Tenable SecurityCenter PHP < 5.6.31 Multiple Vulnerabilities (TNS-2017-12

High Nessus Plugin ID 103121

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The Tenable SecurityCenter application on the remote host contains a PHP library that is affected by multiple vulnerabilities.

Description

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP :

- An out-of-bounds read error exists in the PCRE library in the compile_bracket_matchingpath() function within file pcre_jit_compile.c. An unauthenticated, remote attacker can exploit this, via a specially crafted regular expression, to crash a process linked to the library, resulting in a denial of service condition.
(CVE-2017-6004)

- An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library.
(CVE-2017-7890)

- An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224)

- An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226)

- An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227)

- An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228)

- An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229)

- A denial of service condition exists in PHP when handling overlarge POST requests. An unauthenticated, remote attacker can exploit this to exhaust available CPU resources. (CVE-2017-11142)

- An extended invalid free error exists in PHP in the php_wddx_push_element() function within file ext/wddx/wddx.c when parsing empty boolean tags.
An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-11143)

- A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of '-1'. An unauthenticated, remote attacker can exploit this to cause an unspecified impact. (CVE-2017-11144)

- An out-of-bounds read error exists in PHP in the php_parse_date() function within file ext/date/lib/parse_date.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition.
(CVE-2017-11145)

- An out-of-bounds read error exists in PHP in the finish_nested_data() function within file ext/standard/var_unserializer.re. An unauthenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition.

- An off-by-one overflow condition exists in PHP in the INI parsing API, specifically in the zend_ini_do_op() function within file Zend/zend_ini_parser.y, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

- A Heap buffer overread flaw in finish_nested_data while unserializing untrusted data could lead to an unspecified impact on the integrity of PHP.
(CVE-2017-12933)

- A stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code.
(CVE-2017-11628)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the relevant patch as referenced in the vendor advisory.

See Also

https://www.tenable.com/security/tns-2017-12

http://php.net/ChangeLog-5.php#5.6.31

https://support.tenable.com/support-center/index.php?x=&mod_id=160

Plugin Details

Severity: High

ID: 103121

File Name: securitycenter_php_5_6_31.nasl

Version: 1.9

Type: combined

Agent: unix

Family: Misc.

Published: 2017/09/12

Updated: 2020/10/09

Dependencies: 71157, 71158

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS Score Source: CVE-2017-9224

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:tenable:securitycenter

Required KB Items: Host/SecurityCenter/Version, installed_sw/SecurityCenter, Host/SecurityCenter/support/php/version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/09/11

Vulnerability Publication Date: 2017/07/10

Reference Information

CVE: CVE-2017-6004, CVE-2017-7890, CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229, CVE-2017-11142, CVE-2017-11143, CVE-2017-11144, CVE-2017-11145, CVE-2017-11628, CVE-2017-12933

BID: 96295, 99489, 99490, 99492, 99501, 99550, 99553, 99601, 99605, 100320, 100538, 101244