Vulnerabilities > CVE-2005-1730 - Unspecified vulnerability in Novell Imanager 1.5/2.0/2.0.2

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
novell
critical
nessus

Summary

Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonstrated by "OpenSSL ASN.1 brute forcer." NOTE: this issue might overlap CVE-2004-0079, CVE-2004-0081, or CVE-2004-0112. This vulnerability is addressed in the following product update: http://www.novell.com/products/consoles/

Vulnerable Configurations

Part Description Count
Application
Novell
4

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-136.NASL
    descriptionThe OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan. CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue. These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1. These vulnerabilities are also present in Debian 2.2 (potato). Fixed packages are available in openssl094_0.9.4-6.potato.2 and openssl_0.9.6c-0.potato.4. A worm is actively exploiting this issue on internet-attached hosts; we recommend you upgrade your OpenSSL as soon as possible. Note that you must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.) If you are uncertain which programs are using SSL you may choose to reboot to ensure that all running daemons are using the new libraries.
    last seen2020-06-01
    modified2020-06-02
    plugin id14973
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14973
    titleDebian DSA-136-1 : openssl - multiple remote exploits
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-136. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14973);
      script_version("1.28");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0657", "CVE-2002-0659", "CVE-2005-1730");
      script_bugtraq_id(5353, 5361, 5362, 5363, 5364, 5366);
      script_xref(name:"DSA", value:"136");
    
      script_name(english:"Debian DSA-136-1 : openssl - multiple remote exploits");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The OpenSSL development team has announced that a security audit by
    A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
    revealed remotely exploitable buffer overflow conditions in the
    OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential
    DoS attack independently discovered by Adi Stav and James Yonan.
    
    CAN-2002-0655 references overflows in buffers used to hold ASCII
    representations of integers on 64 bit platforms. CAN-2002-0656
    references buffer overflows in the SSL2 server implementation (by
    sending an invalid key to the server) and the SSL3 client
    implementation (by sending a large session id to the client). The SSL2
    issue was also noticed by Neohapsis, who have privately demonstrated
    exploit code for this issue. CAN-2002-0659 references the ASN1 parser
    DoS issue.
    
    These vulnerabilities have been addressed for Debian 3.0 (woody) in
    openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and
    openssl_0.9.6c-2.woody.1.
    
    These vulnerabilities are also present in Debian 2.2 (potato). Fixed
    packages are available in openssl094_0.9.4-6.potato.2 and
    openssl_0.9.6c-0.potato.4.
    
    A worm is actively exploiting this issue on internet-attached hosts;
    we recommend you upgrade your OpenSSL as soon as possible. Note that
    you must restart any daemons using SSL. (E.g., ssh or ssl-enabled
    apache.) If you are uncertain which programs are using SSL you may
    choose to reboot to ensure that all running daemons are using the new
    libraries."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-136"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected openssl package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"libssl-dev", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"libssl0.9.6", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"libssl09", reference:"0.9.4-6.potato.2")) flag++;
    if (deb_check(release:"2.2", prefix:"openssl", reference:"0.9.6c-0.potato.4")) flag++;
    if (deb_check(release:"2.2", prefix:"ssleay", reference:"0.9.6c-0.potato.3")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl-dev", reference:"0.9.6c-2.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl0.9.6", reference:"0.9.6c-2.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl09", reference:"0.9.4-6.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libssl095a", reference:"0.9.5a-6.woody.1")) flag++;
    if (deb_check(release:"3.0", prefix:"openssl", reference:"0.9.6c-2.woody.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idSSLTEST.NASL
    descriptionThe remote host seems to be running a version of OpenSSL that is older than 0.9.6k or 0.9.7c. There is a heap corruption bug in this version that might be exploited by an attacker to execute arbitrary code on the remote host with the privileges of the remote service.
    last seen2020-03-18
    modified2003-10-10
    plugin id11875
    published2003-10-10
    reporterThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/11875
    titleOpenSSL ASN.1 Parser Multiple Remote DoS
    code
    #TRUSTED 152361311ef92c76dfe792b16fdc8198045997cb6a047ad15be00c3526b3283e5d8c89321d9ed9f7807c7af560cee5aa0b9a59b8248e3e173a881b29d4a59c5f41628ef257badd86c39e3259b5117eb2f6c035bfc65584dccb4138bc33884786234f1365e8fdce1e3d2e8459dd266479fe8978e2958de226c38906221814a0ea9d4b177730997e28f3915facfca76d84acffd44d3451adb5fe031dff0a4afd1348ce4c3280b8794ac78a4c16a1de401c8aeaf12e587dee4514671a59c2c7a384d80c0be2e23a8dbc212fb09bc98219bd0bd863fb5facc799bf34e8b2aea72fd737634e104dea15c72fba7b5511b294dc8c5108ae828e8c420b48cfbd2a2e8af062cb2a85b161347e0e0b675ac569465e63d22d4802d062f6b9ebe34d3374c41471fe8817e3d00f423afeabed988c21c44682eabc1d6122fbeb42411c52d3e407cc472c6b207384ede4b6f36cc27efcdf94ec11253621ccfe22f253084c9123b4b1cd4300e22a2f00e5b55f71feac820e0667818389f1641b8e09a59cba4e239b1c1e01049d6ba9950daadf681780449a5a72f9bbede2902a74d82b4abde082b11c7938bfb784db6e59bca73a83660f07338909109d792ec29d7162237707b63783c3dbb4b811b1ba885a60b8bb5836cf3232a8220055b3a49afb1c8656f696b345f7bd81063559b718c8fde3258c6cbb3328fccee5c3554caaa406ab85d23578
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11875);
     script_version("1.64");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
     # CANs moved into CVE, moved back (bug 899) AH
     script_cve_id("CVE-2003-0543", "CVE-2003-0544", "CVE-2003-0545", "CVE-2005-1247", "CVE-2005-1730");
     script_bugtraq_id(8732, 13359);
     script_xref(name:"RHSA", value:"2003:291-01");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:043");
    
