Newest Plugins

Cisco NX-OS DHCP POAP Command Injection Vulnerability


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

The remote Cisco device is running a version of NX-OS software that
is affected by a command injection vulnerability due to the PowerOn
Auto Provisioning (POAP) feature not properly validating the DHCP
options returned by POAP. An attacker on an adjacent network, using
crafted DHCP packets, can execute arbitrary commands as the root user
in response to the initial DHCP request made by the device during the
POAP process.

See also :

http://www.nessus.org/u?e6a5f6f1

Solution :

Apply the patch referenced in Cisco bug ID CSCur14589

Risk factor :

High / CVSS Base Score : 7.9
(CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 / 15.04 : firefox vulnerability (USN-2571-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Robert Kaiser discovered a use-after-free during plugin initialization
in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-2706)

Solution :

Update the affected firefox package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

openSUSE Security Update : Mozilla Firefox (openSUSE-2015-326)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

Mozilla Firefox was updated to 37.0.2 to fix one security issue.

The following vulnerability was fixed :

- CVE-2015-2706: Memory corruption during failed plugin
initialization (bmo#1141081 MFSA 2015-45 bnc#928116)

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=928116

Solution :

Update the affected Mozilla Firefox packages.

Risk factor :

Medium

This script is Copyright (C) 2015 Tenable Network Security, Inc.

openSUSE Security Update : Mozilla Firefox (openSUSE-2015-325)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

Mozilla Firefox was updated to 37.0.2 to fix one security issue.

The following vulnerability was fixed :

- CVE-2015-2706: Memory corruption during failed plugin
initialization (bmo#1141081 MFSA 2015-45 bnc#928116)

Solution :

Update the affected Mozilla Firefox packages.

Risk factor :

Medium

This script is Copyright (C) 2015 Tenable Network Security, Inc.

openSUSE Security Update : socat (openSUSE-2015-324)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

socat was updated to 1.7.2.4 to fix one security issue and bugs.

The following vulnerabilities were fixed :

- socat's PROXY-CONNECT address was vulnerable to a buffer
overflow with data from the command line (CVE-2014-0019,
boo#860991)

The following bugs were fixed :

- socat would frequently crash on ppc and armv7l
(boo#927161)

- various other bug fixes in 1.7.2.4

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=860991
https://bugzilla.opensuse.org/show_bug.cgi?id=927161

Solution :

Update the affected socat packages.

Risk factor :

Low / CVSS Base Score : 1.9
(CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : wpa_supplicant -- P2P SSID processing vulnerability (cb9d2fcd-eb47-11e4-b03e-002590263bf5)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Jouni Malinen reports :

A vulnerability was found in how wpa_supplicant uses SSID information
parsed from management frames that create or update P2P peer entries
(e.g., a Probe Response frame or a number of P2P Public Action frames).
The SSID field has a valid length range of 0-32 octets. However, it is
transmitted in an element that has an 8-bit length field and a
potential maximum payload length of 255 octets. wpa_supplicant was not
sufficiently verifying the payload length on one of the code paths
using the SSID received from a peer device.

This can result in copying arbitrary data from an attacker to a fixed
length buffer of 32 bytes (i.e., a possible overflow of up to 223
bytes). The SSID buffer is within struct p2p_device, which is allocated
from the heap. The overflow can overwrite a couple of variables in the
struct, including a pointer that gets freed. In addition, about 150
bytes (the exact length depending on architecture) can be written
beyond the end of the heap allocation.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of
service due to wpa_supplicant process crash, exposure of memory
contents during GO Negotiation, and potentially arbitrary code
execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.4 with CONFIG_P2P build option enabled (which
is not compiled by default).

The attacker (or a system controlled by the attacker) needs to be
within radio range of the vulnerable system to send a suitably
constructed management frame that triggers P2P peer device information
to be created or updated.

The vulnerability is easiest to exploit while the device has started
an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN
control interface command in progress). However, it may be possible,
though significantly more difficult, to trigger this even without any
active P2P operation in progress.

See also :

http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt
http://www.nessus.org/u?8b91cc7f

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : wordpress -- multiple vulnerabilities (505904d3-ea95-11e4-beaf-bcaec565249c)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Gary Pendergast reports :

WordPress 4.1.2 is now available. This is a critical security release
for all previous versions and we strongly encourage you to update your
sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical
cross-site scripting vulnerability, which could enable anonymous users
to compromise a site. This was reported by Cedric Van Bockhaven and
fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the
WordPress security team.

