Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A data aggregation application installed on the remote host is
affected by multiple vulnerabilities.

Description :

The version of Tenable Log Correlation Engine (LCE) installed on the
remote host is prior to 4.8.1. It is, therefore, affected by the
following vulnerabilities :

- Multiple cross-site scripting (XSS) vulnerabilities
exist in the Handlebars library in the
lib/handlebars/utils.js script due to a failure to
properly escape input passed as unquoted attributes to
templates. An unauthenticated, remote attacker can
exploit these vulnerabilities, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. (CVE-2015-8861, CVE-2015-8862)

- A heap-based buffer overflow condition exists in the
Perl-Compatible Regular Expressions (PCRE) component
that is triggered when processing nested back references
in a duplicate named group. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-1283)

- An out-of-bounds read error exists in the libxml2
component in parserInternals.c due to improper parsing
of characters in an XML file. An unauthenticated, remote
attacker can exploit this to disclose sensitive
information or cause a denial of service condition.
(CVE-2016-1833)

- An overflow condition exists in the libxml2 component in
xmlstring.c due to improper validation of user-supplied
input when handling a string with NULL. An
unauthenticated, remote attacker can exploit this, via a
specially crafted file, to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-1834)

- Multiple use-after-free errors exist in the libxml2
component in parser.c that is triggered when parsing
complex names. An unauthenticated, remote attacker can
exploit these issues, via a specially crafted file, to
dereference already freed memory and potentially execute
arbitrary code. (CVE-2016-1835, CVE-2016-1836)

- Multiple heap-based buffer overflow conditions exist in
the libxml2 component in HTMLparser.c and xmlregexp.c
due to improper validation of user-supplied input when
parsing characters in a range. An unauthenticated,
remote attacker can exploit these issues, via a
specially crafted file, to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2016-1837, CVE-2016-1839, CVE-2016-1840)

- Multiple out-of-bounds read errors exist in the libxml2
component in parser.c. An unauthenticated, remote
attacker can exploit these issues to disclose sensitive
information or cause a denial of service condition.
(CVE-2016-1838, CVE-2016-4447)

- A heap buffer overflow condition exists in the OpenSSL
component in the EVP_EncodeUpdate() function within file
crypto/evp/encode.c that is triggered when handling a
large amount of input data. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition. (CVE-2016-2105)

- A heap buffer overflow condition exists in the OpenSSL
component in the EVP_EncryptUpdate() function within
file crypto/evp/evp_enc.c that is triggered when
handling a large amount of input data after a previous
call occurs to the same function with a partial block.
An unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2016-2106)

- Flaws exist in the aesni_cbc_hmac_sha1_cipher()
function in file crypto/evp/e_aes_cbc_hmac_sha1.c and
the aesni_cbc_hmac_sha256_cipher() function in file
crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered
when the connection uses an AES-CBC cipher and AES-NI
is supported by the server. A man-in-the-middle attacker
can exploit these to conduct a padding oracle attack,
resulting in the ability to decrypt the network traffic.
(CVE-2016-2107)

- A remote code execution vulnerability exists in the
OpenSSL component in the ASN.1 encoder due to an
underflow condition that occurs when attempting to
encode the value zero represented as a negative integer.
An unauthenticated, remote attacker can exploit this to
corrupt memory, resulting in the execution of arbitrary
code. (CVE-2016-2108)

- Multiple unspecified flaws exist in the d2i BIO
functions when reading ASN.1 data from a BIO due to
invalid encoding causing a large allocation of memory.
An unauthenticated, remote attacker can exploit these to
cause a denial of service condition through resource
exhaustion. (CVE-2016-2109)

- An out-of-bounds read error exists in the
X509_NAME_oneline() function within file
crypto/x509/x509_obj.c when handling very long ASN1
strings. An unauthenticated, remote attacker can exploit
this to disclose the contents of stack memory.
(CVE-2016-2176)

- An overflow condition exists in the Perl-Compatible
Regular Expressions (PCRE) component due to improper
validation of user-supplied input when handling the
(*ACCEPT) verb. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2016-3191)

- A flaw exists in the libxml2 component in parser.c that
occurs when handling XML content in recovery mode. An
unauthenticated, remote attacker can exploit this to
cause a stack exhaustion, resulting in a denial of
service condition. (CVE-2016-3627)

- A flaw exists in the libxml2 component in parser.c due
to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a stack exhaustion, resulting in a denial of
service condition. (CVE-2016-3705)

- A format string flaw exists in the libxml2 component due
to improper use of string format specifiers (e.g. %s and
%x). An unauthenticated, remote attacker can exploit
this to cause a denial of service condition or the
execution of arbitrary code. (CVE-2016-4448)

- An XML external entity injection vulnerability exists in
parser.c due to improper parsing of XML data. An
unauthenticated, remote attacker can exploit this, via
specially crafted XML data, to disclose arbitrary files
or cause a denial of service condition. (CVE-2016-4449)

- An out-of-bounds read error exists in the libxml2
component in xmlsave.c that occurs when handling XML
content in recovery mode. An unauthenticated, remote
attacker can exploit this to disclose sensitive
information or cause a denial of service condition.
(CVE-2016-4483)

- A security bypass vulnerability exists in the libcurl
component due to the program attempting to resume TLS
sessions even if the client certificate fails. An
unauthenticated, remote attacker can exploit this to
bypass validation mechanisms. (CVE-2016-5419)

- An information disclosure vulnerability exists in the
libcurl component due to the program reusing TLS
connections with different client certificates. An
unauthenticated, remote attacker can exploit this to
disclose sensitive cross-realm information.
(CVE-2016-5420)

- A use-after-free error exists in the libcurl component
that is triggered as connection pointers are not
properly cleared for easy handles. An unauthenticated,
remote attacker can exploit this to dereference already
freed memory, potentially resulting in the execution of
arbitrary code. (CVE-2016-5421)

- Multiple stored cross-site scripting (XSS)
vulnerabilities exist due to improper validation of
user-supplied input. An authenticated, remote attacker
can exploit these, via a specially crafted request, to
execute arbitrary script code in a user's browsers
session. (CVE-2016-9261, VulnDB 151706)

See also :

https://www.tenable.com/security/tns-2016-18
https://www.openssl.org/news/secadv/20160503.txt

Solution :

Upgrade to Tenable LCE version 4.8.1 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true