-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2015.0072
 A number of vulnerabilities have been identified in Tenable SecurityCenter
                               22 July 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Tenable SecurityCenter
Operating System:   Linux variants
                    VMware ESX Server
                    Network Appliance
Impact/Access:      Unauthorised Access -- Remote/Unauthenticated
                    Reduced Security    -- Remote/Unauthenticated
Resolution:         Patch/Upgrade
CVE Names:          CVE-2015-1793

Member content until: Friday, August 21 2015

OVERVIEW

        A number of vulnerabilities have been identified in Tenable
        SecurityCenter prior to version 5.0.0.1. [1, 2]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        CVE-2015-1793:

        "SecurityCenter is potentially impacted by a vulnerability in
        OpenSSL that was recently disclosed and fixed. Note that due to the
        time involved in doing a full analysis of the issue, Tenable has
        opted to patch the included version of OpenSSL as a precaution, and
        to save time.

        OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function
        Alternative Certificate Chain Handling Certificate Validation Bypass

        OpenSSL contains a flaw in the X509_verify_cert() function in
        crypto/x509/x509_vfy.c that is triggered when locating alternate
        certificate chains in cases where the first attempt to build such a
        chain fails. This may allow a remote attacker to cause certain
        certificate checks to be bypassed, leading to an invalid presented
        certificate being considered as valid." [1]

        "SecurityCenter is potentially impacted by a vulnerability in PHP
        that was recently disclosed and fixed. Note that due to the time
        involved in doing a full analysis of the issue, Tenable has opted to
        patch the included version of PHP as a precaution, and to save time.

        PHP escapeshellcmd() / escapeshellarg() ! Character Handling
        Unspecified Issue

        PHP contains a flaw in the escapeshellcmd() and escapeshellarg()
        functions. The issue is triggered as the ! character is not properly
        handled. This may allow an attacker to e.g. substitute environment
        variables and have an unspecified impact." [2]

MITIGATION

        It is recommended that users upgrade to the latest version of
        Tenable SecurityCenter to correct these issues. [1, 2]

REFERENCES

        [1] [R1] OpenSSL 'secadv_20150709' Vulnerability Affects Tenable
            SecurityCenter
            http://www.tenable.com/security/tns-2015-08

        [2] [R1] PHP < 5.4.43 Vulnerability Affects Tenable SecurityCenter
            http://www.tenable.com/security/tns-2015-09

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
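The OpenSSL issue quoted under IMPACT turns on X509_verify_cert() having to apply the same checks to every candidate chain it builds, including the one found after the first attempt fails. The script below is an added example, not code from AusCERT or Tenable: it builds a scratch chain in which an ordinary end-entity certificate (basicConstraints CA:FALSE) is misused as an issuer and confirms that the local OpenSSL rejects it. It does not reproduce the alternative-chain path of CVE-2015-1793 itself, which needs a cross-signed intermediate set; it only exercises the CA-flag check that path must still enforce. It assumes an `openssl` binary of 1.1.1 or later (for `-addext`) on the host being checked.

```shell
#!/bin/sh
# Added example (not from the bulletin): confirm that the host's OpenSSL refuses
# a chain whose middle certificate is not a CA. All certificates are generated
# here in a temporary directory and deleted afterwards.
set -e

# Returns 0 when OpenSSL rejects the chain (expected), 1 when it accepts it.
check_non_ca_issuer_rejected() (
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    cd "$workdir"

    # Self-signed root that really is a CA (basicConstraints CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Example Test Root' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout root.key -out root.pem >/dev/null 2>&1

    # "leaf": issued by the root and explicitly marked as NOT a CA.
    printf 'basicConstraints=critical,CA:FALSE\n' > notca.ext
    openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 30 -extfile notca.ext -out leaf.pem >/dev/null 2>&1

    # "victim": signed with the leaf's key, i.e. the leaf is misused as an issuer.
    openssl req -newkey rsa:2048 -nodes -subj '/CN=victim.example.test' \
        -keyout victim.key -out victim.csr >/dev/null 2>&1
    openssl x509 -req -in victim.csr -CA leaf.pem -CAkey leaf.key \
        -CAcreateserial -days 30 -extfile notca.ext -out victim.pem >/dev/null 2>&1

    # Chain root -> leaf -> victim. A correct verifier fails this with
    # "invalid CA certificate" because the leaf may not act as an issuer.
    if openssl verify -CAfile root.pem -untrusted leaf.pem victim.pem \
        >/dev/null 2>&1; then
        echo "FAIL: non-CA issuer accepted by $(openssl version)"
        exit 1
    fi
    echo "OK: non-CA issuer rejected by $(openssl version)"
    exit 0
)
```

Run it with the `openssl` binary that SecurityCenter actually bundles first in `PATH`, otherwise the check reports on the system library instead.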