Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.MACOSX_FUSION_6_0_3.NASL
HistoryApr 21, 2014 - 12:00 a.m.

VMware Fusion 6.x < 6.0.3 OpenSSL Library Multiple Vulnerabilities (VMSA-2014-0004) (Heartbleed)

2014-04-2100:00:00
This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
34
JSON

The version of VMware Fusion 6.x installed on the remote Mac OS X host is prior to 6.0.3. It is, therefore, reportedly affected by the following vulnerabilities in the OpenSSL library :

  • An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the ‘FLUSH+RELOAD’ cache side-channel attack. (CVE-2014-0076)

  • An out-of-bounds read error, known as the ‘Heartbleed Bug’, exists related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material and other protected content.
    (CVE-2014-0160)

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(73670);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2014-0076", "CVE-2014-0160");
  script_bugtraq_id(66363, 66690);
  script_xref(name:"CERT", value:"720951");
  script_xref(name:"EDB-ID", value:"32745");
  script_xref(name:"EDB-ID", value:"32764");
  script_xref(name:"EDB-ID", value:"32791");
  script_xref(name:"EDB-ID", value:"32998");
  script_xref(name:"VMSA", value:"2014-0004");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/25");

  script_name(english:"VMware Fusion 6.x < 6.0.3 OpenSSL Library Multiple Vulnerabilities (VMSA-2014-0004) (Heartbleed)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Fusion 6.x installed on the remote Mac OS X host
is prior to 6.0.3.  It is, therefore, reportedly affected by the
following vulnerabilities in the OpenSSL library :

  - An error exists related to the implementation of the
    Elliptic Curve Digital Signature Algorithm (ECDSA) that
    could allow nonce disclosure via the 'FLUSH+RELOAD'
    cache side-channel attack. (CVE-2014-0076)

  - An out-of-bounds read error, known as the 'Heartbleed
    Bug', exists related to handling TLS heartbeat
    extensions that could allow an attacker to obtain
    sensitive information such as primary key material,
    secondary key material and other protected content.
    (CVE-2014-0160)");
  # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2076225
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?03fa22fa");
  # https://www.vmware.com/support/fusion6/doc/fusion-603-release-notes.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bd08e50e");
  script_set_attribute(attribute:"see_also", value:"http://www.heartbleed.com");
  script_set_attribute(attribute:"see_also", value:"https://eprint.iacr.org/2014/140");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/vulnerabilities.html#2014-0160");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20140407.txt");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Fusion 6.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0160");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_fusion_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "MacOSX/Fusion/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("Host/local_checks_enabled");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

version = get_kb_item_or_exit("MacOSX/Fusion/Version");
path = get_kb_item_or_exit("MacOSX/Fusion/Path");

fixed_version = '6.0.3';
if (
  version =~ "^6\." &&
  ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed_version + '\n';
    security_warning(port:0, extra:report);
  }
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);
VendorProductVersionCPE
vmwarefusioncpe:/a:vmware:fusion

