Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : mono vulnerabilities (USN-2547-1)

Ubuntu Security Notice (C) 2015-2016 Canonical, Inc. / NASL script (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related
patches.

Description :

It was discovered that the Mono TLS implementation was vulnerable to
the SKIP-TLS vulnerability. A remote attacker could possibly use this
issue to perform client impersonation attacks. (CVE-2015-2318)

It was discovered that the Mono TLS implementation was vulnerable to
the FREAK vulnerability. A remote attacker or a man in the middle
could possibly use this issue to force the use of insecure
ciphersuites. (CVE-2015-2319)

It was discovered that the Mono TLS implementation still supported a
fallback to SSLv2. This update removes the functionality as use of
SSLv2 is known to be insecure. (CVE-2015-2320)

It was discovered that Mono incorrectly handled memory in certain
circumstances. A remote attacker could possibly use this issue to
cause Mono to crash, resulting in a denial of service, or to obtain
sensitive information. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2011-0992)

It was discovered that Mono incorrectly handled hash collisions. A
remote attacker could possibly use this issue to cause Mono to crash,
resulting in a denial of service. This issue only applied to Ubuntu
12.04 LTS. (CVE-2012-3543)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected libmono-2.0-1 and / or mono-runtime packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 82074

Bugtraq ID: 47208, 55251, 73250, 73253, 73256

CVE ID: CVE-2011-0992, CVE-2012-3543, CVE-2015-2318, CVE-2015-2319, CVE-2015-2320
