Newest Plugins

Default Password (password) for 'emcupdate' Account


Synopsis:

The remote EMC PowerPath virtual appliance can be accessed with a
built-in account.

Description:

The account 'emcupdate' on the remote EMC PowerPath virtual appliance
has the default password 'password'. An attacker can leverage this
issue to gain access to the affected system and launch further attacks
against it.

See also :

http://www.securityfocus.com/archive/1/535155/30/270/threaded

Solution :

Change the password for this account or disable it.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.
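
Every entry on this page prints a CVSS v2 base vector beside its score, many add a temporal vector, and the "Risk factor" word is derived from the base score. The following is an added example, not part of the plugin listing and not Tenable's code: a CVSS v2 calculator in Python that parses the vector strings exactly as they appear on this page (with or without the "CVSS2#" prefix and parentheses) and reproduces the printed scores. The metric weights are those of the CVSS v2 specification; the Low/Medium/High/Critical banding (0-3.9 / 4.0-6.9 / 7.0-9.9 / 10.0) is the Nessus convention and is an assumption here, checked only against the entries on this page.

```python
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# CVSS v2 base metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
ACCESS_COMPLEXITY = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AUTHENTICATION = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
IMPACT = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}

# CVSS v2 temporal metric weights; "ND" (not defined) carries weight 1.0.
EXPLOITABILITY = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
REMEDIATION_LEVEL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
REPORT_CONFIDENCE = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}


def parse_vector(vector):
    """Turn '(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)' or a bare 'AV:N/...' into a dict."""
    body = vector.strip().strip("()")
    if body.startswith("CVSS2#"):
        body = body[len("CVSS2#"):]
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    return metrics


def round1(x):
    """Round to one decimal, half up, as the v2 equations require."""
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2 base score from a base vector."""
    m = parse_vector(vector)
    impact = D("10.41") * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = D("20") * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(base, vector):
    """CVSS v2 temporal score: base score scaled by E, RL and RC."""
    m = parse_vector(vector)
    return round1(D(str(base)) * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


def risk_factor(score):
    """Nessus-style severity band (assumed mapping; consistent with this page)."""
    if score >= 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def risk_line(vector):
    """Render the 'Risk factor' line the way the plugin listing prints it."""
    score = base_score(vector)
    return f"{risk_factor(score)} / CVSS Base Score : {score}"


if __name__ == "__main__":
    # Vectors copied from entries on this page.
    for vec in ("(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)",
                "(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)",
                "(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)"):
        print(risk_line(vec), "| temporal with E:ND/RL:OF/RC:C =",
              temporal_score(base_score(vec), "(CVSS2#E:ND/RL:OF/RC:C)"))
```

One caveat when checking a scanner's output against this: a product that lands exactly on a .x5 boundary depends on the rounding rule of the tool that computed it. The OpenSLP entry further down (base 5.0, E:U/RL:U/RC:ND) is 5.0 x 0.85 = 4.25 and is printed as 4.2 there, which half-up rounding does not reproduce; every other score on this page does match.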

Cisco ANI Configuration Overwrite DoS (CSCup62167)


Synopsis:

The remote device is affected by a denial of service vulnerability.

Description:

The remote Cisco device is affected by a vulnerability in the
Autonomic Networking Infrastructure (ANI) due to insufficient
validation of received Autonomic Networking (AN) messages. A remote,
unauthenticated attacker, by sending specially crafted AN messages,
can exploit this to overwrite configuration settings, resulting in a
denial of service condition in a limited set of router services.

See also :

http://tools.cisco.com/security/center/viewAlert.x?alertId=37935

Solution :

Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCup62167.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

ESXi 5.5 < Build 1623387 Multiple Vulnerabilities (remote check)


Synopsis:

The remote VMware ESXi 5.5 host is affected by multiple
vulnerabilities.

Description:

The remote VMware ESXi host is version 5.5 prior to build 1623387. It
is, therefore, affected by multiple vulnerabilities :

- Multiple integer overflow conditions exist in the
bundled GNU C Library (glibc) due to improper validation
of user-supplied input. A remote attacker can exploit
these issues to cause a buffer overflow, resulting in a
denial of service condition. (CVE-2013-4332)

- A flaw exists in the monlist feature in NTP. A remote
attacker can exploit this flaw, by sending specially
crafted packets to the monlist query function, to
conduct a distributed denial of service (traffic
amplification) attack. (CVE-2013-5211)

See also :

https://www.vmware.com/security/advisories/VMSA-2014-0002.html
http://kb.vmware.com/kb/2065826

Solution :

Apply patch ESXi550-201403101-SG for ESXi 5.5.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.04 / 14.10 / 15.04 : python-dbusmock vulnerability (USN-2618-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

It was discovered that python-dbusmock incorrectly handled template
loading from shared directories. A local attacker could possibly use
this issue to execute arbitrary code.

Solution :

Update the affected python-dbusmock and / or python3-dbusmock
packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 / 15.04 : fuse vulnerability (USN-2617-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Tavis Ormandy discovered that FUSE incorrectly filtered environment
variables. A local attacker could use this issue to gain
administrative privileges.

Solution :

Update the affected fuse package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.04 / 14.10 / 15.04 : oxide-qt vulnerabilities (USN-2610-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Several security issues were discovered in the DOM implementation in
Blink. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit these to bypass Same
Origin Policy restrictions. (CVE-2015-1253, CVE-2015-1254)

A use-after-free was discovered in the WebAudio implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service via renderer crash, or execute arbitrary code with the
privileges of the sandboxed render process. (CVE-2015-1255)

A use-after-free was discovered in the SVG implementation in Blink. If
a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service
via renderer crash, or execute arbitrary code with the privileges of
the sandboxed render process. (CVE-2015-1256)

A security issue was discovered in the SVG implementation in Blink. If
a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service
via renderer crash. (CVE-2015-1257)

An issue was discovered with the build of libvpx. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2015-1258)

Multiple use-after-free issues were discovered in the WebRTC
implementation in Chromium. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit these
to cause a denial of service via renderer crash, or execute arbitrary
code with the privileges of the sandboxed render process.
(CVE-2015-1260)

An uninitialized value bug was discovered in the font shaping code in
Blink. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service via renderer crash. (CVE-2015-1262)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1265)

Multiple security issues were discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via renderer crash or execute arbitrary code with the
privileges of the sandboxed render process. (CVE-2015-3910).

Solution :

Update the affected liboxideqtcore0, oxideqt-codecs and / or
oxideqt-codecs-extra packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 / 15.04 : apport vulnerabilities (USN-2609-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Sander Bos discovered that Apport incorrectly handled permissions when
the system was configured to generate core dumps for setuid binaries.
A local attacker could use this issue to gain elevated privileges.
(CVE-2015-1324)

Philip Pettersson discovered that Apport contained race conditions that
allowed core dumps to be generated with incorrect permissions in
arbitrary locations. A local attacker could use this issue to gain
elevated privileges. (CVE-2015-1325).

Solution :

Update the affected apport package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Oracle Linux 6 / 7 : docker (ELSA-2015-3037)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

[1.6.1-1.0.1]
- Update source to 1.6.1 from
https://github.com/docker/docker/releases/tag/v1.6.1
- Symlink traversal on container respawn allows local privilege
escalation (CVE-2015-3629)
- Insecure opening of file-descriptor 1 leading to privilege escalation
(CVE-2015-3627)
- Read/write proc paths allow host modification and information
disclosure (CVE-2015-3630)
- Volume mounts allow LSM profile escalation (CVE-2015-3631)
- AppArmor policy improvements

See also :

https://oss.oracle.com/pipermail/el-errata/2015-May/005087.html
https://oss.oracle.com/pipermail/el-errata/2015-May/005088.html

Solution :

Update the affected docker packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.
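
The first Docker item above, a symlink followed from inside the container's root while the daemon acts with host privileges, is an instance of a general class: joining an untrusted relative path onto a trusted root and trusting the result without resolving it. The following is an added example, not code from Docker, Oracle or this plugin: a Python containment check that resolves a path beneath a root directory, follows every link, and refuses the result if it ends up outside the root, compared against the naive join. The rootfs layout, the planted link and the file contents are constructed inside a temporary directory for the demonstration and are not taken from any real container.

```python
import os
import tempfile


def resolve_inside(root, relpath):
    """Resolve relpath beneath root, following every symlink on the way, and
    return the real path only if it still lies inside root. Raises ValueError
    when a link (or a '..' component) escapes the root."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, relpath))
    if os.path.commonpath([real_root, target]) != real_root:
        raise ValueError(f"{relpath!r} resolves outside {root!r}: {target}")
    return target


def naive_path(root, relpath):
    """The unsafe pattern: the joined string looks like it is under root,
    but whatever it names on disk is never checked."""
    return os.path.join(root, relpath)


def demo():
    """Build a throwaway rootfs (constructed for this example) in which the
    container side has replaced etc/resolv.conf with a link to a host file,
    then report what each resolver does with it."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        host_secret = os.path.join(tmp, "host", "shadow")
        os.makedirs(os.path.join(rootfs, "etc"))
        os.makedirs(os.path.dirname(host_secret))
        with open(host_secret, "w") as f:
            f.write("host-only data\n")
        with open(os.path.join(rootfs, "etc", "hostname"), "w") as f:
            f.write("guest\n")
        # The link a process inside the container plants before the respawn.
        os.symlink(host_secret, os.path.join(rootfs, "etc", "resolv.conf"))

        result = {}
        p = naive_path(rootfs, "etc/resolv.conf")
        result["naive_looks_inside"] = p.startswith(rootfs + os.sep)
        with open(p) as f:                       # follows the link onto the host file
            result["naive_reads_host_file"] = f.read().startswith("host-only")

        try:
            resolve_inside(rootfs, "etc/resolv.conf")
            result["checked_rejected"] = False
        except ValueError:
            result["checked_rejected"] = True
        result["checked_allows_regular"] = resolve_inside(
            rootfs, "etc/hostname").endswith(os.path.join("etc", "hostname"))
        try:
            resolve_inside(rootfs, "../host/shadow")
            result["dotdot_rejected"] = False
        except ValueError:
            result["dotdot_rejected"] = True
        return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This check is a pre-flight test, so it is still racy against a container that keeps writing: a link can be swapped in between the realpath call and the open. A fix that holds under concurrency has to make the open itself refuse to follow links (O_NOFOLLOW, or openat against a directory descriptor held on the root), which is the shape of fix such issues need in the daemon.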

Debian DSA-3266-1 : fuse - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does
not scrub the environment before executing mount or umount with
elevated privileges. A local user can take advantage of this flaw to
overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786439
https://packages.debian.org/source/wheezy/fuse
https://packages.debian.org/source/jessie/fuse
http://www.debian.org/security/2015/dsa-3266

Solution :

Upgrade the fuse packages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.
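
Both FUSE entries above (USN-2617-1 and DSA-3266-1) describe the same mistake: a setuid helper handed the caller's whole environment to mount/umount, so variables that switch on debugging or loader behaviour in the privileged child were under the unprivileged user's control. The following is an added example, not FUSE's code and not from either advisory: a Python sketch of the fix, building the child's environment from an allowlist instead of inheriting it, with a small probe that runs /usr/bin/env as the child to show which variables get through. The allowlist and the variable names used in the probe (LIBMOUNT_MTAB, LD_PRELOAD) are illustrative stand-ins for "debugging features reachable via the environment" and are assumptions of this example, not details taken from the page.

```python
import os
import subprocess

# Variables the privileged child is allowed to inherit. Illustrative allowlist:
# a real helper should pass only what the child genuinely needs, and nothing
# that selects libraries, config files or debug output paths.
PASSTHROUGH = frozenset({"LANG", "LC_ALL", "TZ"})
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def scrub_env(env):
    """Build the environment for a privileged mount/umount call from scratch.
    Only allowlisted names survive and PATH is pinned; everything else,
    including LD_*, LIBMOUNT_* and MALLOC_* style hooks, is dropped, so the
    caller cannot steer the child through them."""
    clean = {name: value for name, value in env.items() if name in PASSTHROUGH}
    clean["PATH"] = SAFE_PATH
    return clean


def child_sees(var, scrubbed):
    """Set `var` in our own environment, spawn /usr/bin/env as the child and
    report whether the child received it. scrubbed=False inherits the full
    environment (the behaviour the advisories describe); scrubbed=True uses
    scrub_env()."""
    parent = dict(os.environ, **{var: "attacker-controlled"})
    env = scrub_env(parent) if scrubbed else parent
    out = subprocess.run(["/usr/bin/env"], env=env, capture_output=True,
                         text=True, check=True).stdout
    return any(line.startswith(var + "=") for line in out.splitlines())


if __name__ == "__main__":
    for var in ("LIBMOUNT_MTAB", "LD_PRELOAD"):
        print(f"{var}: inherited={child_sees(var, scrubbed=False)} "
              f"scrubbed={child_sees(var, scrubbed=True)}")
```

The same rule applies to any privileged helper, not only mount: build the environment, do not filter it, because a denylist has to know every variable every library in the child honours, and the advisories above are what happens when one is missed.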

WellinTech KingSCADA < 31.2.1048.1 'kxClientDownload.ocx' ActiveX Vulnerability


Synopsis:

The WellinTech KingSCADA server installed on the remote host is
affected by a remote code execution vulnerability.

Description:

The version of WellinTech KingSCADA installed on the remote host is
prior to 31.2.1048.1. It is, therefore, affected by a flaw in the
'kxClientDownload.ocx' ActiveX control that allows a remote attacker
to set the ProjectURL property to download a DLL file from a remote
location. The attacker can then exploit this to inject and execute
arbitrary code in the context of the target process.

See also :

https://ics-cert.us-cert.gov/advisories/ICSA-13-344-01
http://www.nessus.org/u?a3d3b3e4

Solution :

Upgrade KingSCADA to version 3.1.2.13-EN.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence Server Command Injection Vulnerability


Synopsis:

The remote host is affected by a command injection vulnerability.

Description:

According to its self-reported version, the remote Cisco TelePresence
Server contains a vulnerability in its web framework, which can allow
an authenticated, remote attacker to inject arbitrary commands on the
device with root permissions.

See also :

http://www.nessus.org/u?3bd0b238
https://tools.cisco.com/bugsearch/bug/CSCur08993

Solution :

Upgrade to the appropriate software version referenced in the
vendor's advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence Server Detection


Synopsis:

The remote host is running as a management server for teleconferencing
devices.

Description:

The remote host is running Cisco TelePresence Server, which is a
management engine for other Cisco TelePresence equipment.

See also :

http://www.nessus.org/u?6eec7d8b

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence MSE 8050 Command Injection Vulnerability


Synopsis:

The remote device is affected by a command injection vulnerability.

Description:

According to its self-reported version, the remote Cisco TelePresence
MSE device contains a vulnerability in its web framework, which can
allow an authenticated, remote attacker to inject arbitrary commands
on the device with root permissions.

See also :

http://www.nessus.org/u?3bd0b238
https://tools.cisco.com/bugsearch/bug/CSCur15807

Solution :

Upgrade to the appropriate software version referenced in the
vendor's advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence MCU Command Injection Vulnerability


Synopsis:

The remote device is affected by a command injection vulnerability.

Description:

According to its self-reported version, the remote Cisco TelePresence
MCU device contains a vulnerability in its web framework, which can
allow an authenticated, remote attacker to inject arbitrary commands
on the device with root permissions.

See also :

http://www.nessus.org/u?3bd0b238
https://tools.cisco.com/bugsearch/bug/CSCur15825

Solution :

Upgrade to the appropriate software version referenced in the
vendor's advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence IP VCR Command Injection Vulnerability


Synopsis:

The remote device is affected by a command injection vulnerability.

Description:

According to its self-reported version, the remote Cisco TelePresence
IP VCR device contains a vulnerability in its web framework, which
can allow an authenticated, remote attacker to inject arbitrary
commands on the device with root permissions.

See also :

http://www.nessus.org/u?3bd0b238
https://tools.cisco.com/bugsearch/bug/CSCul55968

Solution :

Upgrade to the appropriate software version referenced in the
vendor's advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence IP VCR Detection


Synopsis:

Nessus detected a remote video conferencing device.

Description:

Nessus has determined that the remote host is a multipoint control
unit video teleconferencing device.

See also :

http://www.nessus.org/u?28dd74bc

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco TelePresence ISDN Gateway Command Injection Vulnerability


Synopsis:

The remote device is affected by a command injection vulnerability.

Description:

According to its self-reported version, the remote Cisco TelePresence
ISDN Gateway device contains a vulnerability in its web framework,
which can allow an authenticated, remote attacker to inject arbitrary
commands on the device with root permissions.

See also :

http://www.nessus.org/u?3bd0b238
https://tools.cisco.com/bugsearch/bug/CSCur15832

Solution :

Upgrade to the appropriate software version referenced in the
vendor's advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cisco Wireless LAN Controller Web Authentication DoS (CSCum03269)


Synopsis:

The remote device is missing a vendor-supplied security update.

Description:

The remote Cisco Wireless LAN Controller (WLC) is affected by a denial
of service vulnerability in the web authentication subsystem due to
improper validation of user-supplied input. An unauthenticated,
adjacent attacker can exploit this, via a specially crafted request,
to cause a process crash and a restart of the system.

See also :

http://tools.cisco.com/security/center/viewAlert.x?alertId=38749

Solution :

Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCum03269.

Risk factor :

Medium / CVSS Base Score : 6.1
(CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 5.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Apache Tomcat 8.0.x < 8.0.17 Security Manager Bypass


Synopsis:

The remote Apache Tomcat server is affected by a security bypass
vulnerability.

Description:

According to its self-reported version number, the Apache Tomcat
server listening on the remote host is version 8.0.x prior to 8.0.17.
It is, therefore, affected by a security bypass vulnerability due to a
flaw that occurs when handling expression language. A remote attacker
can exploit this, via a crafted web application, to bypass the
security manager protection and execute arbitrary code.

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?20b9636e
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
http://seclists.org/bugtraq/2015/May/94

Solution :

Upgrade to Apache Tomcat version 8.0.17 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Apache Tomcat 7.0.x < 7.0.59 Security Manager Bypass


Synopsis:

The remote Apache Tomcat server is affected by a security bypass
vulnerability.

Description:

According to its self-reported version number, the Apache Tomcat
server listening on the remote host is version 7.0.x prior to 7.0.59.
It is, therefore, affected by a security bypass vulnerability due to a
flaw that occurs when handling expression language. A remote attacker
can exploit this, via a crafted web application, to bypass the
security manager protection and execute arbitrary code.

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?edd653ec
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
http://seclists.org/bugtraq/2015/May/94

Solution :

Upgrade to Apache Tomcat version 7.0.59 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.
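
Both Tomcat entries above are pure version checks: the plugin reads the version Tomcat reports about itself and flags 7.0.x below 7.0.59 and 8.0.x below 8.0.17. The following is an added example, not the Nessus plugin and not Tomcat code: a Python version of that check that extracts the version from the banner Tomcat puts in its default error pages, compares it per branch against the fix versions given above, and distinguishes "patched", "vulnerable", "out of scope" (a branch neither entry covers) and "unknown" (no usable version). The sample page fragment is constructed for the example, not captured from a real host.

```python
import re

# Fix versions from the two entries above, keyed by (major, minor) branch.
FIXED_IN = {(7, 0): (7, 0, 59), (8, 0): (8, 0, 17)}

# Tomcat's default error pages carry "Apache Tomcat/x.y.z" in a footer.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")


def parse_version(text):
    """Extract the self-reported Tomcat version as a tuple of ints,
    or None when no banner is present."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True/False for a covered branch, None for a branch these entries
    do not cover. Tuple comparison orders 8.0.9 before 8.0.17 correctly,
    which a string comparison would not."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def check_banner(text):
    """Classify a response body: (status, version)."""
    v = parse_version(text)
    if v is None or len(v) < 3:
        return ("unknown", v)
    verdict = is_vulnerable(v)
    if verdict is None:
        return ("out of scope", v)
    return ("vulnerable" if verdict else "patched", v)


# Constructed sample: the tail of a Tomcat 404 page, not a real capture.
SAMPLE_404 = '<hr class="line"><h3>Apache Tomcat/8.0.15</h3></body></html>'

if __name__ == "__main__":
    for body in (SAMPLE_404, "<h3>Apache Tomcat/7.0.59</h3>", "Server: nginx/1.6.2"):
        print(check_banner(body))
```

The check inherits the limitation the entries themselves state: it sees only the self-reported version, so a build with the fix backported under the old version string is reported as vulnerable, and a host with the banner stripped from its error pages is reported as unknown.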

Citrix XenServer QEMU FDC Buffer Overflow RCE (VENOM)


Synopsis:

The remote host is affected by a buffer overflow vulnerability.

Description:

The remote host is running a version of Citrix XenServer that is
affected by a flaw in the Floppy Disk Controller (FDC) in the bundled
QEMU software due to an overflow condition in 'hw/block/fdc.c' when
handling certain commands. An attacker, with access to an account on
the guest operating system with privilege to access the FDC, can
exploit this flaw to execute arbitrary code in the context of the
hypervisor process on the host system.

See also :

http://support.citrix.com/article/CTX201078
http://venom.crowdstrike.com/

Solution :

Apply the relevant hotfix referenced in the vendor advisory.

Risk factor :

High / CVSS Base Score : 7.7
(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.10 : linux vulnerabilities (USN-2616-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Alexandre Oliva reported a race condition flaw in the btrfs file
system's handling of extended attributes (xattrs). A local attacker
could exploit this flaw to bypass ACLs and potentially escalate
privileges. (CVE-2014-9710)

A memory corruption issue was discovered in AES decryption when using
the Intel AES-NI accelerated code path. A remote attacker could
exploit this flaw to cause a denial of service (system crash) or
potentially escalate privileges on Intel-based machines with an
AES-GCM mode IPsec security association. (CVE-2015-3331)

A flaw was discovered in the Linux kernel's IPv4 networking when using
TCP fast open to initiate a connection. An unprivileged local user
could exploit this flaw to cause a denial of service (system crash).
(CVE-2015-3332).

Solution :

Update the affected linux-image-3.16.0-38-generic,
linux-image-3.16.0-38-generic-lpae and / or
linux-image-3.16.0-38-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.04 : linux-lts-utopic vulnerabilities (USN-2615-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Alexandre Oliva reported a race condition flaw in the btrfs file
system's handling of extended attributes (xattrs). A local attacker
could exploit this flaw to bypass ACLs and potentially escalate
privileges. (CVE-2014-9710)

A memory corruption issue was discovered in AES decryption when using
the Intel AES-NI accelerated code path. A remote attacker could
exploit this flaw to cause a denial of service (system crash) or
potentially escalate privileges on Intel-based machines with an
AES-GCM mode IPsec security association. (CVE-2015-3331)

A flaw was discovered in the Linux kernel's IPv4 networking when using
TCP fast open to initiate a connection. An unprivileged local user
could exploit this flaw to cause a denial of service (system crash).
(CVE-2015-3332).

Solution :

Update the affected linux-image-3.16.0-38-generic,
linux-image-3.16.0-38-generic-lpae and / or
linux-image-3.16.0-38-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.2
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 14.04 : linux vulnerabilities (USN-2614-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Vincent Tondellier discovered an integer overflow in the Linux
kernel's netfilter connection tracking accounting of loaded
extensions. An attacker on the local area network (LAN) could
potentially exploit this flaw to cause a denial of service (system
crash of the targeted system). (CVE-2014-9715)

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A
local guest user could exploit this flaw to cause a denial of service
(host crash). (CVE-2015-2150)

A privilege escalation was discovered in the fork syscall via the int80
entry on 64 bit kernels with 32 bit emulation support. An unprivileged
local attacker could exploit this flaw to increase their privileges on
the system. (CVE-2015-2830)

A memory corruption issue was discovered in AES decryption when using
the Intel AES-NI accelerated code path. A remote attacker could
exploit this flaw to cause a denial of service (system crash) or
potentially escalate privileges on Intel-based machines with an
AES-GCM mode IPsec security association. (CVE-2015-3331).

Solution :

Update the affected linux-image-3.13.0-53-generic,
linux-image-3.13.0-53-generic-lpae and / or
linux-image-3.13.0-53-lowlatency packages.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ubuntu Security Notice (C) 2015 Canonical, Inc. / NASL script (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2613-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Vincent Tondellier discovered an integer overflow in the Linux
kernel's netfilter connection tracking accounting of loaded
extensions. An attacker on the local area network (LAN) could
potentially exploit this flaw to cause a denial of service (system
crash of the targeted system). (CVE-2014-9715)

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A
local guest user could exploit this flaw to cause a denial of service
(host crash). (CVE-2015-2150)

A privilege escalation was discovered in the fork syscall via the int80
entry on 64 bit kernels with 32 bit emulation support. An unprivileged
local attacker could exploit this flaw to increase their privileges on
the system. (CVE-2015-2830)

A memory corruption issue was discovered in AES decryption when using
the Intel AES-NI accelerated code path. A remote attacker could
exploit this flaw to cause a denial of service (system crash) or
potentially escalate privileges on Intel-based machines with an
AES-GCM mode IPsec security association. (CVE-2015-3331).

Solution :

Update the affected linux-image-3.13.0-53-generic and / or
linux-image-3.13.0-53-generic-lpae packages.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ubuntu Security Notice (C) 2015 Canonical, Inc. / NASL script (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS : linux vulnerability (USN-2611-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Vincent Tondellier discovered an integer overflow in the Linux
kernel's netfilter connection tracking accounting of loaded
extensions. An attacker on the local area network (LAN) could
potentially exploit this flaw to cause a denial of service (system
crash of the targeted system). (CVE-2014-9715)

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0923-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

Xen was updated to fix several security issues and a bug.

Security issues fixed :

- CVE-2015-3340: Xen did not initialize certain fields,
which allowed certain remote service domains to obtain
sensitive information from memory via a (1)
XEN_DOMCTL_gettscinfo or (2)
XEN_SYSCTL_getdomaininfolist request.

- CVE-2015-2751: Xen, when using toolstack disaggregation,
allowed remote domains with partial management control
to cause a denial of service (host lock) via unspecified
domctl operations.

- CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall
in Xen, when using a PCI passthrough device, was not
preemptable, which allowed local x86 HVM domain users to
cause a denial of service (host CPU consumption) via a
crafted request to the device model (qemu-dm).

- CVE-2015-3456: Fixed a buffer overflow in the floppy
drive emulation (VENOM), which could be used for denial
of service attacks or potential code execution against
the host.

Bugs fixed :

- xentop: Fix memory leak on read failure

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/922705
https://bugzilla.suse.com/922709
https://bugzilla.suse.com/927967
https://bugzilla.suse.com/929339
https://www.suse.com/security/cve/CVE-2015-2751.html
https://www.suse.com/security/cve/CVE-2015-2752.html
https://www.suse.com/security/cve/CVE-2015-3340.html
https://www.suse.com/security/cve/CVE-2015-3456.html
http://www.nessus.org/u?bbe2b7e6

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2015-206=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2015-206=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-206=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.7
(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED11 / SLES11 Security Update : OpenSLP (SUSE-SU-2015:0922-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

This update for OpenSLP fixes a bug in SLPIntersectStringList that
could lead to an out-of-bounds read (CVE-2012-4428). Additionally, the
SLP daemon now always uses localtime(3) when writing to log files, to
avoid timestamps in different time zones.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/778508
https://bugzilla.suse.com/855385
http://www.nessus.org/u?5a30c0a0
https://www.suse.com/security/cve/CVE-2012-4428.html
http://www.nessus.org/u?f4ab4bdc

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11 SP3 :

zypper in -t patch sdksp3-openslp=10654

SUSE Linux Enterprise Server 11 SP3 for VMware :

zypper in -t patch slessp3-openslp=10654

SUSE Linux Enterprise Server 11 SP3 :

zypper in -t patch slessp3-openslp=10654

SUSE Linux Enterprise Desktop 11 SP3 :

zypper in -t patch sledsp3-openslp=10654

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.2
(CVSS2#E:U/RL:U/RC:ND)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED11 Security Update : gstreamer-0_10-plugins-bad (SUSE-SU-2015:0921-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

gstreamer-0_10-plugins-bad was updated to fix a security issue, a
buffer overflow in mp4 parsing (bnc#927559 CVE-2015-0797).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/927559
http://www.nessus.org/u?c4b515d3
https://www.suse.com/security/cve/CVE-2015-0797.html
http://www.nessus.org/u?d9ac9fed

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Desktop 11 SP3 :

zypper in -t patch sledsp3-gstreamer-0_10-plugins-bad=10643

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:1021)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated java-1.5.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the
IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2005-1080,
CVE-2015-0138, CVE-2015-0192, CVE-2015-0459, CVE-2015-0469,
CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488,
CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher
suites by default to address the CVE-2015-2808 issue. Refer to Red Hat
Bugzilla bug 1207101, linked to in the References section, for
additional details about this change.

IBM Java SDK and JRE 5.0 will not receive software updates after
September 2015. This date is referred to as the End of Service (EOS)
date. Customers are advised to migrate to current versions of IBM Java
at this time. IBM Java SDK and JRE versions 6 and 7 are available via
the Red Hat Enterprise Linux 5 and 6 Supplementary content sets and
will continue to receive updates based on IBM's lifecycle policy,
linked to in the References section.

Customers can also consider OpenJDK, an open source implementation of
the Java SE specification. OpenJDK is available by default on
supported hardware architectures.

All users of java-1.5.0-ibm are advised to upgrade to these updated
packages, containing the IBM J2SE 5.0 SR16-FP10 release. All running
instances of IBM Java must be restarted for this update to take
effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2005-1080.html
https://www.redhat.com/security/data/cve/CVE-2015-0138.html
https://www.redhat.com/security/data/cve/CVE-2015-0192.html
https://www.redhat.com/security/data/cve/CVE-2015-0459.html
https://www.redhat.com/security/data/cve/CVE-2015-0469.html
https://www.redhat.com/security/data/cve/CVE-2015-0477.html
https://www.redhat.com/security/data/cve/CVE-2015-0478.html
https://www.redhat.com/security/data/cve/CVE-2015-0480.html
https://www.redhat.com/security/data/cve/CVE-2015-0488.html
https://www.redhat.com/security/data/cve/CVE-2015-0491.html
https://www.redhat.com/security/data/cve/CVE-2015-1914.html
https://www.redhat.com/security/data/cve/CVE-2015-2808.html
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4
https://www.ibm.com/developerworks/java/jdk/lifecycle/
http://rhn.redhat.com/errata/RHSA-2015-1021.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2015:1020)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated java-1.7.1-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime
Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2005-1080,
CVE-2015-0138, CVE-2015-0192, CVE-2015-0458, CVE-2015-0459,
CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,
CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher
suites by default to address the CVE-2015-2808 issue. Refer to Red Hat
Bugzilla bug 1207101, linked to in the References section, for
additional details about this change.

All users of java-1.7.1-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7R1 SR3 release. All running
instances of IBM Java must be restarted for the update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2005-1080.html
https://www.redhat.com/security/data/cve/CVE-2015-0138.html
https://www.redhat.com/security/data/cve/CVE-2015-0192.html
https://www.redhat.com/security/data/cve/CVE-2015-0458.html
https://www.redhat.com/security/data/cve/CVE-2015-0459.html
https://www.redhat.com/security/data/cve/CVE-2015-0469.html
https://www.redhat.com/security/data/cve/CVE-2015-0477.html
https://www.redhat.com/security/data/cve/CVE-2015-0478.html
https://www.redhat.com/security/data/cve/CVE-2015-0480.html
https://www.redhat.com/security/data/cve/CVE-2015-0488.html
https://www.redhat.com/security/data/cve/CVE-2015-0491.html
https://www.redhat.com/security/data/cve/CVE-2015-1914.html
https://www.redhat.com/security/data/cve/CVE-2015-2808.html
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4
http://rhn.redhat.com/errata/RHSA-2015-1020.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : proftpd -- arbitrary code execution vulnerability with chroot (d0034536-ff24-11e4-a072-d050996490d0)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

ProFTPd development team reports :

Vadim Melihow reported a critical issue with proftpd installations
that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy
allows these commands to be used by *unauthenticated clients*.

See also :

http://bugs.proftpd.org/show_bug.cgi?id=4169
http://www.nessus.org/u?7dfc4564

Solution :

Update the affected package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 21 : wordpress-4.2.2-1.fc21 (2015-6808)


Synopsis:

The remote Fedora host is missing a security update.

Description:

**WordPress 4.2 'Powell'**

- Upstream announcement
https://wordpress.org/news/2015/04/powell/

**WordPress 4.2.1 Security Release**

- Upstream announcement
https://wordpress.org/news/2015/04/wordpress-4-2-1/

**WordPress 4.2.2 Security and Maintenance Release**

- Upstream announcement
https://wordpress.org/news/2015/05/wordpress-4-2-2/

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1214650
https://bugzilla.redhat.com/show_bug.cgi?id=1216069
https://bugzilla.redhat.com/show_bug.cgi?id=1219368
http://www.nessus.org/u?746720e2
https://wordpress.org/news/2015/04/powell/
https://wordpress.org/news/2015/04/wordpress-4-2-1/
https://wordpress.org/news/2015/05/wordpress-4-2-2/

Solution :

Update the affected wordpress package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Fedora 20 : wordpress-4.2.2-1.fc20 (2015-6790)


Synopsis:

The remote Fedora host is missing a security update.

Description:

**WordPress 4.2 'Powell'**

- Upstream announcement
https://wordpress.org/news/2015/04/powell/

**WordPress 4.2.1 Security Release**

- Upstream announcement
https://wordpress.org/news/2015/04/wordpress-4-2-1/

**WordPress 4.2.2 Security and Maintenance Release**

- Upstream announcement
https://wordpress.org/news/2015/05/wordpress-4-2-2/

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1214650
https://bugzilla.redhat.com/show_bug.cgi?id=1216069
https://bugzilla.redhat.com/show_bug.cgi?id=1219368
http://www.nessus.org/u?043c46fc
https://wordpress.org/news/2015/04/powell/
https://wordpress.org/news/2015/04/wordpress-4-2-1/
https://wordpress.org/news/2015/05/wordpress-4-2-2/

Solution :

Update the affected wordpress package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

F5 Networks BIG-IP : QEMU vulnerability (SOL16620)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

An out-of-bounds memory access flaw, also known as 'VENOM,' was found
in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO
buffer access while processing certain FDC commands. A privileged
guest user could use this flaw to crash the guest or, potentially,
execute arbitrary code on the host with the privileges of the host's
QEMU process corresponding to the guest.

See also :

http://www.nessus.org/u?fdf59c7f

Solution :

Upgrade to one of the non-vulnerable versions listed in the F5
Solution SOL16620.

Risk factor :

High / CVSS Base Score : 7.7
(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3265-1 : zendframework - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Multiple vulnerabilities were discovered in Zend Framework, a PHP
framework. Except for CVE-2015-3154, all these issues were already
fixed in the version initially shipped with Jessie.

- CVE-2014-2681
Lukas Reschke reported a lack of protection against XML
External Entity injection attacks in some functions.
This fix extends the incomplete one from CVE-2012-5657.

- CVE-2014-2682
Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among
threads in the PHP-FPM case. This fix extends the
incomplete one from CVE-2012-5657.

- CVE-2014-2683
Lukas Reschke reported a lack of protection against XML
Entity Expansion attacks in some functions. This fix
extends the incomplete one from CVE-2012-6532.

- CVE-2014-2684
Christian Mainka and Vladislav Mladenov from the
Ruhr-University Bochum reported an error in the
consumer's verify method that led to acceptance of
wrongly sourced tokens.

- CVE-2014-2685
Christian Mainka and Vladislav Mladenov from the
Ruhr-University Bochum reported a specification
violation in which signing of a single parameter is
incorrectly considered sufficient.

- CVE-2014-4914
Cassiano Dal Pizzol discovered that the implementation
of the ORDER BY SQL statement in Zend_Db_Select contains
a potential SQL injection when the query string passed
contains parentheses.

- CVE-2014-8088
Yury Dyachenko at Positive Research Center identified
potential XML eXternal Entity injection vectors due to
insecure usage of PHP's DOM extension.

- CVE-2014-8089
Jonas Sandström discovered a SQL injection vector when
manually quoting a value for the sqlsrv extension using a
null byte.

- CVE-2015-3154
Filippo Tessarotto and Maks3w reported potential CRLF
injection attacks in mail and HTTP headers.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743175
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754201
https://security-tracker.debian.org/tracker/CVE-2015-3154
https://security-tracker.debian.org/tracker/CVE-2014-2681
https://security-tracker.debian.org/tracker/CVE-2012-5657
https://security-tracker.debian.org/tracker/CVE-2014-2682
https://security-tracker.debian.org/tracker/CVE-2012-5657
https://security-tracker.debian.org/tracker/CVE-2014-2683
https://security-tracker.debian.org/tracker/CVE-2012-6532
https://security-tracker.debian.org/tracker/CVE-2014-2684
https://security-tracker.debian.org/tracker/CVE-2014-2685
https://security-tracker.debian.org/tracker/CVE-2014-4914
https://security-tracker.debian.org/tracker/CVE-2014-8088
https://security-tracker.debian.org/tracker/CVE-2014-8089
https://security-tracker.debian.org/tracker/CVE-2015-3154
https://packages.debian.org/source/wheezy/zendframework
https://packages.debian.org/source/jessie/zendframework
http://www.debian.org/security/2015/dsa-3265

Solution :

Upgrade the zendframework packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 1.11.13-1.1+deb7u1.

For the stable distribution (jessie), these problems have been fixed
in version 1.12.9+dfsg-2+deb8u1.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DLA-225-1 : dnsmasq security update


Synopsis:

The remote Debian host is missing a security update.

Description:

The following vulnerability was found in dnsmasq :

CVE-2015-3294

Remote attackers could read process memory and cause DoS via malformed
DNS requests.

For Debian 6 'Squeeze', these issues have been fixed in
dnsmasq version 2.55-2+deb6u1.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2015/05/msg00009.html

Solution :

Upgrade the affected dnsmasq package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Google Chrome < 43.0.2357.65 Multiple Vulnerabilities (Mac OS X)


Synopsis:

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Google Chrome installed on the remote Mac OS X host is
prior to 43.0.2357.65. It is, therefore, affected by multiple
vulnerabilities :

- A use-after-free memory error exists in the
SpeechRecognitionClient implementation that allows
remote attackers, using a crafted document, to execute
arbitrary code. (CVE-2015-1251)

- The Write() and DoWrite() methods of the class
PartialCircularBuffer do not properly handle wraps.
A remote attacker, by using write operations with a
large amount of data, can exploit this to bypass the
sandbox protection or cause a denial of service.
(CVE-2015-1252)

- The DOM implementation in Blink does not properly
handle SCRIPT elements during adjustment of DOM node
locations. A remote attacker, using crafted JavaScript
code that appends a child to a SCRIPT element, can
exploit this flaw to bypass the same origin policy.
(CVE-2015-1253)

- The 'core/dom/Document.cpp' in Blink enables the
inheritance of the 'designMode' attribute. A remote
attacker, using a crafted web page, can utilize this to
bypass the same origin policy via the availability of
editing. (CVE-2015-1254)

- A use-after-free memory error exists in the WebAudio
implementation when handling the stop action for an
audio track. A remote attacker can exploit this to
cause a denial of service or possibly execute
arbitrary code. (CVE-2015-1255)

- A use-after-free memory error exists in the SVG
implementation in Blink, related to the improper
handling of a shadow tree for a use element. A remote
attacker, using a crafted document, can exploit this
to cause a denial of service or possibly execute
arbitrary code. (CVE-2015-1256)

- The SVG implementation in Blink does not properly handle
an insufficient number of values in an feColorMatrix
filter. A remote attacker, using a crafted document, can
exploit this to cause a denial of service via a
container overflow. (CVE-2015-1257)

- The libvpx library code was not compiled with an
appropriate '--size-limit' value. This allows a remote
attacker, using a crafted frame size in VP9 video data,
to trigger a negative value for a size field, thus
causing a denial of service or possibly having other
impact. (CVE-2015-1258)

- Google PDFium does not properly initialize memory. A
remote attacker can exploit this to cause a denial of
service or possibly have other unspecified impact.
(CVE-2015-1259)

- Multiple use-after-free memory errors exist in the WebRTC
implementation. A remote attacker can exploit these, by
using crafted JavaScript code that executes upon
completion of a getUserMedia request, to cause a denial
of service or possibly have other unspecified impact.
(CVE-2015-1260)

- The file 'HarfBuzzShaper.cpp' in Blink does not properly
initialize a certain width field. A remote attacker,
using crafted Unicode text, can exploit this to cause a
denial of service or have other unspecified impact.
(CVE-2015-1262)

- The Spellcheck API implementation does not use an HTTPS
session for downloading a Hunspell dictionary. A
man-in-the-middle attacker, using a crafted file, can
exploit this flaw to deliver incorrect spelling
suggestions or possibly have other unspecified impact.
(CVE-2015-1263)

- A cross-site scripting (XSS) vulnerability exists that
is related to the Bookmarks feature. A remote attacker,
using crafted data, can exploit this to inject arbitrary
web script or HTML. (CVE-2015-1264)

- Multiple unspecified vulnerabilities exist that allow an
attacker to cause a denial of service or possibly have
other impact via unknown vectors. (CVE-2015-1265)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?b9eefd81

Solution :

Upgrade to Google Chrome 43.0.2357.65 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Google Chrome < 43.0.2357.65 Multiple Vulnerabilities


Synopsis:

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Google Chrome installed on the remote Windows host is
prior to 43.0.2357.65. It is, therefore, affected by multiple
vulnerabilities :

- A use-after-free memory error exists in the
SpeechRecognitionClient implementation that allows
remote attackers, using a crafted document, to execute
arbitrary code. (CVE-2015-1251)

- The Write() and DoWrite() methods of the class
PartialCircularBuffer do not properly handle wraps.
A remote attacker, by using write operations with a
large amount of data, can exploit this to bypass the
sandbox protection or cause a denial of service.
(CVE-2015-1252)

- The DOM implementation in Blink does not properly
handle SCRIPT elements during adjustment of DOM node
locations. A remote attacker, using crafted JavaScript
code that appends a child to a SCRIPT element, can
exploit this flaw to bypass the same origin policy.
(CVE-2015-1253)

- The 'core/dom/Document.cpp' in Blink enables the
inheritance of the 'designMode' attribute. A remote
attacker, using a crafted web page, can utilize this to
bypass the same origin policy via the availability of
editing. (CVE-2015-1254)

- A use-after-free memory error exists in the WebAudio
implementation when handling the stop action for an
audio track. A remote attacker can exploit this to
cause a denial of service or possibly execute
arbitrary code. (CVE-2015-1255)

- A use-after-free memory error exists in the SVG
implementation in Blink, related to the improper
handling of a shadow tree for a use element. A remote
attacker, using a crafted document, can exploit this
to cause a denial of service or possibly execute
arbitrary code. (CVE-2015-1256)

- The SVG implementation in Blink does not properly handle
an insufficient number of values in an feColorMatrix
filter. A remote attacker, using a crafted document, can
exploit this to cause a denial of service via a
container overflow. (CVE-2015-1257)

- The libvpx library code was not compiled with an
appropriate '--size-limit' value. This allows a remote
attacker, using a crafted frame size in VP9 video data,
to trigger a negative value for a size field, thus
causing a denial of service or possibly having other
impact. (CVE-2015-1258)

- Google PDFium does not properly initialize memory. A
remote attacker can exploit this to cause a denial of
service or possibly have other unspecified impact.
(CVE-2015-1259)

- Multiple use-after-free memory errors exist in the WebRTC
implementation. A remote attacker can exploit these, by
using crafted JavaScript code that executes upon
completion of a getUserMedia request, to cause a denial
of service or possibly have other unspecified impact.
(CVE-2015-1260)

- The file 'HarfBuzzShaper.cpp' in Blink does not properly
initialize a certain width field. A remote attacker,
using crafted Unicode text, can exploit this to cause a
denial of service or have other unspecified impact.
(CVE-2015-1262)

- The Spellcheck API implementation does not use an HTTPS
session for downloading a Hunspell dictionary. A
man-in-the-middle attacker, using a crafted file, can
exploit this flaw to deliver incorrect spelling
suggestions or possibly have other unspecified impact.
(CVE-2015-1263)

- A cross-site scripting (XSS) vulnerability exists that
is related to the Bookmarks feature. A remote attacker,
using crafted data, can exploit this to inject arbitrary
web script or HTML. (CVE-2015-1264)

- Multiple unspecified vulnerabilities exist that allow an
attacker to cause a denial of service or possibly have
other impact via unknown vectors. (CVE-2015-1265)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?b9eefd81

Solution :

Upgrade to Google Chrome 43.0.2357.65 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Network Time Protocol Daemon (ntpd) < 4.2.8p2 Multiple Vulnerabilities


Synopsis:

The remote NTP server is affected by multiple vulnerabilities.

Description:

The version of the remote NTP server is prior to version 4.2.8p2. It
is, therefore, potentially affected by multiple vulnerabilities :

- The symmetric-key feature in the receive function
requires a correct message authentication code (MAC)
only if the MAC field has a nonzero length. This makes
it easier for man-in-the-middle attackers to spoof
packets by omitting the MAC. (CVE-2015-1798)

- A flaw exists in the symmetric-key feature in the
receive function when handling a specially crafted
packet sent to one of two hosts that are peering with
each other. This may allow an attacker to cause the
next attempt by the servers to synchronize to fail.
(CVE-2015-1799)

- A flaw exists in 'util/ntp-keygen.c' due to the way that
the ntp-keygen utility generates MD5 symmetric keys
on big-endian systems. This may allow remote attackers
to more easily guess MD5 symmetric keys, enabling them
to spoof an NTP server or client. (CVE-2015-3405)

See also :

http://support.ntp.org/bin/view/Main/SecurityNotice
http://www.nessus.org/u?9fd24f37
https://bugs.ntp.org/show_bug.cgi?id=2797

Solution :

Upgrade to NTP version 4.2.8p2 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.