Related

nessus 40
securityvulns 21
ibm 47
openvas 18
altlinux 4
gentoo 1
ubuntu 1
mageia 1
freebsd_advisory 1
vmware 2
slackware 1
f5 4
openssl 1
seebug 13
ubuntucve 2
debiancve 1
prion 1
threatpost 2
veracode 2
freebsd 2
cve 1
checkpoint_security 1
thn 5
packetstorm 3
atlassian 2
attackerkb 1
vulnerlab 1
n0where 1
hp 1
exploitpack 1
suse 1
ics 4
zdt 2
fortinet 1
debian 3
hackerone 3
malwarebytes 1
redhat 1
kitploit 1
nessus
nessus
GLSA-201404-07 : OpenSSL: Information Disclosure
2014-04-08 00:00:00
IBM Rational ClearQuest 7.1.1.x / 7.1.2.x < 7.1.2.13.01 / 8.0.0.x < 8.0.0.10.01 / 8.0.1.x < 8.0.1.3.01 OpenSSL Library Multiple Vulnerabilities (credentialed check) (Heartbleed)
2015-03-12 00:00:00
Slackware 14.0 / 14.1 / current : openssl (SSA:2014-098-01)
2014-04-08 00:00:00
securityvulns
securityvulns
OpenSSL security vulnerabilities
2014-05-30 00:00:00
[USN-2165-1] OpenSSL vulnerabilities
2014-04-08 00:00:00
FreeBSD Security Advisory FreeBSD-SA-14:06.openssl [REVISED]
2014-04-20 00:00:00
ibm
ibm
Security Bulletin: DS8870 Release 7.2 is affected by a vulnerability in OpenSSL (CVE-2014-0160 and CVE-2014-0076)
2018-06-18 00:07:43
Security Bulletin: Flex System Integrated Management Module 2 (IMM2) is affected by vulnerabilities in OpenSSL (CVE-2014-0160 and CVE-2014-0076)
2019-01-30 08:35:01
Security Bulletin: IBM ToolsCenter Suite is affected by vulnerabilities in OpenSSL (CVE-2014-0160 and CVE-2014-0076)
2019-01-30 08:35:01
openvas
openvas
Ubuntu Update for openssl USN-2165-1
2014-04-08 00:00:00
VMSA-2014-0004 VMware product updates address OpenSSL security vulnerabilities
2014-05-08 00:00:00
Ubuntu: Security Advisory (USN-2165-1)
2014-04-08 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 7 package openssl10 version 1.0.1g-alt1
2014-04-08 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.1g-alt1
2014-04-07 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 1.0.1g-alt1
2014-04-07 00:00:00
gentoo
gentoo
OpenSSL: Information Disclosure
2014-04-08 00:00:00
ubuntu
ubuntu
OpenSSL vulnerabilities
2014-04-07 00:00:00
mageia
mageia
Updated openssl package fix two security vulnerabilities
2014-04-08 11:58:47
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:06.openssl
2014-04-08 00:00:00
vmware
vmware
VMware product updates address OpenSSL security vulnerabilities
2014-04-14 00:00:00
VMware product updates address OpenSSL security vulnerabilities
2014-04-14 00:00:00
slackware
slackware
[slackware-security] openssl
2014-04-08 15:05:22
f5
f5
SOL15295 - OpenSSL vulnerability CVE-2014-0076
2014-05-29 00:00:00
K15295 : OpenSSL vulnerability CVE-2014-0076
2014-05-29 00:00:00
K15159 : OpenSSL vulnerability CVE-2014-0160
2015-02-16 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2014-0076
2014-02-14 00:00:00
seebug
seebug
OpenSSL ECDSA Nonces恢复漏洞
2014-03-25 00:00:00
IBM AIX OpenSSL TLS心跳信息泄漏漏洞
2014-04-16 00:00:00
Oracle Session Monitor Suite OpenSSL TLS心跳信息泄漏漏洞
2014-04-21 00:00:00
ubuntucve
ubuntucve
CVE-2014-0076
2014-03-25 00:00:00
CVE-2014-0160
2014-04-07 00:00:00
debiancve
debiancve
CVE-2014-0076
2014-03-25 13:25:00
prion
prion
Design/Logic Flaw
2014-03-25 13:25:00
threatpost
threatpost
Second NSA Crypto Tool Found in RSA BSafe
2014-03-31 15:59:27
Oracle Gives Heartbleed Update, Patches 14 Products
2014-04-21 13:55:42
veracode
veracode
