{"securelist": [{"lastseen": "2019-02-21T13:54:21", "bulletinFamily": "blog", "description": "\n\n[ **More graphs and statistics in full PDF version**](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21120154/Threats_to_users_of_adult_websites_2018.pdf>)\n\n## Introduction\n\n2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms \u2013 Tumblr \u2013 announced it was [banning erotic content ](<https://www.theverge.com/2018/12/5/18126451/tumblr-porn-social-media-ban>) (even though [almost a quarter](<https://motherboard.vice.com/en_us/article/4xa8v3/so-how-much-porn-is-on-tumblr>) of its users consume adult content). In addition, the UK received the title of '[The Second Most Porn-Hungry Country in the World](<http://www.gizmodo.co.uk/2018/12/the-uk-is-still-the-second-most-porn-hungry-country-in-the-world-according-to-pornhub/>)' and is now [implementing a law on age-verification for pornography lovers](<https://uk.news.yahoo.com/porn-sites-will-require-proof-age-april-next-year-123901041.html>) that will prohibit anyone below the age of 18 to watch this sort of content. This is potentially[ opening a world of new tricks](<https://news.sky.com/story/academics-doubt-value-of-online-porn-age-checks-10952614https:/news.sky.com/story/academics-doubt-value-of-online-porn-age-checks-10952614>) for scammers and threat actors to take advantage of users. In addition, even commercial giant Starbucks [declared a 'holy war' on porn](<https://www.nbcnews.com/news/us-news/starbucks-says-it-will-start-blocking-pornography-its-stores-wi-n941646>) as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.\n\nSuch measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. 
According to news reports last year, an extremely active [adult website user](<https://www.oversight.gov/sites/default/files/oig-reports/ManagementAdvisory%20_USGSITSecurityVulnerabilities_101718_0.pdf>), who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This, and other examples confirm that adult content remains a controversial topic from both a social and cybersecurity standpoint.\n\nIt is no secret that digital pornography has long been associated with malware and cyberthreats. While [some](<https://www.kaspersky.com/blog/porno-danger-fact-or-fiction/21865/>) of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted [research](<https://www.kaspersky.com/blog/porn-themed-threats-report/20891/>) on the malware hidden in pornography and found out that such threats are both real and effective. One of the key takeaways of last year's report was the fact that cybercriminals not only use adult content in multiple ways \u2013 from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims' banking credentials and other personal information \u2013 but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.\n\nLast year, we discovered a number of malicious samples that were specifically hunting for credentials to access some of the most popular pornographic websites. 
When we considered why someone would hunt for credentials to pornographic websites, we checked the underground markets (both on the dark web and on open parts of the internet) and found that credentials to pornography website accounts are themselves quite a valuable commodity to be sold online. They are for sale in their thousands.\n\nIt would be going too far to say that the findings from our previous exploration of the relationships between cyberthreats and adult content were unexpected. At the end of the day, pornography has always been, and remains one of the most sought after types of online content. At the same time, cybercriminals have always looked to increase their profits with the most efficient and cheapest way of delivering malicious payloads to victims. It was almost inevitable that adult content would become an important tool for them.\n\nThat said, our monitoring of the wider cyberthreat landscape shows that threat actors tend to change their habits, tactics and techniques over time. This means that even in a niche area, such as pornographic content and websites, changes are possible. That is why this year we decided to repeat our exercise and investigate the topic once again. As it turned out, some things have indeed changed.\n\n## Methodology and key findings\n\nTo measure the level of risk that may be associated with adult content online, we investigated several different indicators. We examined malware disguised as pornographic content, and malware that hunts for credentials to access pornography websites. We looked at the threats that are attacking users across the internet in order to find out which popular websites might be dangerous to visit. Additionally, we checked our phishing and spam database to see if there is a lot of pornographic content on file and how it is used in the wild. 
Using aggregated threat-statistics obtained from the Kaspersky Security Network \u2013 the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world \u2013 we measured how often and how many users of our products have encountered adult-content themed threats.\n\nAdditionally, we checked around twenty underground online markets and counted how many accounts are up for sale, which are the most popular, and the price they are sold for.\n\nAs a result, we discovered the following:\n\n * **Searching for pornography online has become safer:** in 2018, **650,000 users **faced attacks launched from online resources. That is **36% less **than in 2017 when more than a million of these attacks were detected.\n * **Cybercriminals are actively using popular porn-tags to promote malware in search results. **The 20 most popular make up 80% of all malware disguised as porn. Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8% of them using a corporate rather than personal network to do this.\n * **In 2018, the number of attacks using malware to hunt for credentials that grant access to pornography websites grew almost three-fold compared to 2017,** with more than 850,000 attempts to install such malware. The number of users attacked doubled, with 110,000 attacked PCs across the world.\n * The number of** unique sales offers of credentials for premium accounts to adult content websites almost doubled** to more than **10,000**.\n * **Porn-themed threats increased in terms of the number of samples, but declined in terms of variety:** In 2018, Kaspersky Lab identified at least **642 families of PC threats** disguised under one common pornography tag. In terms of their malicious function, these families were distributed between **57 types **(76 last year**)**. 
In most cases they are **Trojan-Downloaders, Trojans and AdWare.**\n * **89%** of infected files disguised as pornography on Android devices turned out to be **AdWare**.\n * In Q4 2018, there were 10 times as many attacks coming from phishing websites pretending to be popular adult content resources, compared to Q4 2017 when the overall figure reached **21,902 attacks**.\n\n## Part 1 - Malware\n\nAs mentioned above, cybercriminals put a lot of effort into delivering malware to user devices, and pornography serves as a great vehicle for this. Most malware that reaches users' computers from malicious websites is usually disguised as videos. Users who do not check the file extension and go on to download and open it, are sent to a webpage that extorts money. This is achieved by playing the video online or for free only after the user agrees to install a malicious file disguised as a software update or something similar. However, in order to download anything from this kind of website, the user first has to find the website. That is why the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results.\n\nTo do this, cybercriminals first identify which search requests are the most popular among users looking for pornography. They then implement so-called 'black SEO' techniques. This involves changing the malicious website content and description so it appears higher up on the search results pages. Such websites can be found in third or fourth place in the list of search results.\n\nAccording to our findings, this method is still actively used but its efficiency is falling. To check this, we took 100 of the top listed pornographic websites (as suggested by search engines after entering a query for the word 'porn'), plus those that have the word 'porn' in the title. We checked if any of them pose any threat to users. 