We also fixed three other security issues :

- In WordPress 4.1 and higher, files with invalid or unsafe names
could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer
of HSASec.

- In WordPress 3.9 and higher, a very limited cross-site scripting
vulnerability could be used as part of a social engineering attack.
Discovered by Jakub Zoczek.

- Some plugins were vulnerable to a SQL injection vulnerability.
Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes,
Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff
Bowen.

See also :

https://wordpress.org/news/2015/04/wordpress-4-1-2/
http://www.nessus.org/u?fec71380

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : Several vulnerabilities found in PHP (1e232a0c-eb57-11e4-b595-4061861086c1)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The PHP project reports :

The PHP development team announces the immediate availability of PHP
5.4.40. 14 security-related bugs were fixed in this release, including
CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP
5.4 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP
5.5.24. Several bugs have been fixed, some of them being security
related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are
encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP
5.6.8. Several bugs have been fixed, some of them being security
related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are
encouraged to upgrade to this version.

See also :

http://php.net/archive/2015.php#id2015-04-16-2
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198739
http://www.nessus.org/u?87e09fe9

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : samba-4.2.1-4.fc22 (2015-6842)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- Update to Samba 4.2.1

- Fix libwbclient.so alternatives bug

- Fix systemd compatibility bug

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1213373
https://bugzilla.redhat.com/show_bug.cgi?id=1214973
http://www.nessus.org/u?b2e58867

Solution :

Update the affected samba package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : curl-7.40.0-3.fc22 (2015-6695)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- require credentials to match for NTLM re-use
(CVE-2015-3143)

- fix invalid write with a zero-length host name in URL
(CVE-2015-3144)

- fix invalid write in cookie path sanitization code
(CVE-2015-3145)

- close Negotiate connections when done (CVE-2015-3148)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1213306
https://bugzilla.redhat.com/show_bug.cgi?id=1213335
https://bugzilla.redhat.com/show_bug.cgi?id=1213347
https://bugzilla.redhat.com/show_bug.cgi?id=1213351
http://www.nessus.org/u?bf32e6c7

Solution :

Update the affected curl package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : firefox-37.0.2-2.fc22 / xulrunner-37.0.2-1.fc22 (2015-6629)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

- Update to new upstream - 37.0.2

- Bookmark rebuild - Bug 1210474

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1210474
http://www.nessus.org/u?502b2714
http://www.nessus.org/u?40732147

Solution :

Update the affected firefox and / or xulrunner packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : qt3-3.3.8b-63.fc22 (2015-6613)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes CVE-2015-1860, a buffer overflow when loading some
specific invalid GIF image files, which could be exploited for denial
of service (application crash) and possibly even arbitrary code
execution attacks. The security patch is backported from Qt 4.

(Please note that Qt 3 is NOT vulnerable to the simultaneously
published issues CVE-2015-1858 and CVE-2015-1859.)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1210675
http://www.nessus.org/u?ec2fcd3e

Solution :

Update the affected qt3 package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : xen-4.5.0-8.fc22 (2015-6569)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Information leak through XEN_DOMCTL_gettscinfo [XSA-132,
CVE-2015-3340]

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1214035
http://www.nessus.org/u?bb587a16

Solution :

Update the affected xen package.

Risk factor :

Low / CVSS Base Score : 2.3
(CVSS2#AV:A/AC:M/Au:S/C:P/I:N/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : mksh-50f-1.fc22 (2015-6558)


Synopsis:

The remote Fedora host is missing a security update.

Description:

R50f is a required security and bugfix release :

- Add a patch marker for vendor patch versioning to mksh.1

- SECURITY: make unset HISTFILE actually work

- Document some more issues with the current history
code

- Remove some unused code

- RCSID-only sync with OpenBSD, for bogus and irrelevant
changes

- Also disable field splitting for alias
'local=\typeset'

- Fix read -n-1 to not be identical to read -N-1

- Several fixes and improvements to lksh(1) and mksh(1)
manpages

- More code (int → size_t), comment
and testsuite fixes

- Make dot.mkshrc more robust (LP#1441853)

- Fix issues with IFS='' read, found by edualbus

- Fix integer overflows related to file descriptor
parsing, found by Pawel Wylecial (LP#1440685); reduce
memory usage for I/O redirs

- Document in the manpage how to set ±U
according to the current locale settings via LANG/LC_*
parameters (cf. Debian #782225)

- Some code cleanup and restructuring

- Handle number parsing and storing more carefully

See also :

http://www.nessus.org/u?11c4abf0

Solution :

Update the affected mksh package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 22 : FlightGear-3.4.0-4.fc22 / FlightGear-data-3.4.0-2.fc22 (2015-6557)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

This update provides a security fix related to the Nasal scripting
language.

