===========================================================================
                       AUSCERT Security Bulletin

                            ASB-2016.0120
    [R1] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities
                           21 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable Passive Vulnerability Scanner (PVS)
Operating System:     Windows
                      Red Hat
                      OS X
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-7052 CVE-2016-6309 CVE-2016-6308 CVE-2016-6307
                      CVE-2016-6306 CVE-2016-6305 CVE-2016-6304 CVE-2016-6303
                      CVE-2016-6302 CVE-2016-6153 CVE-2016-5300 CVE-2016-4472
                      CVE-2016-2183 CVE-2016-2182 CVE-2016-2181 CVE-2016-2180
                      CVE-2016-2179 CVE-2016-2178 CVE-2016-2177 CVE-2016-0719
                      CVE-2016-0718 CVE-2015-2716 CVE-2015-1283 CVE-2012-6702
                      CVE-2012-0876
Member content until: Friday, January 20 2017
Reference:            ASB-2016.0110
                      ASB-2016.0103
                      ESB-2016.3013
                      ESB-2016.3012
                      ESB-2016.3002

OVERVIEW

        Multiple vulnerabilities have been identified in Tenable Passive
        Vulnerability Scanner (PVS) prior to version 5.2.0. [1]

IMPACT

        Tenable has provided the following details regarding the
        vulnerabilities:

        "Tenable's Passive Vulnerability Scanner (PVS) uses third-party
        libraries to provide certain standardized functionality. Four of
        these libraries were found to contain vulnerabilities and were fixed
        upstream. Those fixes have been integrated despite there being no
        known exploitation scenarios related to PVS.

        OpenSSL ssl/statem/statem.c read_state_machine() Function Message
          Handling Use-after-free Remote Code Execution
        OpenSSL CRL Handling Unspecified NULL Pointer Dereference DoS
        OpenSSL ssl/t1_lib.c ssl_parse_clienthello_tlsext() Function OCSP
          Status Request Extension Handling Memory Exhaustion Remote DoS
        OpenSSL Certificate Message Handling Limited Out-of-bounds Read DoS
          Weakness
        OpenSSL ssl/statem/statem_dtls.c dtls1_preprocess_fragment() Function
          DTLS Message Handling Memory Exhaustion Remote DoS
        OpenSSL ssl/record/rec_layer_s3.c SSL_peek() Function Empty Record
          Handling Remote DoS
        OpenSSL ssl/statem/statem_lib.c tls_get_message_header() Function
          Memory Exhaustion Remote DoS
        OpenSSL crypto/mdc2/mdc2dgst.c MDC2_Update() Function Buffer Overflow
          Weakness
        OpenSSL ssl/t1_lib.c tls_decrypt_ticket() Function Ticket HMAC Digest
          Handling Remote DoS
        OpenSSL DTLS Buffered Message Saturation Queue Exhaustion Remote DoS
        OpenSSL DTLS Implementation Record Epoch Sequence Number Handling
          Remote DoS
        OpenSSL crypto/bn/bn_print.c BN_bn2dec() Function BIGNUM Handling
          Buffer Overflow DoS
        OpenSSL crypto/ts/ts_lib.c TS_OBJ_print_bio() Function Out-of-bounds
          Read Issue
        OpenSSL crypto/dsa/dsa_ossl.c DSA Signing Algorithm Constant Time
          Failure Side-channel Attack Information Disclosure
        OpenSSL Integer Overflow Unspecified Weakness
        Triple Data Encryption Algorithm (3DES) 64-bit Block Size Birthday
          Attack HTTPS Cookie MitM Disclosure (SWEET32)
        SQLite Insecure Temporary Directory Usage Local Issue
        Expat XML Parser Input Document Handling Buffer Overflow
        Expat lib/xmlparse.c XML_GetBuffer() Function Compressed XML Content
          Handling Buffer Overflow
        Expat lib/xmlparse.c generate_hash_secret_salt() Function PRNG
          Non-random Output Generation Weakness
        Expat xmlparse.c Hash Table Collision DoS
        jQuery UI dialog() Function closeText Parameter XSS

        Note that the CVSSv2 score associated with this advisory is specific
        to the OpenSSL integration into PVS and assumes a worst-case
        scenario. These updates are proactive; Tenable has had no reports of
        exploitation and some of these issues may not impact PVS at all.

        Additionally, a reflected XSS vulnerability affecting the PVS Web GUI
        was fixed in the HTML 1.7.1 and Web Server 1.8.0 updates delivered
        via the plugin feed on November 14, 2016. A default install of PVS
        5.2.0 includes these fixes. This issue was reported to us by Kaustubh
        Padwad. Tenable thanks him for privately reporting the issue to
        us." [1]

        Additional details relating to the vulnerabilities as described by
        NVD:

        CVE-2012-0876: "The XML parser (xmlparse.c) in expat before 2.1.0
        computes hash values without restricting the ability to trigger hash
        collisions predictably, which allows context-dependent attackers to
        cause a denial of service (CPU consumption) via an XML file with
        many identifiers with the same value." [2]

        CVE-2012-6702: "Expat, when used in a parser that has not called
        XML_SetHashSalt or passed it a seed of 0, makes it easier for
        context-dependent attackers to defeat cryptographic protection
        mechanisms via vectors involving use of the srand function." [3]

        CVE-2016-6302: "The tls_decrypt_ticket function in ssl/t1_lib.c in
        OpenSSL before 1.1.0 does not consider the HMAC size during
        validation of the ticket length, which allows remote attackers to
        cause a denial of service via a ticket that is too short." [4]

        CVE-2016-6303: "Integer overflow in the MDC2_Update function in
        crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote
        attackers to cause a denial of service (out-of-bounds write and
        application crash) or possibly have unspecified other impact via
        unknown vectors." [5]

        CVE-2016-6304: "Multiple memory leaks in t1_lib.c in OpenSSL before
        1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote
        attackers to cause a denial of service (memory consumption) via
        large OCSP Status Request extensions." [6]

        CVE-2016-6305: "The ssl3_read_bytes function in record/rec_layer_s3.c
        in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a
        denial of service (infinite loop) by triggering a zero-length record
        in an SSL_peek call." [7]

        CVE-2016-6306: "The certificate parser in OpenSSL before 1.0.1u and
        1.0.2 before 1.0.2i might allow remote attackers to cause a denial
        of service (out-of-bounds read) via crafted certificate operations,
        related to s3_clnt.c and s3_srvr.c." [8]

        CVE-2016-6307: "The state-machine implementation in OpenSSL 1.1.0
        before 1.1.0a allocates memory before checking for an excessive
        length, which might allow remote attackers to cause a denial of
        service (memory consumption) via crafted TLS messages, related to
        statem/statem.c and statem/statem_lib.c." [9]

        CVE-2016-6308: "statem/statem_dtls.c in the DTLS implementation in
        OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an
        excessive length, which might allow remote attackers to cause a
        denial of service (memory consumption) via crafted DTLS
        messages." [10]

        CVE-2016-6309: "statem/statem.c in OpenSSL 1.1.0a does not consider
        memory-block movement after a realloc call, which allows remote
        attackers to cause a denial of service (use-after-free) or possibly
        execute arbitrary code via a crafted TLS session." [11]

        CVE-2016-7052: "crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows
        remote attackers to cause a denial of service (NULL pointer
        dereference and application crash) by triggering a CRL
        operation." [12]

        CVE-2016-2177: "OpenSSL through 1.0.2h incorrectly uses pointer
        arithmetic for heap-buffer boundary checks, which might allow remote
        attackers to cause a denial of service (integer overflow and
        application crash) or possibly have unspecified other impact by
        leveraging unexpected malloc behavior, related to s3_srvr.c,
        ssl_sess.c, and t1_lib.c." [13]

        CVE-2016-2178: "The dsa_sign_setup function in crypto/dsa/dsa_ossl.c
        in OpenSSL through 1.0.2h does not properly ensure the use of
        constant-time operations, which makes it easier for local users to
        discover a DSA private key via a timing side-channel attack." [14]

        CVE-2016-2179: "The DTLS implementation in OpenSSL before 1.1.0 does
        not properly restrict the lifetime of queue entries associated with
        unused out-of-order messages, which allows remote attackers to cause
        a denial of service (memory consumption) by maintaining many crafted
        DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c,
        statem_lib.c, and statem_srvr.c." [15]

        CVE-2016-2180: "The TS_OBJ_print_bio function in crypto/ts/ts_lib.c
        in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
        implementation in OpenSSL through 1.0.2h allows remote attackers to
        cause a denial of service (out-of-bounds read and application
        crash) via a crafted time-stamp file that is mishandled by the
        "openssl ts" command." [16]

        CVE-2016-2181: "The Anti-Replay feature in the DTLS implementation
        in OpenSSL before 1.1.0 mishandles early use of a new epoch number
        in conjunction with a large sequence number, which allows remote
        attackers to cause a denial of service (false-positive packet
        drops) via spoofed DTLS records, related to rec_layer_d1.c and
        ssl3_record.c." [17]

        CVE-2016-2182: "The BN_bn2dec function in crypto/bn/bn_print.c in
        OpenSSL before 1.1.0 does not properly validate division results,
        which allows remote attackers to cause a denial of service
        (out-of-bounds write and application crash) or possibly have
        unspecified other impact via unknown vectors." [18]

        CVE-2016-2183: "The DES and Triple DES ciphers, as used in the TLS,
        SSH, and IPSec protocols and other protocols and products, have a
        birthday bound of approximately four billion blocks, which makes it
        easier for remote attackers to obtain cleartext data via a birthday
        attack against a long-duration encrypted session, as demonstrated
        by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32"
        attack." [19]

        CVE-2016-0718: "Expat allows context-dependent attackers to cause a
        denial of service (crash) or possibly execute arbitrary code via a
        malformed input document, which triggers a buffer overflow." [20]

        CVE-2016-0719: "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
        ConsultIDs: CVE-2016-0718. Reason: This candidate is a reservation
        duplicate of CVE-2016-0718. Notes: All CVE users should reference
        CVE-2016-0718 instead of this candidate. All references and
        descriptions in this candidate have been removed to prevent
        accidental usage." [21]

        CVE-2015-1283: "Multiple integer overflows in the XML_GetBuffer
        function in Expat through 2.1.0, as used in Google Chrome before
        44.0.2403.89 and other products, allow remote attackers to cause a
        denial of service (heap-based buffer overflow) or possibly have
        unspecified other impact via crafted XML data, a related issue to
        CVE-2015-2716." [22]

        CVE-2015-2716: "Buffer overflow in the XML parser in Mozilla Firefox
        before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before
        31.7 allows remote attackers to execute arbitrary code by providing
        a large amount of compressed XML data, a related issue to
        CVE-2015-1283." [23]

        CVE-2016-4472: "The overflow protection in Expat is removed by
        compilers with certain optimization settings, which allows remote
        attackers to cause a denial of service (crash) or possibly execute
        arbitrary code via crafted XML data. NOTE: this vulnerability exists
        because of an incomplete fix for CVE-2015-1283 and
        CVE-2015-2716." [24]

        CVE-2016-5300: "The XML parser in Expat does not use sufficient
        entropy for hash initialization, which allows context-dependent
        attackers to cause a denial of service (CPU consumption) via crafted
        identifiers in an XML document. NOTE: this vulnerability exists
        because of an incomplete fix for CVE-2012-0876." [25]

        CVE-2016-6153: "os_unix.c in SQLite before 3.13.0 improperly
        implements the temporary directory search algorithm, which might
        allow local users to obtain sensitive information, cause a denial
        of service (application crash), or have unspecified other impact by
        leveraging use of the current working directory for temporary
        files." [26]

MITIGATION

        Tenable recommends upgrading to the latest version to address these
        issues:

        "Tenable has released version 5.2.0 that corresponds to the
        supported operating systems and architectures. This version bundles
        the updated OpenSSL library (1.0.2j), jQuery UI (1.12.0), Expat
        (2.2.0), and SQLite (3.13.0), which are not affected. The new
        version is available at:

        https://support.tenable.com/support-center/index.php?x=&mod_id=170

        Additional References

        http://static.tenable.com/prod_docs/upgrade_pvs.html#520
        https://www.openssl.org/news/secadv/20160922.txt
        https://www.openssl.org/news/secadv/20160926.txt
        https://nodesecurity.io/advisories/127" [1]

REFERENCES

        [1] [R1] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities
            http://www.tenable.com/security/tns-2016-20

        [2] Vulnerability Summary for CVE-2012-0876
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0876

        [3] Vulnerability Summary for CVE-2012-6702
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6702

        [4] Vulnerability Summary for CVE-2016-6302
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6302

        [5] Vulnerability Summary for CVE-2016-6303
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6303

        [6] Vulnerability Summary for CVE-2016-6304
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304

        [7] Vulnerability Summary for CVE-2016-6305
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6305

        [8] Vulnerability Summary for CVE-2016-6306
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6306

        [9] Vulnerability Summary for CVE-2016-6307
            https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6307

        [10] Vulnerability Summary for CVE-2016-6308
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6308

        [11] Vulnerability Summary for CVE-2016-6309
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6309

        [12] Vulnerability Summary for CVE-2016-7052
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7052

        [13] Vulnerability Summary for CVE-2016-2177
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177

        [14] Vulnerability Summary for CVE-2016-2178
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2178

        [15] Vulnerability Summary for CVE-2016-2179
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2179

        [16] Vulnerability Summary for CVE-2016-2180
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2180

        [17] Vulnerability Summary for CVE-2016-2181
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2181

        [18] Vulnerability Summary for CVE-2016-2182
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2182

        [19] Vulnerability Summary for CVE-2016-2183
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183

        [20] Vulnerability Summary for CVE-2016-0718
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718

        [21] Vulnerability Summary for CVE-2016-0719
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0719

        [22] Vulnerability Summary for CVE-2015-1283
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283

        [23] Vulnerability Summary for CVE-2015-2716
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2716

        [24] Vulnerability Summary for CVE-2016-4472
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4472

        [25] Vulnerability Summary for CVE-2016-5300
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5300

        [26] Vulnerability Summary for CVE-2016-6153
             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6153

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
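The MITIGATION section names the library versions bundled with PVS 5.2.0 (OpenSSL 1.0.2j, jQuery UI 1.12.0, Expat 2.2.0, SQLite 3.13.0). The check below, an added example that is neither Tenable's nor AusCERT's code, compares a constructed inventory of library versions against those fixed versions. It assumes the pre-1.1 OpenSSL convention of a letter suffix for patch releases within one line, and deliberately reports "unknown" for an OpenSSL release line the advisory does not name (the 1.1.0 branch has its own fix points, 1.1.0a and 1.1.0b, per the NVD entries above), rather than guessing.

```python
import re
from typing import Dict, Optional, Tuple

# Library versions bundled with PVS 5.2.0, as given in the Tenable advisory
# quoted in this bulletin. These are the only release lines covered here.
FIXED_VERSIONS = {
    "openssl": "1.0.2j",
    "jquery-ui": "1.12.0",
    "expat": "2.2.0",
    "sqlite": "3.13.0",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '1.0.2j' into ((1, 0, 2), 10); a missing letter counts as 0."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return numbers, letter


def is_fixed(library: str, installed: str) -> Optional[bool]:
    """True/False when `installed` is on the release line this advisory names;
    None when it is on a different OpenSSL line and needs a separate check."""
    have_num, have_letter = parse_version(installed)
    need_num, need_letter = parse_version(FIXED_VERSIONS[library])
    if library == "openssl":
        # Pre-1.1 OpenSSL numbers patch releases by letter within a fixed
        # major.minor.fix line; any other line is a different branch.
        if have_num != need_num:
            return None
        return have_letter >= need_letter
    width = max(len(have_num), len(need_num))
    have = have_num + (0,) * (width - len(have_num))
    need = need_num + (0,) * (width - len(need_num))
    return have >= need


def audit(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each library in an inventory to True (fixed), False or None."""
    return {lib: is_fixed(lib, ver) for lib, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real PVS install.
    sample = {"openssl": "1.0.2h", "expat": "2.2.0", "sqlite": "3.8.11"}
    for lib, ok in audit(sample).items():
        state = "fixed" if ok else ("other branch" if ok is None else "NEEDS UPGRADE")
        print(f"{lib:10s} {sample[lib]:8s} {state}")
```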