===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0015
           A number of vulnerabilities in PHP and OpenSSL affect
               Tenable Security Center and Tenable Appliance
                              5 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Security Center
                      Tenable Appliance
Operating System:     Linux variants
                      Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-0232 CVE-2015-0231 CVE-2014-9427
                      CVE-2014-8142 CVE-2014-3570 CVE-2014-3571
                      CVE-2015-0205 CVE-2015-0206 
Member content until: Saturday, March  7 2015
Reference:            ESB-2015.0149
                      ESB-2015.0101
                      ESB-2015.0056
                      ESB-2015.0048.2
                      ESB-2015.0005

OVERVIEW

        A number of vulnerabilities in PHP and OpenSSL affect Tenable Security
        Center versions 4.6.2.2, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2 and Tenable 
        Appliance versions 2.x.x, 3.0.0, 3.1.0, 3.2.0. [1, 2]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "PHP contains a use-after-free error in the process_nested_data() 
        function in ext/standard/var_unserializer.re. With specially crafted
        input passed to the unserialize() method, a remote attacker can 
        dereference already freed memory and potentially execute arbitrary 
        code. (CVE-2014-8142 / CVE-2015-0231)
        
        PHP contains a flaw in the exif_process_unicode() function in 
        ext/exif/exif.c when parsing JPEG EXIF entries. This may allow a 
        remote attacker to trigger freeing of an uninitialized pointer, 
        causing a crash or potentially execution of arbitrary code. 
        (CVE-2015-0232)
        
        PHP contains a flaw in the main() function in sapi/cgi/cgi_main.c 
        that is triggered when handling input consisting solely of a single
        "#" character. With a specially crafted PHP file, a remote attacker
        can cause a crash or potentially disclose memory contents. 
        (CVE-2014-9427)
        
        The process_nested_data() function is used within Tenable's 
        SecurityCenter, but is only exposed to authenticated users. Note 
        that the affiliated CVSSv2 score is specific to the PHP 
        implementation within SecurityCenter and the process_nested_data() 
        issue." [1]
        
        "OpenSSL contains a flaw in the dtls1_buffer_record() function that
        is triggered when handling a saturation of DTLS records that contain
        the same sequence number, but for the next epoch. This may allow a 
        remote attacker to cause a memory leak and exhaust memory resources.
        
        OpenSSL contains a NULL pointer dereference flaw in dtls1_get_record
        that is triggered when handling DTLS messages. This may allow a 
        remote attacker to cause a segmentation fault.
        
        OpenSSL contains a flaw that is due to it accepting DH certificates
        for client authentication when they are missing certificate verify 
        messages. This may allow a remote attacker to authenticate without 
        the use of a private key.
        
        OpenSSL contains a flaw in bignum squaring (BN_sqr) that can cause 
        incorrect results to be produced on certain platforms, including 
        x86_64. This may allow attackers to have an unspecified impact." [2]


MITIGATION

        The vendor has released patches to correct these issues. [1, 2]


REFERENCES

        [1] [R2] PHP < 5.5.21 / 5.4.37 Vulnerabilities Affect Tenable Products
            http://www.tenable.com/security/tns-2015-02

        [2] [R2] OpenSSL Vulnerabilities (20150108) Affect Tenable Products
            http://www.tenable.com/security/tns-2015-03

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================