Newest Plugins

Ubuntu 14.04 / 15.10 : nginx vulnerabilities (USN-2892-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

It was discovered that nginx incorrectly handled certain DNS server
responses when the resolver is enabled. A remote attacker could
possibly use this issue to cause nginx to crash, resulting in a denial
of service. (CVE-2016-0742)

It was discovered that nginx incorrectly handled CNAME response
processing when the resolver is enabled. A remote attacker could use
this issue to cause nginx to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2016-0746)

It was discovered that nginx incorrectly handled CNAME resolution when
the resolver is enabled. A remote attacker could possibly use this
issue to cause nginx to consume resources, resulting in a denial of
service. (CVE-2016-0747)

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

SUSE SLED11 / SLES11 Security Update : tiff (SUSE-SU-2016:0353-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

This update for tiff fixes the following issues :

- CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:
Out-of-bounds writes for invalid images (bsc#964225)

- CVE-2015-7554: Out-of-bounds Write in the thumbnail and
tiffcmp tools (bsc#960341)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/960341
https://bugzilla.suse.com/964225
https://www.suse.com/security/cve/CVE-2015-7554.html
https://www.suse.com/security/cve/CVE-2015-8781.html
https://www.suse.com/security/cve/CVE-2015-8782.html
https://www.suse.com/security/cve/CVE-2015-8783.html
http://www.nessus.org/u?89612cb2

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4 :

zypper in -t patch sdksp4-tiff-12389=1

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-tiff-12389=1

SUSE Linux Enterprise Desktop 11-SP4 :

zypper in -t patch sledsp4-tiff-12389=1

SUSE Linux Enterprise Debuginfo 11-SP4 :

zypper in -t patch dbgsp4-tiff-12389=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Scientific Linux Security Update : sos on SL6.x (noarch)


Synopsis:

The remote Scientific Linux host is missing a security update.

Description:

An insecure temporary file use flaw was found in the way sos created
certain sosreport files. A local attacker could possibly use this flaw
to perform a symbolic link attack to reveal the contents of sosreport
files, or in some cases modify arbitrary files and escalate their
privileges on the system. (CVE-2015-7529)

This update also fixes the following bug :

- Previously, when the hpasm plug-in ran the 'hpasmcli'
command in a Python Popen constructor or a system
pipeline, the command would hang and eventually time out
after 300 seconds. Sos was forced to wait for the time
out to finish, unnecessarily prolonging its run time.
With this update, the timeout of the 'hpasmcli' command
has been set to 0, eliminating the delay and speeding up
sos completion time.

See also :

http://www.nessus.org/u?0f7297c1

Solution :

Update the affected sos package.

Risk factor :

High

RHEL 6 : sos (RHSA-2016:0152)


Synopsis:

The remote Red Hat host is missing a security update.

Description:

An updated sos package that fixes one security issue and one bug is
now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The sos package contains a set of tools that gather information from
system hardware, logs and configuration files. The information can
then be used for diagnostic purposes and debugging.

An insecure temporary file use flaw was found in the way sos created
certain sosreport files. A local attacker could possibly use this flaw
to perform a symbolic link attack to reveal the contents of sosreport
files, or in some cases modify arbitrary files and escalate their
privileges on the system. (CVE-2015-7529)

This issue was discovered by Mateusz Guzik of Red Hat.

This update also fixes the following bug :

* Previously, when the hpasm plug-in ran the 'hpasmcli' command in a
Python Popen constructor or a system pipeline, the command would hang
and eventually time out after 300 seconds. Sos was forced to wait for
the time out to finish, unnecessarily prolonging its run time. With
this update, the timeout of the 'hpasmcli' command has been set to 0,
eliminating the delay and speeding up sos completion time.
(BZ#1291828)

All sos users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2015-7529.html
http://rhn.redhat.com/errata/RHSA-2016-0152.html

Solution :

Update the affected sos package.

Risk factor :

Medium / CVSS Base Score : 6.0
(CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C)

Oracle Linux 6 : sos (ELSA-2016-0152)


Synopsis:

The remote Oracle Linux host is missing a security update.

Description:

From Red Hat Security Advisory 2016:0152 :

An updated sos package that fixes one security issue and one bug is
now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The sos package contains a set of tools that gather information from
system hardware, logs and configuration files. The information can
then be used for diagnostic purposes and debugging.

An insecure temporary file use flaw was found in the way sos created
certain sosreport files. A local attacker could possibly use this flaw
to perform a symbolic link attack to reveal the contents of sosreport
files, or in some cases modify arbitrary files and escalate their
privileges on the system. (CVE-2015-7529)

This issue was discovered by Mateusz Guzik of Red Hat.