     script_name(english:"OpenSSL ASN.1 Parser Multiple Remote DoS");
     script_summary(english:"Checks for the behavior of SSL");
    
     script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a heap corruption vulnerability.");
     script_set_attribute(attribute:"description", value:
    "The remote host seems to be running a version of OpenSSL that is older
    than 0.9.6k or 0.9.7c.
    
    There is a heap corruption bug in this version that might be exploited
    by an attacker to execute arbitrary code on the remote host with the
    privileges of the remote service.");
     script_set_attribute(attribute:"solution", value:
    "If you are running OpenSSL, upgrade to version 0.9.6k or 0.9.7c or
    newer.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/10");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_family(english:"Misc.");
     script_dependencies("ssl_supported_versions.nasl");
     script_require_keys("SSL/Supported");
    
     exit(0);
    }
    
    include("byte_func.inc");
    include("ftp_func.inc");
    include("global_settings.inc");
    include("kerberos_func.inc");
    include("ldap_func.inc");
    include("misc_func.inc");
    include("nntp_func.inc");
    include("smtp_func.inc");
    include("ssl_funcs.inc");
    include("telnet2_func.inc");
    
    if ( get_kb_item("CVE-2003-0543") )
    	exit(0);
    
    if ( get_kb_item("global_settings/disable_ssl_cipher_neg" ) ) exit(1, "Not negotiating the SSL ciphers, per user config");
    
    
    get_kb_item_or_exit("SSL/Supported");
    
    port = get_ssl_ports(fork:TRUE);
    if (isnull(port))
      exit(1, "The host does not appear to have any SSL-based services.");
    
    # Find out if the port is open.
    if (!get_port_state(port))
      exit(0, "Port " + port + " is not open.");
    
    #####################################################################
    # Microsoft spits an error on the packet below
    # OpenSSL processes the packet...
    
    myversion = raw_string(0x03,0x35);
    mycipherspec = raw_string(0x00,0x00,0x62,0x04,0x00,0x80,0x00,0x00,0x63,0xa0,0x00,0xe9,0xda,0x00,0x64,0x02,0x00,0x80);
    mychallenge =  raw_string(0x4E,0x45,0x53,0x53,0x55,0x53,0x4E,0x45,0x53,0x53,0x55,0x53,0x4E,0x9F,0x53,0x53);
    
    req=client_hello(version:myversion, cipherspec:mycipherspec, challenge:mychallenge);
    
    # Connect to the port, issuing the StartTLS command if necessary.
    soc = open_sock_ssl(port);
    if (!soc)
      exit(1, "open_sock_ssl() returned NULL for port " + port + ".");
    
    send (socket:soc, data:req);
    r = recv(socket:soc, length:800);
    
    if (strlen(r) == 7)
    	exit(0);
    
    close(soc);
    
