Tenable SecurityCenter PHP < 5.6.30 Multiple Vulnerabilities (TNS-2017-04)

critical Nessus Plugin ID 101050
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The Tenable SecurityCenter application on the remote host contains a PHP library that is affected by multiple vulnerabilities.

Description

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP :

- A seg fault when loading hostile phar could be used to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
(CVE-2017-11147)

- A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158)

- An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159)

- An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160)

- An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents.
(CVE-2016-10161)

- An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition.

- A denial of service vulnerability exists in the bundled GD Graphics Library (LibGD) in the gdImageCreateFromGd2Ctx() function in gd_gd2.c due to improper validation of images. An unauthenticated, remote attacker can exploit this, via a specially crafted image, to crash the process.

- The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library could allow a remote attacker to cause a denial of service via a crafted image file.
(CVE-2016-10167)

- An integer overflow in gd_io.c in the GD Graphics Library before could allow a remote attacker to have an unspecified impact on PHP. (CVE-2016-10168)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to SecurityCenter version 5.4.3 or later. Alternatively, contact the vendor for a patch.

See Also

https://www.tenable.com/security/tns-2017-04

http://php.net/ChangeLog-5.php#5.6.30

Plugin Details

Severity: Critical

ID: 101050

File Name: securitycenter_php_5_6_30.nasl

Version: 1.9

Type: combined

Agent: unix

Family: Misc.

Published: 6/26/2017

Updated: 10/9/2020

Dependencies: securitycenter_installed.nbin, securitycenter_detect.nbin

Risk Information

CVSS Score Source: CVE-2016-10160

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:tenable:securitycenter

Required KB Items: Host/SecurityCenter/Version, installed_sw/SecurityCenter, Host/SecurityCenter/support/php/version

Exploit Ease: No known exploits are available

Patch Publication Date: 2/9/2017

Vulnerability Publication Date: 12/13/2016

Reference Information

CVE: CVE-2017-11147, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10167, CVE-2016-10168

BID: 95764, 95768, 95774, 95783, 95869, 99607