Newest Plugins

Trihedral VTScada 6.5.x < 9.1.20 / 10.x < 10.2.22 / 11.x < 11.1.09 HTTP Server DoS


Synopsis:

An application running on the remote host is affected by a denial of
service vulnerability.

Description:

The version of Trihedral Engineering VTScada installed on the remote
host is prior to 9.1.20, 10.x prior to 10.2.22, or 11.x prior to
11.1.09. It is, therefore, affected by a denial of service
vulnerability due to an integer overflow condition in the included
HTTP server. A remote, unauthenticated attacker, using a crafted
packet containing a small negative content length, can exploit this
issue to trigger a large memory allocation, resulting in a server
crash.

See also :

http://www.trihedral.com/help/#Op_Welcome/Wel_UpgradeNotes.htm
https://ics-cert.us-cert.gov/advisories/ICSA-14-343-02

Solution :

Upgrade to Trihedral Engineering VTScada version 9.1.20 / 10.2.22 /
11.1.09 or later.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Trihedral VTScada Detection


Synopsis:

Trihedral Engineering VTScada is installed on the remote host.

Description:

Trihedral Engineering VTScada, an application for managing industrial
automation control hardware, is installed on the remote host.

See also :

https://www.trihedral.com/what-is-vtscada

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

IBM Tivoli Storage Manager FastBack Mount 6.1.x < 6.1.12 Multiple Vulnerabilities


Synopsis:

The remote backup service is affected by multiple vulnerabilities.

Description:

The version of IBM Tivoli Storage Manager FastBack running on the
remote host is 6.1.x prior to 6.1.12. It is, therefore, affected by
multiple vulnerabilities :

- An overflow condition exists due to improper validation
of user-supplied input when handling opcode 1331. A
remote, unauthenticated attacker can exploit this issue
to cause a buffer overflow, resulting in a denial of
service condition or the execution of arbitrary code.
(CVE-2015-1923)

- An overflow condition exists due to improper validation
of user-supplied input when handling opcode 1329. A
remote, unauthenticated attacker can exploit this issue
to cause a stack-based buffer overflow, resulting in a
denial of service condition or the execution of
arbitrary code. (CVE-2015-1924)

- An overflow condition exists due to improper validation
of user-supplied input when handling opcode 1332. A
remote, unauthenticated attacker can exploit this issue
to cause an overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1925)

- A buffer overflow condition exists in the
FXCLI_OraBR_Exec_Command() function due to improper
validation of user-supplied input. A remote,
unauthenticated attacker can exploit this issue, via a
specially crafted packet, to cause a stack-based buffer
overflow, resulting in a denial of service or the
execution of arbitrary code. (CVE-2015-1929)

- A buffer overflow condition exists in the
JOB_S_GetJobByUserFriendlyString() function due to
improper validation of user-supplied input. A remote,
unauthenticated attacker can exploit this issue, via a
specially crafted packet, to cause a stack-based buffer
overflow, resulting in a denial of service or the
execution of arbitrary code. (CVE-2015-1930)

- An overflow condition exists due to improper validation
of user-supplied input when handling opcode 1331. A
remote, unauthenticated attacker can exploit this issue,
via a specially crafted packet, to execute arbitrary
commands with a system call. (CVE-2015-1938)

- An unspecified flaw exists that occurs during the
handling of opcode 1329. A remote, unauthenticated
attacker can exploit this issue to gain access to
arbitrary files. (CVE-2015-1941)

- An unspecified flaw exists that occurs during the
handling of opcode 1332. A remote, unauthenticated
attacker can exploit this issue to write or execute
arbitrary files. (CVE-2015-1942)

- An overflow condition exists due to improper validation
of user-supplied input when handling opcode 1364. A
remote, unauthenticated attacker can exploit this
issue, via a specially crafted packet, to cause a
stack-based buffer overflow, resulting in a denial of
service condition or the execution of arbitrary code.
(CVE-2015-1948)

- An unspecified flaw exists that is triggered during the
handling of opcode 1330. A remote, unauthenticated
attacker can exploit this issue, via a specially crafted
packet, to execute arbitrary commands with a system
call. (CVE-2015-1949)

- A format string flaw exists in the vsprintf() function
due to improper sanitization of user-supplied format
string specifiers when processing opcode 1335. A remote,
unauthenticated attacker can exploit this issue, via a
specially crafted packet, to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1953)

- An overflow condition exists due to improper validation
of user-supplied input. A remote, unauthenticated
attacker can exploit this issue to cause a stack-based
buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1954)

- An overflow condition exists due to improper validation
of user-supplied input. A remote, unauthenticated
attacker can exploit this issue to cause a stack-based
buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1962)

- An overflow condition exists due to improper validation
of user-supplied input. A remote, unauthenticated
attacker can exploit this issue to cause a stack-based
buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1963)

- An overflow condition exists due to improper validation
of user-supplied input. A remote, unauthenticated
attacker can exploit this issue to cause a stack-based
buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1964)

- An overflow condition exists due to improper validation
of user-supplied input. A remote, unauthenticated
attacker can exploit this issue to cause a stack-based
buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.
(CVE-2015-1965)

- A format string flaw exists in the vsprintf() function
due to improper sanitization of user-supplied format
string specifiers when processing opcode 1301. A remote,
unauthenticated attacker can exploit this issue, via a
specially crafted packet, to cause a denial of service
condition or the execution of arbitrary code. (CVE-2015-1986)

See also :

http://www.nessus.org/u?bc221f52

Solution :

Upgrade to IBM Tivoli Storage Manager FastBack Mount 6.1.12 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

VideoLAN VLC for OS X Web Plugin Installed (Mac OS X)


Synopsis:

A media player plugin is installed on the remote host.

