===========================================================================
AUSCERT Security Bulletin

ASB-2015.0015
A number of vulnerabilities in PHP and OpenSSL affect Tenable Security
Center and Tenable Appliance
5 February 2015
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Tenable Security Center
                      Tenable Appliance
Operating System:     Linux variants
                      Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-0232 CVE-2015-0231 CVE-2014-9427
                      CVE-2014-8142 CVE-2014-3570 CVE-2014-3571
                      CVE-2015-0205 CVE-2015-0206
Member content until: Saturday, March 7 2015
Reference:            ESB-2015.0149
                      ESB-2015.0101
                      ESB-2015.0056
                      ESB-2015.0048.2
                      ESB-2015.0005

OVERVIEW

A number of vulnerabilities in PHP and OpenSSL affect Tenable Security
Center versions 4.6.2.2, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2 and Tenable
Appliance versions 2.x.x, 3.0.0, 3.1.0, 3.2.0. [1, 2]

IMPACT

The vendor has provided the following details regarding these issues:

"PHP contains a use-after-free error in the process_nested_data()
function in ext/standard/var_unserializer.re. With specially crafted
input passed to the unserialize() method, a remote attacker can
dereference already freed memory and potentially execute arbitrary code.
(CVE-2014-8142 / CVE-2015-0231)

PHP contains a flaw in the exif_process_unicode() function in
ext/exif/exif.c when parsing JPEG EXIF entries. This may allow a remote
attacker to trigger freeing of an uninitialized pointer, causing a crash
or potentially execution of arbitrary code. (CVE-2015-0232)

PHP contains a flaw in the main() function in sapi/cgi/cgi_main.c that is
triggered when handling input consisting solely of a single "#"
character. With a specially crafted PHP file, a remote attacker can cause
a crash or potentially disclose memory contents. (CVE-2014-9427)

The process_nested_data() function is used within Tenable's
SecurityCenter, but is only exposed to authenticated users. Note that the
affiliated CVSSv2 score is specific to the PHP implementation within
SecurityCenter and the process_nested_data() issue." [1]

"OpenSSL contains a flaw in the dtls1_buffer_record() function that is
triggered when handling a saturation of DTLS records that contain the
same sequence number, but for the next epoch. This may allow a remote
attacker to cause a memory leak and exhaust memory resources.

OpenSSL contains a NULL pointer dereference flaw in dtls1_get_record that
is triggered when handling DTLS messages. This may allow a remote
attacker to cause a segmentation fault.

OpenSSL contains a flaw that is due to it accepting DH certificates for
client authentication when they are missing certificate verify messages.
This may allow a remote attacker to authenticate without the use of a
private key.

OpenSSL contains a flaw in bignum squaring (BN_sqr) that can cause
incorrect results to be produced on certain platforms, including x86_64.
This may allow attackers to have an unspecified impact." [2]

MITIGATION

The vendor has released patches to correct these issues. [1, 2]

REFERENCES

[1] [R2] PHP < 5.5.21 / 5.4.37 Vulnerabilities Affect Tenable Products
    http://www.tenable.com/security/tns-2015-02

[2] [R2] OpenSSL Vulnerabilities (20150108) Affect Tenable Products
    http://www.tenable.com/security/tns-2015-03

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================