Newest Plugins

Citrix XenServer Active Directory Authentication Incorrect Host Management Security Bypass (CTX213549)


Synopsis:

The remote host is affected by a security bypass vulnerability.

Description:

The version of Citrix XenServer running on the remote host is 7.x
prior to 7.0 hotfix XS70E003. It is, therefore, affected by a security
bypass vulnerability due to incorrect handling of Active Directory
(AD) credentials. An unauthenticated, remote attacker on the
management network who holds credentials for any AD account can
exploit this to compromise the XenServer host, even if that account
has not been granted authorization on the host.

See also :

https://support.citrix.com/article/CTX213549
https://support.citrix.com/article/CTX213769

Solution :

Apply hotfix XS70E003 as referenced in the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS : linux vulnerabilities (USN-3021-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Andrey Konovalov discovered that the CDC Network Control Model USB
driver in the Linux kernel did not cancel work events queued if a
later error occurred, resulting in a use-after-free. An attacker with
physical access could use this to cause a denial of service (system
crash). (CVE-2016-3951)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Jann Horn discovered that the InfiniBand interfaces within the Linux
kernel could be coerced into overwriting kernel memory. A local
unprivileged attacker could use this to possibly gain administrative
privileges on systems where InfiniBand related kernel modules are
loaded. (CVE-2016-4565)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

Baozeng Ding discovered a use-after-free issue in the generic PPP
layer in the Linux kernel. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-4805)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3020-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-3.19.0-64-generic,
linux-image-3.19.0-64-generic-lpae and / or
linux-image-3.19.0-64-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-3019-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Jann Horn discovered that the InfiniBand interfaces within the Linux
kernel could be coerced into overwriting kernel memory. A local
unprivileged attacker could use this to possibly gain administrative
privileges on systems where InfiniBand related kernel modules are
loaded. (CVE-2016-4565)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-3.16.0-76-generic,
linux-image-3.16.0-76-generic-lpae and / or
linux-image-3.16.0-76-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3018-2)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

USN-3018-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Jann Horn discovered that the InfiniBand interfaces within the Linux
kernel could be coerced into overwriting kernel memory. A local
unprivileged attacker could use this to possibly gain administrative
privileges on systems where InfiniBand related kernel modules are
loaded. (CVE-2016-4565)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-3.13.0-91-generic and / or
linux-image-3.13.0-91-generic-lpae packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux vulnerabilities (USN-3018-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Jann Horn discovered that the InfiniBand interfaces within the Linux
kernel could be coerced into overwriting kernel memory. A local
unprivileged attacker could use this to possibly gain administrative
privileges on systems where InfiniBand related kernel modules are
loaded. (CVE-2016-4565)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-3.13.0-91-generic,
linux-image-3.13.0-91-generic-lpae and / or
linux-image-3.13.0-91-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-3017-3)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

USN-3017-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.2.0-41-generic,
linux-image-4.2.0-41-generic-lpae and / or
linux-image-4.2.0-41-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-3017-2)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.2.0-1033-raspi2 package.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 15.10 : linux vulnerabilities (USN-3017-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.2.0-41-generic,
linux-image-4.2.0-41-generic-lpae and / or
linux-image-4.2.0-41-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3016-4)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

USN-3016-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.4.0-28-generic,
linux-image-4.4.0-28-generic-lpae and / or
linux-image-4.4.0-28-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3016-3)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.4.0-1019-snapdragon package.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3016-2)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.4.0-1016-raspi2 package.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 16.04 LTS : linux vulnerabilities (USN-3016-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related
patches.

Description:

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32
bit compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A
local unprivileged attacker could use this to cause a denial of
service (system crash) or execute arbitrary code with administrative
privileges. (CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB
implementation in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4482)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA)
subsystem of the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request
handling in the Linux kernel. A local attacker could use this to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to
mount a malicious iso9660 file system image could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2016-4913)

Baozeng Ding discovered that the Transparent Inter-process
Communication (TIPC) implementation in the Linux kernel did not verify
socket existence before use in some situations. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-4951)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected linux-image-4.4.0-28-generic,
linux-image-4.4.0-28-generic-lpae and / or
linux-image-4.4.0-28-lowlatency packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 6 : kernel-rt (RHSA-2016:1341)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for kernel-rt is now available for Red Hat Enterprise MRG
2.5.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel-rt package contain the Linux kernel, the core of any Linux
operating system.

This update provides a build of the kernel-rt package for Red Hat
Enterprise MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and
provides a number of bug fixes including :

* [netdrv] ixgbevf: fix spoofed packets with random MAC and use
ether_addr_copy instead of memcpy
* [mm] mmu_notifier: fix memory corruption
* [mm] hugetlbfs: optimize when NUMA=n
* [mm] optimize put_mems_allowed() usage
* [x86] mm: suitable memory should go to ZONE_MOVABLE
* [fs] xfs: fix splice/direct-IO deadlock
* [acpi] tables: Add acpi_subtable_proc to ACPI table parsers
* [acpi] table: Add new function to get table entries
* [net] ipv6: Nonlocal bind
* [net] ipv4: bind ip_nonlocal_bind to current netns

(BZ#1332298)

Security Fix(es) :

* A flaw was found in the way certain interfaces of the Linux kernel's
Infiniband subsystem used write() as bi-directional ioctl()
replacement, which could lead to insufficient memory security checks
when being invoked using the splice() system call. A local
unprivileged user on a system with either Infiniband hardware present
or RDMA Userspace Connection Manager Access module explicitly loaded,
could use this flaw to escalate their privileges on the system.
(CVE-2016-4565, Important)

* A race condition flaw was found in the way the Linux kernel's SCTP
implementation handled sctp_accept() during the processing of
heartbeat timeout events. A remote attacker could use this flaw to
prevent further connections to be accepted by the SCTP server running
on the system, resulting in a denial of service. (CVE-2015-8767,
Moderate)

* A flaw was found in the way the realtime kernel processed specially
crafted ICMP echo requests. A remote attacker could use this flaw to
trigger a sysrq function based on values in the ICMP packet, allowing
them to remotely restart the system. Note that this feature is not
enabled by default and requires elevated privileges to be configured.
(CVE-2016-3707, Moderate)

Red Hat would like to thank Jann Horn for reporting CVE-2016-4565.

Bug Fix(es) :

* An oops can occur in the hpsa driver while submitting ioaccel2
commands when the phys_disk pointer is NULL (in
hpsa_scsi_ioaccel_raid_map). Configuration changes during I/O
operations could set the phys_disk pointer to NULL. In this case, send
the command down the RAID path for correct processing, avoiding the
oops. (BZ#1334260)

* A faulty code merge left an extra spin_lock operation in the
function fscache_invalidate_write(). The code has been correctly
updated to remove this extra lock operation, which avoids a potential
deadlock situation when looping through cache pages. (BZ#1327730)

See also :

https://www.redhat.com/security/data/cve/CVE-2015-8767.html
https://www.redhat.com/security/data/cve/CVE-2016-3707.html
https://www.redhat.com/security/data/cve/CVE-2016-4565.html
http://rhn.redhat.com/errata/RHSA-2016-1341.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : mariadb (openSUSE-2016-780)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

mariadb was updated to version 10.0.25 to fix 25 security issues.

These security issues were fixed :

- CVE-2016-0505: Unspecified vulnerability allowed remote
authenticated users to affect availability via unknown
vectors related to Options (bsc#980904).

- CVE-2016-0546: Unspecified vulnerability allowed local
users to affect confidentiality, integrity, and
availability via unknown vectors related to Client
(bsc#980904).

- CVE-2016-0596: Unspecified vulnerability allowed remote
authenticated users to affect availability via vectors
related to DML (bsc#980904).

- CVE-2016-0597: Unspecified vulnerability allowed remote
authenticated users to affect availability via unknown
vectors related to Optimizer (bsc#980904).

- CVE-2016-0598: Unspecified vulnerability allowed remote
authenticated users to affect availability via vectors
related to DML (bsc#980904).

- CVE-2016-0600: Unspecified vulnerability allowed remote
authenticated users to affect availability via unknown
vectors related to InnoDB (bsc#980904).

- CVE-2016-0606: Unspecified vulnerability allowed remote
authenticated users to affect integrity via unknown
vectors related to encryption (bsc#980904).

- CVE-2016-0608: Unspecified vulnerability allowed remote
authenticated users to affect availability via vectors
related to UDF (bsc#980904).

- CVE-2016-0609: Unspecified vulnerability allowed remote
authenticated users to affect availability via unknown
vectors related to privileges (bsc#980904).

- CVE-2016-0616: Unspecified vulnerability allowed remote
authenticated users to affect availability via unknown
vectors related to Optimizer (bsc#980904).

- CVE-2016-0640: Unspecified vulnerability allowed local
users to affect integrity and availability via vectors
related to DML (bsc#980904).

- CVE-2016-0641: Unspecified vulnerability allowed local
users to affect confidentiality and availability via
vectors related to MyISAM (bsc#980904).

- CVE-2016-0642: Unspecified vulnerability allowed local
users to affect integrity and availability via vectors
related to Federated (bsc#980904).

- CVE-2016-0643: Unspecified vulnerability allowed local
users to affect confidentiality via vectors related to
DML (bsc#980904).

- CVE-2016-0644: Unspecified vulnerability allowed local
users to affect availability via vectors related to DDL
(bsc#980904).

- CVE-2016-0646: Unspecified vulnerability allowed local
users to affect availability via vectors related to DML
(bsc#980904).

- CVE-2016-0647: Unspecified vulnerability allowed local
users to affect availability via vectors related to FTS
(bsc#980904).

- CVE-2016-0648: Unspecified vulnerability allowed local
users to affect availability via vectors related to PS
(bsc#980904).

- CVE-2016-0649: Unspecified vulnerability allowed local
users to affect availability via vectors related to PS
(bsc#980904).

- CVE-2016-0650: Unspecified vulnerability allowed local
users to affect availability via vectors related to
Replication (bsc#980904).

- CVE-2016-0651: Unspecified vulnerability allowed local
users to affect availability via vectors related to
Optimizer (bsc#980904).

- CVE-2016-0655: Unspecified vulnerability allowed local
users to affect availability via vectors related to
InnoDB (bsc#980904).

- CVE-2016-0666: Unspecified vulnerability allowed local
users to affect availability via vectors related to
Security: Privileges (bsc#980904).

- CVE-2016-0668: Unspecified vulnerability allowed local
users to affect availability via vectors related to
InnoDB (bsc#980904).

- CVE-2016-2047: The ssl_verify_server_cert function in
sql-common/client.c did not properly verify that the
server hostname matches a domain name in the subject's
Common Name (CN) or subjectAltName field of the X.509
certificate, which allowed man-in-the-middle attackers
to spoof SSL servers via a '/CN=' string in a field in a
certificate, as demonstrated by
'/OU=/CN=bar.com/CN=foo.com' (bsc#963806).
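
The CVE-2016-2047 bypass comes from checking the hostname against a
flattened, one-line rendering of the certificate subject instead of
against its structured attributes: a '/CN=' sequence inside an
attacker-controlled OU value is indistinguishable from a real CN once
everything is a single string. The following is an added example, not
MariaDB's code: vulnerable_cn_check mimics the pre-fix string search,
and hardened_hostname_check is one sound replacement that walks the
RDN list and prefers subjectAltName dNSName entries (RFC 6125). The
function names, the RDN representation and the sample certificates
are assumptions constructed for the demonstration.

```python
from typing import List, Tuple

RDNs = List[Tuple[str, str]]  # subject as X.509 carries it: ordered (attribute, value) pairs


def flatten_subject(rdns: RDNs) -> str:
    """One-line '/ATTR=value/ATTR=value' rendering, the form the vulnerable code searched."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def vulnerable_cn_check(subject_line: str, hostname: str) -> bool:
    """Pre-fix behaviour (hypothetical re-implementation): find the first '/CN='
    in the flattened subject and compare what follows, up to the next '/',
    with the expected hostname. Any attribute value containing '/CN=' wins."""
    idx = subject_line.find("/CN=")
    if idx < 0:
        return False
    cn = subject_line[idx + len("/CN="):]
    slash = cn.find("/")
    if slash >= 0:
        cn = cn[:slash]
    return cn == hostname


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match; a single left-most '*' label is allowed,
    and only when at least two fixed labels follow it (no '*.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hardened_hostname_check(rdns: RDNs, san_dns: List[str], hostname: str) -> bool:
    """Structured check: if the certificate carries any dNSName SAN entries, only
    those count; otherwise fall back to the CN attribute, and treat zero or more
    than one CN attribute as invalid rather than guessing which one was meant."""
    if san_dns:
        return any(_label_match(name, hostname) for name in san_dns)
    cns = [value for attr, value in rdns if attr.upper() == "CN"]
    if len(cns) != 1:
        return False
    return _label_match(cns[0], hostname)


# Constructed certificates (assumptions for the demo). The attacker legitimately
# owns foo.com and gets a CA to issue a cert whose OU value happens to be '/CN=bar.com'.
ATTACKER_RDNS: RDNs = [("OU", "/CN=bar.com"), ("CN", "foo.com")]
LEGIT_RDNS: RDNs = [("O", "Example"), ("CN", "bar.com")]


def demo() -> dict:
    line = flatten_subject(ATTACKER_RDNS)  # '/OU=/CN=bar.com/CN=foo.com', the advisory's example
    return {
        "vulnerable_accepts_spoof": vulnerable_cn_check(line, "bar.com"),              # True: bypass
        "hardened_accepts_spoof": hardened_hostname_check(ATTACKER_RDNS, [], "bar.com"),  # False
        "hardened_accepts_own_name": hardened_hostname_check(ATTACKER_RDNS, [], "foo.com"),  # True
        "hardened_accepts_real_cert": hardened_hostname_check(LEGIT_RDNS, [], "bar.com"),   # True
        "san_overrides_cn": hardened_hostname_check(LEGIT_RDNS, ["db1.example.com"], "bar.com"),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The general lesson is to never parse security-relevant structure out of
a display string; the same class of bug appears wherever a '/'- or
','-delimited DN is searched with strstr instead of being walked
attribute by attribute.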

These non-security issues were fixed :

- bsc#961935: Remove the leftovers of 'openSUSE' string in
the '-DWITH_COMMENT' and 'DCOMPILATION_COMMENT' options

- bsc#970287: remove ha_tokudb.so plugin and
tokuft_logprint and tokuftdump binaries as TokuDB
storage engine requires the jemalloc library that isn't
present in SLE-12-SP1

- bsc#970295: Fix the leftovers of 'logrotate.d/mysql'
string in the logrotate error message. Occurrences of
this string were changed to 'logrotate.d/mariadb'

- bsc#963810: Add 'log-error' and 'secure-file-priv'
configuration options

- add '/etc/my.cnf.d/error_log.conf' that specifies
'log-error = /var/log/mysql/mysqld.log'. If no path is
set, the error log is written to
'/var/lib/mysql/$HOSTNAME.err', which is not picked up
by logrotate.

- add '/etc/my.cnf.d/secure_file_priv.conf' which
specifies that 'LOAD DATA', 'SELECT ... INTO' and 'LOAD
FILE()' will only work with files in the directory
specified by 'secure-file-priv' option
(='/var/lib/mysql-files').

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=961935
https://bugzilla.opensuse.org/show_bug.cgi?id=963806
https://bugzilla.opensuse.org/show_bug.cgi?id=963810
https://bugzilla.opensuse.org/show_bug.cgi?id=970287
https://bugzilla.opensuse.org/show_bug.cgi?id=970295
https://bugzilla.opensuse.org/show_bug.cgi?id=980904

Solution :

Update the affected mariadb packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : libav (openSUSE-2016-779)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This update for libav fixes the two following security issues :

- CVE-2016-3062: A MP4 memory corruption was fixed that
could lead to crashes or code execution. (boo#984487)

- CVE-2015-5479: A crash due to a divide by zero was fixed
in ff_h263_decode_mba() that could lead to decoder
crashes. (boo#949760)

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=949760
https://bugzilla.opensuse.org/show_bug.cgi?id=984487

Solution :

Update the affected libav packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : php5 (openSUSE-2016-776)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This update for php5 fixes the following issues :

- CVE-2013-7456: imagescale out-of-bounds read
(bnc#982009).

- CVE-2016-5093: get_icu_value_internal out-of-bounds read
(bnc#982010).

- CVE-2016-5094: Don't create strings with lengths outside
of valid range (bnc#982011).

- CVE-2016-5095: Don't create strings with lengths outside
of valid range (bnc#982012).

- CVE-2016-5096: int/size_t confusion in fread
(bsc#982013).

- CVE-2015-8877: The gdImageScaleTwoPass function in
gd_interpolation.c in the GD Graphics Library (aka
libgd) as used in PHP used inconsistent allocate and
free approaches, which allowed remote attackers to cause
a denial of service (memory consumption) via a crafted
call, as demonstrated by a call to the PHP imagescale
function (bsc#981061).

- CVE-2015-8876: Zend/zend_exceptions.c in PHP did not
validate certain Exception objects, which allowed remote
attackers to cause a denial of service (NULL pointer
dereference and application crash) or trigger unintended
method execution via crafted serialized data
(bsc#981049).

- CVE-2015-8879: The odbc_bindcols function in
ext/odbc/php_odbc.c in PHP mishandles driver behavior
for SQL_WVARCHAR columns, which allowed remote attackers
to cause a denial of service (application crash) in
opportunistic circumstances by leveraging use of the
odbc_fetch_array function to access a certain type of
Microsoft SQL Server table (bsc#981050).

This update was imported from the SUSE:SLE-12:Update update project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=981049
https://bugzilla.opensuse.org/show_bug.cgi?id=981050
https://bugzilla.opensuse.org/show_bug.cgi?id=981061
https://bugzilla.opensuse.org/show_bug.cgi?id=982009
https://bugzilla.opensuse.org/show_bug.cgi?id=982010
https://bugzilla.opensuse.org/show_bug.cgi?id=982011
https://bugzilla.opensuse.org/show_bug.cgi?id=982012
https://bugzilla.opensuse.org/show_bug.cgi?id=982013

Solution :

Update the affected php5 packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : libtasn1 (openSUSE-2016-773)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This update for libtasn1 fixes the following issues :

- Malformed asn1 definitions could have caused a
segmentation fault in the asn1 definition parser
(bsc#961491)

- CVE-2015-3622: Fixed invalid read in octet string
decoding (bsc#929414)

- CVE-2016-4008: Fixed infinite loop while parsing DER
certificates (bsc#982779)

This update was imported from the SUSE:SLE-12:Update update project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=929414
https://bugzilla.opensuse.org/show_bug.cgi?id=961491
https://bugzilla.opensuse.org/show_bug.cgi?id=982779

Solution :

Update the affected libtasn1 packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : p7zip (openSUSE-2016-771)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This update for p7zip fixes one security issue.

This security issue was fixed :

- CVE-2016-2335: UDF CInArchive::ReadFileItem code
execution vulnerability (bsc#979823)

This update was imported from the SUSE:SLE-12:Update update project.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=979823

Solution :

Update the affected p7zip packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : libarchive (openSUSE-2016-770)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

libarchive was updated to fix one security issue.

This security issue was fixed :

- CVE-2016-4809: Memory allocation error with gigantic
symbolic links in cpio archives (bsc#984990).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=984990

Solution :

Update the affected libarchive packages.

Risk factor :

Low

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : rsync (openSUSE-2016-764)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

rsync was updated to fix one security issue.

This security issue was fixed :

- CVE-2014-9512: rsync allowed remote attackers to write
to arbitrary files via a symlink attack on a file in the
synchronization path (boo#915410).
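
The symlink attack above works because the receiving side opens the
destination name and lets the kernel follow whatever that name already
points to. The following is an added example, not rsync's code: it
plants a symlink inside a directory being synchronised, shows a naive
writer clobbering the file the link points at, and shows a hardened
writer that opens with O_NOFOLLOW and then verifies via fstat that it
holds a regular file. Paths, file contents and function names are
constructed for the demonstration; it assumes a POSIX system where
os.O_NOFOLLOW is available (Linux or a BSD).

```python
import errno
import os
import shutil
import stat
import tempfile


def naive_write(dest: str, data: bytes) -> None:
    """Receiver that trusts the destination path: open() follows symlinks."""
    with open(dest, "wb") as f:
        f.write(data)


def safe_write(dest: str, data: bytes) -> None:
    """Refuse a symlink at the final path component and refuse anything that
    is not a regular file. O_NOFOLLOW makes the kernel reject the symlink
    inside open() itself, so there is no lstat-then-open race to win."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "refusing to write to a non-regular file", dest)
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        victim = os.path.join(root, "victim")   # stands in for a file outside the sync path
        module = os.path.join(root, "module")   # the directory being synchronised into
        os.mkdir(module)
        link = os.path.join(module, "notes.txt")
        os.symlink(victim, link)                # planted by the attacker in the sync path
        with open(victim, "wb") as f:
            f.write(b"original\n")

        # Naive receiver: the write goes through the link and overwrites the victim.
        naive_write(link, b"attacker content\n")
        with open(victim, "rb") as f:
            naive_clobbered = f.read() == b"attacker content\n"

        # Reset the victim, then try the hardened receiver on the same link.
        with open(victim, "wb") as f:
            f.write(b"original\n")
        try:
            safe_write(link, b"attacker content\n")
            safe_blocked = False
        except OSError as e:
            # Linux reports ELOOP for O_NOFOLLOW on a symlink; FreeBSD reports EMLINK.
            safe_blocked = e.errno in (errno.ELOOP, errno.EMLINK)
        with open(victim, "rb") as f:
            victim_intact = f.read() == b"original\n"

        return {
            "naive_clobbered": naive_clobbered,
            "safe_blocked": safe_blocked,
            "victim_intact": victim_intact,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only protects the last path component; a symlinked parent
directory is still followed. A receiver that writes into untrusted
trees also needs to open each directory component without following
links (openat with a directory fd walked from a trusted root) or, as
rsync's own daemon options do, to refuse or rewrite symlinks it
receives.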

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=915410

Solution :

Update the affected rsync packages.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201606-19 : kwalletd: Information disclosure


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201606-19
(kwalletd: Information disclosure)

Kwalletd in KWallet uses Blowfish with ECB mode instead of CBC mode when
encrypting the password store.

Impact :

Local attackers, with access to the password store, could conduct a
codebook attack in order to obtain confidential passwords.
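
Why ECB makes the wallet attackable: every 64-bit plaintext block is
encrypted independently under the same key, so equal plaintext blocks
produce equal ciphertext blocks and the ciphertext becomes a codebook.
An attacker who can read the store and who knows the plaintext of even
one entry (for example a password they set themselves) can recognise
every other entry with the same value without the key. The following
is an added example, not KWallet's code: it uses a small stand-in
Feistel cipher on 64-bit blocks (NOT Blowfish and not secure, only a
deterministic invertible block permutation) to encrypt a constructed
wallet in ECB and in CBC, and shows the duplicate-block leak and the
codebook lookup that ECB permits and CBC does not. The key, IV and
wallet contents are assumptions made for the demo.

```python
import hashlib
from typing import Dict, List

BLOCK = 8  # 64-bit blocks, the block size Blowfish uses


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function: keyed hash of one 32-bit half, truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Stand-in 16-round Feistel cipher (not Blowfish). A Feistel network is a
    bijection whatever the round function, which is all this demo needs."""
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(key, right, r))
    return right + left


def decrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _f(key, right, r))
    return right + left


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block encrypted on its own: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block first, so repeats vanish.
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> Dict[bytes, List[int]]:
    """Codebook view: ciphertext block value -> block positions where it recurs."""
    positions: Dict[bytes, List[int]] = {}
    for i, c in enumerate(_blocks(ciphertext)):
        positions.setdefault(c, []).append(i)
    return {c: p for c, p in positions.items() if len(p) > 1}


def codebook_attack(ciphertext: bytes, known: Dict[bytes, bytes]) -> Dict[int, bytes]:
    """Given ciphertext blocks whose plaintext the attacker already knows, recover
    every position holding the same value. No key is needed: under ECB the
    ciphertext block itself is the codebook entry."""
    return {i: known[c] for i, c in enumerate(_blocks(ciphertext)) if c in known}


# Constructed sample wallet: 8-byte labels each followed by an 8-byte secret;
# the mail and wifi entries reuse the same password.
STORE = (b"mail:   " + b"hunter2\x00"
         + b"wifi:   " + b"hunter2\x00"
         + b"bank:   " + b"Tr0ub4d0")
KEY = b"wallet-master-key"   # assumption: a fixed demo key
IV = bytes(range(8))         # assumption: a fixed demo IV


def demo() -> dict:
    ecb = ecb_encrypt(KEY, STORE)
    cbc = cbc_encrypt(KEY, IV, STORE)
    # The attacker set the wifi password (block 3) and can read the ciphertext,
    # so they know that one block's plaintext; ECB then hands them the mail password.
    known = {ecb[3 * BLOCK:4 * BLOCK]: b"hunter2\x00"}
    return {
        "ecb_repeats": repeated_blocks(ecb),   # one block value recurring at positions [1, 3]
        "cbc_repeats": repeated_blocks(cbc),   # empty
        "ecb_leak": codebook_attack(ecb, known),
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc) == STORE,
    }


if __name__ == "__main__":
    print(demo())
```

CBC removes the equal-block leak but is not an integrity mechanism; a
store an attacker can also modify needs authenticated encryption (or a
MAC over the ciphertext) on top of a non-ECB mode.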

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201606-19

Solution :

All kwalletd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=kde-apps/kwalletd-4.14.3-r1'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201606-18 : IcedTea: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201606-18
(IcedTea: Multiple vulnerabilities)

Multiple vulnerabilities exist in the OpenJDK components shipped in
IcedTea, including 2D, Corba, Hotspot, Libraries, and JAXP, that allow
remote attackers to affect the confidentiality, integrity, and
availability of vulnerable systems. Many of the vulnerabilities can
only be exploited through sandboxed Java Web Start applications and
Java applets. Please review the CVE identifiers referenced below for
details.

Impact :

Remote attackers may execute arbitrary code, compromise information, or
cause Denial of Service.

Workaround :

There is no known work around at this time.

See also :

https://security.gentoo.org/glsa/201606-18

Solution :

Gentoo Security is no longer supporting dev-java/icedtea, as it has been
officially dropped from the stable tree.
Users of the IcedTea 3.x binary package should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-java/icedtea-bin-3.0.1'
Users of the IcedTea 7.x binary package should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-java/icedtea-7.2.6.6'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201606-17 : hostapd and wpa_supplicant: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201606-17
(hostapd and wpa_supplicant: Multiple vulnerabilities)

Multiple vulnerabilities exist in both hostapd and wpa_supplicant.
Please review the CVE identifiers for more information.

Impact :

Remote attackers could execute arbitrary code with the privileges of the
process or cause Denial of Service.

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201606-17

Solution :

All hostapd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-wireless/hostapd-2.5'
All wpa_supplicant users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
'>=net-wireless/wpa_supplicant-2.5-r1'

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

F5 Networks BIG-IP : Apache Struts 2 vulnerability (SOL23432135)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method
references when used with OGNL before 3.0.12, which allows remote
attackers to cause a denial of service (block access to a website) via
unspecified vectors.

See also :

http://support.f5.com/kb/en-us/solutions/public/k/23/sol23432135.html

Solution :

Upgrade to one of the non-vulnerable versions listed in the F5
Solution SOL23432135.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DLA-532-1 : movabletype-opensource security update


Synopsis:

The remote Debian host is missing a security update.

Description:

It was discovered that there was a SQL injection vulnerability in the
XML-RPC interface in MovableType, a blogging engine.

For Debian 7 'Wheezy', this issue has been fixed in
movabletype-opensource version 5.1.4+dfsg-4+deb7u4.

We recommend that you upgrade your movabletype-opensource packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2016/06/msg00032.html
https://packages.debian.org/source/wheezy/movabletype-opensource

Solution :

Upgrade the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DLA-531-1 : spice security update


Synopsis:

The remote Debian host is missing a security update.

Description:

A vulnerability has been found in the Simple Protocol for Independent
Computing Environments, SPICE.

Frediano Ziglio from Red Hat discovered that SPICE allowed local guest
OS users to read from or write to arbitrary host memory locations via
crafted primary surface parameters.

For Debian 7 'Wheezy', this problem has been fixed in version
0.11.0-1+deb7u3.

We recommend you to upgrade your spice packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2016/06/msg00033.html
https://packages.debian.org/source/wheezy/spice

Solution :

Upgrade the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.4
(CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.4
(CVSS2#E:U/RL:ND/RC:UR)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Amazon Linux AMI : kernel (ALAS-2016-718)


Synopsis:

The remote Amazon Linux AMI host is missing a security update.

Description:

A flaw was discovered in processing setsockopt for 32 bit processes on
64 bit systems. This flaw allows attackers to alter arbitrary kernel
memory when unloading a kernel module. This action is usually
restricted to root-privileged users but can also be leveraged by
unprivileged users if the kernel is compiled with CONFIG_USER_NS and
CONFIG_NET_NS. (CVE-2016-4997)

See also :

https://alas.aws.amazon.com/ALAS-2016-718.html

Solution :

Run 'yum update kernel' to update your system.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Microsoft Office Unsupported Version Detection (Mac OS X)


Synopsis:

The remote host contains an unsupported version of Microsoft Office.

Description:

According to its version, the installation of Microsoft Office on the
remote Mac OS X host is no longer supported.

Lack of support implies that no new security patches for the product
will be released by the vendor. As a result, it is likely to contain
security vulnerabilities.

See also :

https://support.microsoft.com/en-us/lifecycle
https://support.microsoft.com/en-us/gp/lifeoffice
https://support.microsoft.com/en-us/gp/lifeselect

Solution :

Upgrade to a version of Microsoft Office that is currently supported.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

MediaWiki 1.23.x < 1.23.14 / 1.25.x < 1.25.6 / 1.26.x < 1.26.3 Multiple Vulnerabilities


Synopsis:

An application running on the remote web server is affected by
multiple vulnerabilities.

Description:

According to its version number, the MediaWiki application running on
the remote web server is 1.23.x prior to 1.23.14, 1.25.x prior to
1.25.6, or 1.26.x prior to 1.26.3. It is, therefore, affected by the
following vulnerabilities :

- A flaw exists in the includes/DefaultSettings.php script
due to the default 'pbkdf2' password hashing
configuration being weaker than it should be, which
results in password hashes that are easier to crack. A
remote attacker who obtains the hashes can exploit this,
using brute-force methods, to disclose the passwords.
(VulnDB 139097)

- A cross-site scripting vulnerability exists in the
includes/upload/UploadBase.php script within the
UploadBase::checkSvgScriptCallback() function, when
uploading SVG files, due to a failure to validate input
before returning it to the user. An unauthenticated,
remote attacker can exploit this, via a specially
crafted request, to execute arbitrary script code in the
user's browser session. (VulnDB 139098)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.nessus.org/u?937cb355
https://www.mediawiki.org/wiki/Release_notes/1.23#MediaWiki_1.23.13
https://www.mediawiki.org/wiki/Release_notes/1.25#MediaWiki_1.25.6
https://www.mediawiki.org/wiki/Release_notes/1.26#MediaWiki_1.26.3
https://phabricator.wikimedia.org/T116030
https://phabricator.wikimedia.org/T123071
https://phabricator.wikimedia.org/T122653

Solution :

Upgrade to MediaWiki version 1.23.14 / 1.25.6 / 1.26.3 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Cisco IOS-XE Zone-Based Firewall Feature Security Bypass (CSCun96847)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version, the Cisco IOS-XE software
running on the remote device is affected by a security bypass
vulnerability in the Zone-Based Firewall feature due to insufficient
zone checking for traffic belonging to existing sessions. An
unauthenticated, remote attacker can exploit this, by injecting
spoofed traffic that matches existing connections, to bypass security
access restrictions on the device and gain access to resources.

See also :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun96847
https://tools.cisco.com/security/center/viewAlert.x?alertId=39129

Solution :

Apply the relevant patch referenced in the Cisco security advisory.
Alternatively, disable the Zone-Based Firewall feature according to
the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Cisco IOS Zone-Based Firewall Feature Security Bypass (CSCun94946)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version, the Cisco IOS software running
on the remote device is affected by a security bypass vulnerability
in the Zone-Based Firewall feature due to insufficient zone checking
for traffic belonging to existing sessions. An unauthenticated, remote
attacker can exploit this, by injecting spoofed traffic that matches
existing connections, to bypass security access restrictions on the
device and gain access to resources.

See also :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun94946
https://tools.cisco.com/security/center/viewAlert.x?alertId=39129
http://www.nessus.org/u?6e66b42d

Solution :

Apply the relevant patch referenced in the Cisco security advisory.
Alternatively, disable the Zone-Based Firewall feature according to
the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Scientific Linux Security Update : kernel on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

To see the complete list of bug fixes, users are directed to the
related Knowledge Article :

Security Fixes :

- A flaw was found in the way certain interfaces of the
Linux kernel's Infiniband subsystem used write() as
bi-directional ioctl() replacement, which could lead to
insufficient memory security checks when being invoked
using the splice() system call. A local unprivileged
user on a system with either Infiniband hardware present
or RDMA Userspace Connection Manager Access module
explicitly loaded, could use this flaw to escalate their
privileges on the system. (CVE-2016-4565, Important)

- A race condition flaw was found in the way the Linux
kernel's SCTP implementation handled sctp_accept()
during the processing of heartbeat timeout events. A
remote attacker could use this flaw to prevent further
connections to be accepted by the SCTP server running on
the system, resulting in a denial of service.
(CVE-2015-8767, Moderate)

Bug Fixes :

- When Small Computer System Interface (SCSI) devices were
removed or deleted, a system crash could occur due to a
race condition between listing all SCSI devices and SCSI
device removal. The provided patch ensures that the
starting node for the klist_iter_init_node() function is
actually a member of the list before using it. As a
result, a system crash no longer occurs in the described
scenario.

- This update offers a reworked series of patches for the
resizable hash table (rhashtable) including a number of
backported bug fixes and enhancements from upstream.

- Previously, the same value of the mperf Model-Specific
Register (MSR) read twice in a row could lead to a
kernel panic due to the divide-by-zero error. The
provided patch fixes this bug, and the kernel now
handles two identical values of mperf gracefully.

- When a transparent proxy application was running and the
number of established connections on the computer
exceeded one million, unrelated processes, such as curl
or ssh, were unable to bind to a local IP on the box to
initiate a connection. The provided patch fixes the
cooperation of the REUSEADDR/NOREUSEADDR socket option,
and thus prevents the local port from being exhausted.
As a result, the aforementioned bug no longer occurs in
the described scenario.

- Previously, the kernel support for non-local bind for
the IPv6 protocol was incomplete. As a consequence, an
attempt to bind a socket to an IPv6 address that is not
assigned to the host could fail. The provided patch
includes changes in the ip_nonlocal_bind variable, which
is now set to allow binding to an IPv6 address that is
not assigned to the host. As a result, Linux servers are
now able to bind to non-local IPv6 addresses as
expected.

- On some servers with a faster CPU, USB initialization
could previously lead to a kernel hang during boot. If
this inconvenience occurred when booting the second
kernel during the kdump operation, the kdump service
failed and the vmcore was lost. The provided upstream
patch fixes this bug, and the kernel no longer hangs
after USB initialization.

- Previously, when running iperf servers using the mlx4_en
module, a kernel panic occurred. The underlying source
code has been fixed, and the kernel panic no longer
occurs in the described scenario.

See also :

http://www.nessus.org/u?ae5dd2f0

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 5 / 6 : JBoss EAP (RHSA-2016:1330)


Synopsis:

The remote Red Hat host is missing a security update.

Description:

A security update is now available for Red Hat JBoss Enterprise
Application Platform from the Customer Portal.

Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This asynchronous patch is a security update for the JGroups package in
Red Hat JBoss Enterprise Application Platform 6.4. More information
about this vulnerability is available at:
https://access.redhat.com/articles/2360521

Security Fix(es) :

* It was found that JGroups did not require necessary headers for
encrypt and auth protocols from new nodes joining the cluster. An
attacker could use this flaw to bypass security restrictions, and use
this vulnerability to send and receive messages within the cluster,
leading to information disclosure, message spoofing, or further
possible attacks. (CVE-2016-2141)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

See also :

https://www.redhat.com/security/data/cve/CVE-2016-2141.html
https://access.redhat.com/documentation/en/
https://access.redhat.com/articles/2360521
http://rhn.redhat.com/errata/RHSA-2016-1330.html

Solution :

Update the affected jgroups package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2016:1328)


Synopsis:

The remote Red Hat host is missing a security update.

Description:

A security update is now available for Red Hat JBoss Enterprise
Application Platform 5.2.0 from the Customer Portal.

Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications, which integrates the JBoss Application Server with JBoss
Hibernate and JBoss Seam.

This asynchronous patch is a security update for the JGroups package in
Red Hat JBoss Enterprise Application Platform 5.2. More information
about this vulnerability is available at:
https://access.redhat.com/articles/2360521

Security Fix(es) :

* It was found that JGroups did not require necessary headers for
encrypt and auth protocols from new nodes joining the cluster. An
attacker could use this flaw to bypass security restrictions, and use
this vulnerability to send and receive messages within the cluster,
leading to information disclosure, message spoofing, or further
possible attacks. (CVE-2016-2141)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

See also :

https://www.redhat.com/security/data/cve/CVE-2016-2141.html
https://access.redhat.com/documentation/en/
https://access.redhat.com/articles/2360521
http://rhn.redhat.com/errata/RHSA-2016-1328.html

Solution :

Update the affected jgroups package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2016-3579)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

Description of changes:

kernel-uek
[2.6.32-400.37.18.el6uek]
- IB/security: Restrict use of the write() interface (Jason Gunthorpe)
[Orabug: 23641666] {CVE-2016-4565}

See also :

https://oss.oracle.com/pipermail/el-errata/2016-June/006162.html
https://oss.oracle.com/pipermail/el-errata/2016-June/006163.html

Solution :

Update the affected unbreakable enterprise kernel packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : libtorrent-rasterbar (openSUSE-2016-774)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This update for libtorrent-rasterbar fixes the following issues :

- CVE-2016-5301: Crash on invalid input in http_parser
could have allowed a remote attacker to perform a denial
of service attack (boo#983228).

In addition, the package was updated to 1.0.9 / 1.16.19,
fixing various upstream bugs.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=983228

Solution :

Update the affected libtorrent-rasterbar packages.

Risk factor :

Medium

This script is Copyright (C) 2016 Tenable Network Security, Inc.

openSUSE Security Update : Chromium (openSUSE-2016-756)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

Chromium was updated to 51.0.2704.103 to fix three vulnerabilities :

- CVE-2016-1704: Various fixes from internal audits,
fuzzing and other initiatives (shared identifier)
(boo#985397)

Includes vulnerability fixes from 50.0.2661.102 (boo#979859) :

- CVE-2016-1667: Same origin bypass in DOM

- CVE-2016-1668: Same origin bypass in Blink V8 bindings

- CVE-2016-1669: Buffer overflow in V8

- CVE-2016-1670: Race condition in loader

Includes vulnerability fixes from 50.0.2661.94 (boo#977830) :

- CVE-2016-1660: Out-of-bounds write in Blink

- CVE-2016-1661: Memory corruption in cross-process frames

- CVE-2016-1662: Use-after-free in extensions

- CVE-2016-1663: Use-after-free in Blink's V8 bindings

- CVE-2016-1664: Address bar spoofing

- CVE-2016-1665: Information leak in V8

- CVE-2016-1666: Various fixes from internal audits,
fuzzing and other initiatives

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=977830
https://bugzilla.opensuse.org/show_bug.cgi?id=979859
https://bugzilla.opensuse.org/show_bug.cgi?id=985397

Solution :

Update the affected Chromium packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201606-16 : PLIB: Buffer overflow vulnerability


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201606-16
(PLIB: Buffer overflow vulnerability)

A buffer overflow in PLIB allows user-assisted remote attackers to
execute arbitrary code via vectors involving a long error message, as
demonstrated by a crafted acc file for TORCS.

Impact :

Remote attackers could execute arbitrary code with the privileges of the
process.

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201606-16

Solution :

All PLIB users should upgrade to the latest version:
# emerge --sync
# emerge --ask --verbose --oneshot '>=media-libs/plib-1.8.5-r1'

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201606-15 : FreeXL: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201606-15
(FreeXL: Multiple vulnerabilities)

FreeXL's shared strings and workbook functions are vulnerable to the
remote execution of arbitrary code and Denial of Service. This can be
achieved through specially crafted workbooks from attackers.

Impact :

Remote attackers could potentially execute arbitrary code or cause
Denial of Service.

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201606-15

Solution :

All FreeXL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose 'dev-libs/freexl-1.0.1'

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.