It turned out that in 2017 our products stopped more than a million users from attempting to install malware from websites on the list. However, in 2018, the number of users affected decreased to 658,930. This could be the result of search engines putting processes in place to fight against 'black SEO' activities and protecting users from malicious content.\n\n### Porn tags = Malware tags\n\nOptimizing malicious websites so as to ensure that those wanting to view adult content will find them is not the only tool criminals explore in order to find the best ways of delivering infected files to victims' devices. It turned out during our research that cybercriminals are disguising malware or not-a-virus files as video files and naming them using popular porn tags. A 'porn tag' is a special term that is used to easily identify content from a specific pornographic video genre. Tags are used by pornography websites to organize their video libraries and help users to quickly and conveniently find the video they are interested in. The not-a-virus type of threats is represented here by RiskTools, Downloaders and AdWare. Each type is not typically classified as malware, yet such applications may do something unwanted to users. AdWare, for instance, can show users unsolicited advertising, alter search results and collect user data to show targeted, contextual advertising.\n\nTo check how widespread this trend is, we took the most popular classifications and tags of adult videos from three major legal websites distributing adult content. The groupings were chosen by the overall number of videos uploaded in each category on the websites. As a result, we came up with a list of around 100 tags, which between them may well cover every possible type of pornography in existence. 
Subsequently, we ran those tags against our database of threats and through the Kaspersky Security Network databases and figured out which of them were used in malicious attacks and how often.\n\nThe overall number of users attacked with malware and not-a-virus threats disguised as porn-themed files dropped by about half compared to 2017. While back then their total number was 168,702, the situation in 2018 was a little more positive: down to 87,227, with 8% of them downloading porn-disguised malware from corporate networks. In this sense, scammers are merely following the overall trend: according to Pornhub's statistics, the share of pornography viewed on desktops has dropped by 18%. However, we were not able to get full confirmation that the 2018 decrease in the number of users attacked with malicious pornography relates to changes in consumer habits.\n\nPerhaps one of the most interesting takeaways we got from the analysis of how malware and not-a-virus are distributed among porn tags, is that although we were able to identify as many as 100 of them, most of the attacked users (around 80%, both in 2017 and 2018) encountered threats that mention only 20 of them. The tags used most often match the most popular tags on legitimate websites. Although we couldn't find perfect correlations between the top watched types of adult video on legitimate websites and the most often encountered porn-themed threats, the match between malicious pornography and safe pornography means that malware and not-a-virus authors follow trends set by the pornography-viewing community.\n\nMoving forward, the overall picture surrounding porn-disguised threat types showed more changes in 2018 when compared to 2017. In 2018, we saw 57 variations of threats disguised as famous porn tags, from 642 families. For comparison, the figures in 2017 were 76 and 581 respectively. 
That means that while the number of samples of porn-malware is growing, the number of types of malware and not-a-virus that are being distributed through pornography is decreasing.\n\nThe top three most popular classes of threats turned out to be Trojan-Downloader, with 45% of files, Trojan with 20% and AdWare, which is not a virus, with 9%, while in 2017 the top three were different: Trojan-Downloader was still there with 29%, exploits took the second place with 23% and Trojans accounted for around 19%.\n\nDistribution of porn-themed threat types in 2017 | % | Distribution of porn-themed threat types in 2018 | % \n---|---|---|--- \nTrojan-Downloader | 29% | Trojan-Downloader | 45% \nExploit | 23% | Trojan | 20% \nTrojan | 19% | AdWare (not a virus) | 9% \nAdWare (not a virus) | 11% | Worm | 8% \nWorm | 6% | Virus | 2% \nVirus | 2% | Downloader (not a virus) | 2% \nRiskTool (not a virus) | 2% | Exploit | 2% \nDownloader (not a virus) | 2% | Trojan-Dropper | 2% \nTrojan-Dropper | 1% | UDS: DangerousObject | 2% \nOther | 5% | Other | 8% \n \n_Top-10 types of threat that went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network_\n\n_Top-10 verdicts which went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20151847/threats-to-users-of-adult-websites-in-2018-2.png>)\n\nThe most noticeable change in the overall picture is the large number of exploits in 2017: back then they accounted for almost a quarter of all infected files, while in 2018 they were not represented in the top 10. There is an explanation for the popularity of such threats. 
In 2017, exploits were represented by massive detections of Exploit.Win32.CVE-2010-2568.gen, a generic detection (the detection that describes multiple similar malware pieces) for files that exploited the vulnerability in the Windows Shell named [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>). However, the same detection name applies for another vulnerability in LNK - [CVE-2017-8464.](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>) This vulnerability, and the publicly available exploit for it, became public in 2017 and immediately raised a lot of interest amongst threat actors \u2013 thereby raising the bar in exploit detections. Within a year, the attacks on CVE-2017-8464 reduced significantly as most users patched their computers and malware writers went back to using classical malware aimed at more common file formats (such as JS, VBS, PE).\n\nThe rise in popularity of Trojan-Downloaders can be explained by the fact that such malicious programs are multipurpose: once installed on a victim's device, the threat actor could additionally download virtually any payload they want: from DDoS-bots and malicious ads clickers to password stealers or banking Trojans. As a result, a criminal would need to infect the victim's device only once and would then be able to use it in multiple malicious ways.\n\n2018 has also seen some changes in the share of software that is not-a-virus. All in all, such programs accounted for 15% of all threats in 2017. In 2018, however, they were on the decline and now account for 11%, with downloaders losing their place in the top-10 most prolific threats. So, while the attackers are using porn less as a decoy, they have yet to inject the malicious files with more harmful threats, such as Trojans and worms.\n\n### Mobile malware\n\nFollowing technical changes in how we detect and analyze mobile malware, we amended our methodology for this report. 
Instead of trying to identify the share of porn-themed content in the overall volume of malicious applications that our users encountered, we selected 100,000 random malicious installation packages disguised as porn videos for Android, in 2017 and 2018, and checked them against the database of popular porn tags.\n\nThe landscape for types and families of mobile threats is also different than for PC. In both 2017 and 2018, the most common type of threat was AdWare: 70% in 2017 and 89% in 2018.\n\n**Malware name** | **%** | **Malware name** | **%** \n---|---|---|--- \nnot-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 59.61% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 62.88% \nnot-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 11.02% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 17.09% \nHEUR:Trojan-Ransom.AndroidOS.Zebt.a | 5.33% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 9.62% \nHEUR:Trojan.AndroidOS.Loapi.b | 3.76% | HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 3.27% \nHEUR:Trojan-Ransom.AndroidOS.Small.snt | 2.22% | HEUR:Trojan.AndroidOS.Boogr.gsh | 0.74% \nHEUR:Trojan-Dropper.AndroidOS.Agent.hb | 1.93% | HEUR:Trojan-Ransom.AndroidOS.Small.snt | 0.74% \nnot-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 1.90% | UDS:DangerousObject.Multi.Generic | 0.52% \nHEUR:Trojan-Ransom.AndroidOS.Small.as | 1.54% | HEUR:Trojan-Ransom.AndroidOS.Small.as | 0.41% \nHEUR:Trojan-Ransom.AndroidOS.Small.cj | 1.29% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 0.36% \nnot-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 1.07% | HEUR:Trojan-Ransom.AndroidOS.Small.cj | 0.36% \n \n_Top-10 verdicts that represent porn-related categories, by the number of attacked mobile users, in 2017 and 2018. Source: Kaspersky Security Network_\n\nThese threats are typically distributed through affiliate programs focused on earning money as a result of users installing applications and clicking on an advertisement. 
