This script is Copyright (C) 2017 Tenable Network Security, Inc.
An infrastructure management application running on the remote host
is affected by multiple vulnerabilities.
According to its self-reported version, the IBM BigFix Platform
application running on the remote host is 9.x prior to 9.1.9, 9.2.x
prior to 9.2.9, or 9.5.x prior to 9.5.4. It is, therefore, affected by
multiple vulnerabilities :
- A remote code execution vulnerability exists due to a
use-after-free race condition. An unauthenticated, remote
attacker can exploit this to execute arbitrary code.
- A denial of service vulnerability exists that is
triggered when handling specially crafted XMLSchema
requests. An unauthenticated, adjacent attacker can
exploit this to crash the BES Server. Note that this
issue only affects 9.0.x or 9.1.x versions prior to
- A denial of service vulnerability exists in the BES Root
Server and BES Relay Memory when handling unspecified
user-supplied input. An unauthenticated, adjacent
attacker can exploit this to cause the system to crash.
Note that, additionally, several vulnerabilities possibly also exist
in the bundled version of OpenSSL included in versions 9.0.x.
IBM BigFix Platform was formerly known as Tivoli Endpoint Manager,
IBM Endpoint Manager, and IBM BigFix Endpoint Manager.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
See also :
Upgrade to IBM BigFix Platform version 9.1.9 / 9.2.9 / 9.5.4 or later.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true