This update also fixes the following bug :

* Previously, when the hpasm plug-in ran the 'hpasmcli' command in a
Python Popen constructor or a system pipeline, the command would hang
and eventually time out after 300 seconds. Sos was forced to wait for
the time out to finish, unnecessarily prolonging its run time. With
this update, the timeout of the 'hpasmcli' command has been set to 0,
eliminating the delay and speeding up sos completion time.
(BZ#1291828)

All sos users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

See also :

https://oss.oracle.com/pipermail/el-errata/2016-February/005774.html

Solution :

Update the affected sos package.

Risk factor :

High

FreeBSD : py-imaging, py-pillow -- Buffer overflow in PCD decoder (a8de962a-cf15-11e5-805c-5453ed2e2b49)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Pillow maintainers report :

In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, PcdDecode.c has a buffer overflow error.

The state.buffer for PcdDecode.c is allocated based on a 3 bytes per
pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes
per pixel. This writes 768 bytes beyond the end of the buffer into
other Python object storage. In some cases, this causes a segfault, in
others an internal Python malloc error.

See also :

http://openwall.com/lists/oss-security/2016/02/02/5
http://www.nessus.org/u?688f59da
https://github.com/python-pillow/Pillow/issues/568
http://www.nessus.org/u?2d28a46b

Solution :

Update the affected packages.

Risk factor :

High

FreeBSD : graphite2 -- code execution vulnerability (8f10fa04-cf6a-11e5-96d6-14dae9d210b8)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Talos reports :

- An exploitable denial of service vulnerability exists in the font
handling of Libgraphite. A specially crafted font can cause an
out-of-bounds read potentially resulting in an information leak or
denial of service.

- A specially crafted font can cause a buffer overflow resulting in
potential code execution.

- An exploitable NULL pointer dereference exists in the bidirectional
font handling functionality of Libgraphite. A specially crafted font
can cause a NULL pointer dereference resulting in a crash.

See also :

http://www.nessus.org/u?f9a7a2f7
http://www.nessus.org/u?88a21758

Solution :

Update the affected package.

Risk factor :

High

FreeBSD : php -- pcre vulnerability (85eb4e46-cf16-11e5-840f-485d605f4717)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

PHP reports :

- PCRE :

- Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391,
CVE-2015-8393, CVE-2015-8394)

See also :

http://php.net/ChangeLog-5.php#5.6.18
http://php.net/ChangeLog-5.php#5.5.32
http://www.nessus.org/u?f236751f

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C)

FreeBSD : py-imaging, py-pillow -- Buffer overflow in FLI decoding code (6ea60e00-cf13-11e5-805c-5453ed2e2b49)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Pillow maintainers report :

In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, FliDecode.c has a buffer overflow error.

There is a memcpy error where x is added to a target buffer address. X
is used in several internal temporary variable roles, but can take a
value up to the width of the image. Im->image[y] is a set of row
pointers to segments of memory that are the size of the row. At the
max y, this will write the contents of the line off the end of the
memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.

See also :

http://www.nessus.org/u?80ed5742
http://www.nessus.org/u?581338d0

Solution :

Update the affected packages.

Risk factor :

High

FreeBSD : py-pillow -- Buffer overflow in TIFF decoding code (53252879-cf11-11e5-805c-5453ed2e2b49)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Pillow maintainers report :

Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
may overflow a buffer when reading a specially crafted tiff file.

Specifically, libtiff >= 4.0.0 changed the return type of
TIFFScanlineSize from int32 to machine dependent int32|64. If the
scanline is sized so that it overflows an int32, it may be interpreted
as a negative number, which will then pass the size check in
TiffDecode.c line 236. To do this, the logical scanline size has to be
> 2gb, and for the test file, the allocated buffer size is 64k against
a roughly 4gb scan line size. Any image data over 64k is written over
the heap, causing a segfault.

This issue was found by security researcher FourOne.

See also :

http://www.nessus.org/u?b93f5cad
http://www.nessus.org/u?5884976b

Solution :

Update the affected packages.

Risk factor :

High

FreeBSD : dnscrypt-proxy -- code execution (515b4327-cf8a-11e5-96d6-14dae9d210b8)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Frank Denis reports :

Malformed packets could lead to denial of service or code execution.

See also :

http://www.nessus.org/u?c0e8e160
http://www.nessus.org/u?ba8429ba

Solution :

Update the affected package.

Risk factor :

High

FreeBSD : chromium -- multiple vulnerabilities (36034227-cf81-11e5-9c2b-00262d5ed8ee)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Google Chrome Releases reports :

6 security fixes in this release, including :

- [546677] High CVE-2016-1622: Same-origin bypass in Extensions.
Credit to anonymous.