Description:

VideoLAN VLC for OS X web plugin, a media player plugin, is installed
on the remote Mac OS X host.

See also :

https://www.videolan.org
http://www.videolan.org/vlc/download-macosx.html

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

VideoLAN VLC Media Player Installed (Mac OS X)


Synopsis:

A media player is installed on the remote host.

Description:

VideoLAN VLC media player is installed on the remote Mac OS X host.

See also :

https://www.videolan.org
http://www.videolan.org/vlc/download-macosx.html

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Mozilla Thunderbird < 38.1 Multiple Vulnerabilities (Logjam)


Synopsis:

The remote Windows host contains a mail client that is affected by
multiple vulnerabilities.

Description:

The version of Thunderbird installed on the remote Windows host is
prior to 38.1. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Thunderbird 38.1 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox < 39.0 Multiple Vulnerabilities (Logjam)


Synopsis:

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox installed on the remote Windows host is prior
to 39.0. It is, therefore, affected by multiple vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A security bypass vulnerability exists due to a failure
to preserve context restrictions. A remote attacker can
exploit this, via a crafted web site that is accessed
with unspecified mouse and keyboard actions, to read
arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the
AudioParamTimeline::AudioNodeInputValue() function when
computing oscillator rendering ranges. An attacker can
exploit this to disclose the contents of four bytes of
memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox 39.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox ESR < 38.1 Multiple Vulnerabilities (Logjam)


Synopsis:

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox ESR installed on the remote Windows host is
prior to 38.1. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A security bypass vulnerability exists due to a failure
to preserve context restrictions. A remote attacker can
exploit this, via a crafted web site that is accessed
with unspecified mouse and keyboard actions, to read
arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the
AudioParamTimeline::AudioNodeInputValue() function when
computing oscillator rendering ranges. An attacker can
exploit this to disclose the contents of four bytes of
memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox 38.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox ESR < 31.8 Multiple Vulnerabilities (Logjam)


Synopsis:

The remote Windows host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox ESR installed on the remote Windows host is
prior to 31.8. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox ESR 31.8 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Mozilla Thunderbird < 38.1 Multiple Vulnerabilities (Mac OS X) (Logjam)


Synopsis:

The remote Mac OS X host contains a mail client that is affected by
multiple vulnerabilities.

Description:

The version of Thunderbird installed on the remote Mac OS X host is
prior to 38.1. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Thunderbird 38.1 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox < 39.0 Multiple Vulnerabilities (Mac OS X) (Logjam)


Synopsis:

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox installed on the remote Mac OS X host is prior
to 39.0. It is, therefore, affected by multiple vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A security bypass vulnerability exists due to a failure
to preserve context restrictions. A remote attacker can
exploit this, via a crafted web site that is accessed
with unspecified mouse and keyboard actions, to read
arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the
AudioParamTimeline::AudioNodeInputValue() function when
computing oscillator rendering ranges. An attacker can
exploit this to disclose the contents of four bytes of
memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- An information disclosure vulnerability exists due to
crash reports containing key press information.
(CVE-2015-2742)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-68/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox 39.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox ESR < 38.1 Multiple Vulnerabilities (Mac OS X) (Logjam)


Synopsis:

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox ESR installed on the remote Mac OS X host is
prior to 38.1. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724,
CVE-2015-2725)

- A security bypass vulnerability exists due to a failure
to preserve context restrictions. A remote attacker can
exploit this, via a crafted web site that is accessed
with unspecified mouse and keyboard actions, to read
arbitrary files or execute arbitrary JavaScript code.
(CVE-2015-2727)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- An out-of-bounds read flaw exists in the
AudioParamTimeline::AudioNodeInputValue() function when
computing oscillator rendering ranges. An attacker can
exploit this to disclose the contents of four bytes of
memory or cause a denial of service condition.
(CVE-2015-2729)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- A use-after-free error exists in the
CSPService::ShouldLoad() function when modifying the
Document Object Model to remove a DOM object. An
attacker can exploit this to dereference already freed
memory, potentially resulting in the execution of
arbitrary code. (CVE-2015-2731)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A security bypass vulnerability exists due to a flaw in
certificate pinning checks. Key pinning is not enforced
upon encountering an X.509 certificate problem that
generates a user dialog. A man-in-the-middle attacker
can exploit this to bypass intended access restrictions.
(CVE-2015-2741)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-60/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-62/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-63/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-67/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox 38.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Firefox ESR < 31.8 Multiple Vulnerabilities (Mac OS X) (Logjam)


Synopsis:

The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.

