Tenable SecurityCenter < 5.3.2 Multiple Vulnerabilities (TNS-2016-09)

High Nessus Plugin ID 91814

Synopsis

The Tenable SecurityCenter application installed on the remote host is affected by multiple vulnerabilities.

Description

The Tenable SecurityCenter application installed on the remote host is either prior to version 5.3.2 or is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP :

- A signedness error exists in the GD Graphics library in gd_gd2.c due to improper validation of user-supplied input when handling compressed GD2 data. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-3074)

- An out-of-bounds read error exists in the php_str2num() function in bcmath.c when handling negative scales. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition or the disclosure of memory contents. (CVE-2016-4537)

- A flaw exists in the bcpowmod() function in bcmath.c due to modifying certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variables. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition. (CVE-2016-4538)

- A flaw exists in the xml_parse_into_struct() function in xml.c when handling specially crafted XML contents. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-4539)

- Multiple out-of-bounds read errors exist within file ext/intl/grapheme/grapheme_string.c when handling negative offsets in the zif_grapheme_stripos() and zif_grapheme_strpos() functions. An unauthenticated, remote attacker can exploit these issues to cause a denial of service condition or disclose memory contents.
(CVE-2016-4540, CVE-2016-4541)

- A flaw exists in the exif_process_IFD_TAG() function in exif.c due to improper construction of spprintf arguments. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents.
(CVE-2016-4542)

- A flaw exists in the exif_process_IFD_in_JPEG() function in exif.c due to improper validation of IFD sizes. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4543)

- A flaw exists in the exif_process_TIFF_in_JPEG() function in exif.c due to improper validation of TIFF start data. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents.
(CVE-2016-4544)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to SecurityCenter version 5.3.2 or later. Alternatively, apply the relevant patch as referenced in the vendor advisory.

See Also

https://www.tenable.com/security/tns-2016-09

http://php.net/ChangeLog-5.php#5.6.21

Plugin Details

Severity: High

ID: 91814

File Name: securitycenter_php_5_6_21.nasl

Version: 1.9

Type: local

Family: Misc.

Published: 2016/06/24

Updated: 2018/12/14

Dependencies: 71157, 71158

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2016-3074

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:tenable:securitycenter

Required KB Items: Host/local_checks_enabled, Host/SecurityCenter/Version, installed_sw/SecurityCenter, Host/SecurityCenter/support/php/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/05/05

Vulnerability Publication Date: 2016/04/21

Reference Information

CVE: CVE-2016-3074, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544

BID: 87087, 89844, 90172, 90173, 90174