Lucene search

K
nessusThis script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.FREEBSD_PKG_59FABDF2954911EA944808002728F74C.NASL
HistoryMay 14, 2020 - 12:00 a.m.

FreeBSD : typo3 -- multiple vulnerabilities (59fabdf2-9549-11ea-9448-08002728f74c)

2020-05-1400:00:00
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.0%

Typo3 News :

CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset

It has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not.

CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting.
A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling

It has been discovered that link tags generated by typolink functionality are vulnerable to cross-site scripting - properties being assigned as HTML attributes have not been parsed correctly.

CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized

Calling unserialize() on malicious user-submitted content can result in the following scenarios :

  • trigger deletion of arbitrary directory in file system (if writable for web server)

  • trigger message submission via email using identity of website (mail relay)

Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings

It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface

It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server - scripts are then executed with the privileges of the victims’ user session.

In a worst case scenario new admin users can be created which can directly be used by an attacker. The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS) - but happens on the same target host - thus, it’ actually a same-site request forgery (SSRF).

Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a 3rd party extension - e.g. file upload in a contact form with knowing the target location.

The attacked victim requires an active and valid backend or install tool user session at the time of the attack to be successful.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2020 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include('compat.inc');

if (description)
{
  script_id(136596);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/13");

  script_cve_id(
    "CVE-2020-11063",
    "CVE-2020-11064",
    "CVE-2020-11065",
    "CVE-2020-11066",
    "CVE-2020-11067",
    "CVE-2020-11069"
  );

  script_name(english:"FreeBSD : typo3 -- multiple vulnerabilities (59fabdf2-9549-11ea-9448-08002728f74c)");

  script_set_attribute(attribute:"synopsis", value:
"The remote FreeBSD host is missing one or more security-related
updates.");
  script_set_attribute(attribute:"description", value:
"Typo3 News :

CVE-2020-11063: TYPO3-CORE-SA-2020-001: Information Disclosure in
Password Reset

It has been discovered that time-based attacks can be used with the
password reset functionality for backend users. This allows an
attacker to verify whether a backend user account with a given email
address exists or not.

CVE-2020-11064: TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form
Engine

It has been discovered that HTML placeholder attributes containing
data of other database records are vulnerable to cross-site scripting.
A valid backend user account is needed to exploit this vulnerability.

CVE-2020-11065: TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link
Handling

It has been discovered that link tags generated by typolink
functionality are vulnerable to cross-site scripting - properties
being assigned as HTML attributes have not been parsed correctly.

CVE-2020-11066: TYPO3-CORE-SA-2020-004: Class destructors causing
side-effects when being unserialized

Calling unserialize() on malicious user-submitted content can result
in the following scenarios :

- trigger deletion of arbitrary directory in file system (if writable
for web server)

- trigger message submission via email using identity of website
(mail relay)

Another insecure deserialization vulnerability is required to actually
exploit mentioned aspects.

CVE-2020-11067: TYPO3-CORE-SA-2020-005: Insecure Deserialization in
Backend User Settings

It has been discovered that backend user settings (in $BE_USER->uc)
are vulnerable to insecure deserialization. In combination with
vulnerabilities of 3rd party components this can lead to remote code
execution. A valid backend user account is needed to exploit this
vulnerability.

CVE-2020-11069: TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to
Backend User Interface

It has been discovered that the backend user interface and install
tool are vulnerable to same-site request forgery. A backend user can
be tricked into interacting with a malicious resource an attacker
previously managed to upload to the web server - scripts are then
executed with the privileges of the victims' user session.

In a worst case scenario new admin users can be created which can
directly be used by an attacker. The vulnerability is basically a
cross-site request forgery (CSRF) triggered by a cross-site scripting
vulnerability (XSS) - but happens on the same target host - thus,
it' actually a same-site request forgery (SSRF).

Malicious payload such as HTML containing JavaScript might be provided
by either an authenticated backend user or by a non-authenticated user
using a 3rd party extension - e.g. file upload in a contact form with
knowing the target location.

The attacked victim requires an active and valid backend or install
tool user session at the time of the attack to be successful.");
  # https://typo3.org/article/typo3-1042-and-9517-security-releases-published
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?85e2a4a7");
  script_set_attribute(attribute:"see_also", value:"https://get.typo3.org/release-notes/9.5.17");
  script_set_attribute(attribute:"see_also", value:"https://get.typo3.org/release-notes/10.4.2");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-001");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-002");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-003");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-004");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-005");
  script_set_attribute(attribute:"see_also", value:"https://typo3.org/security/advisory/typo3-core-sa-2020-006");
  # https://vuxml.freebsd.org/freebsd/59fabdf2-9549-11ea-9448-08002728f74c.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d6e8e7f2");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11069");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-11066");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-10-php72");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-10-php73");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-10-php74");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-9-php72");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-9-php73");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:typo3-9-php74");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"FreeBSD Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"typo3-9-php72<9.5.17")) flag++;
if (pkg_test(save_report:TRUE, pkg:"typo3-9-php73<9.5.17")) flag++;
if (pkg_test(save_report:TRUE, pkg:"typo3-9-php74<9.5.17")) flag++;
if (pkg_test(save_report:TRUE, pkg:"typo3-10-php72<10.4.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"typo3-10-php73<10.4.2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"typo3-10-php74<10.4.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
freebsdfreebsdtypo3-10-php72p-cpe:/a:freebsd:freebsd:typo3-10-php72
freebsdfreebsdtypo3-10-php73p-cpe:/a:freebsd:freebsd:typo3-10-php73
freebsdfreebsdtypo3-10-php74p-cpe:/a:freebsd:freebsd:typo3-10-php74
freebsdfreebsdtypo3-9-php72p-cpe:/a:freebsd:freebsd:typo3-9-php72
freebsdfreebsdtypo3-9-php73p-cpe:/a:freebsd:freebsd:typo3-9-php73
freebsdfreebsdtypo3-9-php74p-cpe:/a:freebsd:freebsd:typo3-9-php74
freebsdfreebsdcpe:/o:freebsd:freebsd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.0%