=0&y=0>) of shipping in a default-secure state (heck, many of these devices are [running versions of Linux that date back more than a decade](<https://krebsonsecurity.com/2016/12/researchers-find-fresh-fodder-for-iot-attack-cannons/>)). Left connected to the Internet in an insecure state, these devices can quickly be infected with IoT threats like [Mirai](<https://en.wikipedia.org/wiki/Mirai_\\(malware\\)>), which enslave them for use in high-impact denial-of-service attacks designed [to knock people and Web sites offline](<https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/>).\n\nWhen I heard about this bug I pinged the folks over at [IPVM](<https://www.ipvm.com>), a trade publication that tracks the video surveillance industry. IPVM Business Analyst **Brian Karas** said the type of flaw (known as a buffer overflow) in this case doesn't expose the vulnerable systems to IoT worms like Mirai, which can spread to devices that are running under factory-default usernames and passwords.\n\nIPVM polled almost a dozen top security camera makers, and said only two (including Axis) responded that they used the vulnerable gSOAP library in their products. 
Another three said they hadn't yet determined whether any of their products were potentially vulnerable.\n\n\"You probably wouldn't be able to make a universal, Mirai-style exploit for this flaw because it lacks the elements of simplicity and reproducibility,\" Karas said, noting that the exploit requires that an attacker be able to upload at least a 2 GB file to the Web interface for a vulnerable device.\n\n\"In my experience, I don't think it's that common for embedded systems to accept a 2-gigabyte file upload,\" Karas said. \"Every device is going to respond slightly differently, and it would probably take a lot of time to research each device and put together some kind of universal attack tool. Yes, people should be aware of this and patch if they can, but this is nowhere near as bad as [the threat from] Mirai.\"\n\nKaras said that, as with most other cyber security vulnerabilities in network devices, restricting network access to the unit will greatly reduce the chance of exploitation.\n\n\"Cameras utilizing a VMS ([video management system](<https://en.wikipedia.org/wiki/Video_management_system>)) or recorder for remote access, instead of being directly connected to the internet, are essentially immune from remote attack (though it is possible for the VMS itself to have vulnerabilities),\" IPVM wrote in an analysis of the gSOAP bug. 
In addition, changing the factory default settings (e.g., picking decent administrator passwords) and updating the firmware on the devices to the latest version may go a long way toward sidestepping any vulnerabilities.", "modified": "2017-07-18T14:30:11", "published": "2017-07-18T14:30:11", "id": "KREBS:7FB5E9D2AA4F4008C524A1DE82171B62", "href": "https://krebsonsecurity.com/2017/07/experts-in-lather-over-gsoap-security-flaw/", "title": "Experts in Lather Over \u2018gSOAP\u2019 Security Flaw", "type": "krebs", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2018-01-27T10:06:59", "bulletinFamily": "info", "cvelist": ["CVE-2017-9765"], "description": "[](<https://1.bp.blogspot.com/-kjKkhwO27H8/WW5M20e0jSI/AAAAAAAAtqg/xNfl31VAXlEp85PYfmw5X8vYL3bjkrnrgCLcBGAs/s1600/internet-of-the-things-hacking.png>)\n\nSecurity researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking. \n \nThe vulnerability (CVE-2017-9765), [discovered](<http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions>) by researchers at the IoT-focused security firm Senrio, resides in the software development library called **gSOAP toolkit** (Simple Object Access Protocol) \u2014 an advanced C/C++ auto-coding tool for developing XML Web services and XML application. \n \nDubbed \"**Devil's Ivy**,\" the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices. \n\n\nThe Devil's Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications. 
\n\n\n> \"When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,\" researchers say. \n\n> \"Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.\"\n\n \nAxis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete [list of affected camera models](<https://www.axis.com/files/faq/ACV116267_\\(CVE-2017-9765\\).pdf>) here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible. \n \nHowever, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others. \n \nAxis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia [released a patch](<https://www.genivia.com/changelog.html#Version_2.8.48_upd_\\(06/21/2017\\)>) on June 21, 2017. \n \nThe company also reached out to electronics industry consortium [ONVIF](<https://www.onvif.org/about/member-list/>) to ensure that all of its members that make use of gSOAP, including Canon, Cisco, and Siemens, become aware of the issue and can develop patches to fix the security hole. \n \nInternet of Things (IoT) devices have always been the weakest link and, therefore, an easy entry point for hackers to get into secured networks. 