Description:

The version of Firefox ESR installed on the remote Mac OS X host is
prior to 31.8. It is, therefore, affected by multiple
vulnerabilities :

- A security downgrade vulnerability exists due to a flaw
in Network Security Services (NSS). When a client allows
for an ECDHE_ECDSA exchange, but the server does not send
a ServerKeyExchange message, the NSS client will
take the EC key from the ECDSA certificate. A remote
attacker can exploit this to silently downgrade the
exchange to a non-forward secret mixed-ECDH exchange.
(CVE-2015-2721)

- Multiple use-after-free errors exist when using an
XMLHttpRequest object in concert with either shared or
dedicated workers. A remote attacker can exploit this
to cause a denial of service condition. (CVE-2015-2722,
CVE-2015-2733)

- Multiple memory corruption issues exist that allow an
attacker to cause a denial of service condition or
potentially execute arbitrary code. (CVE-2015-2724)

- A type confusion flaw exists in the Indexed Database
Manager's handling of IDBDatabase. A remote attacker can
exploit this to cause a denial of service condition or
to execute arbitrary code. (CVE-2015-2728)

- A signature spoofing vulnerability exists due to a flaw
in Network Security Services (NSS) in its Elliptic Curve
Digital Signature Algorithm (ECDSA) signature
validation. A remote attacker can exploit this to forge
signatures. (CVE-2015-2730)

- An uninitialized memory use issue exists in the
CairoTextureClientD3D9::BorrowDrawTarget() function, the
::d3d11::SetBufferData() function, and the
YCbCrImageDataDeserializer::ToDataSourceSurface()
function. The impact is unspecified. (CVE-2015-2734,
CVE-2015-2737, CVE-2015-2738)

- A memory corruption issue exists in the
nsZipArchive::GetDataOffset() function due to improper
string length checks. An attacker can exploit this, via
a crafted ZIP archive, to potentially execute arbitrary
code. (CVE-2015-2735)

- A memory corruption issue exists in the
nsZipArchive::BuildFileList() function due to improper
validation of user-supplied input. An attacker can
exploit this, via a crafted ZIP archive, to potentially
execute arbitrary code. (CVE-2015-2736)

- An unspecified memory corruption issue exists in the
ArrayBufferBuilder::append() function due to improper
validation of user-supplied input. An attacker can
exploit this to potentially execute arbitrary code.
(CVE-2015-2739)

- A buffer overflow condition exists in the
nsXMLHttpRequest::AppendToResponseText() function due to
improper validation of user-supplied input. An attacker
can exploit this to potentially execute arbitrary code.
(CVE-2015-2740)

- A privilege escalation vulnerability exists in the PDF
viewer (PDF.js) due to internal workers being executed
insecurely. An attacker can exploit this, by leveraging
a Same Origin Policy bypass, to execute arbitrary code.
(CVE-2015-2743)

- A man-in-the-middle vulnerability, known as Logjam,
exists due to a flaw in the SSL/TLS protocol. A remote
attacker can exploit this flaw to downgrade connections
using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography. (CVE-2015-4000)

See also :

https://www.mozilla.org//en-US/security/advisories/mfsa2015-59/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-61/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-64/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-65/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-66/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-69/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-70/
https://www.mozilla.org//en-US/security/advisories/mfsa2015-71/
https://weakdh.org/

Solution :

Upgrade to Firefox ESR 31.8 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Backported Security Patch Detection (PHP)


Synopsis:

Security patches have been backported.

Description:

Security patches may have been 'backported' to the remote PHP install
without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any
security problem.

See also :

https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

IBM WebSphere Portal Active Content Filtering XSS (PI38732)


Synopsis:

The remote Windows host has web portal software installed that is
affected by a cross-site scripting vulnerability.

Description:

The version of IBM WebSphere Portal installed on the remote Windows
host is affected by a cross-site scripting vulnerability in the Active
Content Filtering component due to improperly validating user-supplied
input. A remote attacker can exploit this by creating a specially
crafted URL designed to execute script code in the victim's web
browser.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21958024

Solution :

Apply the vendor supplied interim fix, or upgrade to the appropriate
cumulative fix referenced in the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

IBM WebSphere Portal JCR Information Disclosure (PI36150)


Synopsis:

The remote Windows host has web portal software installed that is
affected by an information disclosure vulnerability.

Description:

The version of IBM WebSphere Portal installed on the remote Windows
host is affected by an information disclosure vulnerability due to
improper access control enforcement of the JCR component. A remote,
unauthenticated attacker, using a specially crafted request, can
exploit this to gain access to potentially sensitive information.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21958024

Solution :

Apply the vendor supplied interim fix, or upgrade to the appropriate
cumulative fix referenced in the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

IBM WebSphere Portal 8.0.0.x < 8.0.0.1 CF17 Multiple Vulnerabilities


Synopsis:

The remote Windows host has web portal software installed that is
affected by multiple vulnerabilities.

Description:

The version of IBM WebSphere Portal installed on the remote host is
8.0.0.x prior to 8.0.0.1 CF17. It is, therefore, affected by multiple
vulnerabilities :

- An unspecified flaw exists in the Outside In Filters
subcomponent. An attacker, using a specially crafted
DOCX file, can exploit this to corrupt memory, resulting
in a denial of service or the execution of arbitrary
code. (CVE-2015-0474)

- A buffer overflow flaw exists in the Outside In Filters
subcomponent due to 'ibpsd2.dll' not properly validating
user-supplied input in PSD files. An attacker can
exploit this to cause a denial of service or possibly
execute arbitrary code. (CVE-2015-0493)

- A flaw exists in the access control enforcement of the
JCR component that allows a remote, unauthenticated
attacker, using a specially crafted request, to gain
access to potentially sensitive information.
(CVE-2015-1887)