As well as AdWare, pornography is also used to distribute ransomware (4% in 2018) but on a much smaller scale compared to 2017, when more than 10% of users faced such malicious programs. This decline is most likely a reflection of the overall downward trend for ransomware seen in the malware landscape.\n\n### Credential hunters\n\nA specific type of malware related to pornography, which we have been tracking throughout the year, is implemented by so-called credential hunters. We track them with the help of our botnet-tracking technology, which monitors active botnets and receives intelligence on what kind of activities they perform, to prevent emerging threats.\n\nWe particularly track botnets that are made of malware. Upon installation on a PC, this malware can monitor which web pages are opened, or create a fake one where the user enters their login and password credentials. Usually such programs are made for stealing money from online banking accounts, but last year we were surprised to discover that there are bots in these botnets that hunt for credentials to pornography websites.\n\nBased on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking Trojans, attempting to steal credentials (Betabot, Neverquest and Panda). These Trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.\n\nIn 2018, the number of attacked users doubled, reaching more than 110,000 PCs across the world. The number of attacks almost tripled, to 850,000 infection attempts. 
At the same time, the number of variations of malware we were able to spot fell from 27 to 22, but the number of families increased from three to five, meaning that pornography credentials are considered valuable to ever more cybercriminals.\n\nAnother important shift that happened in 2018 was that malware families do not hunt for credentials to multiple websites. Instead, they focus on just two: mostly Pornhub and XNXX, whose users were targeted by bots belonging to the Jimmy malware family.\n\nApparently Pornhub remains popular, not only to regular users of the web, but also to cybercriminals looking for another way of gaining illegal profits by selling user credentials.\n\n## Part 2 - Phishing and spam\n\nOur previous research suggested that it is relatively rare to see pornography as a topic of interest in phishing scams. Instead, criminals prefer to exploit popular sites dedicated to finding sex partners. But in 2018, our anti-phishing technologies started blocking phishing pages that resemble popular pornography websites.\n\nThese are generally pages disguised as pornhub.com, youporn.com, xhamster.com, and xvideos.com. In Q4, 2017, the overall number of attempts to access phishing pages pretending to be one of the listed websites was **1,608**. Within a year, in Q4 2018, the number of such attempts (**21,902**) was more than ten times higher.\n\nThe overall number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was **38,305**. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were **37,144** attempts to visit the phishing version of the website, while there were only **1,161** attempts to visit youporn.com, xhamster.com, and xvideos.com in total. These figures are still relatively low; other phishing categories may see detection results of millions of attempts per year. 
However, the fact that the number of detections on pornography pages is growing may mean that criminals are only just beginning to explore the topic.\n\nIt is worth mentioning that phishing pages cannot influence the original page in any way; they merely copy it. The authentic Pornhub page is not connected to the phishing. Moreover, most search engines usually successfully block such phishing pages, so the most likely way to access them is through phishing or spam e-mails, or by being redirected there by malware or a malicious frame on another website.\n\nFake versions of popular pornography websites target users' credentials and contact details, which can later be either sold or used in other fraud schemes or cyberattacks. In general, credentials capture is one of the most popular ways to target users, using pornography to implement phishing fraud schemes. In such schemes, the victim is often lured to a phishing website disguised as a social network, where they are asked to authenticate their identity in order to watch an adult video which can only be accessed if the user confirms they are over 18-years-old.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160843/threats-to-users-of-adult-websites-in-2018-5.png>)\n\nAs the victim enters their password, the threat actor captures the credentials to the user's social network account.\n\nPornographic content phishing can also be used to install malicious software. 
For example, to access an alleged adult video, the phishing page requires the user to download and update a video player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160919/threats-to-users-of-adult-websites-in-2018-6.png>)\n\nNeedless to say, instead of downloading a video player, the user downloads malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160946/threats-to-users-of-adult-websites-in-2018-7.png>)\n\nSometimes phishing fraudsters target e-wallet credentials with the help of pornographic content. The victim is lured to the pornographic website to watch a video broadcast. In order to view the content, the user is asked to enter their payment credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093209/threats-to-users-of-adult-websites-in-2018-8.png>)\n\n### **Spam-scam**\n\nWe have rarely seen pornographic content used in any special or specific way when it comes to spam. Apart from the mass distribution of 'standard' advertising offering adult content on legitimate and illegal websites, this type of threat hasn't been spotted using pornography in a creative way. However, there is one exception. Beginning in 2017, an infamous sextortion scam started to happen. Users started to receive messages containing an extortion letter with a demand to transfer bitcoins to fraudsters.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143648/threats-to-users-of-adult-websites-in-2018-9.png>)\n\nThe scammers claimed to have personal messages and recordings of the victim watching porn. The letters even claimed that the threat actor could combine the video that the supposed victim was watching with what was recorded through their webcam. 
This extortion is based purely on making threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143709/threats-to-users-of-adult-websites-in-2018-10.png>)\n\n2018, however, saw an increase in the volume of such e-mails. Moreover, they became more sophisticated and were not only threatening the user, but also 'proving' the legitimacy of the scammers' claims by providing the user with actual information about them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143739/threats-to-users-of-adult-websites-in-2018-11.png>)\n\nIn most cases, it was either a password, or a phone number, or a combination of both with an e-mail address. Since people tend to use the same passwords for different websites, the victim was often likely to believe that paired passwords and e-mail addresses found by the criminal on the dark web were authentic, even if they were not actually correct for the adult-content account in question.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143805/threats-to-users-of-adult-websites-in-2018-12.png>)\n\nFurthermore, these e-mails have been sent out in more languages than previously found.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143826/threats-to-users-of-adult-websites-in-2018-13.png>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143902/threats-to-users-of-adult-websites-in-2018-14.png>) \n---|--- \n \nIn reality, these mailings were based purely on the assumption that the target of such e-mails would hand over their credentials and that these would become profitable. The number of such scams grew in 2018.\n\n## Part 3 - Darknet insights\n\nOne of the burning topics of the adult-content industry is the controversy surrounding paid subscriptions to access websites. 
It is often the case that users can register for pornography accounts through a 'premium' subscription model (that includes no advertisements and unlimited access to the adult website content). Otherwise, the website they want to access does not allow them to watch any free content at all unless they pay. At most, the user may see video previews for free but still be expected to make a payment to watch the full video. The opinions around such practice vary. Some people [claim](<https://fightthenewdrug.org/problem-with-paying-for-porn-or-watching-for-free/>) that money paid for porn \"directly fuels the industry that supports the abuse, exploitation, and trafficking around the world\". [Others argue](<https://www.self.com/story/this-is-why-you-should-pay-for-porn>) that pornography is like most other commodities and people are willing to exchange money for it just as they would other kinds of entertainment, such as tv-series or music. Some though prefer to highlight examples of when adult content can result in people being denied their human rights.\n\nWhether it is worth it or not, [some](<https://www.die-screaming.com/porn-memberships-expensive-429291/>) users agree that the price of premium accounts to popular pornography websites is rather high. For example, monthly memberships can vary from $20 to $30, and annual unlimited access costs might scale from $120 to $150. This is where cybercriminals enter the fray.\n\nThe research on porn-related cyberthreats we did previously proved that there is a very well developed supply and demand chain for stolen credentials on the dark web. We conducted research on this issue again in 2018, analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb - an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers' feedback. All of them contained one to more than 3,000 offers for credentials to adult content websites. 