Side-channel Timing Attack
2017-02-08 02:53:24
Information Disclosure Through Buffer Over-read
2019-01-15 09:00:11
freebsd
freebsd
OpenSSL -- Local Information Disclosure
2014-04-07 00:00:00
OpenSSL -- Remote Information Disclosure
2014-04-07 00:00:00
cve
cve
CVE-2014-0076
2014-03-25 13:25:00
checkpoint_security
checkpoint_security
Check Point response to OpenSSL vulnerability (CVE-2014-0160)
2014-04-07 21:00:00
thn
thn
Heartbleed - OpenSSL Zero-day Bug leaves Millions of websites Vulnerable
2014-04-08 08:23:00
HeartBleed Bug Explained - 10 Most Frequently Asked Questions
2014-04-14 20:40:00
NSA denies Report that Agency knew and exploited Heartbleed Vulnerability
2014-04-11 23:21:00
packetstorm
packetstorm
Heartbleed Proof Of Concept
2014-04-08 00:00:00
Heartbleed OpenSSL Information Leak Proof Of Concept
2014-04-24 00:00:00
Streamworks Job Scheduler Release 7 Authentication Weakness
2019-01-16 00:00:00
atlassian
atlassian
Update Tomcat Native DLL in JIRA Installer
2014-06-26 19:39:26
Update Tomcat Native DLL in JIRA Installer
2014-06-26 19:39:26
attackerkb
attackerkb
CVE-2014-0160 (AKA: Heartbleed)
2014-04-07 00:00:00
vulnerlab
vulnerlab
HeartBleed SSL CVE 20140160 - 10 Steps to Fix in Ubuntu
2014-04-09 00:00:00
n0where
n0where
Access Point Impersonation Attacks: hostapd-wpe
2016-04-12 22:19:39
hp
hp
HPSBHF03021 rev.1 - HP Thin Client with ThinPro OS or Smart Zero Core Services, Running OpenSSL, Remote Disclosure of Information
2014-04-23 00:00:00
exploitpack
exploitpack
OpenSSL TLS Heartbeat Extension - Heartbleed Information Leak (2) (DTLS Support)
2014-04-24 00:00:00
suse
suse
update for openssl (important)
2014-04-08 13:04:15
ics
ics
Schneider Electric Wonderware Intelligence Security Patch for OpenSSL Vulnerability
2018-08-27 12:00:00
ABB Relion 650 Series OpenSSL Vulnerability (Update A)
2018-09-06 12:00:00
Siemens Industrial Products OpenSSL Heartbleed Vulnerability (Update B)
2018-09-06 12:00:00
zdt
zdt
OpenSSL Heartbeat (Heartbleed) Information Leak Exploit
2014-04-10 00:00:00
OpenSSL TLS Heartbeat Extension - Memory Disclosure
2014-04-08 00:00:00
fortinet
fortinet
Information Disclosure Vulnerability in OpenSSL (Heartbleed)
2014-04-08 00:00:00
debian
debian
[SECURITY] [DSA 2896-2] openssl security update
2014-04-08 13:47:13
[SECURITY] [DSA 2896-2] openssl security update
2014-04-08 13:47:33
[SECURITY] [DSA 2896-1] openssl security update
2014-04-07 21:36:46
hackerone
hackerone
Mail.ru: scfbp.tng.mail.ru: Heartbleed
2015-02-25 07:49:11
Internet Bug Bounty: TLS heartbeat read overrun
2014-04-05 23:51:06
Mail.ru: Heartbleed: my.com (185.30.178.33) port 1433
2015-01-19 13:54:12
malwarebytes
malwarebytes
Five years later, Heartbleed vulnerability still unpatched
2019-09-12 15:00:00
redhat
redhat
(RHSA-2014:0396) Important: rhev-hypervisor6 security update
2014-04-10 00:00:00
kitploit
kitploit
sslscan - tests SSL/TLS enabled services to discover supported cipher suites
2016-12-26 14:30:00
JSON
Related for MACOSX_FUSION_6_0_3.NASL
nessus40securityvulns21ibm47openvas18altlinux4gentoo1ubuntu1mageia1freebsd_advisory1vmware2slackware1f54openssl1seebug13ubuntucve2debiancve1prion1threatpost2veracode2freebsd2cve1checkpoint_security1thn5packetstorm3atlassian2attackerkb1vulnerlab1n0where1hp1exploitpack1suse1ics4zdt2fortinet1debian3hackerone3malwarebytes1redhat1kitploit1