- A cross-site scripting vulnerability exists in the
Active Content Filtering component due to improperly
validating user-supplied input. A remote attacker can
exploit this by creating a specially crafted URL
designed to execute script code in the victim's web
browser. (CVE-2015-1917)

- A flaw exists that allows a cross-site redirection
attack due to a failure to validate certain unspecified
input before returning it to the user. An attacker,
using a specially crafted URL, can exploit this to
redirect victims to a website of the attacker's own
choosing. (CVE-2015-1921)

- A flaw exists that allows a reflected cross-site
scripting attack due to a failure to validate input
before returning it back to the user. A remote attacker,
using a crafted URL, can exploit this to execute code
or HTML within the user's browser. (CVE-2015-1944)

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg24034497#CF17

Solution :

Upgrade to IBM WebSphere Portal 8.0.0.1 Cumulative Fix 17 (CF17) or
later.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Rockwell Automation MicroLogix 1100 PLC < FRN 10.0 Authentication Mechanism DoS


Synopsis:

The remote web server running on the MicroLogix 1100 PLC is affected
by a denial of service vulnerability in the web server's password
mechanism.

Description:

The Rockwell Automation MicroLogix 1100 PLC integrated web server is
has a firmware version that is prior to FRN 10.0. It is, therefore,
affected by a denial of service vulnerability due to a failure of the
authentication mechanism to properly handle remote connections or
commands. A remote attacker can exploit this, using a crafted request,
to cause the product to enter a predefined fault mode, resulting in
the device being reset to a factory-default state.

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the self-reported version number.

See also :

http://www.nessus.org/u?e156598d

Solution :

Upgrade to MicroLogix 1100 PLC firmware release version FRN 10.0 or
later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Rockwell Automation MicroLogix 1100 PLC Web Server Detection


Synopsis:

A web server used for managing and monitoring PLC systems was detected
on the remote device.

Description:

The remote device is running an integrated web server that is part of
the software platform for managing and monitoring the Rockwell
Automation MicroLogix 1100 Programmable Logic Controller (PLC).

See also :

http://www.nessus.org/u?717b3e8c

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Rockwell Automation MicroLogix 1100 PLC < Series B FRN 12.0 MitM Replay Authentication Bypass


Synopsis:

The remote web server running on the MicroLogix 1100 PLC is affected
by an authentication bypass vulnerability.

Description:

The Rockwell Automation MicroLogix 1100 PLC integrated web server has
a firmware version that is prior to Series B FRN 12.0. It is,
therefore, affected by an authentication bypass vulnerability due to a
failure to properly restrict session replays. A man-in-the-middle
attacker via HTTP traffic can use a session replay attack to bypass
the web server's authentication mechanism.

Note that Nessus has not attempted to exploit this issue but has
instead relied only on the self-reported version number.

See also :

http://www.nessus.org/u?1ed704af
http://www.nessus.org/u?8764efc3

Solution :

Upgrade to MicroLogix 1100 PLC firmware release version Series B FRN
12.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Rockwell Automation MicroLogix 1100 PLC < Series B FRN 13.0 Multiple Vulnerabilities


Synopsis:

The MicroLogix 1100 PLC is affected by multiple vulnerabilities.

Description:

The Rockwell Automation MicroLogix 1100 PLC integrated web server has
a firmware version that is prior to Series B FRN 13.0. It is,
therefore, affected by multiple vulnerabilities :

- An improper access control vulnerability exists when
sending a 'stop' command, which causes a denial of
service condition leaving the device in an unresponsive
state, resulting in a loss of availability for any
device connected to the MicroLogix 1100 PLC.
(CVE-2012-6435)

- An improper validation vulnerability exists when the
device attempts to parse a CIP packet sent to affected
ports, which causes a buffer overflow that crashes the
device's CPU, resulting in a loss of availability for
any device connected to the MicroLogix 1100 PLC.
(CVE-2012-6436)

- An improper authentication vulnerability exists in the
module providing source and data authentication, which
can allow a remote attacker to upload an arbitrary
firmware image to the ethernet card, resulting in the
execution of code or causing a denial of service and a
loss of availability for any device connected to the
MicroLogix 1100 PLC. (CVE-2012-6437)

- An improper validation vulnerability exists when the
device attempts to parse a malformed CIP packet, which
causes an overflow condition in the network interface
card (NIC), resulting in a denial of service condition
and a loss of availability for any device connected to
the MicroLogix 1100 PLC. (CVE-2012-6438)

- An improper access control vulnerability exists when
parsing a CIP message that changes the device's network
or configuration parameters, resulting in a denial of
service condition and a loss of communication for any
device connected to the MicroLogix 1100 PLC.
(CVE-2012-6439)

- An information exposure vulnerability exists when
sending a 'dump' command, which results in the improper
disclosure of boot code information from the MicroLogix
1100 PLC. (CVE-2012-6441)

- An improper access control vulnerability exists when
sending a 'reset' command, which causes a denial of
service condition leaving the device in an unresponsive
state, resulting in a loss of availability for any
device connected to the MicroLogix 1100 PLC.
(CVE-2012-6442)

See also :

http://www.nessus.org/u?7437094d
http://www.nessus.org/u?411feaaa
http://www.nessus.org/u?8764efc3

Solution :

Upgrade to MicroLogix 1100 PLC firmware release version Series B FRN
13.0 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Rockwell Automation MicroLogix 1100 PLC Default Credentials


Synopsis:

The remote device can be accessed with default credentials.