In total, 29 websites displayed more than 15,000 offers to buy one or more accounts to pornography websites (with of course, no legal guarantees of delivering on their promise).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143918/threats-to-users-of-adult-websites-in-2018-15.jpg>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093226/threats-to-users-of-adult-websites-in-2018-16.jpg>) \n---|--- \n \nThe results of the research conducted in the last year showed that four of the researched markets that offered the widest range of stolen credentials provided users with more than 5,239 unique offers. The figure for 2018 showed that their number doubled, accounting for more than 10,000 offers on sale.\n\nThe quantity of accounts available ranged from 1 to 30, with a few exceptions mostly from poorly rated sellers. However, the majority of offers promised to deliver credentials to only one account. Regardless of the type of account, the prices vary from $3 to $9 per offer, very rarely exceeding $10 \u2013 the same as back in 2017, with the vast majority of prices being limited to $6-$7 or the equal amount in bitcoins, which is 20 times cheaper than the most modest annual memberships. Getting access to an account illegally for a lower cost than a legal subscription is not the only appeal of buying such credentials on the dark web. There is the added appeal of anonymity, hiding behind other people's credentials while watching pornography.\n\n## Conclusions and advice\n\nOverall, the amount of downloadable malware disguised as pornography detected on users' devices significantly decreased in 2018 in comparison with record activity in 2017. While at first glance this looks like good news, a worrying trend has appeared. 
The number of users being attacked with malware that hunts for their pornographic content credentials is on the rise and this means premium subscriptions are now a valuable asset for cybercriminals. There is also the fact that many modern pornography websites include social functionality, allowing people to share their own private content in different ways through the website. Some people make it freely available for all, some decide to limit who can see it. There has also been a significant rise in the number of cases where people suffer from sextortion. In other words, the sphere of adult-content may contain cybersecurity challenges other than the 'classic' infected pornography websites and video files armed with malware. These challenges should be addressed properly.\n\nAnother cybersecurity risk that adult content brings, which may be less obvious, is the misuse of corporate resources. As mentioned at the beginning of this report, the unsafe consumption of pornography from the workplace may result in the corporate network being hit by a massive infection. While most malicious attacks using pornography are aimed at consumers not corporations, the fact that most consumers have a job to go to every day brings a certain risk to IT administrators responsible for securing corporate networks.\n\nIn order to consume and produce adult content safely, Kaspersky Lab advises the following:\n\n**For consumers:**\n\n * Before clicking any link, check the link address shown, even in the search results of trusted search engines. If the address was received in an e-mail, check if it is the same as the actual hyperlink.\n * Do not click on questionable websites when they are offered in search results and do not install anything that comes from them.\n * If you wish to buy a paid subscription to an adult content website \u2013 purchase it only on the official website. 
Double check the URL of the website and make sure it is authentic.\n * Check any email attachments with a security solution before opening them \u2013 especially from dark web entities (even if they are expected to come from an anonymous source).\n * Patch the software on your PC as soon as security updates for the latest bugs are available.\n * Do not download pirated software and other illegal content, even if you were redirected to the webpage from a legitimate website.\n * Use a reliable security solution with behavior-based anti-phishing technologies \u2013 such as [Kaspersky Total Security](<https://www.kaspersky.com/downloads/thank-you/total-security-free-trial>), to detect and block spam and phishing attacks.\n * Use a robust security solution to protect you from malicious software and its actions \u2013 such as the [Kaspersky Internet Security for Android](<https://www.kaspersky.com/android-security>).\n\n**For businesses:**\n\n * Educate employees in basic security hygiene, and explain the policies on accessing web sites potentially containing illegal or restricted content, as well as not opening emails or clicking on links from unknown sources.\n * Businesses can also block access to web sites that contravene corporate policy, such as porn sites, by using a dedicated endpoint solution such as [Kaspersky Endpoint Security for Business](<https://www.kaspersky.com/small-to-medium-business-security/endpoint-advanced>). 
In addition to anti-spam and anti-phishing, it must include application and web controls, and web threat protection that can detect and block access to malicious or phishing web addresses.", "modified": "2019-02-21T10:00:01", "published": "2019-02-21T10:00:01", "id": "SECURELIST:82490B192CB8F0CC0E1B0205E044FDB8", "href": "https://securelist.com/threats-to-users-of-adult-websites-in-2018/89634/", "type": "securelist", "title": "Threats to users of adult websites in 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:46:11", "bulletinFamily": "scanner", "description": "A denial of service (DoS) vulnerability exists in Integrated Lights-Out (iLO) 2 due to incorrect handling of https traffic. An unauthenticated, remote attacker can exploit this issue to cause the application to stop responding.", "modified": "2019-02-18T00:00:00", "id": "ILO_HPSBHF_03006.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122257", "published": "2019-02-18T00:00:00", "title": "iLO 2 <= 2.23 Denial of Service Vulnerability", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122257);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/18 9:00:12\");\n\n script_cve_id(\"CVE-2014-2601\");\n\n script_bugtraq_id(67054);\n\n script_name(english:\"iLO 2 <= 2.23 Denial of Service Vulnerability\");\n script_summary(english:\"Checks version of HP Integrated Lights-Out (iLO).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote HP Integrated Lights-Out (iLO) server's web interface is\naffected by a denial of service vulnerability.\") ;\n script_set_attribute(attribute:\"description\", value:\n\"A denial of service (DoS) vulnerability exists in Integrated Lights-Out\n(iLO) 2 due to incorrect handling of https traffic. 
\nAn unauthenticated, remote attacker can exploit this issue to cause\nthe application to stop responding.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04244787\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5f729249\");\n script_set_attribute(attribute:\"solution\", value:\n \"Upgrade firmware of iLO 2 to 2.25 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-2601\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\n\"cpe:/o:hp:integrated_lights-out_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ilo_detect.nasl\");\n script_require_keys(\"www/ilo\", \"ilo/generation\", \"ilo/firmware\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('http.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('vcf.inc');\n\ngeneration = get_kb_item_or_exit('ilo/generation');\nport = get_http_port(default:80, embedded: TRUE);\napp_info = vcf::get_app_info(app:'ilo', port:port, webapp:TRUE);\n\n# Firmware versions are different across generations so additional if check is required. 