See also :

http://www.nessus.org/u?2e46f540
http://www.nessus.org/u?beee0051

Solution :

Update the affected FlightGear and / or FlightGear-data packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : qt5-qtbase-5.4.1-9.fc21 (2015-6364)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Multiple vulnerabilities were found in Qt image format handling of
BMP, ICO and GIF files. The issues exposed included denial of service
and buffer overflows leading to heap corruption. It is possible the
latter could be used to perform remote code execution.

See also
http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
for the upstream announcement.

See also :

http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
https://bugzilla.redhat.com/show_bug.cgi?id=1210673
https://bugzilla.redhat.com/show_bug.cgi?id=1210674
https://bugzilla.redhat.com/show_bug.cgi?id=1210675
http://www.nessus.org/u?bce77ef2

Solution :

Update the affected qt5-qtbase package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : spatialite-tools-4.1.1-12.fc20 / sqlite-3.8.9-1.fc20 (2015-6349)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

Update of sqlite to latest upstream version, with spatialite-tools
rebuild.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1212353
https://bugzilla.redhat.com/show_bug.cgi?id=1212356
https://bugzilla.redhat.com/show_bug.cgi?id=1212357
http://www.nessus.org/u?bea6c2b3
http://www.nessus.org/u?4787db01

Solution :

Update the affected spatialite-tools and / or sqlite packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : qt5-qtbase-5.4.1-9.fc20 (2015-6315)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Multiple vulnerabilities were found in Qt image format handling of
BMP, ICO and GIF files. The issues exposed included denial of service
and buffer overflows leading to heap corruption. It is possible the
latter could be used to perform remote code execution.

See also
http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
for the upstream announcement.

See also :

http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
https://bugzilla.redhat.com/show_bug.cgi?id=1210673
https://bugzilla.redhat.com/show_bug.cgi?id=1210674
https://bugzilla.redhat.com/show_bug.cgi?id=1210675
http://www.nessus.org/u?d16ebcb4

Solution :

Update the affected qt5-qtbase package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : wesnoth-1.12.2-1.fc21 (2015-6295)


Synopsis:

The remote Fedora host is missing a security update.

Description:

http://forums.wesnoth.org/viewtopic.php?t=41872

See also :

http://forums.wesnoth.org/viewtopic.php?t=41872
https://bugzilla.redhat.com/show_bug.cgi?id=1211238
http://www.nessus.org/u?1cc1829a

Solution :

Update the affected wesnoth package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : wesnoth-1.12.2-1.fc20 (2015-6280)


Synopsis:

The remote Fedora host is missing a security update.

Description:

http://forums.wesnoth.org/viewtopic.php?t=41872

See also :

http://forums.wesnoth.org/viewtopic.php?t=41872
https://bugzilla.redhat.com/show_bug.cgi?id=1211238
http://www.nessus.org/u?1ccf6bdd

Solution :

Update the affected wesnoth package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : chrony-1.31.1-1.fc20 (2015-5809)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1209572
https://bugzilla.redhat.com/show_bug.cgi?id=1209631
https://bugzilla.redhat.com/show_bug.cgi?id=1209632
http://www.nessus.org/u?f07aa6bc

Solution :

Update the affected chrony package.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : resteasy-3.0.6-3.fc20 (2014-16845)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3490

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1107901
http://www.nessus.org/u?4b80cdee

Solution :

Update the affected resteasy package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3237-1 : linux - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

- CVE-2014-8159
It was found that the Linux kernel's InfiniBand/RDMA
subsystem did not properly sanitize input parameters
while registering memory regions from user space via the
(u)verbs API. A local user with access to a
/dev/infiniband/uverbsX device could use this flaw to
crash the system or, potentially, escalate their
privileges on the system.

- CVE-2014-9715
It was found that the netfilter connection tracking
subsystem used too small a type as an offset within each
connection's data structure, following a bug fix in
Linux 3.2.33 and 3.6. In some configurations, this would
lead to memory corruption and crashes (even without
malicious traffic). This could potentially also result
in violation of the netfilter policy or remote code
execution.

