Botan security vulnerabilities: Infinite loop in square root algorithm, heap overflow on ECC point, access to heap overflow via ECC point decoding
Reporter | Title | Published | Views | Family All 45 |
---|---|---|---|---|
Gentoo Linux | Botan: Multiple vulnerabilities | 13 Dec 201600:00 | – | gentoo |
Tenable Nessus | GLSA-201612-38 : Botan: Multiple vulnerabilities | 13 Dec 201600:00 | – | nessus |
Tenable Nessus | Fedora 23 : botan-1.10.12-1.fc23 / code-editor-2.8.1-13.fc23 / monotone-1.1-13.fc23 / etc (2016-fb9b356b74) | 4 Mar 201600:00 | – | nessus |
Tenable Nessus | Fedora 22 : botan-1.10.12-1.fc22 / code-editor-2.8.1-13.fc22 / monotone-1.1-13.fc22 / etc (2016-1c08d77b96) | 4 Mar 201600:00 | – | nessus |
Tenable Nessus | Debian DSA-3565-1 : botan1.10 - security update | 3 May 201600:00 | – | nessus |
FreeBSD | Multiple vulnerabilities in Botan | 1 Feb 201600:00 | – | freebsd |
Fedora | [SECURITY] Fedora 23 Update: code-editor-2.8.1-13.fc23 | 23 Feb 201619:24 | – | fedora |
Fedora | [SECURITY] Fedora 23 Update: qt-creator-3.6.0-6.fc23 | 23 Feb 201619:24 | – | fedora |
Fedora | [SECURITY] Fedora 22 Update: botan-1.10.12-1.fc22 | 29 Feb 201622:26 | – | fedora |
Fedora | [SECURITY] Fedora 22 Update: monotone-1.1-13.fc22 | 29 Feb 201622:26 | – | fedora |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(90287);
script_version("2.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2016-2194", "CVE-2016-2195");
script_name(english:"FreeBSD : Multiple vulnerabilities in Botan (4cd9b19f-f66d-11e5-b94c-001999f8d30b)");
script_summary(english:"Checks for updated package in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:"The remote FreeBSD host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"The botan developers reports :
Infinite loop in modular square root algorithm - The ressol function
implements the Tonelli-Shanks algorithm for finding square roots could
be sent into a nearly infinite loop due to a misplaced conditional
check. This could occur if a composite modulus is provided, as this
algorithm is only defined for primes. This function is exposed to
attacker controlled input via the OS2ECP function during ECC point
decompression.
Heap overflow on invalid ECC point - The PointGFp constructor did not
check that the affine coordinate arguments were less than the prime,
but then in curve multiplication assumed that both arguments if
multiplied would fit into an integer twice the size of the prime.
The bigint_mul and bigint_sqr functions received the size of the
output buffer, but only used it to dispatch to a faster algorithm in
cases where there was sufficient output space to call an unrolled
multiplication function.
The result is a heap overflow accessible via ECC point decoding, which
accepted untrusted inputs. This is likely exploitable for remote code
execution.
On systems which use the mlock pool allocator, it would allow an
attacker to overwrite memory held in secure_vector objects. After this
point the write will hit the guard page at the end of the mmapped
region so it probably could not be used for code execution directly,
but would allow overwriting adjacent key material."
);
# http://botan.randombit.net/security.html
script_set_attribute(
attribute:"see_also",
value:"https://botan.randombit.net/security.html"
);
# https://vuxml.freebsd.org/freebsd/4cd9b19f-f66d-11e5-b94c-001999f8d30b.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?e4c67765"
);
script_set_attribute(attribute:"solution", value:"Update the affected package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:botan110");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/01");
script_set_attribute(attribute:"patch_publication_date", value:"2016/03/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"botan110<1.10.11")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo