Vulnerabilities > CVE-2003-0147

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(11267);
 script_version("1.43");
 script_cvs_date("Date: 2018/07/16 14:09:14");

 script_cve_id("CVE-2003-0078", "CVE-2003-0131", "CVE-2003-0147");
 script_bugtraq_id(6884, 7148);
 script_xref(name:"RHSA", value:"2003:101-01");
 script_xref(name:"SuSE", value:"SUSE-SA:2003:024");
 
 script_name(english:"OpenSSL < 0.9.6j / 0.9.7b Multiple Vulnerabilities");
 script_summary(english:"Checks for version of OpenSSL");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"According to its banner, the remote host is using a version
of OpenSSL older than 0.9.6j or 0.9.7b.

This version is vulnerable to a timing-based attack that could
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.

An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate the server and perform man-in-the-middle attacks." );
 script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20030219.txt" );
 script_set_attribute(attribute:"see_also", value:"http://eprint.iacr.org/2003/052/" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to version 0.9.6j (0.9.7b) or newer." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 
 script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/19");
 script_set_attribute(attribute:"patch_publication_date", value:"2003/04/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/02/20");
 
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 443);
 exit(0);
}

#
# The script code starts here - we rely on Apache to spit OpenSSL's
# version. That sucks.
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("backport.inc");

if ( get_kb_item("CVE-2003-0078") ) exit(0);

ports = add_port_in_list(list:get_kb_list("Services/www"), port:443);

foreach port (ports)
{
 banner = get_backport_banner(banner:get_http_banner(port:port));
 if ( ! banner || backported  )  continue;
 if(egrep(pattern:"^Server.*OpenSSL/0\.9\.([0-5][^0-9]|6[^a-z]|6[a-i])", string:banner) || egrep(pattern:"^Server.*OpenSSL/0\.9\.7(-beta|a| )", string:banner)) security_warning(port);
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-288. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15125);
  script_version("1.25");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0131", "CVE-2003-0147");
  script_bugtraq_id(7101, 7148);
  script_xref(name:"CERT", value:"888801");
  script_xref(name:"DSA", value:"288");

  script_name(english:"Debian DSA-288-1 : openssl - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Researchers discovered two flaws in OpenSSL, a Secure Socket Layer
(SSL) library and related cryptographic tools. Applications that are
linked against this library are generally vulnerable to attacks that
could leak the server's private key or make the encrypted session
decryptable otherwise. The Common Vulnerabilities and Exposures (CVE)
project identified the following vulnerabilities :

 CAN-2003-0147 OpenSSL does not use RSA blinding by default, which
 allows local and remote attackers to obtain the server's private key.
 CAN-2003-0131 The SSL allows remote attackers to perform an
 unauthorized RSA private key operation that causes OpenSSL to leak
 information regarding the relationship between ciphertext and the
 associated plaintext."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-288"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the openssl packages immediately and restart the applications
that use OpenSSL.

For the stable distribution (woody) these problems have been fixed in
version 0.9.6c-2.woody.3.

For the old stable distribution (potato) these problems have been
fixed in version 0.9.6c-0.potato.6.

Unfortunately, RSA blinding is not thread-safe and will cause failures
for programs that use threads and OpenSSL such as stunnel. However,
since the proposed fix would change the binary interface (ABI),
programs that are dynamically linked against OpenSSL won't run
anymore. This is a dilemma we can't solve.

You will have to decide whether you want the security update which is
not thread-safe and recompile all applications that apparently fail
after the upgrade, or fetch the additional source packages at the end
of this advisory, recompile it and use a thread-safe OpenSSL library
again, but also recompile all applications that make use of it (such
as apache-ssl, mod_ssl, ssh etc.).

However, since only very few packages use threads and link against the
OpenSSL library most users will be able to use packages from this
update without any problems."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"2.2", prefix:"libssl-dev", reference:"0.9.6c-0.potato.6")) flag++;
if (deb_check(release:"2.2", prefix:"libssl0.9.6", reference:"0.9.6c-0.potato.6")) flag++;
if (deb_check(release:"2.2", prefix:"openssl", reference:"0.9.6c-0.potato.6")) flag++;
if (deb_check(release:"2.2", prefix:"ssleay", reference:"0.9.6c-0.potato.6")) flag++;
if (deb_check(release:"3.0", prefix:"libssl-dev", reference:"0.9.6c-2.woody.3")) flag++;
if (deb_check(release:"3.0", prefix:"libssl0.9.6", reference:"0.9.6c-2.woody.3")) flag++;
if (deb_check(release:"3.0", prefix:"openssl", reference:"0.9.6c-2.woody.3")) flag++;
if (deb_check(release:"3.0", prefix:"ssleay", reference:"0.9.6c-2.woody.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");