This can be mitigated by disabling connection tracking
accounting: sysctl net.netfilter.nf_conntrack_acct=0

- CVE-2015-2041
Sasha Levin discovered that the LLC subsystem exposed
some variables as sysctls with the wrong type. On a
64-bit kernel, this possibly allows privilege escalation
from a process with CAP_NET_ADMIN capability; it also
results in a trivial information leak.

- CVE-2015-2042
Sasha Levin discovered that the RDS subsystem exposed
some variables as sysctls with the wrong type. On a
64-bit kernel, this results in a trivial information
leak.

- CVE-2015-2150
Jan Beulich discovered that Xen guests are currently
permitted to modify all of the (writable) bits in the
PCI command register of devices passed through to them.
This in particular allows them to disable memory and I/O
decoding on the device unless the device is an SR-IOV
virtual function, which can result in denial of service
to the host.

- CVE-2015-2830
Andrew Lutomirski discovered that when a 64-bit task on
an amd64 kernel makes a fork(2) or clone(2) system call
using int $0x80, the 32-bit compatibility flag is set
(correctly) but is not cleared on return. As a result,
both seccomp and audit will misinterpret the following
system call by the task(s), possibly leading to a
violation of security policy.

- CVE-2015-2922
Modio AB discovered that the IPv6 subsystem would
process a router advertisement that specifies no route
but only a hop limit, which would then be applied to the
interface that received it. This can result in loss of
IPv6 connectivity beyond the local network.

This may be mitigated by disabling processing of IPv6 router
advertisements if they are not needed:
sysctl net.ipv6.conf.default.accept_ra=0
sysctl net.ipv6.conf.<interface>.accept_ra=0

- CVE-2015-3331
Stephan Mueller discovered that the optimised
implementation of RFC4106 GCM for x86 processors that
support AESNI miscalculated buffer addresses in some
cases. If an IPsec tunnel is configured to use this mode
(also known as AES-GCM-ESP) this can lead to memory
corruption and crashes (even without malicious traffic).
This could potentially also result in remote code
execution.

- CVE-2015-3332
Ben Hutchings discovered that the TCP Fast Open feature
regressed in Linux 3.16.7-ckt9, resulting in a kernel
BUG when it is used. This can be used as a local denial
of service.

- CVE-2015-3339
It was found that the execve(2) system call can race
with inode attribute changes made by chown(2). Although
chown(2) clears the setuid/setgid bits of a file if it
changes the respective owner ID, this race condition
could result in execve(2) setting effective uid/gid to
the new owner ID, a privilege escalation.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741667
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782515
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782561
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782698
https://security-tracker.debian.org/tracker/CVE-2014-8159
https://security-tracker.debian.org/tracker/CVE-2014-9715
https://security-tracker.debian.org/tracker/CVE-2015-2041
https://security-tracker.debian.org/tracker/CVE-2015-2042
https://security-tracker.debian.org/tracker/CVE-2015-2150
https://security-tracker.debian.org/tracker/CVE-2015-2830
https://security-tracker.debian.org/tracker/CVE-2015-2922
https://security-tracker.debian.org/tracker/CVE-2015-3331
https://security-tracker.debian.org/tracker/CVE-2015-3332
https://security-tracker.debian.org/tracker/CVE-2015-3339
https://packages.debian.org/source/wheezy/linux
http://www.debian.org/security/2015/dsa-3237

Solution :

Upgrade the linux packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 3.2.68-1+deb7u1. The linux package in wheezy is not
affected by CVE-2015-3332.

For the stable distribution (jessie), these problems have been fixed
in version 3.16.7-ckt9-3~deb8u1 or earlier versions. Additionally,
this version fixes a regression in the xen-netfront driver (#782698).

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3236-1 : libreoffice - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

It was discovered that missing input sanitising in Libreoffice's
filter for HWP documents may result in the execution of arbitrary code
if a malformed document is opened.

See also :

https://packages.debian.org/source/wheezy/libreoffice
http://www.debian.org/security/2015/dsa-3236

Solution :

Upgrade the libreoffice packages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1:3.5.4+dfsg2-0+deb7u4.

For the stable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u1.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3235-1 : openjdk-7 - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information
disclosure or denial of service.

See also :

https://packages.debian.org/source/wheezy/openjdk-7
http://www.debian.org/security/2015/dsa-3235

Solution :

Upgrade the openjdk-7 packages.

