Tenable SecurityCenter < 5.3.2 Multiple Vulnerabilities (TNS-2016-09)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
Synopsis :

The Tenable SecurityCenter application installed on the remote host is
affected by multiple vulnerabilities.

Description :

The Tenable SecurityCenter application installed on the remote host is
either prior to version 5.3.2 or is missing a security patch. It is,
therefore, affected by multiple vulnerabilities in the bundled version
of PHP :

- A signedness error exists in the GD Graphics library in
gd_gd2.c due to improper validation of user-supplied
input when handling compressed GD2 data. An
unauthenticated, remote attacker can exploit this to
cause a heap-based buffer overflow, resulting in a
denial of service condition or the execution of
arbitrary code. (CVE-2016-3074)

- An out-of-bounds read error exists in the php_str2num()
function in bcmath.c when handling negative scales. An
unauthenticated, remote attacker can exploit this, via a
crafted call, to cause a denial of service condition or
the disclosure of memory contents. (CVE-2016-4537)

- A flaw exists in the bcpowmod() function in bcmath.c due
to modifying certain data structures without considering
whether they are copies of the _zero_, _one_, or _two_
global variables. An unauthenticated, remote attacker
can exploit this, via a crafted call, to cause a denial
of service condition. (CVE-2016-4538)

- A flaw exists in the xml_parse_into_struct() function in
xml.c when handling specially crafted XML contents. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2016-4539)

- Multiple out-of-bounds read errors exist within file
ext/intl/grapheme/grapheme_string.c when handling
negative offsets in the zif_grapheme_stripos() and
zif_grapheme_strpos() functions. An unauthenticated,
remote attacker can exploit these issues to cause a
denial of service condition or disclose memory contents.
(CVE-2016-4540, CVE-2016-4541)

- A flaw exists in the exif_process_IFD_TAG() function in
exif.c due to improper construction of spprintf
arguments. An unauthenticated, remote attacker can
exploit this, via crafted header data, to cause an
out-of-bounds read error, resulting in a denial of
service condition or the disclosure of memory contents.
(CVE-2016-4542)

- A flaw exists in the exif_process_IFD_in_JPEG() function
in exif.c due to improper validation of IFD sizes. An
unauthenticated, remote attacker can exploit this, via
crafted header data, to cause an out-of-bounds read
error, resulting in a denial of service condition or the
disclosure of memory contents. (CVE-2016-4543)

- A flaw exists in the exif_process_TIFF_in_JPEG()
function in exif.c due to improper validation of TIFF
start data. An unauthenticated, remote attacker can
exploit this, via crafted header data, to cause an
out-of-bounds read error, resulting in a denial of
service condition or the disclosure of memory contents.
(CVE-2016-4544)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
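The check described above is a version comparison against the self-reported SecurityCenter version. The following is an added example, not Tenable's plugin code, showing how such a comparison should be done numerically rather than as a string comparison (as strings, "5.3.10" sorts before "5.3.2" and would be flagged as affected). The fixed version 5.3.2 comes from this advisory; the banner strings and the `patch_applied` flag are constructed assumptions for illustration and stand in for the "missing a security patch" case the check cannot observe on its own.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in TNS-2016-09 (this advisory).
FIXED_VERSION = "5.3.2"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted numeric version from a banner such as
    'SecurityCenter 5.3.1' and return it as a tuple of ints.

    Returns None when no version is present, so an empty or garbage banner
    is reported as 'unknown' rather than guessed as affected.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric less-than; pads the shorter tuple with zeros so 5.3 == 5.3.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess(reported: str, fixed: str = FIXED_VERSION,
           patch_applied: bool = False) -> str:
    """Classify a self-reported version against the fixed version.

    patch_applied is an assumed out-of-band signal (e.g. confirmed by the
    administrator): a pre-5.3.2 install with the vendor patch is not
    affected, but nothing in the version string reveals that.
    """
    v = parse_version(reported)
    if v is None:
        return "unknown"
    if not version_lt(v, parse_version(fixed)):
        return "not affected"
    return "not affected (patched)" if patch_applied else "affected"


def naive_assess(reported: str, fixed: str = FIXED_VERSION) -> str:
    """The wrong way: plain string comparison, shown only for contrast."""
    m = re.search(r"\d+(?:\.\d+)*", reported)
    if not m:
        return "unknown"
    return "affected" if m.group(0) < fixed else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not real scan output.
    banners = ["SecurityCenter 5.3.1", "SecurityCenter 5.3.2",
               "SecurityCenter 5.3.10", "SecurityCenter 5.2.0.1", "n/a"]
    for b in banners:
        print(f"{b:25s} numeric={assess(b):14s} naive={naive_assess(b)}")
```

Only the numeric comparison gives the right answer for "5.3.10"; the naive version reports a false positive there, which is exactly the kind of error a version-only plugin must avoid.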

See also :

https://www.tenable.com/security/tns-2016-09
http://php.net/ChangeLog-5.php#5.6.21

Solution :

Upgrade to SecurityCenter version 5.3.2 or later. Alternatively, apply
the relevant patch as referenced in the vendor advisory.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true