Lucene search

K
nessusThis script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SYMANTEC_PROTECTION_ENGINE_SYM16_015_NIX.NASL
HistorySep 22, 2016 - 12:00 a.m.

Symantec Protection Engine 7.0.x < 7.0.5 HF02 / 7.5.x < 7.5.5 HF01 / 7.8.x < 7.8.0 HF03 Multiple DoS (SYM16-015) (Linux)

2016-09-2200:00:00
This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

78.7%

The version of Symantec Protection Engine (SPE) installed on the remote Linux host is 7.0.x prior to 7.0.5 hotfix 02, 7.5.x prior to 7.5.5 hotifx 01, or 7.8.x prior to 7.8.0 hotifx 03. It is, therefore, affected by multiple denial of service vulnerabilities :

  • A denial of service vulnerability exists in the decomposer engine due to an out-of-bounds read error that occurs when decompressing RAR archives. An unauthenticated, remote attacker can exploit this, via a specially crafted RAR file, to crash the application.
    (CVE-2016-5309)

  • A denial of service vulnerability exists in the decomposer engine due to memory corruption issue that occurs when decompressing RAR archives. An unauthenticated, remote attacker can exploit this, via a specially crafted RAR file, to crash the application.
    (CVE-2016-5310)

#TRUSTED 4c628e3334c19223be035540df9cf1335df273e3d1bceec3e8508bddbe95773b72b79115bbd26af1787d7863a81188720707a19e66718c8ce4577efa9bb0e04aa929d3159f39d378ad4862ddeaa4116b1f3193054b5fba364ae04d37fc5fc8f09fbf096a621c59fb9daa75e3d3ffa9ba899fffc555df0036568ab1cc46e050b23cf769b628be503afaa561eaadca7e7f03bd4ef6b5d5ca1b6a965bc0dfd502c160b41ebec5d545dd0e5e181d5984810da35ba9f0830b672f99ad6ae45e3e6d2c2267c8d1338fef9c44967a8000d1f81bbfe6ba415d2a55d00bdb76b6f52a67fd2c8ca8528fc168f4a507ffbd9b508a0de038d04b627ba4b8b15cc986b2171d170f2b7399acdb8f42fd0bd42ca75b1db8493bb09aa367ca3989010bfa13fb52476384e687096955a7e5837cf7888b28f57da6658a3ed946169a296dc33b656782f6822a46d06177b4db75a81aa203a40b68f2e2fe47c67674d43c91928b5aed06415b7845fc0ef072732ae594418be380a7e3832d20c7a10c73d3811ed942cdfab45b755992ca56976077ad5860404fc8f929fb4a84006b4dfc64a5ddee84c42d69f8242facf5df7f3f6b023fca3fd35037c69e609e00c59dbae94a989a2c338a6622ee0c482aded550db5675aca6c7a0f970ba1adbfcdc620f2be4dd5810a6d902c2c0b0e0d5acc48acb341700314bf075df09a3c563d9ce5a3becf35f0a3bc6
#TRUST-RSA-SHA256 4ab557af21759e2268ebc2e556a017f04525ce0dcff283d06863485db21c7c91b8bed7bb5f4ea3952ef99169d0524ab757167bfe13fb8dbeda1c404c8285bab2dba262aadbc83fdb9bb3c78d8ce865aa3069b46e72b8bafe056f421337a3f8d0a936a971dcac73e60c526bcc1908ee2a5665c9f5fdf48b4019f3ca59aa1752f81732d767d953f4cbfbb73249faeb3b90b2d0abd9063b0d86111ca4d8e2f28092521bb2f857afc4e7d78fd3b60f846f0715b9728ae092c0483ded2e54a9beb3f4f8f4f2ae6feb445b67395c3012bbc25449d3720b18bfac1927141db508bbfbe019f6272db38051b52053029e53da72dcd8284392dad34d16317380fedefd2c2f1f22690c0ad226b79bc9d1c5a83353e4ed706440c0b8722d0d57039233985b0ce026a2f2014a2119747462e18dab78b31bc5b3e4db1cf29bd9383953c780197eda7cfd504765e25c027022402abfbb26329550a1049fdab8337aee7ca978752c720aa6cf44bd18ed49478c737b34581eab36b9b31c57a31abd99e9d9031fa4d966d994c01cd54df8183dcefa6dd8583e0dc101885d0299613e09357d6d40ef74a9b4cd8eefef19757ff8c1c39d6734c2b79d00682fdcb2d3f33daeaeae5409d597aff6d9bc1b699d76b45759b59be44cb259128f8f0ae5447b5a357e7131d74114442296f4f07e39a142d607c031595b6e56758d8cbcd02594c8605f0094bc28
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93655);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  script_cve_id("CVE-2016-5309", "CVE-2016-5310");
  script_bugtraq_id(92866, 92868);
  script_xref(name:"IAVA", value:"2016-A-0256");

