FreeBSD : upnp -- multiple vulnerabilities (244c8288-cc4a-11e6-a475-bcaec524bf84)

critical Nessus Plugin ID 96163


Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Matthew Garrett reports:

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem.
Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

Solution

Update the affected package.

See Also

https://twitter.com/mjg59/status/755062278513319936

https://sourceforge.net/p/pupnp/bugs/133/

http://www.nessus.org/u?ba3457fb

https://www.tenable.com/security/research/tra-2017-10

Plugin Details

Severity: Critical

ID: 96163

File Name: freebsd_pkg_244c8288cc4a11e6a475bcaec524bf84.nasl

Version: 3.8

Type: local

Published: 12/28/2016

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:upnp, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/27/2016

Vulnerability Publication Date: 2/23/2016

Reference Information

CVE: CVE-2016-6255, CVE-2016-8863