This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
An infrastructure management application running on the remote host
is affected by multiple vulnerabilities.
According to its self-reported version, the IBM BigFix Platform
application running on the remote host is 9.0.x or 9.1.x prior to
126.96.36.1991, 9.2.x prior to 188.8.131.52, or 9.5.x prior to 184.108.40.206. It
is, therefore, affected by multiple vulnerabilities :
- A remote code execution vulnerability exists due to a
use-after-free race condition. An unauthenticated, remote
attacker can exploit this to execute arbitrary code.
- A denial of service vulnerability exists that is
triggered when handling specially crafted XMLSchema
requests. An unauthenticated, adjacent attacker can
exploit this to crash the BES Server. Note that this
issue only affects 9.0.x or 9.1.x versions prior to
- A denial of service vulnerability exists in the BES Root
Server and BES Relay Memory due to improper handling of
user-supplied input. An unauthenticated, adjacent
attacker can exploit this to cause the system to crash.
Note that, additionally, several vulnerabilities possibly also exist
in the bundled version of OpenSSL included in versions 9.0.x.
IBM BigFix Platform was formerly known as Tivoli Endpoint Manager,
IBM Endpoint Manager, and IBM BigFix Endpoint Manager.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
See also :
Upgrade to IBM BigFix Platform version 220.127.116.111 / 18.104.22.168 /
22.214.171.124 or later.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true