EulerOS 2.0 SP2 : gnutls (EulerOS-SA-2017-1204)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the gnutls packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

- A double-free flaw was found in the way GnuTLS parsed
certain X.509 certificates with Proxy Certificate
Information extension. An attacker could create a
specially-crafted certificate which, when processed by
an application compiled against GnuTLS, could cause
that application to crash. (CVE-2017-5334)

- Multiple flaws were found in the way gnutls processed
OpenPGP certificates. An attacker could create
specially crafted OpenPGP certificates which, when
parsed by gnutls, would cause it to crash.
(CVE-2017-5335, CVE-2017-5336, CVE-2017-5337,
CVE-2017-7869)

- A null pointer dereference flaw was found in the way
GnuTLS processed ClientHello messages with
status_request extension. A remote attacker could use
this flaw to cause an application compiled with GnuTLS
to crash. (CVE-2017-7507)

- A flaw was found in the way GnuTLS validated
certificates using OCSP responses. This could falsely
report a certificate as valid under certain
circumstances. (CVE-2016-7444)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?c5407e26

Solution :

Update the affected gnutls packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Huawei Local Security Checks

Nessus Plugin ID: 103062

CVE ID: CVE-2016-7444
CVE-2017-5334
CVE-2017-5335
CVE-2017-5336
CVE-2017-5337
CVE-2017-7507
CVE-2017-7869