- [577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to
Mariusz Mlynski.

- [583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to
lukezli.

- [509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant.
Credit to Jann Horn.

- [571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit
to anonymous, working with HP's Zero Day Initiative.

- [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing
and other initiatives.

See also :

http://www.nessus.org/u?07c1f641
http://www.nessus.org/u?50aa9f4f

Solution :

Update the affected packages.

Risk factor :

High

FreeBSD : xymon-server -- multiple vulnerabilities (1cecd5e0-c372-11e5-96d6-14dae9d210b8)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

J.C. Cleaver reports :

- CVE-2016-2054: Buffer overflow in xymond handling of 'config'
command

- CVE-2016-2055: Access to possibly confidential files in the Xymon
configuration directory

- CVE-2016-2056: Shell command injection in the 'useradm' and
'chpasswd' web applications

- CVE-2016-2057: Incorrect permissions on IPC queues used by the
xymond daemon can bypass IP access filtering

- CVE-2016-2058: JavaScript injection in 'detailed status webpage' of
monitoring items; XSS vulnerability via malformed acknowledgment
messages

See also :

http://lists.xymon.com/pipermail/xymon/2016-February/042986.html
http://www.nessus.org/u?c52fc75f

Solution :

Update the affected package.

Risk factor :

High

FreeBSD : py-pillow -- Integer overflow in Resample.c (0519db18-cf15-11e5-805c-5453ed2e2b49)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The Pillow maintainers report :

If a large value was passed into the new size for an image, it is
possible to overflow an int32 value passed into malloc, leading the
malloc'd buffer to be undersized. These allocations are followed by
a loop that writes out of bounds. This can lead to corruption on the
heap of the Python process with attacker controlled float data.

This issue was found by Ned Williamson.

See also :

http://www.nessus.org/u?77a6304d
https://github.com/python-pillow/Pillow/issues/1710
http://www.nessus.org/u?d40e630f

Solution :

Update the affected packages.

Risk factor :

High

Amazon Linux AMI : curl (ALAS-2016-652)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

The ConnectionExists function in lib/url.c in libcurl before 7.47.0
does not properly re-use NTLM-authenticated proxy connections, which
might allow remote attackers to authenticate as other users via a
request, a similar issue to CVE-2014-0015. (CVE-2016-0755)

See also :

https://alas.aws.amazon.com/ALAS-2016-652.html

Solution :

Run 'yum update curl' to update your system.

Risk factor :

High

Amazon Linux AMI : gnutls (ALAS-2016-651)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

A flaw was found in the way TLS 1.2 could use the MD5 hash function
for signing ServerKeyExchange and Client Authentication packets during
a TLS handshake. A man-in-the-middle attacker able to force a TLS
connection to use the MD5 hash function could use this flaw to conduct
collision attacks to impersonate a TLS server or an authenticated TLS
client. (CVE-2015-7575)

See also :

https://alas.aws.amazon.com/ALAS-2016-651.html

Solution :

Run 'yum update gnutls' to update your system.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Amazon Linux AMI : mod24_nss (ALAS-2016-650)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

It was found that the parsing of the NSSCipherSuite option of
mod24_nss, which accepts OpenSSL-style cipherstrings, is flawed. If
the option is used to disable insecure ciphersuites using the common
'!' syntax, it will actually enable those insecure ciphersuites.
(CVE-2015-5244)

See also :

https://alas.aws.amazon.com/ALAS-2016-650.html

Solution :

Run 'yum update mod24_nss' to update your system.

Risk factor :

High

Amazon Linux AMI : ntp (ALAS-2016-649)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

It was discovered that ntpd as a client did not correctly check the
originate timestamp in received packets. A remote attacker could use
this flaw to send a crafted packet to an ntpd client that would
effectively disable synchronization with the server, or push arbitrary
offset/delay measurements to modify the time on the client.
(CVE-2015-8138)

A NULL pointer dereference flaw was found in the way ntpd processed
'ntpdc reslist' commands that queried restriction lists with a large
amount of entries. A remote attacker could use this flaw to crash the
ntpd process. (CVE-2015-7977)

It was found that NTP does not verify peer associations of symmetric
keys when authenticating packets, which might allow remote attackers
to conduct impersonation attacks via an arbitrary trusted key.
(CVE-2015-7974)

A stack-based buffer overflow was found in the way ntpd processed
'ntpdc reslist' commands that queried restriction lists with a large
amount of entries. A remote attacker could use this flaw to crash the
ntpd process. (CVE-2015-7978)

