EulerOS 2.0 SP2 : pidgin (EulerOS-SA-2017-1166)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the pidgin package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

- A denial of service flaw was found in the way Pidgin's
Mxit plug-in handled emoticons. A malicious remote
server or a man-in-the-middle attacker could
potentially use this flaw to crash Pidgin by sending a
specially crafted emoticon. (CVE-2014-3695)

- A denial of service flaw was found in the way Pidgin
parsed Groupwise server messages. A malicious remote
server or a man-in-the-middle attacker could
potentially use this flaw to cause Pidgin to consume an
excessive amount of memory, possibly leading to a
crash, by sending a specially crafted message.
(CVE-2014-3696)

- An information disclosure flaw was discovered in the
way Pidgin parsed XMPP messages. A malicious remote
server or a man-in-the-middle attacker could
potentially use this flaw to disclose a portion of
memory belonging to the Pidgin process by sending a
specially crafted XMPP message. (CVE-2014-3698)

- An out-of-bounds write flaw was found in the way Pidgin
processed XML content. A malicious remote server could
potentially use this flaw to crash Pidgin or execute
arbitrary code in the context of the pidgin process.
(CVE-2017-2640)

- It was found that Pidgin's SSL/TLS plug-ins had a flaw
in the certificate validation functionality. An
attacker could use this flaw to create a fake
certificate, that Pidgin would trust, which could be
used to conduct man-in-the-middle attacks against
Pidgin. (CVE-2014-3694)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?27fa3590

Solution :

Update the affected pidgin packages.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Huawei Local Security Checks

Nessus Plugin ID: 103004 ()

Bugtraq ID: 70701
70703
70705

CVE ID: CVE-2014-3694
CVE-2014-3696
CVE-2014-3698
CVE-2017-2640

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now