Description:

The remote device appears to be a Rockwell Automation MicroLogix 1100
PLC that can be accessed using default HTTP credentials. An attacker
can utilize this to gain administrative access to the affected device.

Solution :

Change the default password or block access to the port.

Risk factor :

High / CVSS Base Score : 8.3
(CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Mac OS X Multiple EFI Vulnerabilities (EFI Security Update 2015-001)


Synopsis:

The remote host is affected by multiple vulnerabilities.

Description:

The remote Mac OS X host is running EFI firmware that is affected by
multiple vulnerabilities :

- An insufficient locking issue exists, when resuming from
sleep states, which allows a local attacker to write to
the EFI flash memory by using a crafted application
with root privileges. (CVE-2015-3692)

- A flaw exists due to lax restrictions on memory refresh
rates, which allows a specially crafted process to
corrupt the memory of some DDR3 SDRAM devices by
inducing bit flips in page table entries (PTEs), also
known as a 'row-hammer attack'. An attacker can exploit
this to gain elevated privileges by manipulating the
PTEs. (CVE-2015-3693)

See also :

https://support.apple.com/en-us/HT204934

Solution :

Install Mac EFI Security Update 2015-001.

Risk factor :

Low / CVSS Base Score : 1.7
(CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 / 15.04 : cups-filters vulnerabilities (USN-2659-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Petr Sklenar discovered that the cups-filters texttopdf filter
incorrectly handled line sizes. A remote attacker could use this issue
to cause a denial of service, or possibly execute arbitrary code as
the lp user. (CVE-2015-3258, CVE-2015-3279)

Solution :

Update the affected cups-filters package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:A/AC:H/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 3.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 14.10 / 15.04 : php5 vulnerabilities (USN-2658-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Neal Poole and Tomas Hoger discovered that PHP incorrectly handled
NULL bytes in file paths. A remote attacker could possibly use this
issue to bypass intended restrictions and create or obtain access to
sensitive files. (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025,
CVE-2015-4026, CVE-2015-4598)

Emmanuel Law discovered that the PHP phar extension incorrectly
handled filenames starting with a NULL byte. A remote attacker could
use this issue with a crafted tar archive to cause a denial of
service. (CVE-2015-4021)

Max Spelsberg discovered that PHP incorrectly handled the LIST command
when connecting to remote FTP servers. A malicious FTP server could
possibly use this issue to execute arbitrary code. (CVE-2015-4022,
CVE-2015-4643)

Shusheng Liu discovered that PHP incorrectly handled certain malformed
form data. A remote attacker could use this issue with crafted form
data to cause CPU consumption, leading to a denial of service.
(CVE-2015-4024)

Andrea Palazzo discovered that the PHP Soap client incorrectly
validated data types. A remote attacker could use this issue with
crafted serialized data to possibly execute arbitrary code.
(CVE-2015-4147)

Andrea Palazzo discovered that the PHP Soap client incorrectly
validated that the uri property is a string. A remote attacker could
use this issue with crafted serialized data to possibly obtain
sensitive information. (CVE-2015-4148)

Taoguang Chen discovered that PHP incorrectly validated data types in
multiple locations. A remote attacker could possibly use these issues
to obtain sensitive information or cause a denial of service.
(CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)

It was discovered that the PHP Fileinfo component incorrectly handled
certain files. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. This issue only affected
Ubuntu 15.04. (CVE-2015-4604, CVE-2015-4605)

It was discovered that PHP incorrectly handled table names in
php_pgsql_meta_data. A local attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2015-4644)

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED12 / SLES12 Security Update : strongswan (SUSE-SU-2015:1196-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

Strongswan was updated to fix one security issue.

The following vulnerability was fixed :

- CVE-2015-4171: Rogue servers were able to authenticate
themselves with a certificate issued by any CA the client
trusts, to gain user credentials from a client in
certain IKEv2 setups (bsc#933591)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/933591
https://www.suse.com/security/cve/CVE-2015-4171.html
http://www.nessus.org/u?ee07acfb

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2015-297=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-297=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 2.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLES11 Security Update : OpenSSL (SUSE-SU-2015:1184-2)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

OpenSSL 0.9.8j was updated to fix several security issues.

CVE-2015-4000: The Logjam Attack (weakdh.org) has been addressed by
rejecting connections with DH parameters shorter than 1024 bits. We
now also generate 2048-bit DH parameters by default.

CVE-2015-1788: Malformed ECParameters could cause an infinite loop.

CVE-2015-1789: An out-of-bounds read in X509_cmp_time was fixed.

CVE-2015-1790: A PKCS7 decoder crash with missing EnvelopedContent was
fixed.

CVE-2015-1792: A CMS verification infinite loop when using an unknown
hash function was fixed.

CVE-2015-1791: Fixed a race condition in NewSessionTicket creation.

CVE-2015-3216: Fixed a potential crash in ssleay_rand_bytes due to
locking regression.