\nif (generation != 2)\n audit(\n AUDIT_WEB_APP_NOT_AFFECTED,\n 'iLO ' + generation, \n build_url2(qs:app_info.path, port:port),\n app_info.version);\n\nconstraints = [{'max_version':'2.23', 'fixed_version': '2.25'}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:46:11", "bulletinFamily": "scanner", "description": "The version of the remote MongoDB server is 2.6.x prior to 2.6.9, is 3.0.x < 3.0.14 or is 3.2.x < 3.2.8. It is, therefore, affected by multiple vulnerabilities.\n\n - A credentials disclosure vulnerability exists in the PEMKeyPassword, clusterPassword and Windows servicePassword. An unauthenticated local attacker can exploit this to get access to user credentials. (CVE-2014-2917)\n\n - A denial of service (DoS) vulnerability exist in the CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod. An unauthenticated remote attacker can exploit this to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate. (CVE-2014-3971)\n\n - A heap-based buffer overflow condition exists in PCRE. An unauthenticated remote attacker can exploit this via a crafted regular expression, related to an assertion that allows zero repeats to cause a denial of service or to cause other unspecified impact. (CVE-2014-8964)\n\n - A DoS vulnerability exists due to failure to check for missing values. An authenticated remote attacker can exploit this to cause the application to crash. The attacker needs write access to a database to be able to exploit this vulnerability.\n (CVE-2015-2705)\n\n - A breach of data integrity vulnerability exists in the WiredTiger storage engine. 
An authenticated remote attacker can exploit this by issuing an admin command to write statistic logs to a specific file and may compromise data integrity. (CVE-2017-12926)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2019-02-15T00:00:00", "id": "MONGODB_3_2_8.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122243", "published": "2019-02-15T00:00:00", "title": "MongoDB 2.6.x < 2.6.9, 3.0.x < 3.0.14, 3.2.x < 3.2.8 mongod", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122243);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/15 11:49:10\");\n\n script_cve_id(\n \"CVE-2014-2917\",\n \"CVE-2014-3971\",\n \"CVE-2014-8964\",\n \"CVE-2015-2705\",\n \"CVE-2017-12926\"\n );\n script_bugtraq_id(71206);\n\n script_name(english:\"MongoDB 2.6.x < 2.6.9, 3.0.x < 3.0.14, 3.2.x < 3.2.8 mongod\");\n script_summary(english:\"Checks the version of MongoDB.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by a vulnerability that may\nresult in a denial of service or in the compromise of the server\nmemory integrity.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote MongoDB server is 2.6.x prior to 2.6.9,\nis 3.0.x < 3.0.14 or is 3.2.x < 3.2.8. It is, therefore, affected by\nmultiple vulnerabilities.\n\n - A credentials disclosure vulnerability exists in the\n PEMKeyPassword, clusterPassword and Windows servicePassword. An\n unauthenticated local attacker can exploit this to get access \n to user credentials. (CVE-2014-2917)\n\n - A denial of service (DoS) vulnerability exist in the\n CmdAuthenticate::_authenticateX509 function in\n db/commands/authentication_commands.cpp in mongod. 
An\n unauthenticated remote attacker can exploit this to cause a denial\n of service (daemon crash) by attempting authentication with an\n invalid X.509 client certificate. (CVE-2014-3971)\n\n - A heap-based buffer overflow condition exists in PCRE. An \n unauthenticated remote attacker can exploit this via a crafted\n regular expression, related to an assertion that allows zero\n repeats to cause a denial of service or to cause other unspecified\n impact. (CVE-2014-8964)\n\n - A DoS vulnerability exists due to failure to check for missing\n values. An authenticated remote attacker can exploit this to\n cause the application to crash. The attacker needs write access\n to a database to be able to exploit this vulnerability.\n (CVE-2015-2705)\n\n - A breach of data integrity vulnerability exists in the WiredTiger\n storage engine. An authenticated remote attacker can exploit this\n by issuing an admin command to write statistic logs to a specific\n file and may compromise data integrity. (CVE-2017-12926)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\n\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.mongodb.org/browse/SERVER-13644\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.mongodb.org/browse/SERVER-13753\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.mongodb.org/browse/SERVER-17252\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.mongodb.org/browse/SERVER-17521\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.mongodb.org/browse/WT-2711\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mongodb.com/alerts\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MongoDB version 2.6.9 / 3.0.14 / 3.2.8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-2917\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mongodb:mongodb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mongodb_detect.nasl\");\n script_require_keys(\"Services/mongodb\");\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'MongoDB';\nport = get_service(svc:'mongodb', default:27017, exit_on_fail:TRUE);\nkbVer = 'mongodb/' + port + '/Version';\n\napp_info = vcf::get_app_info(app:app, kb_ver:kbVer, port: port);\n\nconstraints = [\n { 'min_version' : '2.6.0', 'fixed_version' : '2.6.9' },\n { 'min_version' : '3.0.0', 'fixed_version' : '3.0.14' },\n { 'min_version' : '3.2.0', 'fixed_version' : '3.2.8' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:46:09", "bulletinFamily": "scanner", "description": "A denial of service (DoS) vulnerability exists in Integrated Lights-Out (iLO) due to an undisclosed vulnerability. 
An unauthenticated, remote attacker can exploit this issue to cause the application to stop responding.", "modified": "2019-02-14T00:00:00", "id": "ILO_HPSSRT_101886.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122190", "published": "2019-02-14T00:00:00", "title": "iLO 2 < 2.27 / iLO 3 < 1.82 / iLO 4 < 2.10 Denial of Service Vulnerability", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122190);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/14 14:52:48\");\n\n script_cve_id(\"CVE-2015-2106\");\n\n script_name(english:\"iLO 2 < 2.27 / iLO 3 < 1.82 / iLO 4 < 2.10 Denial of Service Vulnerability\");\n script_summary(english:\"Checks version of HP Integrated Lights-Out (iLO).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote HP Integrated Lights-Out (iLO) server's web interface is\naffected by a denial of service vulnerability.\") ;\n script_set_attribute(attribute:\"description\", value:\n\"A denial of service (DoS) vulnerability exists in Integrated Lights-Out\n(iLO) due to an undisclosed vulnerability. \nAn unauthenticated, remote attacker can exploit this issue to cause \nthe application to stop responding.\");\n # https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04582368\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c250bedf\");\n # https://nvd.nist.gov/vuln/detail/CVE-2015-2106\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01654ca1\");\n script_set_attribute(attribute:\"solution\", value:\n \"For iLO 2, upgrade firmware to 2.27 or later. 