  script_name(english:"Symantec Protection Engine 7.0.x < 7.0.5 HF02 / 7.5.x < 7.5.5 HF01 / 7.8.x < 7.8.0 HF03 Multiple DoS (SYM16-015) (Linux)");
  script_summary(english:"Checks the version of Symantec Protection Engine.");

  script_set_attribute(attribute:"synopsis", value:
"A security application installed on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Symantec Protection Engine (SPE) installed on the
remote Linux host is 7.0.x prior to 7.0.5 hotfix 02, 7.5.x prior to
7.5.5 hotifx 01, or 7.8.x prior to 7.8.0 hotifx 03. It is, therefore,
affected by multiple denial of service vulnerabilities :

  - A denial of service vulnerability exists in the
    decomposer engine due to an out-of-bounds read error
    that occurs when decompressing RAR archives. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted RAR file, to crash the application.
    (CVE-2016-5309)

  - A denial of service vulnerability exists in the
    decomposer engine due to memory corruption issue that
    occurs when decompressing RAR archives. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted RAR file, to crash the application.
    (CVE-2016-5310)");
  # https://support.symantec.com/en_US/article.SYMSA1379.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0df20c4e");
  script_set_attribute(attribute:"see_also", value:"https://support.symantec.com/en_US/article.INFO3791.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Symantec Protection Engine (SPE) version 7.0.5 HF02 / 7.5.5
HF01 / 7.8.0 HF03 or later per the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5310");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:protection_engine");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("symantec_protection_engine.nbin");
  script_require_keys("installed_sw/Symantec Protection Engine");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");


enable_ssh_wrappers();

app = 'Symantec Protection Engine';
port = NULL;
function check_hf(path)
{
  local_var cmd, ret, buf, match, ver;
  local_var line, matches, vuln;

  vuln = FALSE;
  cmd = "cat -v " + path + "/bin/libdec2.so";

  if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

  port = kb_ssh_transport();
  if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

  ret = ssh_open_connection();
  if (!ret) exit(1, 'ssh_open_connection() failed.');


  buf = ssh_cmd(cmd:cmd);
  ssh_close_connection();
  if(!empty_or_null(buf)){
    match = eregmatch(pattern:"Decomposer\^@(\d\.\d\.\d\.\d)",string:buf);
    ver = match[1];
    if(ver_compare(ver:ver, fix:"5.4.7.5", strict:FALSE) < 0) vuln = TRUE;
  }
  else audit(AUDIT_UNKNOWN_APP_VER, "Symantec Protection Engine: Decomposer Engine");
  return vuln;
}

install = get_single_install(app_name:app);
version = install["version"];
path = install["path"];
path = chomp(path);

fix = NULL;

if (version =~ "^7\.0\.[0-9.]+$")
{
  if (
    version =~ "^7\.0\.5\." &&
    check_hf(path:path)
  ) fix = "7.0.5.x with HF02 applied";

  if (version =~ "^7\.0\.[0-4]\.")
    fix = "7.0.5.x with HF02 applied";
}
else if (version =~ "^7\.5\.[0-9.]+$")
{
  if (
    version =~ "^7\.5\.5\." &&
    check_hf(path:path)
  ) fix = "7.5.5.x with HF01 applied";

  if (version =~ "^7\.5\.[0-4]\.")
    fix = "7.5.5.x with HF01 applied";
}
else if (version =~ "^7\.8\.[0-9.]+$")
{
  if (
    version =~ "^7\.8\.0\." &&
    check_hf(path:path)
  ) fix = "7.8.0.x with HF03 applied";
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

if (!empty_or_null(fix))
{
  report = report_items_str(
    report_items:make_array(
      "Path", path,
      "Installed version", version,
      "Fixed version", fix
    ),
    ordered_fields:make_list("Path", "Installed version", "Fixed version")
  );

  security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);
VendorProductVersionCPE
symantecprotection_enginecpe:/a:symantec:protection_engine

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

78.7%

Related for SYMANTEC_PROTECTION_ENGINE_SYM16_015_NIX.NASL