IBM General Parallel File System 3.5 < 3.5.0.17 Multiple OpenSSL Vulnerabilities (Heartbleed)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

A clustered file system on the remote host is affected by multiple
vulnerabilities related to OpenSSL.

Description :

A version of IBM General Parallel File System (GPFS) prior to 3.5.0.17
is installed on the remote host. It is, therefore, affected by
multiple vulnerabilities related to OpenSSL:

- An information disclosure vulnerability exists due to a
flaw in the OpenSSL library, due to an implementation
error in ECDSA (Elliptic Curve Digital Signature
Algorithm). An attacker could potentially exploit this
vulnerability to recover ECDSA nonces. (CVE-2014-0076)

- An information disclosure vulnerability exists due to a
flaw in the OpenSSL library, commonly known as the
Heartbleed bug. An attacker could potentially exploit
this vulnerability repeatedly to read up to 64KB of
memory from the device. (CVE-2014-0160)

See also :

http://www.heartbleed.com
https://eprint.iacr.org/2014/140
https://www.openssl.org/news/vulnerabilities.html#2014-0160
https://www.openssl.org/news/secadv/20140407.txt
https://www-304.ibm.com/support/docview.wss?uid=isg3T1020683
http://www.nessus.org/u?20bb9fde

Solution :

Upgrade to 3.5.0.17 or later.

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 7.4
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 74104 ()

Bugtraq ID: 66363
66690

CVE ID: CVE-2014-0076
CVE-2014-0160

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now