    # some *other* SSL servers (not OpenSSL) respond to the nudge below
    # we'll wean them out of the check
    
    mymlen = 0;
    mymtype = 0;
    myversion = raw_string(0x31,0x35);
    req=client_hello(mlen:mymlen, mtype:mymtype, version:myversion);
    
    # Connect to the port, issuing the StartTLS command if necessary.
    soc = open_sock_ssl(port);
    if (!soc)
      exit(1, "open_sock_ssl() returned NULL for port " + port + ".");
    
    send (socket:soc, data:req);
    r = recv(socket:soc, length:65535);
    if (r)
    	exit(0);
    close(soc);
    #####################################################################
    
    
    req = client_hello();
    
    # Connect to the port, issuing the StartTLS command if necessary.
    soc = open_sock_ssl(port);
    if (!soc)
      exit(1, "open_sock_ssl() returned NULL for port " + port + ".");
    
    send (socket:soc, data:req);
    r = recv(socket:soc, length:65535);
    if (r)
    {
            # Thanks to Brad Hazledine for submitting report that:
            #> By removing weak ciphers from the SSLCipherSuite on Apache 1.3.29/mod_ssl
            #> 2.8.16/Openssl 0.9.7c it reports a false (vulnerable) version of openssl.
            # So, We'll look for error message 0x02 0x28 which denotes a failed handshake
    
        if ( (ord(r[5]) == 0x02) && (ord(r[6]) == 0x28) )
    	exit(0);
    
            # Thanks to Steve (ssg4605 [at] yahoo.com)
            # for reporting anomalous behavior from apple xserve
        if ( (ord(r[1]) != 22) && (ord(r[1]) != 3) )
    	exit(0);
    
        localcert = hex2raw(s: tolower("03CB0003C8308203C43082032DA003020102020100300D06092A864886F70D01010405003081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D301E170D3033313031303031313433395A170D3033313130393031313433395A3081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D30819F300D06092A864886F70D010101050003818D0030818902818100DCA93F62D5088026DBBAD24A551F136289E39CA34AD9C0EEE0493A7E3103884572ADE53ACE68416FAB0CE44F3291A71A7FA3B89E6490E622F61B71140FCA37F2C5C8AD0D96CF1DEC454960B70582918BE96C5DEEC5B2E2A58CC8506FEAE7941C5DA8AF2EF6225F903350AB54743F48FE3322D7383FD6B2B619D2045476C7C6550203010001A382010430820100301D0603551D0E04160414FA4DD1D034857B04784BCAA4A708E004F2DFCD063081D00603551D230481C83081C58014FA4DD1D034857B04784BCAA4A708E004F2DFCD06A181A9A481A63081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D820100300C0603551D13040530030101FF300D06092A864886F70D0101040500038181001214A295E71DAF8EEAB4A9E19499B98D766A02A1F62B1F388C635A8D2A08B3F678CF952ACE0D57F8C4510C2F22C3CB3EBAFEBBE8E3DAF83183898EAA27858D0CFB1B4121C3FE750EEC740FFF46452B90D5473200B7121343990B185CF8698A2115B62D57CFD9C9EA220054EF4CF49513C25B63B07C38D126F4CAF98B37EAB0EC"));
    
        req2 = client_send_cert(certificate:localcert);
        send (socket:soc, data:req2);
        r2 = recv(socket:soc, length:65535);
        if (r2) {
            if ( ord(r2[6]) == 0x0A || ord(r2[6]) == 0x2a  || ord(r2[6]) == 0x2f)
    	{               # the 7th byte must == 0x0A which is an error
               exit(0);                                      		# message stating "Unexpected message"
            } else {
               security_hole(port);
            }
        }
        # MA 2008-11-16: otherwise, the server abruptly closed the connection
        # after we sent the cert. Nothing proves this is a security bug, and
        # we do not report unknown problems without patch or workaround.
    }
    exit(0);
    
    

Statements

contributorMark J Cox
lastmodified2007-04-02
organizationRed Hat
statementBased on our research we believe that the "OpenSSL ASN.1 brute forcer." is actually exploiting flaws CVE-2003-0543, CVE-2003-0544, CVE-2003-0545. Those issues are all addressed in Red Hat Enterprise Linux and therefore CVE-2005-1730 is a duplicate assignment.