So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.\n", "modified": "2017-07-18T18:28:47", "published": "2017-07-18T07:04:00", "id": "THN:8F66500942235D9D4A03E4C625153A05", "href": "https://thehackernews.com/2017/07/gsoap-iot-device-hacking.html", "type": "thn", "title": "Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-27T10:06:58", "bulletinFamily": "info", "cvelist": ["CVE-2017-7494", "CVE-2017-11421", "CVE-2017-9765"], "description": "[](<https://4.bp.blogspot.com/-DH264ym-PZ0/WXNTcb_StJI/AAAAAAAAtvA/JrS38SlU0ZA1oc-_iefk_XU1CVnjj7UugCLcBGAs/s1600/the-hacker-news-cybersecurity.png>)\n\nHere we are with our weekly roundup, briefing this week's top cyber security threats, incidents and challenges. \n \nThis week has been very short with big news from shutting down of two of the largest Dark Web marketplaces and theft of millions of dollars in the popular Ethereum cryptocurrency to the discovery of new Linux malware leveraging SambaCry exploit. \n \nWe are here with the outline of this week's stories, just in case you missed any of them. We recommend you read the entire thing (_just click 'Read More' because there's some valuable advice in there as well_). \n \nHere's the list of this Week's Top Stories: \n \n\n\n### 1\\. Feds Shuts Down AlphaBay and Hansa Dark Web Markets \u2014 Dream Market Under Suspicion\n\n \nOn Thursday, Europol announced that the authorities had shut down two of the largest criminal Dark Web markets \u2014 [AlphaBay and Hansa](<https://thehackernews.com/2017/07/alphabay-hansa-darkweb-markets-seized.html>) \u2014 in what's being called the largest-ever international operation against the dark web's black market conducted by the FBI, DEA and Dutch National Police. 
\n \nInterestingly, the federal authorities [shut down AlphaBay](<https://thehackernews.com/2017/07/alphabay-darkweb-alexandre-cazes.html>), but before taking down Hansa market, they took control of the Dark Web market and kept it running for at least a month in an effort to monitor the activities of its visitors, including a massive flood of Alphabay refugees. \n \nAfter the shutdown of both [AlphaBay](<https://thehackernews.com/2017/07/dark-web-market-exit-scam.html>) and Hansa, [Dream Market](<https://thehackernews.com/2017/07/dream-market-darkweb.html>) has emerged as the leading player, which has been in business since 2013, but it has now been speculated by many dark web users that Dream Market is also under police control. \n \nFor detailed information \u2014 [Read more](<https://thehackernews.com/2017/07/dream-market-darkweb.html>). \n \n\n\n### 2\\. New Ransomware Threatens to Send Your Internet History to All Your Friends\n\n \nAfter [WannaCry](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) and [Petya ransomware](<https://thehackernews.com/2017/06/petya-ransomware-attack.html>) outbreaks, a new strain of ransomware has been making the rounds on the Google Play Store in bogus apps, which targets Android mobile phone users. \n \nDubbed [LeakerLocker](<https://thehackernews.com/2017/07/leakerlocker-android-ransomware.html>), instead of encrypting files on your device, this Android ransomware secretly collects personal images, messages and browsing history and then threatens to share them with your contacts if you don't pay $50 (\u00a338). \n \nFor more detailed information on the LeakerLocker ransomware \u2014 [Read more](<https://thehackernews.com/2017/07/leakerlocker-android-ransomware.html>). \n \n\n\n### 3\\. 