For iLO 3, upgrade firmware to 1.82 or later.\nFor iLO 4, upgrade firmware to 2.10 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-2106\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:integrated_lights-out_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ilo_detect.nasl\");\n script_require_keys(\"www/ilo\", \"ilo/generation\", \"ilo/firmware\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('http.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('vcf.inc');\n\ngeneration = get_kb_item_or_exit('ilo/generation');\nport = get_http_port(default:80, embedded: TRUE);\napp_info = vcf::get_app_info(app:'ilo', port:port, webapp:TRUE);\n\n# Firmware versions are different across generations so additional if check is required.\nif (generation == 2)\n fixed_version = '2.27';\nelse if (generation == 3)\n fixed_version = '1.82';\nelse if (generation == 4)\n fixed_version = '2.10';\nelse\n audit(\n AUDIT_WEB_APP_NOT_AFFECTED,\n 'iLO ' + generation, \n build_url2(qs:app_info.path, port:port),\n app_info.version);\n\nconstraints = [{'fixed_version':fixed_version}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, 
severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:46:09", "bulletinFamily": "scanner", "description": "An information disclosure vulnerability exists in Integrated Lights-Out due to an unspecified vulnerability. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information.", "modified": "2019-02-14T00:00:00", "id": "ILO_HPSBHF_02821.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122189", "published": "2019-02-14T00:00:00", "title": "iLO 3 < 1.50 / iLO 4 < 1.13 Information Disclosure Vulnerability", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122189);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/14 14:04:59\");\n\n script_cve_id(\"CVE-2012-3271\");\n\n script_bugtraq_id(56597);\n\n script_name(english:\"iLO 3 < 1.50 / iLO 4 < 1.13 Information Disclosure Vulnerability\");\n script_summary(english:\"Checks version of HP Integrated Lights-Out (iLO).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote HP Integrated Lights-Out (iLO) server's web interface is\naffected by an information disclosure vulnerability.\") ;\n script_set_attribute(attribute:\"description\", value:\n\"An information disclosure vulnerability exists in Integrated \nLights-Out due to an unspecified vulnerability. \nAn unauthenticated, remote attacker can exploit this to \ndisclose potentially sensitive information.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03515413&docLocale=en_US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d1b5324\");\n script_set_attribute(attribute:\"solution\", value:\n \"For iLO 3, upgrade firmware to 1.50 or later. 
\n For iLO 4, upgrade firmware to 1.13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-3271\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:integrated_lights-out_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ilo_detect.nasl\");\n script_require_keys(\"www/ilo\", \"ilo/generation\", \"ilo/firmware\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('http.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('vcf.inc');\n\ngeneration = get_kb_item_or_exit('ilo/generation');\nport = get_http_port(default:80, embedded: TRUE);\napp_info = vcf::get_app_info(app:'ilo', port:port, webapp:TRUE);\n\n# Firmware versions are different across generations so additional if check is required.\nif (generation == 3)\n fixed_version = '1.50';\nelse if (generation == 4)\n fixed_version = '1.13';\nelse\n audit(\n AUDIT_WEB_APP_NOT_AFFECTED,\n 'iLO ' + generation, \n build_url2(qs:app_info.path, port:port),\n app_info.version);\n\nconstraints = [{'fixed_version':fixed_version}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:46:09", "bulletinFamily": "scanner", "description": "According to its version number, the firmware of Integrated Lights-Out running on the remote web server is iLO 3 prior to 1.65 or iLO 4 prior to 1.32. It is, therefore, affected by multiple vulnerabilities:\n - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2013-4842).\n\n - An information disclosure vulnerability exists in Integrated Lights-Out (iLO) 3 & 4 due to an undisclosed vulnerability. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information (CVE-2013-4843).", "modified": "2019-02-14T00:00:00", "id": "ILO_HPSBHF_02939.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122188", "published": "2019-02-14T00:00:00", "title": "iLO 3 < 1.65 / iLO 4 < 1.32 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122188);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/14 13:48:00\");\n\n script_cve_id(\n \"CVE-2013-4842\",\n \"CVE-2013-4843\"\n );\n\n script_bugtraq_id(\n 63689,\n 63691\n );\n\n script_name(english:\"iLO 3 < 1.65 / iLO 4 < 1.32 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of HP Integrated Lights-Out (iLO).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote HP Integrated Lights-Out (iLO) server's web interface is\naffected by multiple vulnerabilities.\") ;\n script_set_attribute(attribute:\"description\", value:\n\"According to its version number, the firmware of Integrated Lights-Out\nrunning on the remote web server is 
iLO 3 prior to 1.65 or iLO 4 \nprior to 1.32. It is, therefore, affected by multiple vulnerabilities:\n - A cross-site scripting (XSS) vulnerability exists due to improper\n validation of user-supplied input before returning it to users. \n An unauthenticated, remote attacker can exploit this, by convincing\n a user to click a specially crafted URL, to execute arbitrary script\n code in a user's browser session (CVE-2013-4842).\n\n - An information disclosure vulnerability exists in Integrated \n Lights-Out (iLO) 3 & 4 due to an undisclosed vulnerability. \n An unauthenticated, remote attacker can exploit this to disclose\n potentially sensitive information (CVE-2013-4843).\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03996804&docLocale=en_US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aaf46ad1\");\n script_set_attribute(attribute:\"solution\", value:\n \"For iLO 3, upgrade firmware to 1.65 or later. \n For iLO 4, upgrade firmware to 1.32 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4842\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:integrated_lights-out_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ilo_detect.nasl\");\n script_require_keys(\"www/ilo\", \"ilo/generation\", \"ilo/firmware\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('http.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\ninclude('vcf.inc');\n\ngeneration = get_kb_item_or_exit('ilo/generation');\nport = get_http_port(default:80, embedded: TRUE);\napp_info = vcf::get_app_info(app:'ilo', port:port, webapp:TRUE);\n\n# Firmware versions are different across generations so additional if check is required.\nif (generation == 3)\n fixed_version = '1.65';\nelse if (generation == 4)\n fixed_version = '1.32';\nelse\n audit(\n AUDIT_WEB_APP_NOT_AFFECTED,\n 'iLO ' + generation, \n build_url2(qs:app_info.path, port:port),\n app_info.version);\n\nconstraints = [{'fixed_version':fixed_version}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:46:06", "bulletinFamily": "scanner", "description": "The version of Samba running on the remote host is prior to 3.4.0. It is, therefore, affected by a remote code execution vulnerability in process.c due to a heap-based buffer overflow. 
An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands via Batched / AndX request.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "modified": "2019-02-08T00:00:00", "id": "SAMBA_3_4_0.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122058", "published": "2019-02-08T00:00:00", "title": "Samba < 3.4.0 Remote Code Execution Vulnerability", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122058);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/08 15:02:57\");\n\n script_cve_id(\n \"CVE-2012-0870\"\n );\n script_bugtraq_id(52103);\n\n script_name(english:\"Samba < 3.4.0 Remote Code Execution Vulnerability\");\n script_summary(english:\"Checks the version of Samba.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Samba running on the remote host is prior to\n3.4.0. It is, therefore, affected by a remote code execution\nvulnerability in process.c due to a heap-based buffer overflow. 
