OracleVM 3.3 : nss (OVMSA-2014-0014)

2014-11-26T00:00:00
ID ORACLEVM_OVMSA-2014-0014.NASL
Type nessus
Reporter Tenable
Modified 2018-07-24T00:00:00

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

  • Added nss-vendor.patch to change vendor

  • Update some patches on account of the rebase

  • Resolves: Bug 1099619

  • Backport nss-3.12.6 upstream fix required by Firefox 31

  • Resolves: Bug 1099619

  • Remove two unused patches and apply a needed one that was missed

  • Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1

  • Update to nss-3.16.1

  • Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1

  • Make pem's derEncodingsMatch function work with encrypted keys

  • Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL

  • Remove unused patches

  • Resolves: Bug 1048713

  • Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL

  • Revoke trust in one mis-issued anssi certificate

  • Resolves: Bug 1042685 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-6.6]

  • Enable patch with fix for deadlock in trust domain lock and object lock

  • Resolves: Bug 1036477 - deadlock in trust domain lock and object lock

  • Disable hw gcm on rhel-5 based build environments where OS lacks support

  • Rollback changes to build nss without softokn until Bug 689919 is approved

  • Cipher suite was run as part of the nss-softokn build

  • Update to NSS_3_15_3_RTM

  • Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741)

  • Using export NSS_DISABLE_HW_GCM=1 to deal with some problemmatic build systems

  • Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so

  • Add s390x and ia64 to the %define multilib_arches list used for defining alt_ckbi

  • Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so

  • Add zero default value to DISABLETEST check and fix the TEST_FAILURES check and reporting

  • Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS

  • Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

  • Add a zero default value to the DISABLETEST and TEST_FAILURES checks

  • Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

  • Fix the test for zero failures in the %check section

  • Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

  • Restore a mistakenly removed patch

  • Resolves: rhbz#961659 - SQL backend does not reload certificates

  • Rebuild for the pem module to link with freel from nss-softokn-3.14.3-6.el6

  • Related: rhbz#993441 - NSS needs to conform to new FIPS standard.

  • Related: rhbz#1010224 - NSS 3.15 breaks SSL in OpenLDAP clients

  • Don't require nss-softokn-fips

  • Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard.

  • Additional syntax fixes in nss-versus-softoken-test.patch

  • Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

  • Fix all.sh test for which application was last build by updating nss-versus-softoken-test.path

  • Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x)

  • Disable the cipher suite already run as part of the nss-softokn build

  • Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard.

  • Require nss-softokn-fips

  • Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2014-0014.
#

include("compat.inc");

if (description)
{
  script_id(79537);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/24 18:56:11");

  script_cve_id("CVE-2013-1741", "CVE-2013-5605", "CVE-2013-5606");
  script_bugtraq_id(63736, 63737, 63738);

  script_name(english:"OracleVM 3.3 : nss (OVMSA-2014-0014)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - Added nss-vendor.patch to change vendor

  - Update some patches on account of the rebase

  - Resolves: Bug 1099619

  - Backport nss-3.12.6 upstream fix required by Firefox 31

  - Resolves: Bug 1099619

  - Remove two unused patches and apply a needed one that
    was missed

  - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS
    3.16.1

  - Update to nss-3.16.1

  - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS
    3.16.1

  - Make pem's derEncodingsMatch function work with
    encrypted keys

  - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted
    client key ends up with
    SSL_ERROR_TOKEN_INSERTION_REMOVAL

  - Remove unused patches

  - Resolves: Bug 1048713

  - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted
    client key ends up with
    SSL_ERROR_TOKEN_INSERTION_REMOVAL

  - Revoke trust in one mis-issued anssi certificate

  - Resolves: Bug 1042685 - nss: Mis-issued ANSSI/DCSSI
    certificate (MFSA 2013-117) [rhel-6.6]

  - Enable patch with fix for deadlock in trust domain lock
    and object lock

  - Resolves: Bug 1036477 - deadlock in trust domain lock
    and object lock

  - Disable hw gcm on rhel-5 based build environments where
    OS lacks support

  - Rollback changes to build nss without softokn until Bug
    689919 is approved

  - Cipher suite was run as part of the nss-softokn build

  - Update to NSS_3_15_3_RTM

  - Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606
    (CVE-2013-1741)

  - Using export NSS_DISABLE_HW_GCM=1 to deal with some
    problemmatic build systems

  - Resolves: rhbz#1016044 - nss.s390: primary link for
    libnssckbi.so must be /usr/lib64/libnssckbi.so

  - Add s390x and ia64 to the %define multilib_arches list
    used for defining alt_ckbi

  - Resolves: rhbz#1016044 - nss.s390: primary link for
    libnssckbi.so must be /usr/lib64/libnssckbi.so

  - Add zero default value to DISABLETEST check and fix the
    TEST_FAILURES check and reporting

  - Resolves: rhbz#990631 - file permissions of
    pkcs11.txt/secmod.db must be kept when modified by NSS

  - Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for
    FF 24.x)

  - Add a zero default value to the DISABLETEST and
    TEST_FAILURES checks

  - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1
    (for FF 24.x)

  - Fix the test for zero failures in the %check section

  - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1
    (for FF 24.x)

  - Restore a mistakenly removed patch

  - Resolves: rhbz#961659 - SQL backend does not reload
    certificates

  - Rebuild for the pem module to link with freel from
    nss-softokn-3.14.3-6.el6

  - Related: rhbz#993441 - NSS needs to conform to new FIPS
    standard. 

  - Related: rhbz#1010224 - NSS 3.15 breaks SSL in OpenLDAP
    clients

  - Don't require nss-softokn-fips

  - Resolves: rhbz#993441 - NSS needs to conform to new FIPS
    standard. 

  - Additional syntax fixes in
    nss-versus-softoken-test.patch

  - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1
    (for FF 24.x)

  - Fix all.sh test for which application was last build by
    updating nss-versus-softoken-test.path

  - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1
    (for FF 24.x)

  - Disable the cipher suite already run as part of the
    nss-softokn build

  - Resolves: rhbz#993441 - NSS needs to conform to new FIPS
    standard. 

  - Require nss-softokn-fips

  - Resolves: rhbz#993441 - NSS needs to conform to new FIPS
    standard."
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2014-August/000216.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7cd372b4"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2014-August/000217.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?60735f17"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nss / nss-sysinit / nss-tools packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:nss-sysinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:nss-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! ereg(pattern:"^OVS" + "3\.3" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.3", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"OVS3.3", reference:"nss-3.16.1-4.0.1.el6_5")) flag++;
if (rpm_check(release:"OVS3.3", reference:"nss-sysinit-3.16.1-4.0.1.el6_5")) flag++;
if (rpm_check(release:"OVS3.3", reference:"nss-tools-3.16.1-4.0.1.el6_5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss / nss-sysinit / nss-tools");
}