It was found that when NTP is configured in broadcast mode, an
off-path attacker could broadcast packets with bad authentication
(wrong key, mismatched key, incorrect MAC, etc.) to all clients. The
clients, upon receiving the malformed packets, would break the
association with the broadcast server. This could cause the time on
affected clients to become out of sync over a longer period of time.
(CVE-2015-7979)

A flaw was found in the way the ntpq client processed certain incoming
packets in a loop in the getresponse() function. A remote attacker
could potentially use this flaw to crash an ntpq client instance.
(CVE-2015-8158)

See also :

https://alas.aws.amazon.com/ALAS-2016-649.html

Solution :

Run 'yum update ntp' to update your system.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N)

Amazon Linux AMI : kernel (ALAS-2016-648)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

The Linux kernel before 4.4.1 allows local users to bypass
file-descriptor limits and cause a denial of service (memory
consumption) by sending each descriptor over a UNIX socket before
closing it, related to net/unix/af_unix.c and net/unix/garbage.c.
(CVE-2013-4312)

A race condition in the tty_ioctl function in drivers/tty/tty_io.c in
the Linux kernel through 4.4.1 was found that allows local users to
obtain sensitive information from kernel memory or cause a denial of
service (use-after-free and system crash) by making a TIOCGETD ioctl
call during processing of a TIOCSETD ioctl call. (CVE-2016-0723)

A privilege-escalation vulnerability was discovered in the Linux
kernel built with User Namespace (CONFIG_USER_NS) support. The flaw
occurred when the ptrace() system call was used on a root-owned
process to enter a user namespace. A privileged namespace user could
exploit this flaw to potentially escalate their privileges on the
system, outside the original namespace. (CVE-2015-8709)

net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not
properly manage the relationship between a lock and a socket, which
allows local users to cause a denial of service (deadlock) via a
crafted sctp_accept call. (CVE-2015-8767)

See also :

https://alas.aws.amazon.com/ALAS-2016-648.html

Solution :

Run 'yum clean all' followed by 'yum update kernel' to update your
system. You will need to reboot your system in order for the new
kernel to be running.

Risk factor :

High

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-647)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

An out-of-bounds write flaw was found in the JPEG image format decoder
in the AWT component in OpenJDK. A specially crafted JPEG image could
cause a Java application to crash or, possibly, execute arbitrary code.
An untrusted Java application or applet could use this flaw to bypass
Java sandbox restrictions. (CVE-2016-0483)

A flaw was found in the way TLS 1.2 could use the MD5 hash function
for signing ServerKeyExchange and Client Authentication packets during
a TLS handshake. A man-in-the-middle attacker able to force a TLS
connection to use the MD5 hash function could use this flaw to conduct
collision attacks to impersonate a TLS server or an authenticated TLS
client. (CVE-2015-7575)

Integer signedness issues were discovered in
IndicRearrangementProcessor and IndicRearrangementProcessor2 in the
ICU Layout Engine. A specially crafted font file could cause an
application using ICU to parse untrusted fonts to crash and, possibly,
execute arbitrary code. (CVE-2016-0494)

It was discovered that the password-based encryption (PBE)
implementation in the Libraries component in OpenJDK used an incorrect
key length. This could, in certain cases, lead to generation of keys
that were weaker than expected. (CVE-2016-0475)

A flaw was found in the deserialization of the URL class in the
Networking component of OpenJDK. Deserialization of the specially
crafted data could result in creation of the URL object with an
inconsistent state. An untrusted Java application or applet could use
this flaw to bypass certain Java sandbox restrictions. (CVE-2016-0402)

It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a
Java application process a specially crafted XML file could use this
flaw to make the application consume an excessive amount of memory.
(CVE-2016-0466)

It was discovered that the RMIConnector and RMIConnectionImpl classes
in the JMX component of OpenJDK could log sensitive information such
as user passwords in its debug log, possibly leading to the exposure of
the information. (CVE-2016-0448)

See also :

https://alas.aws.amazon.com/ALAS-2016-647.html

Solution :

Run 'yum update java-1.8.0-openjdk' to update your system.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Amazon Linux AMI : pngcrush (ALAS-2016-646)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

A double-free bug was discovered in pngcrush's handling of the sPLT
chunk. A malicious PNG could crash the pngcrush process.
(CVE-2015-7700)

See also :

https://alas.aws.amazon.com/ALAS-2016-646.html

Solution :

Run 'yum update pngcrush' to update your system.

