===========================================================================
                   AUSCERT Security Bulletin ASB-2016.0065
    Security Advisory - AlienVault v5.2.5 addresses 26 vulnerabilities
                               13 June 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AlienVault USM
                      AlienVault OSSIM
Operating System:     Debian GNU/Linux
                      Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Root Compromise                 -- Existing Account
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Reduced Security                -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-4483 CVE-2016-4449 CVE-2016-4447 CVE-2016-4425
                      CVE-2016-4085 CVE-2016-4082 CVE-2016-4081 CVE-2016-4080
                      CVE-2016-4079 CVE-2016-4006 CVE-2016-3705 CVE-2016-3627
                      CVE-2016-2073 CVE-2016-1840 CVE-2016-1839 CVE-2016-1838
                      CVE-2016-1837 CVE-2016-1836 CVE-2016-1835 CVE-2016-1834
                      CVE-2016-1833 CVE-2016-1762 CVE-2016-0718 CVE-2015-8875
                      CVE-2015-8806 CVE-2015-7552 CVE-2015-2059
Member content until: Wednesday, July 13 2016
Reference:            ESB-2016.1398 ESB-2016.1356 ESB-2016.1285 ESB-2016.1250
                      ESB-2016.1211 ESB-2016.1210 ESB-2016.0741

OVERVIEW

        Multiple vulnerabilities have been identified in AlienVault USM and
        OSSIM prior to version 5.2.5. [1]

IMPACT

        The vendor has provided the following information:

        "Debian Security Update
        AlienVault ID: ENG-102048
        Description: The stringprep_utf8_to_ucs4 function in libidn before
        1.31, as used in jabberd2, allows context-dependent attackers to read
        system memory and possibly have other unspecified impact via invalid
        UTF-8 characters in a string, which triggers an out-of-bounds read.
        CVE ID: CVE-2015-2059
        CVSS: 6.4

        Debian Security Update
        AlienVault ID: ENG-103101
        Description: An insecure sudoers configuration allows the 'avapi' user
        to execute arbitrary python code or arbitrary commands as root. The
        following screenshots detail the insecure sudoers configuration and a
        proof-of-concept exploit. The use of wild cards within the sudoers
        configuration makes this attack possible.
        Reported by: Denis Andzakovic (Security-assessment.com)
        CVSS: 6.6

        Debian Security Update
        AlienVault ID: ENG-103540
        Description: Vulnerability in libexpat
        CVE ID: CVE-2016-0718

        Debian Security Update
        AlienVault ID: ENG-103541
        Description: Jansson 2.7 and earlier allows context-dependent attackers
        to cause a denial of service (deep recursion, stack consumption, and
        crash) via crafted JSON data.
        CVE ID: CVE-2016-4425
        CVSS: 3.7

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x
        before 2.0.3 does not limit the protocol-tree depth, which allows
        remote attackers to cause a denial of service (stack memory consumption
        and application crash) via a crafted packet.
        CVE ID: CVE-2016-4006
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: epan/dissectors/packet-pktc.c in the PKTC dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify
        BER identifiers, which allows remote attackers to cause a denial of
        service (out-of-bounds write and application crash) via a crafted
        packet.
        CVE ID: CVE-2016-4079
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: epan/dissectors/packet-pktc.c in the PKTC dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses
        timestamp fields, which allows remote attackers to cause a denial of
        service (out-of-bounds read and application crash) via a crafted packet.
        CVE ID: CVE-2016-4080
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: epan/dissectors/packet-iax2.c in the IAX2 dissector in
        Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an
        incorrect integer data type, which allows remote attackers to cause a
        denial of service (infinite loop) via a crafted packet.
        CVE ID: CVE-2016-4081
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector
        in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the
        wrong variable to index an array, which allows remote attackers to
        cause a denial of service (out-of-bounds access and application crash)
        via a crafted packet.
        CVE ID: CVE-2016-4082
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103564
        Description: Stack-based buffer overflow in
        epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark
        1.12.x before 1.12.11 allows remote attackers to cause a denial of
        service (application crash) or possibly have unspecified other impact
        via a long string in a packet.
        CVE ID: CVE-2016-4085
        CVSS: 3.2

        Debian Security Update
        AlienVault ID: ENG-103599
        Description: Heap-based buffer overflow in the gdk_pixbuf_flip function
        in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to
        cause a denial of service or possibly execute arbitrary code via a
        crafted BMP file.
        CVE ID: CVE-2015-7552
        CVSS: 6.3

        Debian Security Update
        AlienVault ID: ENG-103599
        Description: Integer overflows in pixops_* functions
        CVE ID: CVE-2015-8875

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: dict.c in libxml2 allows remote attackers to cause a denial
        of service (heap-based buffer over-read and application crash) via an
        unexpected character immediately after the "<!DOCTYPE html" substring
        in a crafted HTML document.
        CVE ID: CVE-2015-8806
        CVSS: 5.0

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2 in Apple iOS before 9.3, OS X before 10.11.4,
        Safari before 9.1, tvOS before 9.2, and watchOS before 2.2 allows
        remote attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document.
        CVE ID: CVE-2016-1762
        CVSS: 10

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837,
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        CVE ID: CVE-2016-1833
        CVSS: 7.5

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837,
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        CVE ID: CVE-2016-1834
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2 and OS X before
        10.11.5, allows remote attackers to execute arbitrary code or cause a
        denial of service (memory corruption) via a crafted XML document.
        CVE ID: CVE-2016-1835
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837,
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        CVE ID: CVE-2016-1836
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836,
        CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
        CVE ID: CVE-2016-1837
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836,
        CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840.
        CVE ID: CVE-2016-1838
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836,
        CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840.
        CVE ID: CVE-2016-1839
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: libxml2, as used in Apple iOS before 9.3.2, OS X before
        10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
        attackers to execute arbitrary code or cause a denial of service
        (memory corruption) via a crafted XML document, a different
        vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836,
        CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839.
        CVE ID: CVE-2016-1840
        CVSS: 6.8

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: The htmlParseNameComplex function in HTMLparser.c in
        libxml2 allows attackers to cause a denial of service (out-of-bounds
        read) via a crafted XML document.
        CVE ID: CVE-2016-2073
        CVSS: 4.3

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: The xmlStringGetNodeList function in tree.c in libxml2
        2.9.3 and earlier, when used in recovery mode, allows context-dependent
        attackers to cause a denial of service (infinite recursion, stack
        consumption, and application crash) via a crafted XML document.
        CVE ID: CVE-2016-3627
        CVSS: 5.0

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex
        functions in parser.c in libxml2 2.9.3 do not properly keep track of
        the recursion depth, which allows context-dependent attackers to cause
        a denial of service (stack consumption and application crash) via a
        crafted XML document containing a large number of nested entity
        references.
        CVE ID: CVE-2016-3705
        CVSS: 5.0

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: Reserved vulnerability in libxml2
        CVE ID: CVE-2016-4447

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: Reserved vulnerability in libxml2
        CVE ID: CVE-2016-4449

        Debian Security Update
        AlienVault ID: ENG-103626
        Description: Reserved vulnerability in libxml2
        CVE ID: CVE-2016-4483." [1]

MITIGATION

        The vendor recommends updating to the latest version. [1]

REFERENCES

        [1] Security Advisory - AlienVault v5.2.5 addresses 26 vulnerabilities
            https://www.alienvault.com/forums/discussion/7243/security-advisory-alienvault-v5-2-5-addresses-26-vulnerabilities

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described is
the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
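Added example for the sudoers wildcard finding (AlienVault ID ENG-103101) in the IMPACT section; it is not part of the AusCERT bulletin and not AlienVault's code. It is the configuration check a defender would run on an appliance: parse sudoers-style rules and flag any command specification containing a glob metacharacter, recording the run-as user and whether NOPASSWD applies. The user name 'avapi' is taken from the bulletin; the sample rules and every path in them are constructed and hypothetical.

```python
"""Flag sudoers rules whose command spec contains a glob: the caller then
chooses which file runs, so a root-granting rule is effectively a root shell."""
import re
from collections import namedtuple

# Constructed sample: NOT the real AlienVault sudoers file (the bulletin only
# says the avapi rules used wildcards).  'avapi' is the user named in the
# bulletin; every path and rule below is hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# API service account (constructed rules)
avapi   ALL=(root) NOPASSWD: /usr/bin/python /opt/example/scripts/*.py
avapi   ALL=(root) NOPASSWD: /opt/example/bin/* restart, /bin/cat /var/log/example.log
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/backups/ /mnt/backup/
"""

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")  # user host=(runas) cmds
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, SETENV:, ... prefixes
GLOB_RE = re.compile(r"[*?\[]")             # sudoers glob metacharacters
Finding = namedtuple("Finding", "user runas command nopasswd")


def audit_sudoers(text):
    """Return one Finding per command spec containing a glob metacharacter."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue                              # options and alias definitions
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmdspec = m.groups()
        runas = (runas or "root").split(":")[0]   # (user:group) -> user; default root
        nopasswd = False                          # a tag persists across later commands
        for cmd in cmdspec.split(","):
            cmd = cmd.strip()
            tags = TAG_RE.match(cmd)
            if tags:
                t = tags.group(0)
                nopasswd = "NOPASSWD:" in t or (nopasswd and "PASSWD:" not in t)
                cmd = cmd[tags.end():]
            if GLOB_RE.search(cmd):
                findings.append(Finding(user, runas, cmd, nopasswd))
    return findings
```

Run it against a copy of /etc/sudoers and /etc/sudoers.d/* on the appliance; any finding with runas root is a rule to replace with an exact, argument-restricted command path.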