Fixed a timing side channel in RSA decryption (bnc#929678)

Additional changes :

In the default SSL cipher string EXPORT ciphers are now disabled. This
will only take effect if applications are rebuilt and actually use
this string. (bnc#931698)

Added the ECC ciphersuites to the DEFAULT cipher class (bnc#879179)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/929678
https://bugzilla.suse.com/931698
https://bugzilla.suse.com/933911
https://bugzilla.suse.com/934487
https://bugzilla.suse.com/934489
https://bugzilla.suse.com/934491
https://bugzilla.suse.com/934493
http://www.nessus.org/u?bba27a17
https://www.suse.com/security/cve/CVE-2015-1788.html
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-1791.html
https://www.suse.com/security/cve/CVE-2015-1792.html
https://www.suse.com/security/cve/CVE-2015-3216.html
https://www.suse.com/security/cve/CVE-2015-4000.html
http://www.nessus.org/u?1071f86d

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11 SP2 LTSS :

zypper in -t patch slessp2-libopenssl-devel=10795

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED11 / SLES10 Security Update : OpenSSL (SUSE-SU-2015:1183-2)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

OpenSSL was updated to fix several security issues.

CVE-2015-4000: The Logjam Attack (weakdh.org) has been addressed by
rejecting connections with DH parameters shorter than 1024 bits. We
now also generate 2048-bit DH parameters by default.

CVE-2015-1789: An out-of-bounds read in X509_cmp_time was fixed.

CVE-2015-1790: A PKCS7 decoder crash with missing EnvelopedContent was
fixed.

Fixed a timing side channel in RSA decryption. (bnc#929678)

Additional changes :

EXPORT ciphers are now disabled in the default SSL cipher string. This
only takes effect for applications that are rebuilt and actually use
the default string. (bnc#931698)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/929678
https://bugzilla.suse.com/931698
https://bugzilla.suse.com/934489
https://bugzilla.suse.com/934491
http://www.nessus.org/u?157a7562
http://www.nessus.org/u?c5987976
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-4000.html
http://www.nessus.org/u?36e9e59a

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Desktop 11 SP3 :

zypper in -t patch sledsp3-compat-openssl097g=10790

SLES for SAP Applications :

zypper in -t patch slesappsp3-compat-openssl097g=10790

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLED11 / SLES11 Security Update : OpenSSL (SUSE-SU-2015:1182-2)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

OpenSSL 0.9.8k was updated to fix several security issues :

CVE-2015-4000: The Logjam Attack (weakdh.org) has been addressed by
rejecting connections with DH parameters shorter than 1024 bits.
2048-bit DH parameters are now generated by default.

CVE-2015-1788: Malformed ECParameters could cause an infinite loop.

CVE-2015-1789: An out-of-bounds read in X509_cmp_time was fixed.

CVE-2015-1790: A PKCS7 decoder crash with missing EnvelopedContent was
fixed.

CVE-2015-1792: A CMS verification infinite loop when using an unknown
hash function was fixed.

CVE-2015-1791: Fixed a race condition in NewSessionTicket creation.

CVE-2015-3216: Fixed a potential crash in ssleay_rand_bytes due to
locking regression.

Fixed a timing side channel in RSA decryption. (bsc#929678)

Additional changes :

EXPORT ciphers are now disabled in the default SSL cipher string. This
only takes effect for applications that are rebuilt and actually use
the default string. (bsc#931698)

Added the ECC ciphersuites to the DEFAULT cipher class. (bsc#879179)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/879179
https://bugzilla.suse.com/929678
https://bugzilla.suse.com/931698
https://bugzilla.suse.com/933898
https://bugzilla.suse.com/933911
https://bugzilla.suse.com/934487
https://bugzilla.suse.com/934489
https://bugzilla.suse.com/934491
https://bugzilla.suse.com/934493
http://www.nessus.org/u?1bcc8915
https://www.suse.com/security/cve/CVE-2015-1788.html
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-1791.html
https://www.suse.com/security/cve/CVE-2015-1792.html
https://www.suse.com/security/cve/CVE-2015-3216.html
https://www.suse.com/security/cve/CVE-2015-4000.html
http://www.nessus.org/u?46cf76fa

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11 SP3 :

zypper in -t patch sdksp3-libopenssl-devel=10781

SUSE Linux Enterprise Server 11 SP3 for VMware :

zypper in -t patch slessp3-libopenssl-devel=10781

SUSE Linux Enterprise Server 11 SP3 :

zypper in -t patch slessp3-libopenssl-devel=10781

SUSE Linux Enterprise Desktop 11 SP3 :

zypper in -t patch sledsp3-libopenssl-devel=10781

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2015:1181-2)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

OpenSSL was updated to fix several security issues.

CVE-2015-4000: The Logjam Attack (weakdh.org) has been addressed by
rejecting connections with DH parameters shorter than 1024 bits. We
now also generate 2048-bit DH parameters by default.

CVE-2015-1788: Malformed ECParameters could cause an infinite loop.

CVE-2015-1789: An out-of-bounds read in X509_cmp_time was fixed.

CVE-2015-1790: A PKCS7 decoder crash with missing EnvelopedContent was
fixed.

Fixed a timing side channel in RSA decryption. (bnc#929678)

Additional changes :

EXPORT ciphers are now disabled in the default SSL cipher string. This
only takes effect for applications that are rebuilt and actually use
the default string. (bnc#931698)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/929678
https://bugzilla.suse.com/931698
https://bugzilla.suse.com/934487
https://bugzilla.suse.com/934489
https://bugzilla.suse.com/934491
http://www.nessus.org/u?cfee53bc
https://www.suse.com/security/cve/CVE-2015-1788.html
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-4000.html
http://www.nessus.org/u?564cd0d6

Solution :

Update the affected OpenSSL packages

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

openSUSE Security Update : php5 (openSUSE-2015-471)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

The PHP script interpreter was updated to receive various security
fixes :

- CVE-2015-4602 [bnc#935224]: Fixed an incomplete Class
unserialization type confusion.