An \nunauthenticated, remote attacker can exploit this to bypass authentication \nand execute arbitrary commands via Batched / AndX request.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-0870.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Samba version 3.4.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0870\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = vcf::samba::get_app_info();\nvcf::check_granularity(app_info:app, sig_segments:3);\n\nconstraints = \n[\n {\"fixed_version\" : \"3.4.0\"}\n];\n\nvcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-08T12:51:57", "bulletinFamily": "scanner", "description": "An update of the libtar package has been released.", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2018-2_0-0029_LIBTAR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121929", "title": "Photon OS 2.0: Libtar PHSA-2018-2.0-0029", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0029. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121929);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2013-4420\");\n\n script_name(english:\"Photon OS 2.0: Libtar PHSA-2018-2.0-0029\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the libtar package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-29.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-4420\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:libtar\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"libtar-1.2.20-5.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"libtar-debuginfo-1.2.20-5.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"libtar-devel-1.2.20-5.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtar\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-08T12:51:52", "bulletinFamily": "scanner", "description": "An update of the libtar package has been released.", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2017-0040_LIBTAR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121744", "title": "Photon OS 1.0: Libtar PHSA-2017-0040", "type": "nessus", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0040. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121744);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2013-4420\");\n\n script_name(english:\"Photon OS 1.0: Libtar PHSA-2017-0040\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the libtar package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-80.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10309\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:libtar\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"libtar-1.2.20-3.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"libtar-devel-1.2.20-3.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtar\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-08T12:51:50", "bulletinFamily": "scanner", "description": "An update of the unzip package has been released.", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2016-0013_UNZIP.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121657", "title": "Photon OS 1.0: Unzip PHSA-2016-0013", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from 
VMware Security Advisory PHSA-2016-0013. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121657);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2015-7696\", \"CVE-2015-7697\");\n\n script_name(english:\"Photon OS 1.0: Unzip PHSA-2016-0013\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the unzip package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-13.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-2774\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:unzip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"unzip-6.0-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"unzip-6.0-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"unzip-debuginfo-6.0-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"unzip-debuginfo-6.0-7.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"unzip\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:45:52", "bulletinFamily": "scanner", "description": "Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library.\n\nCVE-2014-8542\n\nlibavcodec/utils.c omitted a certain codec ID during enforcement of alignment, which allowed remote attackers to cause a denial of ervice (out-of-bounds 
access) or possibly have unspecified other impact via crafted JV data.\n\nCVE-2015-1207\n\nDouble-free vulnerability in libavformat/mov.c allowed remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file.\n\nCVE-2017-7863\n\nlibav had an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c.\n\nCVE-2017-7865\n\nlibav had an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c.\n\nCVE-2017-14169\n\nIn the mxf_read_primer_pack function in libavformat/mxfdec.c, an integer signedness error might have occurred when a crafted file, claiming a large 'item_num' field such as 0xffffffff, was provided. As a result, the variable 'item_num' turned negative, bypassing the check for a large value.\n\nCVE-2017-14223\n\nIn libavformat/asfdec_f.c a DoS in asf_build_simple_index() due to lack of an EOF (End of File) check might have caused huge CPU consumption. When a crafted ASF file, claiming a large 'ict' field in the header but not containing sufficient backing data, was provided, the for loop would have consumed huge CPU and memory resources, since there was no EOF check inside the loop.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 6:11.12-1~deb8u5.\n\nWe recommend that you upgrade your libav packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-07T00:00:00", "id": "DEBIAN_DLA-1654.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121622", "published": "2019-02-07T00:00:00", "title": "Debian DLA-1654-1 : libav security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1654-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121622);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 9:34:54\");\n\n script_cve_id(\"CVE-2014-8542\", \"CVE-2015-1207\", \"CVE-2017-14169\", \"CVE-2017-14223\", \"CVE-2017-7863\", \"CVE-2017-7865\");\n script_bugtraq_id(70881);\n\n script_name(english:\"Debian DLA-1654-1 : libav security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security issues have been corrected in multiple demuxers and\ndecoders of the libav multimedia library.\n\nCVE-2014-8542\n\nlibavcodec/utils.c omitted a certain codec ID during enforcement of\nalignment, which allowed remote attackers to cause a denial of ervice\n(out-of-bounds access) or possibly have unspecified other impact via\ncrafted JV data.\n\nCVE-2015-1207\n\nDouble-free vulnerability in libavformat/mov.c allowed remote\nattackers to cause a denial of service (memory corruption and crash)\nvia a crafted .m4a file.\n\nCVE-2017-7863\n\nlibav had an out-of-bounds write caused by a heap-based buffer\noverflow related to the decode_frame_common function in\nlibavcodec/pngdec.c.\n\nCVE-2017-7865\n\nlibav had 
an out-of-bounds write caused by a heap-based buffer\noverflow related to the ipvideo_decode_block_opcode_0xA function in\nlibavcodec/interplayvideo.c and the avcodec_align_dimensions2 function\nin libavcodec/utils.c.\n\nCVE-2017-14169\n\nIn the mxf_read_primer_pack function in libavformat/mxfdec.c, an\ninteger signedness error might have occurred when a crafted file,\nclaiming a large 'item_num' field such as 0xffffffff, was provided. As\na result, the variable 'item_num' turned negative, bypassing the check\nfor a large value.\n\nCVE-2017-14223\n\nIn libavformat/asfdec_f.c a DoS in asf_build_simple_index() due to\nlack of an EOF (End of File) check might have caused huge CPU\nconsumption. When a crafted ASF file, claiming a large 'ict' field in\nthe header but not containing sufficient backing data, was provided,\nthe for loop would have consumed huge CPU and memory resources, since\nthere was no EOF check inside the loop.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n6:11.12-1~deb8u5.\n\nWe recommend that you upgrade your libav packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libav\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libav-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libav-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libav-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavcodec-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavcodec-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavcodec-extra-56\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavcodec56\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavdevice-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavdevice55\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavfilter-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavfilter5\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavformat-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavformat56\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavresample-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavresample2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavutil-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libavutil54\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libswscale-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libswscale3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/11/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libav-dbg\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libav-doc\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libav-tools\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavcodec-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavcodec-extra\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavcodec-extra-56\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavcodec56\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavdevice-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavdevice55\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavfilter-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavfilter5\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavformat-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavformat56\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavresample-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"libavresample2\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavutil-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libavutil54\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libswscale-dev\", reference:\"6:11.12-1~deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libswscale3\", reference:\"6:11.12-1~deb8u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-02-20T12:22:00", "bulletinFamily": "NVD", "description": "Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML,mapID variables", "modified": "2019-02-19T10:29:18", "published": "2019-02-15T16:29:00", "id": "CVE-2015-4615", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4615", "title": "CVE-2015-4615", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-20T12:22:00", "bulletinFamily": "NVD", "description": "Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory.", "modified": "2019-02-19T15:56:55", "published": "2019-02-15T16:29:00", "id": "CVE-2015-4617", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4617", "title": "CVE-2015-4617", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2019-02-20T21:07:47", "bulletinFamily": "software", 
