-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin

                       ASB-2017.0186 [R1]
           SecurityCenter 5.6.0 Fixes One Vulnerability
                           2 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable SecurityCenter
Operating System:     Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-11508
Member content until: Saturday, December 2 2017

OVERVIEW

        An SQL injection vulnerability has been identified in Tenable
        SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2. [1]


IMPACT

        Tenable have provided the following details regarding the
        vulnerability:

        "An attacker could exploit this vulnerability by entering a crafted
        SQL query into the password field of a diagnostic scan within
        SecurityCenter. Successful exploitation of this vulnerability could
        allow an attacker to gain unauthorized access to the SecurityCenter
        database." [1]

        "CVE ID: CVE-2017-11508
        Tenable Advisory ID: TNS-2017-13
        Risk Factor: Medium
        CVSSv2 Base / Temporal Score: 6.5/6.2
        CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:ND/RC:ND/CDP:L/TD:L/CR:L/IR:L/AR:L" [1]

        Note that the vector (AV:N, Au:S) and the "Existing Account" impact
        above mean the flaw is reachable over the network but only by a user
        who already holds a SecurityCenter account and can configure a
        diagnostic scan; it is not an unauthenticated issue.


MITIGATION

        Tenable recommends upgrading to the latest version, SecurityCenter
        5.6.0, which fixes this vulnerability. [1]


REFERENCES

        [1] SecurityCenter 5.6.0 Fixes One Vulnerability
            http://www.tenable.com/security/tns-2017-13

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBWfq7pYx+lLeg9Ub1AQij0Q/4jaYye+zmuzusy+HJAJ8ziTZKTi0h2ZIO
Lhq0HnacEN7B+WMuLyT5sQw68oDAC681vczZ+2XA8HAa+z8cgdCrnJgMXHUQn5DK
SOfMajzyCtKWlNi3vdwO9iyUuqZWcq1tO7iF9n3aGFfe4lhiMWbEoj5tgUBMhzLp
QCwvEl2R900wuJWVLTKxcXfVVUGhMyCdqiuqdLHgEjP+11TwPXX3y4cWVPWCKAxN
xqOQecyNcd1M7o2SrquJC4sAv1G+rJmhgY/yeIAxuiMqEkUOhqe20uH8dtuiu8cf
3b+mh4H4LP8zPKSaKo8hAEigN0d5+vAsLdoQwpay4+bI4XzbL16Izh5WS6j1HKEB
lwhrDrFyVYhRcq/BOwXFLqpJQLudbgH0NuX+qW00gZivGBt5WLLDikoCtSjj3S+k
+k6fqP/oPGanUfIOzWo4t0CvObyjVhVTAFD7Bx+FPBIPjJQ6DkSO38LG5Uws/w3M
EeYzRsSk2+clT7SyJqB4NMn0z95ifhzVKZ9uDhiWvg9SFVm/iEu6v5YHjLBCivNh
Jqqi2fxNe5qoVsplbSdnrrB5hA3S0LQueke41SFosY61jNsZZNtyuDnDSx8w4VGn
kQz4gORcrrjTV/X+XsQ9A++C91feZWgL8fGO0JvEeBTQFm2uyYXDY9ckEBC8IBwj
l9e3mC2cPg==
=xJCv
-----END PGP SIGNATURE-----
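The IMPACT section above describes the vulnerability class only in one sentence: a value typed into a password field is spliced into SQL text, so the attacker rewrites the statement instead of supplying data. The following is an added illustration of that class and is not Tenable's code; the advisory does not publish SecurityCenter's schema or the affected statement, so the `credentials` and `secrets` tables, the `lookup_*` functions and the sample payload are all constructed assumptions, using SQLite purely so the example runs offline. It places a vulnerable string-built query beside the parameterised form that closes the hole.

```python
import sqlite3

# Constructed in-memory schema standing in for a scanner's credential store.
# Table and column names are assumptions for illustration only; this is not
# Tenable's code and says nothing about SecurityCenter's actual database.
SCHEMA = """
CREATE TABLE credentials (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
CREATE TABLE secrets (
    id    INTEGER PRIMARY KEY,
    value TEXT NOT NULL
);
INSERT INTO credentials (username, password) VALUES ('alice', 'hunter2');
INSERT INTO secrets (value) VALUES ('api-key-should-never-leak');
"""

# Constructed payload typed into the password field: it closes the open
# string literal, UNIONs in a read of an unrelated table, and comments out
# whatever the application appends after the value.
PAYLOAD = "' UNION SELECT id, value FROM secrets --"


def setup_db():
    """Create a fresh in-memory database populated with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username, password):
    """Credential check that interpolates user input into the SQL text.

    The password value becomes part of the statement, so a crafted value
    changes what the query does rather than what it compares against.
    """
    sql = ("SELECT id, username FROM credentials "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, password):
    """Same check with bound parameters: input is always data, never SQL."""
    sql = ("SELECT id, username FROM credentials "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # The string-built query returns a row from the secrets table instead of
    # a credential row; the parameterised query treats the payload as a
    # password that simply does not match.
    print("vulnerable:", lookup_vulnerable(db, "alice", PAYLOAD))
    print("safe:      ", lookup_safe(db, "alice", PAYLOAD))
    print("safe, real password:", lookup_safe(db, "alice", "hunter2"))
```

The fix is the same regardless of database driver: bind every user-supplied value as a parameter and never build statement text from it. When reviewing code for this class, search for string formatting or concatenation feeding an `execute` call; a password field deserves the same scrutiny as any other input, since it is stored and later read back by the application just like the rest.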