New CIA Leaks \u2014 Smartphone Hacking and Malware Development\n\n[](<https://1.bp.blogspot.com/-QdcoFTNWWHQ/WWePxKGZCqI/AAAAAAAAtm8/m7OoDKS5lzQ1GMVAQ0agWsOYo7wP2GM_QCLcBGAs/s1600/smartphone-hacking-tool.png>)\n\nWikiLeaks last week published the 16th batch of its ongoing Vault 7 leak, revealing the [CIA's Highrise Project ](<https://thehackernews.com/2017/07/cia-smartphone-hacking-tool.html>)that allowed the spying agency to stealthy collect and forwards stolen data from compromised smartphones to its server through SMS messages. \n \nThis week, the whistleblowing organisation revealed about a CIA contractor \u2014 [Raytheon Blackbird Technologies](<https://thehackernews.com/2017/07/cia-malware-development.html>) \u2014 who was responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals. \n \nFor more detailed information on Highrise Project and its contractor Raytheon Blackbird Technologies \u2014 [Read More](<https://thehackernews.com/2017/07/cia-malware-development.html>). \n \n\n\n### 4\\. Three Back-to-Back Multi-Million Dollar Ethereum Heist in 20 Days\n\n \nThis week, an unknown hacker stole nearly [$32 Million worth of Ethereum](<https://thehackernews.com/2017/07/ethereum-cryptocurrency-hacking.html>) \u2013 one of the most popular and increasingly valuable cryptocurrencies \u2013 from wallet accounts linked to at least three companies by exploiting a critical vulnerability in Parity's Ethereum Wallet software. \n \nThis was the third Ethereum cryptocurrency heist that came out two days after an alleged [hacker stole $7.4 Million](<https://thehackernews.com/2017/07/ethereum-cryptocurrency-heist.html>) worth of Ether from trading platform CoinDash and two weeks after someone hacked into South Korean cryptocurrency exchange and [stole more than $1 Million in Ether](<https://thehackernews.com/2017/07/bitcoin-ethereum-cryptocurrency-exchange.html#>) and Bitcoins from user accounts. 
\n \nFor more detailed information about the Ethereum Heist \u2014 [Read More](<https://thehackernews.com/2017/07/ethereum-cryptocurrency-hacking.html>). \n \n\n\n### 5\\. Critical Gnome Flaw Leaves Linux PCs Vulnerable\n\n \nThis week has been bad for Linux users as well. A security researcher discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that allowed hackers to execute malicious code on targeted Linux machines. \n \nGerman researcher Nils Dagsson Moskopp dubbed the vulnerability Bad Taste ([CVE-2017-11421](<https://thehackernews.com/2017/07/linux-gnome-vulnerability.html>)) and also released proof-of-concept (PoC) code on his blog to demonstrate the vulnerability. \n \nFor more details about the Bad Taste vulnerability and its PoC \u2014 [Read More](<https://thehackernews.com/2017/07/linux-gnome-vulnerability.html>). \n \n\n\n### 6\\. New Malware Exploits SambaCry to Hijack NAS Devices\n\n[](<https://4.bp.blogspot.com/-W7qON8E4XPQ/WW8UKkBfj5I/AAAAAAAAtrA/yX6XHNoym1oYwi3gPXyGvn0oBkjSFM5NwCLcBGAs/s1600/sambacry-backdoor-nas-devices.png>)\n\nDespite being patched in late May, the [SambaCry vulnerability](<https://thehackernews.com/2017/05/samba-rce-exploit.html>) is currently being leveraged by a new piece of malware to target the Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances. \n \nSambaCry is a 7-year-old critical remote code execution (RCE) vulnerability (CVE-2017-7494) in Samba networking software that could allow a hacker to [remotely take full control](<https://thehackernews.com/2017/06/linux-samba-vulnerability.html>) of a vulnerable Linux and Unix machines. \n \nThe flaw was discovered and patched two months ago, but researchers at Trend Micro warned that the flaw had been actively exploited by the [SHELLBIND malware](<https://thehackernews.com/2017/07/linux-malware-sambacry.html>) that mostly targets NAS devices used by small and medium-size businesses. 