Risk factor :

High

Amazon Linux AMI : nss (ALAS-2016-645)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

A flaw was found in the way TLS 1.2 could use the MD5 hash function
for signing ServerKeyExchange and Client Authentication packets during
a TLS handshake. A man-in-the-middle attacker able to force a TLS
connection to use the MD5 hash function could use this flaw to conduct
collision attacks to impersonate a TLS server or an authenticated TLS
client. (CVE-2015-7575)

See also :

https://alas.aws.amazon.com/ALAS-2016-645.html

Solution :

Run 'yum update nss' to update your system.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Amazon Linux AMI : python-rsa (ALAS-2016-644)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

It was found that python-rsa is vulnerable to the Bleichenbacher'06
attack, allowing an attacker to fake signatures for any public key with
a low exponent. (CVE-2016-1494)

See also :

https://alas.aws.amazon.com/ALAS-2016-644.html

Solution :

Run 'yum update python-rsa' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-643)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

An out-of-bounds write flaw was found in the JPEG image format decoder
in the AWT component in OpenJDK. A specially crafted JPEG image could
cause a Java application to crash or, possibly, execute arbitrary code.
An untrusted Java application or applet could use this flaw to bypass
Java sandbox restrictions. (CVE-2016-0483)

An integer signedness issue was found in the font parsing code in the
2D component in OpenJDK. A specially crafted font file could possibly
cause the Java Virtual Machine to execute arbitrary code, allowing an
untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2016-0494)

It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a
Java application process a specially crafted XML file could use this
flaw to make the application consume an excessive amount of memory.
(CVE-2016-0466)

A flaw was found in the way TLS 1.2 could use the MD5 hash function
for signing ServerKeyExchange and Client Authentication packets during
a TLS handshake. A man-in-the-middle attacker able to force a TLS
connection to use the MD5 hash function could use this flaw to conduct
collision attacks to impersonate a TLS server or an authenticated TLS
client. (CVE-2015-7575)

Multiple flaws were discovered in the Libraries, Networking, and JMX
components in OpenJDK. An untrusted Java application or applet could
use these flaws to bypass certain Java sandbox restrictions.
(CVE-2015-4871, CVE-2016-0402, CVE-2016-0448)

Note: This update also disallows the use of the MD5 hash algorithm in
the certification path processing. The use of MD5 can be re-enabled by
removing MD5 from the jdk.certpath.disabledAlgorithms security
property defined in the java.security file.

See also :

https://alas.aws.amazon.com/ALAS-2016-643.html

Solution :

Run 'yum update java-1.7.0-openjdk' to update your system.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

MS16-022: Security Update for Adobe Flash Player (3135782)


Synopsis:

The remote Windows host has a browser plugin installed that is
affected by multiple vulnerabilities.

Description:

The remote Windows host is missing KB3135782. It is, therefore,
affected by multiple vulnerabilities :

- A type confusion error exists that allows a remote
attacker to execute arbitrary code. (CVE-2016-0985)

- Multiple use-after-free errors exist that allow a remote
attacker to execute arbitrary code. (CVE-2016-0973,
CVE-2016-0974, CVE-2016-0975, CVE-2016-0982,
CVE-2016-0983, CVE-2016-0984)

- A heap buffer overflow condition exists that allows an
attacker to execute arbitrary code. (CVE-2016-0971)

- Multiple memory corruption issues exist that allow a
remote attacker to execute arbitrary code.
(CVE-2016-0964, CVE-2016-0965, CVE-2016-0966,
CVE-2016-0967, CVE-2016-0968, CVE-2016-0969,
CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979,
CVE-2016-0980, CVE-2016-0981)

See also :

https://technet.microsoft.com/library/security/MS16-022
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

Solution :

Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,
2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

MS16-021: Security Update for NPS RADIUS Server to Address Denial of Service (3133043)


Synopsis:

The remote Windows host is affected by a denial of service
vulnerability.

Description:

The remote Windows host is affected by a denial of service
vulnerability in the Network Policy Server (NPS) due to improper
handling of RADIUS authentication requests. An unauthenticated, remote
attacker can exploit this, via specially crafted username strings, to
cause a denial of service condition for RADIUS authentication on the
NPS.

See also :

https://technet.microsoft.com/library/security/MS16-021

Solution :

Microsoft has released a set of patches for Windows 2008, 2008 R2,
2012, and 2012 R2.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

MS16-020: Security Update for Active Directory Federation Services to Address Denial of Service (3134222)


Synopsis:

The remote Windows host is affected by a denial of service
vulnerability.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by a denial of service vulnerability in Active
Directory Federation Services (ADFS) due to a failure to properly
process certain input during forms-based authentication. A remote
attacker can exploit this, via crafted input, to cause the server to
become unresponsive.

