-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0186
             [R1] SecurityCenter 5.6.0 Fixes One Vulnerability
                              2 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable SecurityCenter
Operating System:     Linux variants
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-11508  
Member content until: Saturday, December  2 2017

OVERVIEW

        An SQL Injection vulnerability has been identified in Tenable 
        SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2. [1]


IMPACT

        Tenable has provided the following details regarding the
        vulnerability:
        
        "An attacker could exploit this vulnerability by entering a crafted
        SQL query into the password field of a diagnostic scan within 
        SecurityCenter. Successful exploitation of this vulnerability could
        allow an attacker to gain unauthorized access to the SecurityCenter
        database." [1]
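
        The vulnerability class described above, as an added illustration
        that is not Tenable's code and not the SecurityCenter query in
        question (the advisory does not publish the affected statement or
        any payload): a password value that is concatenated into SQL text
        lets a crafted string rewrite the query, whereas a bound parameter
        is never parsed as SQL. The table, rows, column names and payloads
        are constructed for the example.

```python
import sqlite3

# Constructed sample schema and data; not SecurityCenter's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE scan_credentials "
        "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO scan_credentials (username, password) "
        "VALUES ('scanner', 's3cret')"
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the untrusted password
    becomes part of the SQL text, so quotes in it change the query."""
    sql = (
        "SELECT id FROM scan_credentials "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Passes the values as bound parameters: the driver sends them as
    data, so the same payloads are compared literally and match nothing."""
    sql = (
        "SELECT id FROM scan_credentials "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads: a tautology that bypasses the password check, and
# a UNION that reads another column out of the database.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT password FROM scan_credentials --"


def demo():
    """Runs both lookups against the same database with the same inputs."""
    conn = build_db()
    return {
        "vuln_wrong_password": lookup_vulnerable(conn, "scanner", "wrong"),
        "vuln_tautology": lookup_vulnerable(conn, "scanner", TAUTOLOGY),
        "vuln_union_read": lookup_vulnerable(conn, "scanner", UNION_READ),
        "param_tautology": lookup_parameterized(conn, "scanner", TAUTOLOGY),
        "param_union_read": lookup_parameterized(conn, "scanner", UNION_READ),
        "param_correct": lookup_parameterized(conn, "scanner", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

        In the formatted variant the tautology returns the credential row
        without knowing the password, and the UNION payload returns the
        stored secret itself, which is the "unauthorized access to the
        database" outcome the advisory describes. The parameterized
        variant returns nothing for either payload and still matches the
        real password.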
        
        "CVE ID: CVE-2017-11508
        Tenable Advisory ID: TNS-2017-13
        Risk Factor: Medium
        CVSSv2 Base / Temporal Score: 6.5/6.2
        CVSSv2 Vector:
        AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:ND/RC:ND/CDP:L/TD:L/CR:L/IR:L/AR:L"
        [1]


MITIGATION

        Tenable recommends upgrading to SecurityCenter 5.6.0 or later,
        which addresses this vulnerability. [1]


REFERENCES

        [1] SecurityCenter 5.6.0 Fixes One Vulnerability
            http://www.tenable.com/security/tns-2017-13

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBWfq7pYx+lLeg9Ub1AQij0Q/4jaYye+zmuzusy+HJAJ8ziTZKTi0h2ZIO
Lhq0HnacEN7B+WMuLyT5sQw68oDAC681vczZ+2XA8HAa+z8cgdCrnJgMXHUQn5DK
SOfMajzyCtKWlNi3vdwO9iyUuqZWcq1tO7iF9n3aGFfe4lhiMWbEoj5tgUBMhzLp
QCwvEl2R900wuJWVLTKxcXfVVUGhMyCdqiuqdLHgEjP+11TwPXX3y4cWVPWCKAxN
xqOQecyNcd1M7o2SrquJC4sAv1G+rJmhgY/yeIAxuiMqEkUOhqe20uH8dtuiu8cf
3b+mh4H4LP8zPKSaKo8hAEigN0d5+vAsLdoQwpay4+bI4XzbL16Izh5WS6j1HKEB
lwhrDrFyVYhRcq/BOwXFLqpJQLudbgH0NuX+qW00gZivGBt5WLLDikoCtSjj3S+k
+k6fqP/oPGanUfIOzWo4t0CvObyjVhVTAFD7Bx+FPBIPjJQ6DkSO38LG5Uws/w3M
EeYzRsSk2+clT7SyJqB4NMn0z95ifhzVKZ9uDhiWvg9SFVm/iEu6v5YHjLBCivNh
Jqqi2fxNe5qoVsplbSdnrrB5hA3S0LQueke41SFosY61jNsZZNtyuDnDSx8w4VGn
kQz4gORcrrjTV/X+XsQ9A++C91feZWgL8fGO0JvEeBTQFm2uyYXDY9ckEBC8IBwj
l9e3mC2cPg==
=xJCv
-----END PGP SIGNATURE-----