"description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-02-11T23:55:00", "published": "2019-02-11T23:55:00", "id": "F5:K07052904", "href": "https://support.f5.com/csp/article/K07052904", "title": "PHP vulnerability CVE-2015-3307", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:52", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-02-07T23:23:00", "published": "2019-02-07T23:23:00", "id": "F5:K19916307", "href": 
"https://support.f5.com/csp/article/K19916307", "title": "glibc vulnerability CVE-2015-1473", "type": "f5", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:50", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-02-05T20:03:00", "published": "2019-02-05T20:03:00", "id": "F5:K54423555", "href": "https://support.f5.com/csp/article/K54423555", "title": "PHP vulnerability CVE-2015-4147", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:45", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 
products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-02-05T19:33:00", "published": "2019-02-05T19:33:00", "id": "F5:K41036924", "href": "https://support.f5.com/csp/article/K41036924", "title": "Linux kernel vulnerability CVE-2014-7843", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-02-07T01:57:13", "bulletinFamily": "unix", "description": "Package : libav\nVersion : 6:11.12-1~deb8u5\nCVE ID : CVE-2014-8542 CVE-2015-1207 CVE-2017-7863 CVE-2017-7865 \n CVE-2017-14169 CVE-2017-14223\n\n\nSeveral security issues have been corrected in multiple demuxers and\ndecoders of the libav multimedia library.\n\nCVE-2014-8542\n\n libavcodec/utils.c omitted a certain codec ID during enforcement of\n alignment, which allowed remote attackers to cause a denial of ervice\n (out-of-bounds access) or possibly have unspecified other impact via\n crafted JV data.\n\nCVE-2015-1207\n\n Double-free vulnerability in libavformat/mov.c allowed remote\n attackers to cause a denial of service (memory corruption and crash)\n via a crafted .m4a file.\n\nCVE-2017-7863\n\n libav had an out-of-bounds write caused by a heap-based buffer\n overflow related to the decode_frame_common function in\n libavcodec/pngdec.c.\n\nCVE-2017-7865\n\n libav had an out-of-bounds write caused by a heap-based buffer\n overflow related to the ipvideo_decode_block_opcode_0xA function in\n libavcodec/interplayvideo.c and the avcodec_align_dimensions2\n function in libavcodec/utils.c.\n\nCVE-2017-14169\n\n In the mxf_read_primer_pack function in libavformat/mxfdec.c in, an\n integer signedness error might have occured when a crafted file,\n claiming a large "item_num" field such as 0xffffffff, was provided.\n As a result, the variable "item_num" turned negative, bypassing the\n check for a large 
value.\n\nCVE-2017-14223\n\n In libavformat/asfdec_f.c a DoS in asf_build_simple_index() due to\n lack of an EOF (End of File) check might have caused huge CPU\n consumption. When a crafted ASF file, claiming a large "ict" field in\n the header but not containing sufficient backing data, was provided,\n the for loop would have consumed huge CPU and memory resources, since\n there was no EOF check inside the loop.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n6:11.12-1~deb8u5.\n\nWe recommend that you upgrade your libav packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n\nmike gabriel aka sunweaver (Debian Developer)\nfon: +49 (1520) 1976 148\n\nGnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31\nmail: sunweaver@debian.org, http://sunweavers.net\n", "modified": "2019-02-06T12:42:33", "published": "2019-02-06T12:42:33", "id": "DEBIAN:DLA-1654-1:B472E", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201902/msg00005.html", "title": "[SECURITY] [DLA 1654-1] libav security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-02-07T18:17:33", "bulletinFamily": "scanner", "description": "Several security issues have been corrected in multiple demuxers and\ndecoders of the libav multimedia library.\n\nCVE-2014-8542\n\nlibavcodec/utils.c omitted a certain codec ID during enforcement of\nalignment, which allowed remote attackers to cause a denial of ervice\n(out-of-bounds access) or possibly have unspecified other impact via\ncrafted JV data.\n\nCVE-2015-1207\n\nDouble-free vulnerability in libavformat/mov.c allowed remote\nattackers to cause a denial of service (memory corruption and crash)\nvia a crafted .m4a file.\n\nCVE-2017-7863\n\nlibav had an 
out-of-bounds write caused by a heap-based buffer\noverflow related to the decode_frame_common function in\nlibavcodec/pngdec.c.\n\nCVE-2017-7865\n\nlibav had an out-of-bounds write caused by a heap-based buffer\noverflow related to the ipvideo_decode_block_opcode_0xA function in\nlibavcodec/interplayvideo.c and the avcodec_align_dimensions2\nfunction in libavcodec/utils.c.\n\nCVE-2017-14169\n\nIn the mxf_read_primer_pack function in libavformat/mxfdec.c in, an\ninteger signedness error might have occurred when a crafted file,\nclaiming a large ", "modified": "2019-02-07T00:00:00", "published": "2019-02-06T00:00:00", "id": "OPENVAS:1361412562310891654", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891654", "title": "Debian LTS Advisory ([SECURITY] [DLA 1654-1] libav security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891654\");\n script_version(\"$Revision: 13517 $\");\n script_cve_id(\"CVE-2014-8542\", \"CVE-2015-1207\", \"CVE-2017-14169\", \"CVE-2017-14223\", \"CVE-2017-7863\", \"CVE-2017-7865\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1654-1] libav security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-07 08:51:12 +0100 (Thu, 07 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-06 00:00:00 +0100 (Wed, 06 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"libav on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n6:11.12-1~deb8u5.\n\nWe recommend that you upgrade your libav packages.\");\n script_tag(name:\"summary\", value:\"Several security issues have been corrected in multiple demuxers and\ndecoders of the libav multimedia library.\n\nCVE-2014-8542\n\nlibavcodec/utils.c omitted a certain codec ID during enforcement of\nalignment, which allowed remote 
attackers to cause a denial of ervice\n(out-of-bounds access) or possibly have unspecified other impact via\ncrafted JV data.\n\nCVE-2015-1207\n\nDouble-free vulnerability in libavformat/mov.c allowed remote\nattackers to cause a denial of service (memory corruption and crash)\nvia a crafted .m4a file.\n\nCVE-2017-7863\n\nlibav had an out-of-bounds write caused by a heap-based buffer\noverflow related to the decode_frame_common function in\nlibavcodec/pngdec.c.\n\nCVE-2017-7865\n\nlibav had an out-of-bounds write caused by a heap-based buffer\noverflow related to the ipvideo_decode_block_opcode_0xA function in\nlibavcodec/interplayvideo.c and the avcodec_align_dimensions2\nfunction in libavcodec/utils.c.\n\nCVE-2017-14169\n\nIn the mxf_read_primer_pack function in libavformat/mxfdec.c in, an\ninteger signedness error might have occurred when a crafted file,\nclaiming a large 'item_num' field such as 0xffffffff, was provided.\nAs a result, the variable 'item_num' turned negative, bypassing the\ncheck for a large value.\n\nCVE-2017-14223\n\nIn libavformat/asfdec_f.c a DoS in asf_build_simple_index() due to\nlack of an EOF (End of File) check might have caused huge CPU\nconsumption. 
When a crafted ASF file, claiming a large 'ict' field in\nthe header but not containing sufficient backing data, was provided,\nthe for loop would have consumed huge CPU and memory resources, since\nthere was no EOF check inside the loop.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libav-dbg\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libav-doc\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libav-tools\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavcodec-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavcodec-extra\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavcodec-extra-56\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavcodec56\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavdevice-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavdevice55\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavfilter-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"libavfilter5\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavformat-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavformat56\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavresample-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavresample2\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavutil-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libavutil54\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libswscale-dev\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libswscale3\", ver:\"6:11.12-1~deb8u5\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}