See also :

https://technet.microsoft.com/library/security/ms16-020

Solution :

Microsoft has released a set of patches for Windows Server 2012 R2.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

MS16-019: Security Update for .NET Framework to Address Denial of Service (3137893)


Synopsis:

The remote host is affected by multiple vulnerabilities.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by multiple vulnerabilities in the .NET
Framework :

- A denial of service vulnerability exists due to improper
handling of certain Extensible Stylesheet Language
Transformations (XSLT). A remote attacker can exploit
this, via specially crafted XSLT inserted into a
client-side web part, to cause the server to recursively
compile XSLT transforms, resulting in significant
degradation of server performance. (CVE-2016-0033)

- An information disclosure vulnerability exists in
Windows Forms due to improper handling of icon data.
A remote attacker can exploit this, by uploading a
specially crafted icon, to capture information that is
returned within the icon's data. (CVE-2016-0047)

See also :

https://technet.microsoft.com/en-us/library/MS16-019.aspx

Solution :

Microsoft has released a set of patches for .NET Framework 2.0 SP2,
3.5, 3.5.1, 4, 4.5.1, 4.5.2, 4.6, and 4.6.1.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-018: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)


Synopsis:

The remote Windows host is affected by an elevation of privilege
vulnerability.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by an elevation of privilege vulnerability in the
Windows kernel-mode driver due to improper handling of objects in
memory. An authenticated, remote attacker can exploit this, via a
specially crafted application, to execute arbitrary code in kernel
mode.

See also :

https://technet.microsoft.com/en-us/library/security/MS16-018

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-017: Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)


Synopsis:

The remote Windows host is affected by an elevation of privilege
vulnerability.

Description:

The remote Windows host is affected by an elevation of privilege
vulnerability in the Remote Desktop Protocol (RDP) due to improper
handling of objects in memory. An authenticated, remote attacker can
exploit this by logging on via RDP and sending specially crafted data
over the authenticated connection, resulting in an elevation of
privilege.

See also :

https://technet.microsoft.com/library/security/ms16-017

Solution :

Microsoft has released a set of patches for Windows 7, 2012, 8.1,
2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041)


Synopsis:

The remote host is affected by an elevation of privilege
vulnerability.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by a flaw in the Microsoft Web Distributed
Authoring and Versioning (WebDAV) client due to improper validation of
user-supplied input. A local attacker can exploit this, via a
specially crafted application, to execute arbitrary code with elevated
privileges.

See also :

https://technet.microsoft.com/library/security/MS16-016

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-015: Security Update for Microsoft Office to Address Remote Code Execution (3134226)


Synopsis:

The remote Windows host is affected by multiple vulnerabilities.

Description:

The remote Windows host has a version of Microsoft Office, Word, Word
Viewer, Excel, Excel Viewer, SharePoint, Microsoft Office
Compatibility Pack, or Office Web Apps installed that is affected by
multiple vulnerabilities :

- Multiple remote code execution vulnerabilities exist due
to improper handling of objects in memory. A remote
attacker can exploit these vulnerabilities by convincing
a user to open a specially crafted file in Microsoft
Office, resulting in the execution of arbitrary code in
the context of the current user. (CVE-2016-0022,
CVE-2016-0052, CVE-2016-0053, CVE-2016-0054,
CVE-2016-0055, CVE-2015-0056)

- A cross-site scripting vulnerability exists in
SharePoint due to improper sanitization of specially
crafted web requests. An authenticated, remote attacker
can exploit this, via a specially crafted web request,
to execute arbitrary script code in a user's browser
session. (CVE-2016-0039)

See also :

https://technet.microsoft.com/en-us/library/security/ms16-015

Solution :

Microsoft has released a set of patches for Office 2007, 2010, 2013,
2013 RT, and 2016; Word, Word Viewer, Excel, and Excel Viewer;
SharePoint Server 2007, 2010, and 2013; SharePoint Foundation 2013;
Microsoft Office Compatibility Pack; and Office Web Apps.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)


Synopsis:

The remote Windows host is affected by multiple vulnerabilities.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by multiple vulnerabilities :

- An elevation of privilege vulnerability exists in the
Windows kernel due to improper handling of objects in
memory. A local attacker can exploit this, via a crafted
application, to run arbitrary code in kernel mode and
therefore take control of the affected system.
(CVE-2016-0040)

- Multiple code execution vulnerabilities exist due to
improper validation of user-supplied input when loading
DLL files. A local attacker can exploit these, via a
specially crafted application, to execute arbitrary
code. (CVE-2016-0041, CVE-2016-0042)

