-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2015.0065
    A number of vulnerabilities in OpenSSL affect Tenable Nessus and
                         Nessus Enterprise
                             1 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Nessus
                      Tenable Nessus Enterprise
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-1792 CVE-2015-1790 CVE-2015-1789
                      CVE-2015-1788 CVE-2014-8176
Member content until: Friday, July 31 2015
Reference:            ESB-2015.1699
                      ESB-2015.1670
                      ESB-2015.1569
                      ESB-2015.1561
                      ESB-2015.1557
                      ESB-2015.1540
                      ESB-2015.1544.2

OVERVIEW

        Tenable has identified a number of vulnerabilities in Tenable Nessus
        and Nessus Enterprise prior to version 6.4. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "CVE-2015-1788 - OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv()
        Function ECParameters Structure Binary Polynomial Field Parsing
        Infinite Loop Remote DoS

        CVE-2015-1789 - OpenSSL crypto/x509/x509_vfy.c X509_cmp_time()
        Function ASN1_TIME String Handling Out-of-bounds Read Issue

        CVE-2015-1790 - OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode()
        Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference
        Remote DoS

        CVE-2015-1792 - OpenSSL signedData Message Unknown Hash Function
        Processing Infinite Loop Remote DoS

        CVE-2014-8176 - OpenSSL DTLS Application Data Buffering Invalid Free
        Remote Memory Corruption" [1]

MITIGATION

        The vendor advises users to upgrade to the latest version of Tenable
        Nessus and Nessus Enterprise to resolve these issues. [1]

REFERENCES

        [1] OpenSSL 'secadv_20150611' Vulnerabilities Affect Tenable Nessus
            http://www.tenable.com/security/tns-2015-07

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVZM2BX6ZAP0PgtI9AQIcmhAAgonUFUvSl5zbivYcsQ9bqErVRk6M9az1
9TGuEvFzoPYpJmU5HjUiFuwiWDkwr0oDMd9ZK+junVub87LDo2ngcqDcFXbI4SX4
FFSf1NQfHX1Anh+QhcENfMpRpdTJ8h80nZd+045RAxi4LusZ56EafRAft7/cnclG
hIKVN1WP0u4m1ApTcLT7i7LV6sWZPXyQTzCIEwu2g9H1eNiCI5Oj0SkMSQC/O9lV
y+wHM149wK2LOSxe46O6egHWLvOoFuh9CeKJ//Dugy7i5ZCEBAdaGsdi58HYWFOw
ke4hriL2pNVrvLOXkmODf1YlA4S0f8/V5E/7KkAEDTOuJSuKf0shgXpJilVzcJ/R
2HITP79ou7Ysav4hhnLZRupc1jNjdprt5/f5EuWufwk4LPRPosu1mdZ0+y/8JXLu
uYmMASksO2Rw6NsKTwTEWP5OIZnwtjrafDSjsGLIrA9gax+RAp+iTArtBk0gXq1m
UHawmx3IigFZQbs/j+ZCDJkvlCt/uk0DqSigyELtoikBPE0gbWDS4GkFnC0k2Zur
WnOvyl1aB3e4ypV8gxAPaBNF0QDufTXuNmQJyxe08kdYVlXC31OHn/F7mkqRGesD
Sn86SVlaiJSeSQWtyF1yrFtqJ9xtdcGs0OXx+Cbz37ozFE/lvZF+husLbqT+JXzP
UY1IBO3L32I=
=Nrby
-----END PGP SIGNATURE-----
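The OVERVIEW and MITIGATION sections above reduce to one condition: a Nessus or Nessus Enterprise install older than 6.4 is affected and needs the upgrade. The following Python script is an added example (not part of the AusCERT bulletin and not Tenable tooling) showing how to apply that condition across an inventory without the usual string-comparison pitfall, where "6.10.1" sorts before "6.4" lexicographically. The hostnames and version strings in SAMPLE_INVENTORY are constructed for the example; only the fixed version 6.4 comes from the bulletin.

```python
"""Triage an inventory against the bulletin's "prior to version 6.4" condition.

Added example: not from the AusCERT bulletin or from Tenable. The inventory
below is constructed sample data; the fixed version is the one the bulletin
names.
"""
import re

FIXED_VERSION = "6.4"  # bulletin: Nessus / Nessus Enterprise prior to 6.4 are affected


def parse_version(text):
    """Split a dotted version such as '6.3.7' into a tuple of ints.

    Comparing tuples of ints avoids the lexicographic pitfall where the
    string '6.10.1' compares lower than '6.4'. Anything after the numeric
    dotted prefix (build tags, whitespace) is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(parts, width):
    """Right-pad a version tuple with zeros so '6.4' and '6.4.0' compare equal."""
    return parts + (0,) * (width - len(parts))


def is_affected(installed, fixed=FIXED_VERSION):
    """True if `installed` is strictly older than `fixed`, i.e. still vulnerable."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return _pad(a, width) < _pad(b, width)


# Constructed sample inventory: (hostname, version reported by the scanner).
# Hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("scanner-01.example", "6.3.7"),
    ("scanner-02.example", "6.4"),
    ("scanner-03.example", "6.4.0"),
    ("scanner-04.example", "6.10.1"),
    ("scanner-05.example", "5.2.11"),
]


def triage(inventory=SAMPLE_INVENTORY, fixed=FIXED_VERSION):
    """Return, in inventory order, the hosts that still need the upgrade."""
    return [host for host, version in inventory if is_affected(version, fixed)]


if __name__ == "__main__":
    for host in triage():
        print(f"{host}: upgrade required (older than {FIXED_VERSION})")
```

The check is deliberately strict about what counts as "fixed": 6.4 and 6.4.0 are treated as the same version, and 6.10.1 is correctly recognised as newer than 6.4. If a host reports a version string the regex cannot parse, parse_version raises rather than silently marking the host as safe, which is the failure mode you want in a patch-compliance check.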