-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0065
    Security Advisory - AlienVault v5.2.5 addresses 26 vulnerabilities
                               13 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AlienVault USM
                      AlienVault OSSIM
Operating System:     Debian GNU/Linux
                      Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Root Compromise                 -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-4483 CVE-2016-4449 CVE-2016-4447
                      CVE-2016-4425 CVE-2016-4085 CVE-2016-4082
                      CVE-2016-4081 CVE-2016-4080 CVE-2016-4079
                      CVE-2016-4006 CVE-2016-3705 CVE-2016-3627
                      CVE-2016-2073 CVE-2016-1840 CVE-2016-1839
                      CVE-2016-1838 CVE-2016-1837 CVE-2016-1836
                      CVE-2016-1835 CVE-2016-1834 CVE-2016-1833
                      CVE-2016-1762 CVE-2016-0718 CVE-2015-8875
                      CVE-2015-8806 CVE-2015-7552 CVE-2015-2059
Member content until: Wednesday, July 13 2016
Reference:            ESB-2016.1398
                      ESB-2016.1356
                      ESB-2016.1285
                      ESB-2016.1250
                      ESB-2016.1211
                      ESB-2016.1210
                      ESB-2016.0741

OVERVIEW

        Multiple vulnerabilities have been identified in AlienVault USM and
        OSSIM prior to version 5.2.5. [1]


IMPACT

        The vendor has provided the following information:
        
        "Debian Security Update
        
        AlienVault ID: ENG-102048
        
        Description: The stringprep_utf8_to_ucs4 function in libidn before 
        1.31, as used in jabberd2, allows context-dependent attackers to 
        read system memory and possibly have other unspecified impact via 
        invalid UTF-8 characters in a string, which triggers an 
        out-of-bounds read.
        
        CVE ID: CVE-2015-2059
        
        CVSS: 6.4
        
        Debian Security Update
        
        AlienVault ID: ENG-103101
        
        Description: An insecure sudoers configuration allows the 'avapi' 
        user to execute arbitrary python code or arbitrary commands as root.
        The following screenshots detail the insecure sudoers configuration
        and a proof-of-concept exploit. The use of wild cards within the 
        sudoers configuration makes this attack possible.
        
        Reported by: Denis Andzakovic (Security-assessment.com)
        
        CVSS: 6.6
        
        Debian Security Update
        
        AlienVault ID: ENG-103540
        
        Description: Vulnerability in libexpat
        
        CVE ID: CVE-2016-0718
        
        Debian Security Update
        
        AlienVault ID: ENG-103541
        
        Description: Jansson 2.7 and earlier allows context-dependent 
        attackers to cause a denial of service (deep recursion, stack 
        consumption, and crash) via crafted JSON data.
        
        CVE ID: CVE-2016-4425
        
        CVSS: 3.7
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: epan/proto.c in Wireshark 1.12.x before 1.12.11 and 
        2.0.x before 2.0.3 does not limit the protocol-tree depth, which 
        allows remote attackers to cause a denial of service (stack memory 
        consumption and application crash) via a crafted packet.
        
        CVE ID: CVE-2016-4006
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: epan/dissectors/packet-pktc.c in the PKTC dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not 
        verify BER identifiers, which allows remote attackers to cause a 
        denial of service (out-of-bounds write and application crash) via a
        crafted packet.
        
        CVE ID: CVE-2016-4079
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: epan/dissectors/packet-pktc.c in the PKTC dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses 
        timestamp fields, which allows remote attackers to cause a denial of
        service (out-of-bounds read and application crash) via a crafted 
        packet.
        
        CVE ID: CVE-2016-4080
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: epan/dissectors/packet-iax2.c in the IAX2 dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an 
        incorrect integer data type, which allows remote attackers to cause
        a denial of service (infinite loop) via a crafted packet.
        
        CVE ID: CVE-2016-4081
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: epan/dissectors/packet-gsm_cbch.c in the GSM CBCH 
        dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3
        uses the wrong variable to index an array, which allows remote 
        attackers to cause a denial of service (out-of-bounds access and 
        application crash) via a crafted packet.
        
        CVE ID: CVE-2016-4082
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103564
        
        Description: Stack-based buffer overflow in 
        epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark
        1.12.x before 1.12.11 allows remote attackers to cause a denial of 
        service (application crash) or possibly have unspecified other 
        impact via a long string in a packet.
        
        CVE ID: CVE-2016-4085
        
        CVSS: 3.2
        
        Debian Security Update
        
        AlienVault ID: ENG-103599
        
        Description: Heap-based buffer overflow in the gdk_pixbuf_flip 
        function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote 
        attackers to cause a denial of service or possibly execute arbitrary
        code via a crafted BMP file.
        
        CVE ID: CVE-2015-7552
        
        CVSS: 6.3
        
        Debian Security Update
        
        AlienVault ID: ENG-103599
        
        Description: Integer overflows in pixops_* functions
        
        CVE ID: CVE-2015-8875
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: dict.c in libxml2 allows remote attackers to cause a 
        denial of service (heap-based buffer over-read and application 
        crash) via an unexpected character immediately after the 
        "<!DOCTYPE html" substring in a crafted HTML document.
        
        CVE ID: CVE-2015-8806
        
        CVSS: 5.0
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2 in Apple iOS before 9.3, OS X before 10.11.4, 
        Safari before 9.1, tvOS before 9.2, and watchOS before 2.2 allows 
        remote attackers to execute arbitrary code or cause a denial of 
        service (memory corruption) via a crafted XML document.
        
        CVE ID: CVE-2016-1762
        
        CVSS: 10
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, 
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1833
        
        CVSS: 7.5
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, 
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1834
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2 and OS X 
        before 10.11.5, allows remote attackers to execute arbitrary code or
        cause a denial of service (memory corruption) via a crafted XML 
        document.
        
        CVE ID: CVE-2016-1835
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, 
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1836
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, 
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1837
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, 
        CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1838
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, 
        CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840.
        
        CVE ID: CVE-2016-1839
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service 
        (memory corruption) via a crafted XML document, a different 
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, 
        CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839.
        
        CVE ID: CVE-2016-1840
        
        CVSS: 6.8
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: The htmlParseNameComplex function in HTMLparser.c in 
        libxml2 allows attackers to cause a denial of service (out-of-bounds
        read) via a crafted XML document.
        
        CVE ID: CVE-2016-2073
        
        CVSS: 4.3
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: The xmlStringGetNodeList function in tree.c in libxml2
        2.9.3 and earlier, when used in recovery mode, allows 
        context-dependent attackers to cause a denial of service (infinite 
        recursion, stack consumption, and application crash) via a crafted 
        XML document.
        
        CVE ID: CVE-2016-3627
        
        CVSS: 5.0
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: The (1) xmlParserEntityCheck and (2) 
        xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do 
        not properly keep track of the recursion depth, which allows 
        context-dependent attackers to cause a denial of service (stack 
        consumption and application crash) via a crafted XML document 
        containing a large number of nested entity references.
        
        CVE ID: CVE-2016-3705
        
        CVSS: 5.0
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: Reserved vulnerability in libxml2
        
        CVE ID: CVE-2016-4447
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: Reserved vulnerability in libxml2
        
        CVE ID: CVE-2016-4449
        
        Debian Security Update
        
        AlienVault ID: ENG-103626
        
        Description: Reserved vulnerability in libxml2
        
        CVE ID: CVE-2016-4483." [1]
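
        The sudoers entry ENG-103101 above (wildcards that let the 'avapi'
        user run Python or arbitrary commands as root) is the one item in
        this bulletin whose mechanism a reviewer can check for directly on
        any Debian-based host. The audit script below is an added example,
        not part of the vendor advisory or the AlienVault code base; the
        sudoers content it scans is constructed for illustration and its
        paths are invented, not taken from the appliance. It flags the
        three rule shapes that turn a scoped grant into root: a wildcard in
        the argument list, an interpreter with no fixed argument list, and
        a bare 'ALL'.

```python
"""Audit sudoers rules for grants that are wider than they look.

Added example. SAMPLE_SUDOERS is constructed for this demonstration and is
NOT the AlienVault configuration (the advisory does not reproduce it).
"""
import os
import re
import shlex

SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# looks scoped to one directory, but the wildcard defeats the scope
avapi   ALL=(root) NOPASSWD: /usr/bin/python /usr/share/example/*.py
# interpreter with no argument list: any script or -c code runs as root
avapi   ALL=(root) NOPASSWD: /usr/bin/python
# read-only command, yet the wildcard reads any file via '..'
avapi   ALL=(root) NOPASSWD: /bin/cat /var/log/example/*
# "" means no arguments are permitted: a fixed command, nothing to abuse
backup  ALL=(root) NOPASSWD: /usr/local/bin/run_backup.sh ""
"""

# Allowing one of these without an exact argument list is a root shell.
INTERPRETERS = {"python", "python2", "python2.7", "python3", "perl",
                "ruby", "php", "sh", "bash", "dash", "zsh"}
WILDCARD_RE = re.compile(r"[*?\[]")
RULE_RE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"       # optional (runas_user:group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"          # NOPASSWD:, SETENV:, ...
    r"(?P<cmnds>.+)$"
)


def parse_rules(text):
    """Yield (user, runas_user, command) for every user specification."""
    text = re.sub(r"\\\n\s*", " ", text)          # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        for cmnd in m.group("cmnds").split(","):
            yield m.group("user"), runas, cmnd.strip()


def audit_command(user, runas, cmnd):
    """Return the reasons a single Cmnd grants more than its path suggests."""
    if cmnd == "ALL":
        return ["'ALL' permits every command as " + runas]
    if cmnd.startswith("!"):
        return []                                  # exclusion, not a grant
    parts = shlex.split(cmnd)
    path, args = parts[0], parts[1:]
    reasons = []
    if WILDCARD_RE.search(path):
        reasons.append("wildcard in command path")
    if args == [""]:
        return reasons                             # "" = no arguments allowed
    if not args and os.path.basename(path) in INTERPRETERS:
        reasons.append("interpreter with no fixed argument list: any script "
                       "or -c code runs as " + runas)
    if any(WILDCARD_RE.search(a) for a in args):
        reasons.append("wildcard in arguments: sudoers(5) matches the argument "
                       "list as one string, so '*' spans spaces and '/', "
                       "permitting '..' traversal or appended arguments")
    return reasons


def audit_sudoers(text):
    """Return [(user, runas, command, reason), ...] for risky grants."""
    findings = []
    for user, runas, cmnd in parse_rules(text):
        if user == "root":
            continue                               # nothing to escalate to
        for reason in audit_command(user, runas, cmnd):
            findings.append((user, runas, cmnd, reason))
    return findings


if __name__ == "__main__":
    for user, runas, cmnd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> {runas}: {cmnd}\n    {reason}")
```

        Run it over /etc/sudoers and every file under /etc/sudoers.d;
        'sudo -l' is not a substitute, since it lists only the invoking
        user's grants. The clean replacement for a wildcard rule is a fixed
        script path followed by "" (no arguments accepted), or a wrapper
        that validates its own arguments, so that sudo's pattern matching is
        never the control that stands between a service account and root.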


MITIGATION

        The vendor recommends updating to the latest version. [1]
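
        Three of the entries above (Jansson CVE-2016-4425, libxml2
        CVE-2016-3627 and CVE-2016-3705) are the same failure mode: a
        recursive parser with no bound on nesting depth, so a small crafted
        document exhausts the stack. Upgrading is the fix. Where a service
        must keep accepting untrusted JSON until the upgrade lands, the
        compensating control is a cheap depth bound applied before the
        library parses. The following is an added example, not code from
        the advisory or from Jansson: a linear scan that measures bracket
        depth while skipping string literals, a wrapper that rejects
        documents over the limit, and a probe showing what the unguarded
        parser does with the same input. The limit of 64 is an assumption;
        set it above what legitimate clients actually send.

```python
"""Bound JSON nesting depth before the parser sees the document.

Added example; HOSTILE is a constructed input, not a sample from the advisory.
"""
import json

MAX_DEPTH = 64                      # assumed limit; real payloads rarely nest this deep
HOSTILE = "[" * 100_000 + "]" * 100_000   # constructed: 100k nested arrays, 200 KB


def nesting_depth(text):
    """Maximum [] / {} nesting depth of a JSON text.

    Brackets inside string literals are ignored, so a value like "]}" cannot
    skew the count. Raises ValueError on a closing bracket with no opener.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON: closing bracket without opener")
    return max_depth


def safe_loads(text, max_depth=MAX_DEPTH):
    """json.loads, but only after an O(n) depth check with no recursion."""
    depth = nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def probe(loader, text):
    """Return 'parsed' or the name of the exception the loader raised."""
    try:
        loader(text)
        return "parsed"
    except Exception as exc:        # RecursionError, ValueError, MemoryError, ...
        return type(exc).__name__


def probe_unguarded(text):
    """Outcome of handing text straight to the stdlib recursive parser."""
    return probe(json.loads, text)


if __name__ == "__main__":
    print("unguarded json.loads:   ", probe_unguarded(HOSTILE))
    print("depth-bounded safe_loads:", probe(safe_loads, HOSTILE))
    print("legitimate document:     ",
          safe_loads('{"user": "avapi", "roles": ["api", "]}"]}'))
```

        The stdlib parser is recursive like Jansson's and aborts with
        RecursionError rather than a segfault, but it still does the full
        descent first; the guard fails the request in one pass over the
        bytes with a bounded amount of work, which is the property the
        vulnerable libraries lacked.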


REFERENCES

        [1] Security Advisory - AlienVault v5.2.5 addresses 26 vulnerabilities
            https://www.alienvault.com/forums/discussion/7243/security-advisory-alienvault-v5-2-5-addresses-26-vulnerabilities

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV147Zox+lLeg9Ub1AQh/tg//Xi3zhi528BWJyGcBdcCpPaLjnOk/5fja
fA3Av3qm/Pqnv+/M0S9OI3VoeQr143kvkvB+cIR3eb6Sz7ljq+4HvjXI0L1MpTEM
bDyj2Seemtl6AtgP4syaRrNLQxui5ZkrCcIeg/FWeIqvONlKhKQIh3tGjYQTg0wP
eIF2gm+e2SqV574912qjugdrmbTll1rg3MGbEoWxU9gdn7DCEFskpdc1NknJnQf1
QjdigqM4APoBFSKzjqFH6hoZgi5Y0Cyjki42/Mn6DZUtCbHfJ05Ynn2vpAFnNSDp
+nSMHdMtwZroGQpbdVgpuAdvHqeCRZBA4dEUeNz5A1+vuV3XZQcuQauccsoKKLlP
k7n7TFzT1PClApdWCMzQ8wE+sMUrK7I2kOVSEQTkSOyD8rlqt9312638Aza2Hq/h
DDATCKjrFLwnAX3URDDTt9wBSR5OfX25sWhDO2Z1YOg0oYjPbZ+za3ex3wznz0T+
CJW1LAhgFoGKUNNfYeFYjEbZVEqBBwknj1pFlN+YWJasUyujzV1sT8gHkxUV7O8i
QSk6WjR8fatRk03E/26L/M0AfceLBgwA7O9w4okkfngICoFm8oKHDISuqMHaJKgO
pw16cVE5kShMcxrIBmy8EGa99xqGvm4V6QVdIsXUa1HsbExp2NAPOTBO4e7XBYth
jwIjyvdhS3M=
=cz1S
-----END PGP SIGNATURE-----