Tenable SecurityCenter < 5.3.2 Multiple Vulnerabilities (TNS-2016-09)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91814);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/09");

  script_cve_id(
    "CVE-2016-3074",
    "CVE-2016-4537",
    "CVE-2016-4538",
    "CVE-2016-4539",
    "CVE-2016-4540",
    "CVE-2016-4541",
    "CVE-2016-4542",
    "CVE-2016-4543",
    "CVE-2016-4544"
  );
  script_bugtraq_id(
    87087,
    89844,
    90172,
    90173,
    90174
  );

  script_name(english:"Tenable SecurityCenter < 5.3.2 Multiple Vulnerabilities (TNS-2016-09)");
  script_summary(english:"Checks the version of PHP in SecurityCenter.");

  script_set_attribute(attribute:"synopsis", value:
"The Tenable SecurityCenter application installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Tenable SecurityCenter application installed on the remote host is
either prior to version 5.3.2 or is missing a security patch. It is,
therefore, affected by multiple vulnerabilities in the bundled version
of PHP :

  - A signedness error exists in the GD Graphics library in
    gd_gd2.c due to improper validation of user-supplied
    input when handling compressed GD2 data. An
    unauthenticated, remote attacker can exploit this to
    cause a heap-based buffer overflow, resulting in a
    denial of service condition or the execution of
    arbitrary code. (CVE-2016-3074)

  - An out-of-bounds read error exists in the php_str2num()
    function in bcmath.c when handling negative scales. An
    unauthenticated, remote attacker can exploit this, via a
    crafted call, to cause a denial of service condition or
    the disclosure of memory contents. (CVE-2016-4537)

  - A flaw exists in the bcpowmod() function in bcmath.c due
    to modifying certain data structures without considering
    whether they are copies of the _zero_, _one_, or _two_
    global variables. An unauthenticated, remote attacker
    can exploit this, via a crafted call, to cause a denial
    of service condition. (CVE-2016-4538)

  - A flaw exists in the xml_parse_into_struct() function in
    xml.c when handling specially crafted XML contents. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2016-4539)

  - Multiple out-of-bounds read errors exist within file
    ext/intl/grapheme/grapheme_string.c when handling
    negative offsets in the zif_grapheme_stripos() and
    zif_grapheme_strpos() functions. An unauthenticated,
    remote attacker can exploit these issues to cause a
    denial of service condition or disclose memory contents.
    (CVE-2016-4540, CVE-2016-4541)

  - A flaw exists in the exif_process_IFD_TAG() function in
    exif.c due to improper construction of spprintf
    arguments. An unauthenticated, remote attacker can
    exploit this, via crafted header data, to cause an
    out-of-bounds read error, resulting in a denial of
    service condition or the disclosure of memory contents.
    (CVE-2016-4542)

  - A flaw exists in the exif_process_IFD_in_JPEG() function
    in exif.c due to improper validation of IFD sizes. An
    unauthenticated, remote attacker can exploit this, via
    crafted header data, to cause an out-of-bounds read
    error, resulting in a denial of service condition or the
    disclosure of memory contents. (CVE-2016-4543)

  - A flaw exists in the exif_process_TIFF_in_JPEG()
    function in exif.c due to improper validation of TIFF
    start data. An unauthenticated, remote attacker can
    exploit this, via crafted header data, to cause an
    out-of-bounds read error, resulting in a denial of
    service condition or the disclosure of memory contents.
    (CVE-2016-4544)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2016-09");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.21");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SecurityCenter version 5.3.2 or later. Alternatively, apply
the relevant patch as referenced in the vendor advisory.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3074");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/24");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  script_require_keys("Host/local_checks_enabled","Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/SecurityCenter/support/php/version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

appname = 'SecurityCenter';

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
sc_ver = get_kb_item("Host/SecurityCenter/Version");

port = 0;
if(empty_or_null(sc_ver))
{
  port = 443;
  install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  sc_ver = install["version"];
}

# Affected: SecurityCenter 4.8.2, 5.0.2, 5.1.0, 5.2.0, 5.3.1
if (sc_ver !~ "^(4\.8\.2($|\.)|5\.0\.2($|\.)|5\.1\.0($|\.)|5\.2\.0($|\.)|5\.3\.1($|\.))") 
  audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);

# Grab php version from kb
version = get_kb_item("Host/SecurityCenter/support/php/version");

if (empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, "PHP bundled with Tenable SecurityCenter");

fix = "5.6.21"; # default to known php release branch used in advisory
if (version =~ "^5\.4\.") fix = "5.4.45";
if (version =~ "^7\.0\.") fix = "7.0.6";

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report = '\n' +
    '\n  SecurityCenter version     : ' + sc_ver +
    '\n  SecurityCenter PHP version : ' + version +
    '\n  Fixed PHP version          : ' + fix +
    '\n';
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "PHP (within SecurityCenter)", version);