For the stable distribution (wheezy), these problems have been fixed
in version 7u79-2.5.5-1~deb7u1.

For the upcoming stable distribution (jessie), these problems will be
fixed soon in version 7u79-2.5.5-1~deb8u1 (the update will be
available shortly after the final jessie release).

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3234-1 : openjdk-6 - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information
disclosure or denial of service.

See also :

https://packages.debian.org/source/wheezy/openjdk-6
http://www.debian.org/security/2015/dsa-3234

Solution :

Upgrade the openjdk-6 packages.

For the stable distribution (wheezy), these problems have been fixed
in version 6b35-1.13.7-1~deb7u1.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3233-1 : wpa - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

The Google security team and the smart hardware research group of
Alibaba security team discovered a flaw in how wpa_supplicant used
SSID information when creating or updating P2P peer entries. A remote
attacker can use this flaw to cause wpa_supplicant to crash, expose
memory contents, and potentially execute arbitrary code.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783148
https://packages.debian.org/source/wheezy/wpa
http://www.debian.org/security/2015/dsa-3233

Solution :

Upgrade the wpa packages.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0-3+deb7u2. Note that this issue does not affect the binary
packages distributed in Debian, as CONFIG_P2P is not enabled for
the build.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 2.3-1+deb8u1.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DLA-207-1 : subversion security update


Synopsis:

The remote Debian host is missing a security update.

Description:

Several vulnerabilities were discovered in Subversion, a version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems :

CVE-2015-0248

Subversion mod_dav_svn and svnserve were vulnerable to a remotely
triggerable assertion DoS vulnerability for certain requests with
dynamically evaluated revision numbers.

CVE-2015-0251

Subversion HTTP servers allow spoofing svn:author property values for
new revisions via specially crafted v1 HTTP protocol request
sequences.

CVE-2013-1845

Subversion mod_dav_svn was vulnerable to a denial of service attack
through a remotely triggered memory exhaustion.

CVE-2013-1846 / CVE-2013-1847 / CVE-2013-1849 / CVE-2014-0032

Subversion mod_dav_svn was vulnerable to multiple remotely triggered
crashes.

This update has been prepared by James McCoy.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2015/04/msg00021.html
https://packages.debian.org/source/squeeze-lts/subversion

Solution :

Upgrade the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2015-516)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

An off-by-one flaw, leading to a buffer overflow, was found in the
font parsing code in the 2D component in OpenJDK. A specially crafted
font file could possibly cause the Java Virtual Machine to execute
arbitrary code, allowing an untrusted Java application or applet to
bypass Java sandbox restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE
to raise an exception, possibly causing an application using JSSE to
exit unexpectedly. (CVE-2015-0488)

A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2015-0477)

A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar to
overwrite arbitrary files writable by the user running jar when the
archive was extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in
OpenJDK did not follow recommended practices for implementing RSA
signatures. (CVE-2015-0478)

See also :

https://alas.aws.amazon.com/ALAS-2015-516.html

Solution :

Run 'yum update java-1.7.0-openjdk' to update your system.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2015-515)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

An off-by-one flaw, leading to a buffer overflow, was found in the
font parsing code in the 2D component in OpenJDK. A specially crafted
font file could possibly cause the Java Virtual Machine to execute
arbitrary code, allowing an untrusted Java application or applet to
bypass Java sandbox restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use
this flaw to corrupt the Java Virtual Machine memory and, possibly,
execute arbitrary code, bypassing Java sandbox restrictions.
(CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE
to raise an exception, possibly causing an application using JSSE to
exit unexpectedly. (CVE-2015-0488)

A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2015-0477)

A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar to
overwrite arbitrary files writable by the user running jar when the
archive was extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in
OpenJDK did not follow recommended practices for implementing RSA
signatures. (CVE-2015-0478)

See also :

https://alas.aws.amazon.com/ALAS-2015-515.html

Solution :

Run 'yum update java-1.6.0-openjdk' to update your system.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Amazon Linux AMI : curl (ALAS-2015-514)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

It was discovered that libcurl could incorrectly reuse
NTLM-authenticated connections for subsequent unauthenticated requests
to the same host. If an application using libcurl established an
NTLM-authenticated connection to a server, and sent subsequent
unauthenticated requests to the same server, the unauthenticated
requests could be sent over the NTLM-authenticated connection,
appearing as if they were sent by the NTLM-authenticated user.
(CVE-2015-3143)

