Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)

2015-08-20T00:00:00
ID SECURITYCENTER_OPENSSL_1_0_1P.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

The SecurityCenter application installed on the remote host is affected by a certificate validation bypass vulnerability in the bundled OpenSSL library. The library is version 1.0.1n or later and prior to 1.0.1p. It is, therefore, affected by a flaw in the X509_verify_cert() function that is triggered when locating alternate certificate chains in cases where the first attempt to build such a chain fails. A remote attacker can exploit this to cause certain certificate checks to be bypassed, resulting in an invalid certificate being considered valid. Note that the plugin's version check shown on this page also flags the 1.0.2 branch: OpenSSL 1.0.2b or later and prior to 1.0.2d.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata and leaves through the exit(0) at the end of this block, so none of
# the host-touching code further down runs.
if (description)
{
  script_id(85565);
  script_version("1.18");
  script_cvs_date("Date: 2019/11/22");

  # Identifiers of the vulnerability this plugin reports on.
  script_cve_id("CVE-2015-1793");
  script_bugtraq_id(75652);

  script_name(english:"Tenable SecurityCenter Alternative Certificate Validation Bypass Vulnerability (TNS-2015-08)");
  script_summary(english:"Checks the version of OpenSSL in SecurityCenter.");

  script_set_attribute(attribute:"synopsis", value:
"The remote application is affected by a certificate validation bypass
vulnerability.");
  # NOTE(review): this text names only the 1.0.1n - 1.0.1p range, while the
  # fixes/cutoffs lists used by the runtime check in this script also contain
  # a 1.0.2b - 1.0.2d range. A reader of the finding should be aware that the
  # 1.0.2 branch is flagged as well.
  script_set_attribute(attribute:"description", value:
"The SecurityCenter application installed on the remote host is
affected by a certificate validation bypass vulnerability in the
bundled OpenSSL library. The library is version 1.0.1n or later and
prior to 1.0.1p. It is, therefore, affected by a flaw in the
X509_verify_cert() function that is triggered when locating alternate
certificate chains in cases where the first attempt to build such a
chain fails. A remote attacker can exploit this to cause certain
certificate checks to be bypassed, resulting in an invalid certificate
being considered valid.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-08");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150709.txt");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the vendor advisory.");
  # CVSS v2 and v3 vectors as written: network attack vector, low complexity,
  # no authentication/privileges, partial (v2) / low (v3) confidentiality and
  # integrity impact, no availability impact. The score source is the CVE.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1793");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20");

  # Declared as a "local" plugin: the runtime part of this script obtains its
  # evidence by running a command on the host (locally or over SSH), not by
  # probing the TLS service from the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The SecurityCenter detection plugins must have run first; they populate
  # the KB entries read by the runtime part of this script.
  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  # NOTE(review): KB key names are passed to script_require_ports rather than
  # script_require_keys - presumably so that any one of them being present is
  # enough to schedule the plugin; confirm against the scanner documentation.
  script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled");

  exit(0);
}

include("openssl_version.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");


# Turn the SSH command wrappers on only when the SSH library reports at least
# command-level support; otherwise they are explicitly switched off.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# Credentialed check: without local checks there is no way to run the bundled
# openssl binary, so stop here with the matching audit message.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Prefer the SecurityCenter version stored under Host/SecurityCenter/Version
# (reported on port 0). If that key is empty, fall back to the install record
# and report on port 443 instead.
port = 0;
sc_ver = get_kb_item("Host/SecurityCenter/Version");
if (empty_or_null(sc_ver))
{
  port = 443;
  install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  sc_ver = install["version"];
}

# Coarse pre-filter on the product version; the vulnerable/not-vulnerable
# decision itself is made later from the bundled OpenSSL version.
# NOTE(review): the 5.0 alternative has no terminator after [0-1], so a
# version string such as 5.0.10 would also pass this gate - confirm that no
# such release exists or tighten the pattern.
if (!preg(pattern:"^(4\.[6-8]\.|5\.0\.[0-1])", string:sc_ver))
{
  audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);
}

# Select how commands reach the target: an SSH session for a remote host, or
# local execution via pread() when the target is the scanner itself.
# info_t and sock_g keep their original names because they are script-level
# variables (presumably read by the included command helpers - confirm).
if (!islocalhost())
{
  sock_g = ssh_open_connection();
  if (!sock_g)
  {
    audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
  }
  info_t = INFO_SSH;
}
else
{
  if (!defined_func("pread"))
  {
    audit(AUDIT_NOT_DETECT, "pread");
  }
  info_t = INFO_LOCAL;
}

# Per-branch bounds of the affected range: fixes[i] is the first fixed release
# and cutoffs[i] the first affected release of the same branch.
fixes = make_list("1.0.1p", "1.0.2d");
cutoffs = make_list("1.0.1n", "1.0.2b");
# Captures the version token that follows "OpenSSL " in the command output.
pattern = "OpenSSL (\d+(?:\.\d+)*(-beta\d+|[a-z]*))";

# Ask the bundled binary for its version, trying the /opt/sc4 path first and
# the /opt/sc path only when the first attempt returns nothing.
# NOTE(review): the finding rests entirely on the version string this binary
# prints; a fix that leaves that string unchanged, or a different OpenSSL
# actually loaded by the services, would not be reflected here.
line = info_send_cmd(cmd:"/opt/sc4/support/bin/openssl version");
if (!line)
{
  line = info_send_cmd(cmd:"/opt/sc/support/bin/openssl version");
}

# Release the SSH session before any of the audit exits below.
if (info_t == INFO_SSH)
{
  ssh_close_connection();
}

if (!line)
{
  audit(AUDIT_UNKNOWN_APP_VER, "OpenSSL (within SecurityCenter)");
}

match = pregmatch(pattern:pattern, string:line);
if (isnull(match))
{
  audit(AUDIT_UNKNOWN_APP_VER, line);
}
version = match[1];

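# Decide whether the bundled OpenSSL version falls inside one of the affected
# ranges and report it if so.
fix = NULL;

# Walk every (cutoff, fix) pair instead of a hard-coded count of 2, so that a
# branch added to the fixes/cutoffs lists cannot be silently skipped.
# fixes and cutoffs are parallel lists and must stay the same length.
for (i = 0; i < max_index(fixes); i++)
{
  # Affected when the version is below the branch's fixed release and at or
  # above the branch's first affected release.
  # NOTE(review): same_branch:TRUE presumably limits each comparison to
  # versions of the same release branch - confirm in openssl_version.inc.
  if (
    openssl_ver_cmp(ver:version, fix:fixes[i], same_branch:TRUE, is_min_check:FALSE) < 0 &&
    openssl_ver_cmp(ver:version, fix:cutoffs[i], same_branch:TRUE, is_min_check:FALSE) >= 0
  )
  {
    fix = fixes[i];
    break;
  }
}

if (!isnull(fix))
{
  # The report lists the product version, the OpenSSL version that was read
  # from the bundled binary, and the fixed release of the matching branch.
  report = '\n' +
    '\n  SecurityCenter version         : ' + sc_ver +
    '\n  SecurityCenter OpenSSL version : ' + version +
    '\n  Fixed OpenSSL version          : ' + fix +
    '\n';
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "OpenSSL (within SecurityCenter)", version);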