- A denial of service vulnerability exists in Microsoft
Sync Framework due to improper processing of crafted
input that uses the 'change batch' structure. An
authenticated, remote attacker can exploit this, via
specially crafted packets sent to the SyncShareSvc
service, to cause the service to stop responding.
(CVE-2016-0044)

- A security feature bypass vulnerability exists when
Kerberos fails to check the password change of a user
signing into a workstation. An attacker can exploit
this, by connecting the workstation to a malicious
Kerberos Key Distribution Center, to bypass Kerberos
authentication on a target machine, thus allowing
decryption of drives protected by BitLocker.
(CVE-2016-0049)

See also :

https://technet.microsoft.com/library/security/MS16-014

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-013: Security Update for Windows Journal to Address Remote Code Execution (3134811)


Synopsis:

The remote Windows host is affected by a remote code execution
vulnerability.

Description:

The remote Windows host is affected by a remote code execution
vulnerability in Windows Journal due to improper parsing of Journal
files. An unauthenticated, remote attacker can exploit this by
convincing a user to open a specially crafted Journal file, resulting
in the execution of arbitrary code in the context of the current user.

See also :

https://technet.microsoft.com/library/security/MS16-013

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, 2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-012: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)


Synopsis:

The remote Windows host is affected by multiple vulnerabilities.

Description:

The remote Windows host is missing a security update. It is,
therefore, affected by multiple code execution vulnerabilities :

- A remote code execution vulnerability exists in Windows
Reader. An attacker can exploit this, by convincing a
user to open a specially crafted file, to execute
arbitrary code in the context of the current user.
(CVE-2016-0046)

- A flaw exists in the Microsoft Windows PDF Library due
to improper handling of API calls. An attacker can
exploit this, by convincing a user to open a specially
crafted file, to execute arbitrary code in the context
of the current user. (CVE-2016-0058)

See also :

https://technet.microsoft.com/library/security/MS16-012

Solution :

Microsoft has released a set of patches for Windows 2012, 8.1, 2012
R2, and 10.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-011: Cumulative Security Update for Microsoft Edge (3134225)


Synopsis:

The remote host has a web browser installed that is affected by
multiple vulnerabilities.

Description:

The version of Microsoft Edge installed on the remote host is missing
Cumulative Security Update 3134225. It is, therefore, affected by
multiple vulnerabilities :

- Multiple remote code execution vulnerabilities exist due
to improper handling of objects in memory. An attacker
can exploit these vulnerabilities by convincing a user
to visit a specially crafted website, resulting in
execution of arbitrary code in the context of the
current user. (CVE-2016-0060, CVE-2016-0061,
CVE-2016-0062, CVE-2016-0084)

- A spoofing vulnerability exists due to improper parsing
of HTTP responses. An unauthenticated, remote attacker
can exploit this, via a specially crafted URL, to
redirect a user to a malicious website. (CVE-2016-0077)

- An information disclosure vulnerability exists due to
improper handling of exceptions when dispatching certain
window messages. An unauthenticated, remote attacker can
exploit this, via a specially crafted website, to bypass
the Address Space Layout Randomization (ASLR) feature,
resulting in the ability to predict memory offsets in a
call stack. (CVE-2016-0080)

See also :

https://technet.microsoft.com/library/security/MS16-011

Solution :

Microsoft has released a set of patches for Windows 10.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MS16-009: Cumulative Security Update for Internet Explorer (3134220)


Synopsis:

The remote host has a web browser installed that is affected by
multiple vulnerabilities.

Description:

The version of Internet Explorer installed on the remote host is
missing Cumulative Security Update 3134220. It is, therefore, affected
by multiple vulnerabilities :

- A remote code execution vulnerability exists due to
improper validation of input when loading dynamic link
library (DLL) files. A local attacker can exploit this,
via a specially crafted application, to execute
arbitrary code. (CVE-2016-0041)

- An information disclosure vulnerability exists in the
Hyperlink Object Library due to improper handling of
objects in memory. A remote attacker can exploit this by
convincing a user to click a link in an email or Office
file, resulting in the disclosure of memory contents.
(CVE-2016-0059)

- Multiple remote code execution vulnerabilities exist due
to improper handling of objects in memory. A remote
attacker can exploit these vulnerabilities by convincing
a user to visit a specially crafted website, resulting
in the execution of arbitrary code in the context of the
current user. (CVE-2016-0060, CVE-2016-0061,
CVE-2016-0062, CVE-2016-0063, CVE-2016-0064,
CVE-2016-0067, CVE-2016-0071, CVE-2016-0072)

- A spoofing vulnerability exists due to improper parsing
of HTTP responses. An unauthenticated, remote attacker
can exploit this, via a specially crafted URL, to
redirect a user to a malicious website. (CVE-2016-0077)

- Multiple elevation of privilege vulnerabilities exist
due to improper enforcement of cross-domain policies. An
unauthenticated, remote attacker can exploit this by
convincing a user to visit a specially crafted website,
resulting in an elevation of privilege. (CVE-2016-0068,
CVE-2016-0069)

See also :

https://technet.microsoft.com/en-us/library/security/MS16-009

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Adobe Flash Player for Mac <= 20.0.0.286 Multiple Vulnerabilities (APSB16-04)


Synopsis:

The remote Mac OS X host has a browser plugin installed that is
affected by multiple vulnerabilities.