\n \nFor more detailed information on the SHELLBIND malware \u2014 [Read More](<https://thehackernews.com/2017/07/linux-malware-sambacry.html>). \n \n\n\n### 7\\. Devil's Ivy \u2014 Millions of Internet-Connected Devices At Risk\n\n \nThis week, researchers at the IoT-focused security firm Senrio discovered a critical remotely exploitable vulnerability in an open-source software development library used by major IoT manufacturers that eventually left millions of smart devices vulnerable to hacking. \n \nDubbed Devil's Ivy, the vulnerability ([CVE-2017-9765](<https://thehackernews.com/2017/07/gsoap-iot-device-hacking.html>)) in the gSOAP toolkit (Simple Object Access Protocol) \u2014 an advanced C/C++ auto-coding tool for developing XML Web services and XML application. \n \nThe researchers also released proof-of-concept (PoC) video demonstrating the RCE on a security camera manufactured by Axis Communications. \n \nFor more detailed information on the Devil's Ivy and PoC video \u2014 [Read More](<https://thehackernews.com/2017/07/gsoap-iot-device-hacking.html>). \n \n\n\n### 8\\. \u201cUbuntu Linux for Windows 10 Released\u201d \u2014 Sounds So Weird?\n\n \nDownloading an entire operating system has just become as easy as downloading an application for Windows 10 users, as Microsoft last week announced the availability of popular Linux distro 'Ubuntu' in the Windows App Store. \n \nWhile the company announced its plans to launch Fedora and SUSE Linux as well on Windows Store, the company did not reveal exactly when its users can expect to see these two flavours of Linux distro on the App Store. \n \nFor detailed information on how to install and run Ubuntu on Windows 10 \u2014 [Read More](<https://thehackernews.com/2017/07/windows-10-ubuntu-linux.html>). \n \n\n\n### 9\\. 
Over 70,000 Memcached Servers Vulnerable to Hacking\n\n[](<https://3.bp.blogspot.com/-WfDOuFmgJLo/WW4pkRfGFkI/AAAAAAAAtqQ/rNakdiVULsgnWngXlDAj0e0RfkdcvZDdQCLcBGAs/s1600/memcached-vulnerabilities.png>)\n\nIt's been almost eight months since the Memcached developers have patched several [critical remote code execution](<https://thehackernews.com/2017/07/memcached-vulnerabilities.html>) (RCE) vulnerabilities in the software, but tens of thousands of servers running Memcached application are still vulnerable. \n \nCisco's Talos intelligence and research group last year discovered three critical [RCE vulnerabilities in Memcached](<https://thehackernews.com/2016/11/memcached-hacking.html>) \u2014 a moder[http://thehackernews.com/2017/07/segway-hoverboard-hacking.html](<https://thehackernews.com/2017/07/segway-hoverboard-hacking.html>)n open-source and easily deployable distributed caching system that allows objects to be stored in memory. \n \nThe vulnerability exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers, but the team of researchers scanned the internet on two different occasions and found that over 70,000 servers are still vulnerable to the attacks, including ransomware attacks similar to the one that [hit MongoDB databases](<https://thehackernews.com/2017/01/mongodb-database-security.html>) in late December. \n \nFor more in-depth information on the Memcached vulnerabilities \u2014 [Read More](<https://thehackernews.com/2017/07/memcached-vulnerabilities.html>). \n \n\n\n### 10\\. Tor Launches Bug Bounty Program for Public\n\n \nAfter its [intention to launch](<https://thehackernews.com/2015/12/tor-project-bug-bounty.html>) a public bug bounty program in late December 2015, the Tor Project has finally launched a \"[Bug Bounty Program](<https://thehackernews.com/2017/07/tor-bug-bounty-program.html>),\" encouraging hackers and security researchers to find and privately report bugs that could compromise the anonymity network. 