It was discovered that libcurl could incorrectly reuse Negotiate
authenticated HTTP connections for subsequent requests. If an
application using libcurl established a Negotiate authenticated HTTP
connection to a server and sent subsequent requests with different
credentials, the connection could be re-used with the initial set of
credentials instead of using the new ones. (CVE-2015-3148)

It was discovered that libcurl did not properly process cookies with a
specially crafted 'path' element. If an application using libcurl
connected to a malicious HTTP server sending specially crafted
'Set-Cookie' headers, this could lead to an out-of-bounds read, and
possibly cause that application to crash. (CVE-2015-3145)

It was discovered that libcurl did not properly process zero-length
host names. If an attacker could trick an application using libcurl
into processing zero-length host names, this could lead to an
out-of-bounds read, and possibly cause that application to crash.
(CVE-2015-3144)

See also :

https://alas.aws.amazon.com/ALAS-2015-514.html

Solution :

Run 'yum update curl' to update your system.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Amazon Linux AMI : glibc (ALAS-2015-513)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

A buffer overflow flaw was found in the way glibc's gethostbyname_r()
and other related functions computed the size of a buffer when passed
a misaligned buffer as input. An attacker able to make an application
call any of these functions with a misaligned buffer could use this
flaw to crash the application or, potentially, execute arbitrary code
with the permissions of the user running the application.
(CVE-2015-1781)

It was discovered that, under certain circumstances, glibc's
getaddrinfo() function would send DNS queries to random file
descriptors. An attacker could potentially use this flaw to send DNS
queries to unintended recipients, resulting in information disclosure
or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

See also :

https://alas.aws.amazon.com/ALAS-2015-513.html

Solution :

Run 'yum update glibc' to update your system.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

IBM WebSphere Portal Multiple Vulnerabilities (PI37356, PI37661)


Synopsis:

The web portal software installed on the remote Windows host is
affected by multiple vulnerabilities.

Description:

The IBM WebSphere Portal installed on the remote host is version
6.1.0.x prior to 6.1.0.6 CF27, 6.1.5.x prior to 6.1.5.3 CF27, 7.0.0.x
prior to 7.0.0.2 CF29, 8.0.0.x prior to 8.0.0.1 CF16, or 8.5.0.0 prior
to 8.5.0.0 CF05. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified flaw exists due to improper validation of
user-supplied input. A remote attacker, using specially
crafted requests, can exploit this to cause a denial of
service by consuming all memory resources. Note that
this only affects hosts in which the 'Remote Document
Conversion Service' is enabled. (CVE-2015-1886, PI37356)

- An unspecified cross-site scripting vulnerability exists
due to improper validation of user-supplied input. A
remote attacker, using a specially crafted URL, can
exploit this to execute code in a victim's web browser
within the security context of the hosted site, possibly
resulting in access to the cookie-based authentication
credentials. (CVE-2015-1908, PI37661)

See also :

https://www-304.ibm.com/support/docview.wss?uid=swg21701566

Solution :

Upgrade IBM WebSphere Portal as noted in the referenced IBM advisory.

- Versions 6.1.0.x should upgrade to 6.1.0.6 CF27 and then
apply interim fixes PI37356 and PI37661.

- Versions 6.1.5.x should upgrade to 6.1.5.3 CF27 and then
apply interim fixes PI37356 and PI37661.

- Versions 7.0.0.x should upgrade to 7.0.0.2 CF29 and then
apply interim fixes PI37356 and PI37661.

- Versions 8.0.0.x should upgrade to 8.0.0.1 CF16.

- Versions 8.5.0.x should upgrade to 8.5.0.0 CF05 and then
apply interim fixes PI37356 and PI37661.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco IOS XR Typhoon-based Line Cards and Network Processor (NP) Chip DoS


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

The remote Cisco device is running a version of Cisco IOS XR software
that is affected by an error due to the improper processing of IPv4
packets routed through the bridge-group virtual interface (BVI)
whenever Unicast Reverse Path Forwarding (uRPF), policy-based routing
(PBR), quality of service (QoS), or access control lists (ACLs) are
enabled. A remote, unauthenticated attacker can exploit this error to
cause the device to lock up, forcing it to eventually reload the
network processor chip and line card that are processing traffic.

Note that this issue only affects Cisco ASR 9000 series devices using
Typhoon-based line cards.

