The remote Solaris system is missing necessary patches to address security updates :
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a ‘\0’ character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
(CVE-2013-4248)
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
(CVE-2013-6420)
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
(CVE-2013-6712)
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
(CVE-2014-1943)
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
(CVE-2014-2270)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle Third Party software advisories.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(80737);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2013-4248", "CVE-2013-6420", "CVE-2013-6712", "CVE-2014-1943", "CVE-2014-2270");
script_name(english:"Oracle Solaris Third-Party Patch Update : php (cve_2013_4248_input_validation)");
script_summary(english:"Check for the 'entire' version.");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Solaris system is missing a security patch for third-party
software."
);
script_set_attribute(
attribute:"description",
value:
"The remote Solaris system is missing necessary patches to address
security updates :
- The openssl_x509_parse function in openssl.c in the
OpenSSL module in PHP before 5.4.18 and 5.5.x before
5.5.2 does not properly handle a '\0' character in a
domain name in the Subject Alternative Name field of an
X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification
Authority, a related issue to CVE-2009-2408.
(CVE-2013-4248)
- The asn1_time_to_time_t function in
ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before
5.4.23, and 5.5.x before 5.5.7 does not properly parse
(1) notBefore and (2) notAfter timestamps in X.509
certificates, which allows remote attackers to execute
arbitrary code or cause a denial of service (memory
corruption) via a crafted certificate that is not
properly handled by the openssl_x509_parse function.
(CVE-2013-6420)
- The scan function in ext/date/lib/parse_iso_intervals.c
in PHP through 5.5.6 does not properly restrict creation
of DateInterval objects, which might allow remote
attackers to cause a denial of service (heap-based
buffer over-read) via a crafted interval specification.
(CVE-2013-6712)
- Fine Free file before 5.17 allows context-dependent
attackers to cause a denial of service (infinite
recursion, CPU consumption, and crash) via a crafted
indirect offset value in the magic of a file.
(CVE-2014-1943)
- softmagic.c in file before 5.17 and libmagic allows
context-dependent attackers to cause a denial of service
(out-of-bounds memory access and crash) via crafted
offsets in the softmagic of a PE executable.
(CVE-2014-2270)"
);
# https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?4a913f44"
);
# https://blogs.oracle.com/sunsecurity/cve-2013-4248-input-validation-vulnerability-in-php
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?f6e0c4fe"
);
# https://blogs.oracle.com/sunsecurity/cve-2014-1943-resource-management-errors-vulnerability-in-php
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?864416ed"
);
script_set_attribute(
attribute:"see_also",
value:"https://blogs.oracle.com/sunsecurity/cve-2014-2270-buffer-errors-vulnerability-in-php"
);
# https://blogs.oracle.com/sunsecurity/multiple-buffer-errors-vulnerabilities-in-php
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?90294d9b"
);
script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.1.19.6.0.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:php");
script_set_attribute(attribute:"patch_publication_date", value:"2014/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.");
script_family(english:"Solaris Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("solaris.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");
pkg_list = solaris_pkg_list_leaves();
if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages");
if (empty_or_null(egrep(string:pkg_list, pattern:"^php$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
flag = 0;
if (solaris_check_release(release:"0.5.11-0.175.1.19.0.6.0", sru:"SRU 11.1.19.6.0") > 0) flag++;
if (flag)
{
error_extra = 'Affected package : php\n' + solaris_get_report2();
error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra);
if (report_verbosity > 0) security_hole(port:0, extra:error_extra);
else security_hole(0);
exit(0);
}
else audit(AUDIT_PACKAGE_NOT_AFFECTED, "php");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
www.nessus.org/u?4a913f44
www.nessus.org/u?864416ed
www.nessus.org/u?90294d9b
www.nessus.org/u?f6e0c4fe
blogs.oracle.com/sunsecurity/cve-2014-2270-buffer-errors-vulnerability-in-php