Description:

The version of Adobe Flash Player installed on the remote Mac OS X
host is prior to or equal to version 20.0.0.286. It is, therefore,
affected by multiple vulnerabilities :

- A type confusion error exists that allows a remote
attacker to execute arbitrary code. (CVE-2016-0985)

- Multiple use-after-free errors exist that allow a remote
attacker to execute arbitrary code. (CVE-2016-0973,
CVE-2016-0974, CVE-2016-0975, CVE-2016-0982,
CVE-2016-0983, CVE-2016-0984)

- A heap buffer overflow condition exists that allows an
attacker to execute arbitrary code. (CVE-2016-0971)

- Multiple memory corruption issues exist that allow a
remote attacker to execute arbitrary code.
(CVE-2016-0964, CVE-2016-0965, CVE-2016-0966,
CVE-2016-0967, CVE-2016-0968, CVE-2016-0969,
CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979,
CVE-2016-0980, CVE-2016-0981)

See also :

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
http://www.nessus.org/u?0cb17c10

Solution :

Upgrade to Adobe Flash Player version 20.0.0.306 or later.

Alternatively, Adobe has made version 18.0.0.329 available for those
installs that cannot be upgraded to the latest version.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Adobe AIR for Mac <= 20.0.0.233 Multiple Vulnerabilities (APSB16-04)


Synopsis:

The remote Mac OS X host has a browser plugin installed that is
affected by multiple vulnerabilities.

Description:

The version of Adobe AIR installed on the remote Mac OS X host is
prior to or equal to version 20.0.0.233. It is, therefore, affected by
multiple vulnerabilities :

- A type confusion error exists that allows a remote
attacker to execute arbitrary code. (CVE-2016-0985)

- Multiple use-after-free errors exist that allow a remote
attacker to execute arbitrary code. (CVE-2016-0973,
CVE-2016-0974, CVE-2016-0975, CVE-2016-0982,
CVE-2016-0983, CVE-2016-0984)

- A heap buffer overflow condition exists that allows an
attacker to execute arbitrary code. (CVE-2016-0971)

- Multiple memory corruption issues exist that allow a
remote attacker to execute arbitrary code.
(CVE-2016-0964, CVE-2016-0965, CVE-2016-0966,
CVE-2016-0967, CVE-2016-0968, CVE-2016-0969,
CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979,
CVE-2016-0980, CVE-2016-0981)

See also :

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html

Solution :

Upgrade to Adobe AIR version 20.0.0.260 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Adobe Flash Player <= 20.0.0.286 Multiple Vulnerabilities (APSB16-04)


Synopsis:

The remote Windows host has a browser plugin installed that is
affected by multiple vulnerabilities.

Description:

The version of Adobe Flash Player installed on the remote Windows host
is prior to or equal to version 20.0.0.286. It is, therefore, affected by
multiple vulnerabilities :

- A type confusion error exists that allows a remote
attacker to execute arbitrary code. (CVE-2016-0985)

- Multiple use-after-free errors exist that allow a remote
attacker to execute arbitrary code. (CVE-2016-0973,
CVE-2016-0974, CVE-2016-0975, CVE-2016-0982,
CVE-2016-0983, CVE-2016-0984)

- A heap buffer overflow condition exists that allows an
attacker to execute arbitrary code. (CVE-2016-0971)

- Multiple memory corruption issues exist that allow a
remote attacker to execute arbitrary code.
(CVE-2016-0964, CVE-2016-0965, CVE-2016-0966,
CVE-2016-0967, CVE-2016-0968, CVE-2016-0969,
CVE-2016-0970, CVE-2016-0972, CVE-2016-0976,
CVE-2016-0977, CVE-2016-0978, CVE-2016-0979,
CVE-2016-0980, CVE-2016-0981)

See also :

https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
http://www.nessus.org/u?0cb17c10

Solution :

Upgrade to Adobe Flash Player version 20.0.0.306 or later.

Alternatively, Adobe has made version 18.0.0.329 available for those
installs that cannot be upgraded to the latest version.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.