\n \nThe bug bounty reports will be sent through HackerOne \u2014 a startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors \u2013 and even the U.S. Department of Defense for [Hack the Pentagon](<https://thehackernews.com/2016/03/hack-the-pentagon.html>) initiative. \n \nFor detailed information on bug bounty prices and types of valid vulnerabilities \u2014 [Read More](<https://thehackernews.com/2017/07/tor-bug-bounty-program.html>). \n \n\n\n### Other Important News This Week\n\n \nBesides these, there were lots of incidents happened this week, including: \n \n\n\n * [Microsoft's smart move](<https://thehackernews.com/2017/07/russian-fancy-bear-hacking-group.html>) to help take down cyber espionage campaigns conducted by \"[Fancy Bear](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>)\" hacking group.\n * A new [credential stealing malware](<https://thehackernews.com/2017/07/cybercrime-as-as-service.html>) found being sold for as cheap as $7 on underground forums.\n * Cisco patched a highly critical RCE [vulnerability in its WebEx](<https://thehackernews.com/2017/07/cisco-webex-vulnerability.html>) browser extension for Chrome and Firefox, which could allow attackers to execute malicious code on a victim's computer remotely.\n * Windows 10 now let you [Reset forgotten password directly](<https://thehackernews.com/2017/07/reset-windows-password-recovery.html>) from your computer's Lock Screen.\n * Several critical vulnerabilities in Segway Ninebot miniPRO could allow hackers to remotely take \"full control\" over the hoverboard within range and leave riders out-of-control.\n * [Ashley Madison](<https://thehackernews.com/2017/07/ashley-madison-data-breach.html>)'s parent company Ruby Corp has agreed to pay a total of $11.2 Million to roughly 37 million users whose personal details were exposed in a [massive data breach](<https://thehackernews.com/2015/07/adult-dating-website.html>) two 
years ago.\n", "modified": "2017-07-22T18:40:04", "published": "2017-07-22T02:35:00", "id": "THN:590A2A4F40D408F427266EBA5EE7B530", "href": "https://thehackernews.com/2017/07/hacker-news-cybersecurity.html", "type": "thn", "title": "THN Weekly Roundup \u2014 10 Most Important Stories You Shouldn't Miss", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:14", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9765"], "description": "\nSenrio reports:\n\nGenivia gSOAP is prone to a stack-based buffer-overflow\n\t vulnerability because it fails to properly bounds check user-supplied\n\t data before copying it into an insufficiently sized buffer.\nA remote attacker may exploit this issue to execute arbitrary code\n\t in the context of the affected device. Failed attempts will likely\n\t cause a denial-of-service condition.\n\n", "edition": 6, "modified": "2017-07-18T00:00:00", "published": "2017-07-18T00:00:00", "id": "8745C67E-7DD1-4165-96E2-FCF9DA2DC5B5", "href": "https://vuxml.freebsd.org/freebsd/8745c67e-7dd1-4165-96e2-fcf9da2dc5b5.html", "title": "gsoap -- remote code execution via via overflow", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-07-20T10:26:55", "bulletinFamily": "info", "cvelist": ["CVE-2017-9765"], "edition": 1, "description": "Remember a few days ago Avanti vending machines loopholes, leakage of a large amount of user information? It didn't take long, the other one for IoT device attacks appeared again, this time the recruitment is the development of IoT devices open-source software library that may affect millions of IoT devices. \nSecurity researcher found a large number of the IoT device developers the use of open source software development Library for gSOAP in the emergence of a severe remote code execution vulnerability that could affect millions of IoT devices. \n! 
