-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0120
     [R1] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities
                             21 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Passive Vulnerability Scanner (PVS)
Operating System:     Windows
                      Red Hat
                      OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Access Privileged Data          -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-7052 CVE-2016-6309 CVE-2016-6308
                      CVE-2016-6307 CVE-2016-6306 CVE-2016-6305
                      CVE-2016-6304 CVE-2016-6303 CVE-2016-6302
                      CVE-2016-6153 CVE-2016-5300 CVE-2016-4472
                      CVE-2016-2183 CVE-2016-2182 CVE-2016-2181
                      CVE-2016-2180 CVE-2016-2179 CVE-2016-2178
                      CVE-2016-2177 CVE-2016-0719 CVE-2016-0718
                      CVE-2015-2716 CVE-2015-1283 CVE-2012-6702
                      CVE-2012-0876  
Member content until: Friday, January 20 2017
Reference:            ASB-2016.0110
                      ASB-2016.0103
                      ESB-2016.3013
                      ESB-2016.3012
                      ESB-2016.3002

OVERVIEW

        Multiple vulnerabilities have been identified in Tenable Passive 
        Vulnerability Scanner (PVS) prior to version 5.2.0.[1]


IMPACT

        Tenable have provided the following details regarding the 
        vulnerabilities:
        
        "Tenable's Passive Vulnerability Scanner (PVS) uses third-party 
        libraries to provide certain standardized functionality. Four of 
        these libraries were found to contain vulnerabilities and were fixed
        upstream. Those fixes have been integrated despite there being no 
        known exploitation scenarios related to PVS.
        
        OpenSSL ssl/statem/statem.c read_state_machine() Function Message 
        Handling Use-after-free Remote Code Execution
        
        OpenSSL CRL Handling Unspecified NULL Pointer Dereference DoS
        
        OpenSSL ssl/t1_lib.c ssl_parse_clienthello_tlsext() Function OCSP 
        Status Request Extension Handling Memory Exhaustion Remote DoS
        
        OpenSSL Certificate Message Handling Limited Out-of-bounds Read DoS
        Weakness
        
        OpenSSL ssl/statem/statem_dtls.c dtls1_preprocess_fragment() 
        Function DTLS Message Handling Memory Exhaustion Remote DoS
        
        OpenSSL ssl/record/rec_layer_s3.c SSL_peek() Function Empty Record 
        Handling Remote DoS
        
        OpenSSL ssl/statem/statem_lib.c tls_get_message_header() Function 
        Memory Exhaustion Remote DoS
        
        OpenSSL crypto/mdc2/mdc2dgst.c MDC2_Update() Function Buffer 
        Overflow Weakness
        
        OpenSSL ssl/t1_lib.c tls_decrypt_ticket() Function Ticket HMAC 
        Digest Handling Remote DoS
        
        OpenSSL DTLS Buffered Message Saturation Queue Exhaustion Remote DoS
        
        OpenSSL DTLS Implementation Record Epoch Sequence Number Handling 
        Remote DoS
        
        OpenSSL crypto/bn/bn_print.c BN_bn2dec() Function BIGNUM Handling 
        Buffer Overflow DoS
        
        OpenSSL crypto/ts/ts_lib.c TS_OBJ_print_bio() Function Out-of-bounds
        Read Issue
        
        OpenSSL crypto/dsa/dsa_ossl.c DSA Signing Algorithm Constant Time 
        Failure Side-channel Attack Information Disclosure
        
        OpenSSL Integer Overflow Unspecified Weakness
        
        Triple Data Encryption Algorithm (3DES) 64-bit Block Size Birthday 
        Attack HTTPS Cookie MitM Disclosure (SWEET32)
        
        SQLite Insecure Temporary Directory Usage Local Issue
        
        Expat XML Parser Input Document Handling Buffer Overflow
        
        Expat lib/xmlparse.c XML_GetBuffer() Function Compressed XML Content
        Handling Buffer Overflow
        
        Expat lib/xmlparse.c generate_hash_secret_salt() Function PRNG 
        Non-random Output Generation Weakness
        
        Expat xmlparse.c Hash Table Collision DoS
        
        jQuery UI dialog() Function closeText Parameter XSS
        
        Note that the CVSSv2 score associated with this advisory is specific
        to the OpenSSL integration into PVS and assumes a worst-case 
        scenario. These updates are proactive; Tenable has had no reports of
        exploitation and some of these issues may not impact PVS at all.
        
        Additionally, a reflected XSS vulnerability affecting the PVS Web 
        GUI was fixed in the HTML 1.7.1 and Web Server 1.8.0 updates 
        delivered via the plugin feed on November 14, 2016. A default 
        install of PVS 5.2.0 includes these fixes. This issue was reported 
        to us by Kaustubh Padwad. Tenable thanks him for privately reporting
        the issue to us."[1]
        
        Additional details relating to the vulnerabilities as described by 
        NVD:
        
         
        CVE-2012-0876: "The XML parser (xmlparse.c) in expat before 2.1.0 
        computes hash values without restricting the ability to trigger hash
        collisions predictably, which allows context-dependent attackers to
        cause a denial of service (CPU consumption) via an XML file with 
        many identifiers with the same value."[2]
        
         
        CVE-2012-6702: "Expat, when used in a parser that has not called 
        XML_SetHashSalt or passed it a seed of 0, makes it easier for 
        context-dependent attackers to defeat cryptographic protection 
        mechanisms via vectors involving use of the srand function."[3]
        
         
        CVE-2016-6302: "The tls_decrypt_ticket function in ssl/t1_lib.c in 
        OpenSSL before 1.1.0 does not consider the HMAC size during 
        validation of the ticket length, which allows remote attackers to 
        cause a denial of service via a ticket that is too short."[4]
        
         
        CVE-2016-6303: "Integer overflow in the MDC2_Update function in 
        crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote 
        attackers to cause a denial of service (out-of-bounds write and 
        application crash) or possibly have unspecified other impact via 
        unknown vectors."[5]
        
         
        CVE-2016-6304: "Multiple memory leaks in t1_lib.c in OpenSSL before 
        1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote 
        attackers to cause a denial of service (memory consumption) via 
        large OCSP Status Request extensions."[6]
        
         
        CVE-2016-6305: "The ssl3_read_bytes function in record/rec_layer_s3.c
        in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a 
        denial of service (infinite loop) by triggering a zero-length record
        in an SSL_peek call."[7]
        
         
        CVE-2016-6306: "The certificate parser in OpenSSL before 1.0.1u and 
        1.0.2 before 1.0.2i might allow remote attackers to cause a denial 
        of service (out-of-bounds read) via crafted certificate operations,
        related to s3_clnt.c and s3_srvr.c."[8]
        
         
        CVE-2016-6307: "The state-machine implementation in OpenSSL 1.1.0 
        before 1.1.0a allocates memory before checking for an excessive 
        length, which might allow remote attackers to cause a denial of 
        service (memory consumption) via crafted TLS messages, related to 
        statem/statem.c and statem/statem_lib.c."[9]
        
         
        CVE-2016-6308: "statem/statem_dtls.c in the DTLS implementation in 
        OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an
        excessive length, which might allow remote attackers to cause a 
        denial of service (memory consumption) via crafted DTLS messages."[10]
        
         
        CVE-2016-6309: "statem/statem.c in OpenSSL 1.1.0a does not consider 
        memory-block movement after a realloc call, which allows remote 
        attackers to cause a denial of service (use-after-free) or possibly
        execute arbitrary code via a crafted TLS session."[11]
        
         
        CVE-2016-7052: "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows 
        remote attackers to cause a denial of service (NULL pointer 
        dereference and application crash) by triggering a CRL operation."[12]
        
         
        CVE-2016-2177: "OpenSSL through 1.0.2h incorrectly uses pointer 
        arithmetic for heap-buffer boundary checks, which might allow remote
        attackers to cause a denial of service (integer overflow and 
        application crash) or possibly have unspecified other impact by 
        leveraging unexpected malloc behavior, related to s3_srvr.c, 
        ssl_sess.c, and t1_lib.c."[13]
        
         
        CVE-2016-2178: "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c
        in OpenSSL through 1.0.2h does not properly ensure the use of 
        constant-time operations, which makes it easier for local users to 
        discover a DSA private key via a timing side-channel attack."[14]
        
         
        CVE-2016-2179: "The DTLS implementation in OpenSSL before 1.1.0 does
        not properly restrict the lifetime of queue entries associated with
        unused out-of-order messages, which allows remote attackers to cause
        a denial of service (memory consumption) by maintaining many crafted
        DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, 
        statem_lib.c, and statem_srvr.c."[15]
        
         
        CVE-2016-2180: "The TS_OBJ_print_bio function in crypto/ts/ts_lib.c 
        in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) 
        implementation in OpenSSL through 1.0.2h allows remote attackers to
        cause a denial of service (out-of-bounds read and application crash)
        via a crafted time-stamp file that is mishandled by the "openssl ts"
        command."[16]
        
         
        CVE-2016-2181: "The Anti-Replay feature in the DTLS implementation in
        OpenSSL before 1.1.0 mishandles early use of a new epoch number in 
        conjunction with a large sequence number, which allows remote 
        attackers to cause a denial of service (false-positive packet drops)
        via spoofed DTLS records, related to rec_layer_d1.c and 
        ssl3_record.c."[17]
        
         
        CVE-2016-2182: "The BN_bn2dec function in crypto/bn/bn_print.c in 
        OpenSSL before 1.1.0 does not properly validate division results, 
        which allows remote attackers to cause a denial of service 
        (out-of-bounds write and application crash) or possibly have 
        unspecified other impact via unknown vectors."[18]
        
         
        CVE-2016-2183: "The DES and Triple DES ciphers, as used in the TLS, 
        SSH, and IPSec protocols and other protocols and products, have a 
        birthday bound of approximately four billion blocks, which makes it
        easier for remote attackers to obtain cleartext data via a birthday
        attack against a long-duration encrypted session, as demonstrated by
        an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" 
        attack."[19]
        
         
        CVE-2016-0718: "Expat allows context-dependent attackers to cause a 
        denial of service (crash) or possibly execute arbitrary code via a 
        malformed input document, which triggers a buffer overflow."[20]
        
         
        CVE-2016-0719: "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. 
        ConsultIDs: CVE-2016-0718. Reason: This candidate is a reservation 
        duplicate of CVE-2016-0718. Notes: All CVE users should reference 
        CVE-2016-0718 instead of this candidate. All references and 
        descriptions in this candidate have been removed to prevent 
        accidental usage."[21]
        
         
        CVE-2015-1283: "Multiple integer overflows in the XML_GetBuffer 
        function in Expat through 2.1.0, as used in Google Chrome before 
        44.0.2403.89 and other products, allow remote attackers to cause a 
        denial of service (heap-based buffer overflow) or possibly have 
        unspecified other impact via crafted XML data, a related issue to 
        CVE-2015-2716."[22]
        
         
        CVE-2015-2716: "Buffer overflow in the XML parser in Mozilla Firefox
        before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 
        31.7 allows remote attackers to execute arbitrary code by providing
        a large amount of compressed XML data, a related issue to 
        CVE-2015-1283."[23]
        
         
        CVE-2016-4472: "The overflow protection in Expat is removed by 
        compilers with certain optimization settings, which allows remote 
        attackers to cause a denial of service (crash) or possibly execute 
        arbitrary code via crafted XML data. NOTE: this vulnerability exists
        because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716."[24]
        
         
        CVE-2016-5300: "The XML parser in Expat does not use sufficient 
        entropy for hash initialization, which allows context-dependent 
        attackers to cause a denial of service (CPU consumption) via crafted
        identifiers in an XML document. NOTE: this vulnerability exists 
        because of an incomplete fix for CVE-2012-0876."[25]
        
         
        CVE-2016-6153: "os_unix.c in SQLite before 3.13.0 improperly 
        implements the temporary directory search algorithm, which might 
        allow local users to obtain sensitive information, cause a denial of
        service (application crash), or have unspecified other impact by 
        leveraging use of the current working directory for temporary files."[26]


MITIGATION

        Tenable recommends upgrading to the latest version to address these
        issues:
        
        "Tenable has released version 5.2.0 that corresponds to the
        supported operating systems and architectures. This version bundles
        the updated OpenSSL library (1.0.2j), jQuery UI (1.12.0), Expat 
        (2.2.0), and SQLite (3.13.0), which are not affected. The new 
        version is available at: 
        https://support.tenable.com/support-center/index.php?x=&mod_id=170
        
        Additional References 
        http://static.tenable.com/prod_docs/upgrade_pvs.html#520 
        https://www.openssl.org/news/secadv/20160922.txt 
        https://www.openssl.org/news/secadv/20160926.txt 
        https://nodesecurity.io/advisories/127"[1]
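
        The bundled library versions named in the mitigation above can be
        turned into a routine check. The following is an added example, not
        Tenable's or AusCERT's code: it compares a constructed inventory of
        bundled library versions against the PVS 5.2.0 bundle, handles
        OpenSSL's letter-suffixed releases, and flags the two release-specific
        OpenSSL CVEs quoted from NVD above (CVE-2016-7052 in 1.0.2i,
        CVE-2016-6309 in 1.1.0a). The library keys and sample versions are
        assumptions.

```python
"""Audit PVS bundled library versions against the fixed bundle in TNS-2016-20.
Fixed versions and the release-specific OpenSSL CVEs are from the bulletin;
the sample inventory is constructed for illustration."""
import re

# Library versions bundled with PVS 5.2.0 (MITIGATION section).
FIXED = {"openssl": "1.0.2j", "jquery-ui": "1.12.0",
         "expat": "2.2.0", "sqlite": "3.13.0"}

# NVD entries quoted in the bulletin that name one specific OpenSSL release,
# so "newer than the last known-bad release" is not by itself a clean bill.
EXACT_VERSION_CVES = {
    "1.0.2i": "CVE-2016-7052",  # CRL handling NULL pointer dereference
    "1.1.0a": "CVE-2016-6309",  # realloc use-after-free in statem.c
}

# Dotted numeric components plus an optional OpenSSL-style letter suffix.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def version_key(version):
    """Sort key for versions such as 3.13.0, 1.0.2j or 1.1.0a: components
    compare as integers (3.13.0 > 3.9.2, unlike a string comparison) and the
    suffix orders "" < "a" < ... < "z" < "za"."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers, letters = match.groups()
    parts = tuple(int(p) for p in numbers.split("."))
    parts += (0,) * (4 - len(parts))  # 1.0.2 and 1.0.2.0 compare equal
    return parts, len(letters), letters


def is_at_least(installed, required):
    return version_key(installed) >= version_key(required)


def audit(inventory):
    """Return {library: finding} for each bundled library needing attention."""
    findings = {}
    for lib, fixed in FIXED.items():
        installed = inventory.get(lib)
        if installed is None:
            findings[lib] = "version not reported"
        elif installed in EXACT_VERSION_CVES:
            findings[lib] = f"{installed} is affected by {EXACT_VERSION_CVES[installed]}"
        elif not is_at_least(installed, fixed):
            findings[lib] = f"{installed} is older than fixed version {fixed}"
    return findings


# Constructed inventory of a hypothetical pre-5.2.0 install.
SAMPLE_INVENTORY = {"openssl": "1.0.2h", "jquery-ui": "1.11.4",
                    "expat": "2.1.0", "sqlite": "3.9.2"}

if __name__ == "__main__":
    for lib, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{lib}: {finding}")
```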


REFERENCES

        [1] [R1] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities
            http://www.tenable.com/security/tns-2016-20

        [2] Vulnerability Summary for CVE-2012-0876
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0876

        [3] Vulnerability Summary for CVE-2012-6702
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6702

        [4] Vulnerability Summary for CVE-2016-6302
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6302

        [5] Vulnerability Summary for CVE-2016-6303
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6303

        [6] Vulnerability Summary for CVE-2016-6304
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304

        [7] Vulnerability Summary for CVE-2016-6305
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6305

        [8] Vulnerability Summary for CVE-2016-6306
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6306

        [9] Vulnerability Summary for CVE-2016-6307
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6307

        [10] Vulnerability Summary for CVE-2016-6308
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6308

        [11] Vulnerability Summary for CVE-2016-6309
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6309

        [12] Vulnerability Summary for CVE-2016-7052
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7052

        [13] Vulnerability Summary for CVE-2016-2177
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177

        [14] Vulnerability Summary for CVE-2016-2178
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2178

        [15] Vulnerability Summary for CVE-2016-2179
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2179

        [16] Vulnerability Summary for CVE-2016-2180
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2180

        [17] Vulnerability Summary for CVE-2016-2181
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2181

        [18] Vulnerability Summary for CVE-2016-2182
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2182

        [19] Vulnerability Summary for CVE-2016-2183
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183

        [20] Vulnerability Summary for CVE-2016-0718
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718

        [21] Vulnerability Summary for CVE-2016-0719
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0719

        [22] Vulnerability Summary for CVE-2015-1283
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283

        [23] Vulnerability Summary for CVE-2015-2716
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2716

        [24] Vulnerability Summary for CVE-2016-4472
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4472

        [25] Vulnerability Summary for CVE-2016-5300
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5300

        [26] Vulnerability Summary for CVE-2016-6153
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6153

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----