- CVE-2015-4599, CVE-2015-4600, CVE-2015-4601
[bnc#935226]: Fixed type confusion issues in
unserialize() with various SOAP methods.

- CVE-2015-4603 [bnc#935234]: Fixed
exception::getTraceAsString type confusion issue after
unserialize.

- CVE-2015-4644 [bnc#935274]: Fixed a crash in
php_pgsql_meta_data.

- CVE-2015-4643 [bnc#935275]: Fixed an integer overflow in
ftp_genlist() that could result in a heap overflow.

- CVE-2015-3411, CVE-2015-3412, CVE-2015-4598
[bnc#935227], [bnc#935232]: Added missing null byte
checks for paths in various PHP extensions.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=935224
https://bugzilla.opensuse.org/show_bug.cgi?id=935225
https://bugzilla.opensuse.org/show_bug.cgi?id=935226
https://bugzilla.opensuse.org/show_bug.cgi?id=935227
https://bugzilla.opensuse.org/show_bug.cgi?id=935232
https://bugzilla.opensuse.org/show_bug.cgi?id=935234
https://bugzilla.opensuse.org/show_bug.cgi?id=935274
https://bugzilla.opensuse.org/show_bug.cgi?id=935275

Solution :

Update the affected php5 packages.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

GLSA-201507-02 : Tor: Denial of Service


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201507-02
(Tor: Denial of Service)

Tor does not handle data correctly when specifically crafted data is
sent, and also fails to properly verify a descriptor provided by a hidden
service directory.

Impact :

A remote attacker could cause a Denial of Service condition in either a
Tor client or a Tor server.

Workaround :

There is no known workaround at this time.

See also :

https://blog.torproject.org/blog/tor-02512-and-0267-are-released
https://security.gentoo.org/glsa/201507-02

Solution :

All Tor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-misc/tor-0.2.6.7'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : squid -- client-first SSL-bump does not correctly validate X509 server certificate (b6da24da-23f7-11e5-a4a5-002590263bf5)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Squid security advisory 2015:1 reports :

Squid configured with client-first SSL-bump does not correctly
validate X509 server certificate domain / hostname fields.

The bug is important because it allows remote servers to bypass client
certificate validation. Some attackers may also be able to use valid
certificates for one domain signed by a global Certificate Authority
to abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the 'client-first' or 'bump' mode of
operation.

Sites that do not use SSL-Bump are not vulnerable.

All Squid builds without SSL support are not vulnerable to the problem.

The FreeBSD port does not use SSL by default and is not vulnerable in
the default configuration.

See also :

http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
http://www.nessus.org/u?4d319b0e

Solution :

Update the affected packages.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : turnserver -- SQL injection vulnerability (543b5939-2067-11e5-a4a5-002590263bf5)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Oleg Moskalenko reports :

SQL injection security hole fixed.

See also :

http://turnserver.open-sys.org/downloads/v4.4.5.3/ChangeLog
http://www.nessus.org/u?4dad4ff8
http://www.nessus.org/u?829ef6be

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

FreeBSD : squid -- multiple vulnerabilities (150d1538-23fa-11e5-a4a5-002590263bf5)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Amos Jeffries, Squid-3 release manager, reports :

Due to incorrect handling of peer responses in a hierarchy of 2 or
more proxies, remote clients (or scripts run on a client) are able to
gain unrestricted access through a gateway proxy to its backend proxy.

If the two proxies have differing levels of security this could lead
to authentication bypass or unprivileged access to supposedly secure
resources.

Squid up to and including 3.5.5 are apparently vulnerable to DoS
attack from malicious clients using repeated TLS renegotiation
messages. This has not been verified as it also seems to require
outdated (0.9.8l and older) OpenSSL libraries.

See also :

http://openwall.com/lists/oss-security/2015/07/06/8
http://www.nessus.org/u?a7e74b0a

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DSA-3302-1 : libwmf - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Insufficient input sanitising in libwmf, a library to process Windows
metafile data, may result in denial of service or the execution of
arbitrary code if a malformed WMF file is opened.

See also :

https://packages.debian.org/source/wheezy/libwmf
https://packages.debian.org/source/jessie/libwmf
http://www.debian.org/security/2015/dsa-3302

Solution :

Upgrade the libwmf packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 0.2.8.4-10.3+deb7u1.

For the stable distribution (jessie), these problems have been fixed
in version 0.2.8.4-10.3+deb8u1.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Debian DLA-268-1 : virtualbox-ose security update


Synopsis:

The remote Debian host is missing a security update.

Description:

Three vulnerabilities have been fixed in the Debian squeeze-lts
version of VirtualBox (package name: virtualbox-ose), an x86
virtualisation solution.

CVE-2015-0377

Fixed VirtualBox allowing local users to affect availability via
unknown vectors related to Core, which could result in denial of
service. (A different issue from CVE-2015-0418.)

CVE-2015-0418

Fixed VirtualBox allowing local users to affect availability via
unknown vectors related to Core, which could result in denial of
service. (A different issue from CVE-2015-0377.)

CVE-2015-3456

The Floppy Disk Controller (FDC) in QEMU, also used in VirtualBox and
other virtualization products, allowed local guest users to cause a
denial of service (out-of-bounds write and guest crash) or possibly
execute arbitrary code via the (1) FD_CMD_READ_ID, (2)
FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka
VENOM.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.