[](/Article/UploadPic/2017-7/20177201572551. png? www. myhack58. com) \ngSOAP is a double-authorized library that can be used for free can also be used for commercial purposes by Genivia company development and maintenance, wherein the SOAP is the Simple Object Access Protocol acronym, meaning the Simple Object Access Protocol. gSOAP is widely used in embedded device firmware development in C/C++ library. Genivia at its official website shows, the gSOAP library can help manufacturers\u201cthe development in line with the industry, the latest XML, XML WebService, WSDL, SOAP, REST, JSON, WS-Security and other standards products.\u201d \nIoT security company Senrio researcher first in the gSOAP found this vulnerability number CVE-2017-9765, and named it \u201cDevil's Ivy\u201din green dill on.\u201c Green Rose\u201d is a stack buffer overflow vulnerability that may allow a hacker remote attack DOS attacks in SOAP Web Services daemon, and in the presence of a vulnerability on a device to execute arbitrary code. \nSenrio representation, the reason for this vulnerability is named the\u201cgreen Rose\u201d, is because of this vulnerability just like the green dill-like, hard to kill, but also through code reuse can quickly spread. This vulnerability exists in the download the amount up to millions of third-party tools package, it can affect millions of IoT devices, and very difficult to remove. \nThe main attack Axis security cameras \nThe researchers in the analysis of Axis M3004 Security Camera products, for the first time found \u201cthe green rose\u201d vulnerability.\u201c Green dill\u201d attack by Axis Communications, axis network communications company, to develop secure networked Camera, the video below will demonstrate the entire attack process. \n\nThe use of\u201cgreen rose\u201d, the attacker can remotely access a segment of video data, or prevent the original user to access the video information. 
\nOriginally this camera is mainly used for security, for example, for Bank Hall monitoring, etc. If attacked, will lead to disclosure of sensitive information, or cause the supervisor is unable to detect or record a crime, resulting in criminal evidence is lost. \nThe researchers used the reverse tool IDA Pro, detection to the\u201cgreen radish\u201dpart of the attack details: \n! [](/Article/UploadPic/2017-7/20177201572413. png? www. myhack58. com) \nVulnerability and fix \nAxis company recognized its 252 camera products in 249 paragraph are subject to the\u201cgreen radish\u201dvulnerability, and in the 6 on 6 November released a firmware upgrade for the repair of vulnerabilities. The relevant users should upgrade immediately updated. \nThe following is the full Camera Model List, the user can control the list, identify yourself as a webcam model and take the appropriate repair measures. \n! [](/Article/UploadPic/2017-7/20177201572217. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-7/20177201573247. png? www. myhack58. com) \nVulnerabilities after the outbreak, the Axis immediately to be responsible for the maintenance gSOAP by Genivia company reported this vulnerability, Genivia then, in 6 month 21 days the issuance of the patch, contact the ONVIF, the vulnerability notice all use gSOAP for the ONVIF members, including Canon, Cisco, Siemens, etc., and urge these vendors as soon as possible to fix vulnerabilities. ONVIF stands for open network video interface Forum, is an international non-profit organization by a group of hardware manufacturers spontaneous composition, often publishing IT technology and solutions. \nAlthough the Axis in the product to fix the \u201cgreen rose\u201d vulnerability, but researchers are still worried, they believe that this vulnerability may also affect other IoT devices, as Canon, Siemens, Cisco, Hitachi and other major manufacturers are using gSOAP this developer library. 
Moreover, gSOAP has a huge IoT developer user groups. Genivia has in the official website declared that the gSOAP downloads exceeded 100 million times. \nDiscover the vulnerability of Senrio the company analyzed the available information, found that about 6% of the NOVIF members using the gSOAP development of products, Senrio infer, there may be millions of devices will be\u201cgreen rose\u201deffect. \n! [](/Article/UploadPic/2017-7/20177201573138. png? www. myhack58. com) \nResponse on IoT attack \nMaybe in life, we are familiar with the networking device is a personal computer and a mobile phone, but in fact, Large the intersection of traffic lights, small wrist wearable device, all belonging to the IoT device. IoT devices are flooded with every aspect of our lives, its security issues can not be ignored. \nIn recent years, the IoT device vulnerabilities are frequent, can be described as Network Security most vulnerable. Hackers often take advantage of the IoT device vulnerabilities, intrusion security network, to more serious damage. The detection of\u201cgreen rose\u201d, Senrio company for IoT security presents some recommendations: \n1\\. Security hardware facilities are not connected to the public network: 7 on 1 May, a Sudanese researcher, said more than 14700 Station Axis spherical Surveillance Camera vulnerabilities, anyone can access the surveillance video. In fact, all the presence of the\u201cgreen rose\u201dvulnerability of the camera are very easy to exploit. Security Camera such device should be connected to the personal network, so as to reduce the invasion possible. \n2\\. As much as possible to do everything IoT [the security guard](<http://www.myhack58.com/Article/60/Article_060_1.htm>)measures: for IoT devices set up a firewall or using NAT network address translation technology, you can reduce the IoT device of the degree of exposure, and enhance the threat detection index. \n3\\. Timely update and patching: vulnerability is inevitable. 
