Scientific Linux Security Update : nss, nss-util, and nss-softokn on SL5.x, SL6.x, SL7.x i386/x86_64 (20141202) (POODLE)

2014-12-0400:00:00

www.tenable.com

113

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle attack when using block cipher suites in cipher block chaining (CBC) mode. This issue is identified as CVE-2014-3566, and also known under the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication.

The nss, nss-util, and nss-softokn packages have been upgraded to upstream version 3.16.2.3, which provides a number of bug fixes and enhancements over the previous version, and adds the support for Mozilla Firefox 31.3.

After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(79713);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/28");

  script_cve_id("CVE-2014-3566");

  script_name(english:"Scientific Linux Security Update : nss, nss-util, and nss-softokn on SL5.x, SL6.x, SL7.x i386/x86_64 (20141202) (POODLE)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update adds support for the TLS Fallback Signaling Cipher Suite
Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol
downgrade attacks against applications which re-connect using a lower
SSL/TLS protocol version when the initial connection indicating the
highest supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC)
mode. This issue is identified as CVE-2014-3566, and also known under
the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in
a future update; it is recommended that users configure their
applications to require at least TLS protocol version 1.0 for secure
communication.

The nss, nss-util, and nss-softokn packages have been upgraded to
upstream version 3.16.2.3, which provides a number of bug fixes and
enhancements over the previous version, and adds the support for
Mozilla Firefox 31.3.

After installing this update, applications using NSS or NSPR must be
restarted for this update to take effect."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1412&L=scientific-linux-errata&T=0&P=542
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?2a43fe36"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-softokn");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-softokn-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-softokn-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-sysinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nss-util-devel");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/04");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL5", reference:"nss-3.16.2.3-1.el5_11")) flag++;
if (rpm_check(release:"SL5", reference:"nss-debuginfo-3.16.2.3-1.el5_11")) flag++;
if (rpm_check(release:"SL5", reference:"nss-devel-3.16.2.3-1.el5_11")) flag++;
if (rpm_check(release:"SL5", reference:"nss-pkcs11-devel-3.16.2.3-1.el5_11")) flag++;
if (rpm_check(release:"SL5", reference:"nss-tools-3.16.2.3-1.el5_11")) flag++;

if (rpm_check(release:"SL6", reference:"nss-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-debuginfo-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-devel-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-pkcs11-devel-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-sysinit-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-tools-3.16.2.3-3.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-util-3.16.2.3-2.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-util-debuginfo-3.16.2.3-2.el6_6")) flag++;
if (rpm_check(release:"SL6", reference:"nss-util-devel-3.16.2.3-2.el6_6")) flag++;

if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-debuginfo-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-devel-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-pkcs11-devel-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-softokn-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-softokn-debuginfo-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-softokn-devel-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-softokn-freebl-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-softokn-freebl-devel-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-sysinit-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-tools-3.16.2.3-2.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-util-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-util-debuginfo-3.16.2.3-1.el7_0")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nss-util-devel-3.16.2.3-1.el7_0")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss / nss-debuginfo / nss-devel / nss-pkcs11-devel / nss-softokn / etc");
}

VendorProductVersionCPE
fermilabscientific_linuxnssp-cpe:/a:fermilab:scientific_linux:nss
fermilabscientific_linuxnss-debuginfop-cpe:/a:fermilab:scientific_linux:nss-debuginfo
fermilabscientific_linuxnss-develp-cpe:/a:fermilab:scientific_linux:nss-devel
fermilabscientific_linuxnss-pkcs11-develp-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel
fermilabscientific_linuxnss-softoknp-cpe:/a:fermilab:scientific_linux:nss-softokn
fermilabscientific_linuxnss-softokn-debuginfop-cpe:/a:fermilab:scientific_linux:nss-softokn-debuginfo
fermilabscientific_linuxnss-softokn-develp-cpe:/a:fermilab:scientific_linux:nss-softokn-devel
fermilabscientific_linuxnss-softokn-freeblp-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl
fermilabscientific_linuxnss-softokn-freebl-develp-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl-devel
fermilabscientific_linuxnss-sysinitp-cpe:/a:fermilab:scientific_linux:nss-sysinit

Vendor	Product	Version	CPE
fermilab	scientific_linux	nss	p-cpe:/a:fermilab:scientific_linux:nss
fermilab	scientific_linux	nss-debuginfo	p-cpe:/a:fermilab:scientific_linux:nss-debuginfo
fermilab	scientific_linux	nss-devel	p-cpe:/a:fermilab:scientific_linux:nss-devel
fermilab	scientific_linux	nss-pkcs11-devel	p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel
fermilab	scientific_linux	nss-softokn	p-cpe:/a:fermilab:scientific_linux:nss-softokn
fermilab	scientific_linux	nss-softokn-debuginfo	p-cpe:/a:fermilab:scientific_linux:nss-softokn-debuginfo
fermilab	scientific_linux	nss-softokn-devel	p-cpe:/a:fermilab:scientific_linux:nss-softokn-devel
fermilab	scientific_linux	nss-softokn-freebl	p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl
fermilab	scientific_linux	nss-softokn-freebl-devel	p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl-devel
fermilab	scientific_linux	nss-sysinit	p-cpe:/a:fermilab:scientific_linux:nss-sysinit

Rows per page:

1-10 of 151

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

www.nessus.org/u?2a43fe36

JSON

Related for SL_20141202_NSS__NSS_UTIL__AND_NSS_SOFTOKN_ON_SL5_X.NASL