See also :

http://www.nessus.org/u?6dfc693f
http://tools.cisco.com/security/center/viewAlert.x?alertId=38182
https://tools.cisco.com/bugsearch/bug/CSCur62957

Solution :

Apply the relevant patch referenced in Cisco bug ID CSCur62957.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

WordPress < 4.1.2 Multiple Vulnerabilities


Synopsis:

The remote web server contains a PHP application that is affected by
multiple vulnerabilities.

Description:

According to its version number, the WordPress application running
on the remote web server is affected by multiple vulnerabilities :

- An unspecified flaw exists that allows an attacker to
upload arbitrary files with invalid or unsafe names.
Note that this only affects versions 4.1 and higher.
(OSVDB 121085)

- A cross-site scripting vulnerability exists due to
improper validation of user-supplied input. A remote
attacker can exploit this to create a specially crafted
request that executes arbitrary script code in a user's
browser session. (OSVDB 121086)

- A limited cross-site scripting vulnerability exists due
to improper validation of user-supplied input. A remote
attacker can exploit this to create a specially crafted
request that executes arbitrary script code in a user's
browser session. Note that this only affects versions
3.9 and higher. (OSVDB 121087)

- An unspecified SQL injection vulnerability exists in
some plugins.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

https://wordpress.org/news/2015/04/wordpress-4-1-2/
https://codex.wordpress.org/Version_4.1.2

Solution :

Upgrade to WordPress 4.1.2 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.04 / 14.10 / 15.04 : wpa vulnerability (USN-2577-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

It was discovered that wpa_supplicant incorrectly handled SSID
information when creating or updating P2P peer entries. A remote
attacker could use this issue to cause wpa_supplicant to crash,
resulting in a denial of service, expose memory contents, or possibly
execute arbitrary code.

Solution :

Update the affected wpasupplicant package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ubuntu Security Notice (C) 2015 Canonical, Inc. / NASL script (C) 2015 Tenable Network Security, Inc.

Ubuntu 15.04 : usb-creator vulnerability (USN-2576-2)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

USN-2576-1 fixed a vulnerability in usb-creator. This update provides
the corresponding fix for Ubuntu 15.04.

Tavis Ormandy discovered that usb-creator was missing an
authentication check. A local attacker could use this issue to gain
elevated privileges.

Solution :

Update the affected usb-creator-common package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 : usb-creator vulnerability (USN-2576-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Tavis Ormandy discovered that usb-creator was missing an
authentication check. A local attacker could use this issue to gain
elevated privileges.

Solution :

Update the affected usb-creator-common package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SuSE 11.3 Security Update : mutt (SAT Patch Number 10435)


Synopsis:

The remote SuSE 11 host is missing a security update.

Description:

The mutt mail client has been updated to fix a heap-based buffer
overflow in mutt_substrdup(). (CVE-2014-9116)

Additionally, a patch has been added to allow users to override the
'From' address when executing mutt in batch mode.

See also :

https://bugzilla.novell.com/show_bug.cgi?id=905481
https://bugzilla.novell.com/show_bug.cgi?id=907453
http://support.novell.com/security/cve/CVE-2014-9116.html

Solution :

Apply SAT patch number 10435.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 6 : qemu-kvm-rhev (RHSA-2015:0868)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated qemu-kvm-rhev packages that fix one security issue and one bug
are now available for Red Hat Enterprise Virtualization.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution
for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package
provides the user-space component for running virtual machines using
KVM in environments managed by Red Hat Enterprise Virtualization
Manager.

It was found that the Cirrus blit region checks were insufficient. A
privileged guest user could use this flaw to write outside of
VRAM-allocated buffer boundaries in the host's QEMU process address
space with attacker-provided data. (CVE-2014-8106)

This issue was discovered by Paolo Bonzini of Red Hat.

This update also fixes the following bug :

* Previously, the effective downtime during the last phase of a live
migration would sometimes be much higher than the maximum downtime
specified by 'migration_downtime' in vdsm.conf. This problem has been
corrected. The value of 'migration_downtime' is now honored and the
migration is aborted if the downtime cannot be achieved. (BZ#1142756)

All users of qemu-kvm-rhev are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.
After installing this update, shut down all running virtual machines.
Once all virtual machines have shut down, start them again for this
update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-8106.html
http://rhn.redhat.com/errata/RHSA-2015-0868.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.