Leakage occurs, the user can do is in a patch is released for the first time to download updates, and timely repair. \nFor manufacturers, the added like ONVIF such groups may be a great benefit. In such groups, not only to achieve rapid emergency response and linkage, in a timely and effective stop-loss, but also to achieve more technology sharing and Threat Intelligence are used interchangeably, as far as possible to reduce security risks. \n\n", "modified": "2017-07-20T00:00:00", "published": "2017-07-20T00:00:00", "id": "MYHACK58:62201788024", "href": "http://www.myhack58.com/Article/html/3/62/2017/88024.htm", "title": "gSOAP open-source software development library aeration\u201cgreen rose\u201dvulnerability, millions of IoT devices in jeopardy-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2020-12-18T03:22:47", "bulletinFamily": "info", "cvelist": ["CVE-2017-9765"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 8.1**\n * **ATTENTION: **Exploitable remotely\n * **Vendor:** OSIsoft LLC\n * **Equipment:** OSIsoft PI SQL Client\n * **Vulnerability: **Integer Overflow or Wraparound\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow remote code execution or cause a denial of service, resulting in disclosure, deletion, or modification of information.\n\n## 3\\. 
TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of OSIsoft PI SQL Client, a component interface that enables data access via SQL queries to the PI System, are affected:\n\n * PI SQL Client 2018 (PI SQL Client OLEDB 2018)\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [INTEGER OVERFLOW OR WRAPAROUND CWE-190](<https://cwe.mitre.org/data/definitions/190.html>)\n\nAn attacker could exploit this vulnerability in a third-party component to remotely execute code on the client computer with the same permissions as the PI SQL Client user.\n\nCommunication with a malicious PI SQL Data Access Server (RTQP Engine) is needed to expose a PI SQL client to this vulnerability.\n\n[CVE-2017-9765](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9765>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **United States\n\n### 3.4 RESEARCHER\n\nOSIsoft reported this vulnerability to CISA.\n\n## 4\\. MITIGATIONS\n\nOSIsoft recommends users upgrade to PI SQL Client 2018 R2 or later to resolve this issue. 
To download PI SQL Client 2018 R2, please access the OSIsoft customer portal (login required).\n\nOSIsoft also provides the following measures to be used to avoid exploitation:\n\nConfigure the PI SQL Client OLEDB 2018 Data Link Advanced Properties to use NetTcp (Port 5465) and delete Https/Soap (Port 5464) from the network protocol order.\n\nThe following measures can be used to lower the likelihood of exploitation: \n\n * Restrict PI SQL Client outbound network connections to trusted servers.\n * Monitor network infrastructure for spoofing attacks on PI SQL Data Access Servers.\n * Monitor PI SQL Data Access Servers for unauthorized access.\n\nThe following measures can be used to lower the potential impact of exploitation: \n\n * Execute PI SQL Client using a least privilege account.\n * Use application whitelisting on the PI SQL Client to block unauthorized code execution.\n\nFor more information on this vulnerability, please refer to OSIsoft\u2019s security bulletin (login required): [OSIsoft releases security update to PI SQL Client 2018](<https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=OSIsoft-releases-security-update-to-PI-SQL-Client-2018>)\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. High skill level is needed to exploit.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ics/advisories/icsa-19-253-06>); we'd welcome your feedback.\n", "edition": 8, "modified": "2019-09-10T00:00:00", "published": "2019-09-10T00:00:00", "id": "ICSA-19-253-06", "href": "https://www.us-cert.gov//ics/advisories/icsa-19-253-06", "title": "OSIsoft PI SQL Client", "type": "ics", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}