See also :

https://lists.debian.org/debian-lts-announce/2015/07/msg00006.html
https://packages.debian.org/source/squeeze-lts/virtualbox-ose

Solution :

Upgrade the affected packages.

Risk factor :

High / CVSS Base Score : 7.7
(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

CentOS 5 / 6 / 7 : firefox (CESA-2015:1207)


Synopsis:

The remote CentOS host is missing a security update.

Description:

Updated firefox packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the
XUL Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722,
CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2731,
CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,
CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740)

It was found that Firefox skipped key-pinning checks when handling an
error that could be overridden by the user (for example an expired
certificate error). This flaw allowed a user to override a pinned
certificate, which is an action the user should not be able to
perform. (CVE-2015-2741)

A flaw was discovered in Mozilla's PDF.js PDF file viewer. When
combined with another vulnerability, it could allow execution of
arbitrary code with the privileges of the user running Firefox.
(CVE-2015-2743)

Red Hat would like to thank the Mozilla project for reporting these
issues. Upstream acknowledges Bob Clary, Christian Holler, Bobby
Holley, Andrew McCreight, Terrence Cole, Steve Fink, Mats Palmgren,
Wes Kocher, Andreas Pehrson, Jann Horn, Paul Bandha, Holger
Fuhrmannek, Herre, Looben Yan, Ronald Crane, and Jonas Jenwald as the
original reporters of these issues.

All Firefox users should upgrade to these updated packages, which
contain Firefox version 38.1 ESR, which corrects these issues. After
installing the update, Firefox must be restarted for the changes to
take effect.

See also :

http://www.nessus.org/u?d3dd95aa
http://www.nessus.org/u?654a6b34
http://www.nessus.org/u?dddc8351

Solution :

Update the affected firefox package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Cacti < 0.8.8d Multiple Vulnerabilities


Synopsis:

The remote web server is running a PHP application that is affected by
multiple vulnerabilities.

Description:

According to its self-reported version number, the Cacti application
running on the remote web server is prior to version 0.8.8d. It is,
therefore, potentially affected by multiple vulnerabilities :

- A stored cross-site scripting vulnerability exists due
to improper validation of user-supplied input in
graphs.php. A remote attacker can exploit this to inject
arbitrary web script or HTML. (CVE-2015-2665)

- A SQL injection vulnerability exists due to improper
validation of user-supplied input to the 'cdef'
parameter in cdef.php. A remote attacker can exploit
this to execute arbitrary SQL commands. (CVE-2015-4342)

- A SQL injection vulnerability exists due to improper
validation of user-supplied input to the
'graph_template_id' parameter in graph_templates.php. A
remote attacker can exploit this to execute arbitrary
SQL commands. (CVE-2015-4454)

See also :

http://www.cacti.net/release_notes_0_8_8d.php
http://www.fortiguard.com/advisory/FG-VD-15-017/
http://svn.cacti.net/viewvc?view=rev&revision=7719
http://bugs.cacti.net/view.php?id=2572

Solution :

Upgrade to Cacti 0.8.8d or later.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.

SUSE SLES11 Security Update : OpenSSL (SUSE-SU-2015:1184-1)


Synopsis:

The remote SUSE host is missing one or more security updates.

Description:

OpenSSL 0.9.8j was updated to fix several security issues.

CVE-2015-4000: The Logjam Attack (weakdh.org) has been addressed by
rejecting connections with DH parameters shorter than 1024 bits. We
now also generate 2048-bit DH parameters by default.

CVE-2015-1788: Malformed ECParameters could cause an infinite loop.

CVE-2015-1789: An out-of-bounds read in X509_cmp_time was fixed.

CVE-2015-1790: A PKCS7 decoder crash with missing EnvelopedContent was
fixed.

CVE-2015-1792: A CMS verification infinite loop when using an unknown
hash function was fixed.

CVE-2015-1791: Fixed a race condition in NewSessionTicket creation.

CVE-2015-3216: Fixed a potential crash in ssleay_rand_bytes due to
locking regression.

Fixed a timing side channel in RSA decryption. (bnc#929678)

Additional changes :

EXPORT ciphers are now disabled in the default SSL cipher string. This
only takes effect for applications that are rebuilt and actually use
the default string. (bnc#931698)

Added the ECC ciphersuites to the DEFAULT cipher class. (bnc#879179)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/929678
https://bugzilla.suse.com/931698
https://bugzilla.suse.com/933911
https://bugzilla.suse.com/934487
https://bugzilla.suse.com/934489
https://bugzilla.suse.com/934491
https://bugzilla.suse.com/934493
http://www.nessus.org/u?0e541e2a
https://www.suse.com/security/cve/CVE-2015-1788.html
https://www.suse.com/security/cve/CVE-2015-1789.html
https://www.suse.com/security/cve/CVE-2015-1790.html
https://www.suse.com/security/cve/CVE-2015-1791.html
https://www.suse.com/security/cve/CVE-2015-1792.html
https://www.suse.com/security/cve/CVE-2015-3216.html
https://www.suse.com/security/cve/CVE-2015-4000.html
http://www.nessus.org/u?6d18e8f2

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11 SP1 LTSS :

zypper in -t patch slessp1-libopenssl-devel=10794

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2015 Tenable Network Security, Inc.