Vulnerabilities > CVE-2009-0590 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
openssl
debian
CWE-119
nessus

Summary

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_FBC8413F2F7A11DE9A3F001B77D09812.NASL
    descriptionThe following package needs to be updated: FreeBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id38706
    published2009-05-08
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38706
    titleFreeBSD : FreeBSD -- remotely exploitable crash in OpenSSL (2539)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This script contains information extracted from VuXML :
    #
    # Copyright 2003-2006 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #   copyright notice, this list of conditions and the following
    #   disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #   published online in any format, converted to PDF, PostScript,
    #   RTF and other formats) must reproduce the above copyright
    #   notice, this list of conditions and the following disclaimer
    #   in the documentation and/or other materials provided with the
    #   distribution.
    #
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    #
    #
    
    include('compat.inc');
    
    if ( description )
    {
     script_id(38706);
     script_version("1.10");
     script_cve_id("CVE-2009-0590");
    
     script_name(english:"FreeBSD : FreeBSD -- remotely exploitable crash in OpenSSL (2539)");
    
    script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
    script_set_attribute(attribute:'description', value:'The following package needs to be updated: FreeBSD');
      script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_cwe_id(119);
    script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/fbc8413f-2f7a-11de-9a3f-001b77d09812.html');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2009/05/08");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
     script_end_attributes();
     script_summary(english:"Check for FreeBSD");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2009-2020 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/FreeBSD/pkg_info");
     exit(0);
    }
    
    include('freebsd_package.inc');
    cvss_score=5;
    
    
    holes_nb += pkg_test(pkg:"FreeBSD>=6.3<6.3_10");
    
    holes_nb += pkg_test(pkg:"FreeBSD>=6.4<6.4_4");
    
    holes_nb += pkg_test(pkg:"FreeBSD>=7.0<7.0_12");
    
    holes_nb += pkg_test(pkg:"FreeBSD>=7.1<7.1_5");
    
    if (holes_nb == 0) exit(0,"Host is not affected");
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20090902_OPENSSL_ON_SL5_X.NASL
    descriptionCVE-2009-0590 openssl: ASN1 printing crash CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS) CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL deref DoS Multiple denial of service flaws were discovered in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id60658
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60658
    titleScientific Linux Security Update : openssl on SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60658);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2009-0590", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1386", "CVE-2009-1387");
    
      script_name(english:"Scientific Linux Security Update : openssl on SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2009-0590 openssl: ASN1 printing crash
    
    CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS
    
    CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS
    
    CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS)
    
    CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec
    request
    
    CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL
    deref DoS
    
    Multiple denial of service flaws were discovered in OpenSSL's DTLS
    implementation. A remote attacker could use these flaws to cause a
    DTLS server to use excessive amounts of memory, or crash on an invalid
    memory access or NULL pointer dereference. (CVE-2009-1377,
    CVE-2009-1378,
    
    CVE-2009-1379, CVE-2009-1386, CVE-2009-1387)
    
    Note: These flaws only affect applications that use DTLS. Scientific
    Linux does not ship any DTLS client or server applications.
    
    An input validation flaw was found in the handling of the BMPString
    and UniversalString ASN1 string types in OpenSSL's
    ASN1_STRING_print_ex() function. An attacker could use this flaw to
    create a specially crafted X.509 certificate that could cause
    applications using the affected function to crash when printing
    certificate contents. (CVE-2009-0590)
    
    Note: The affected function is rarely used. No application shipped
    with Scientific Linux calls this function, for example.
    
    These updated packages also fix the following bugs :
    
      - 'openssl smime -verify -in' verifies the signature of
        the input file and the '-verify' switch expects a signed
        or encrypted input file. Previously, running openssl on
        an S/MIME file that was not encrypted or signed caused
        openssl to segfault. With this update, the input file is
        now checked for a signature or encryption. Consequently,
        openssl now returns an error and quits when attempting
        to verify an unencrypted or unsigned S/MIME file.
        (BZ#472440)
    
      - when generating RSA keys, pairwise tests were called
        even in non-FIPS mode. This prevented small keys from
        being generated. With this update, generating keys in
        non-FIPS mode no longer calls the pairwise tests and
        keys as small as 32-bits can be generated in this mode.
        Note: In FIPS mode, pairwise tests are still called and
        keys generated in this mode must still be 1024-bits or
        larger. (BZ#479817)
    
    As well, these updated packages add the following enhancements :
    
      - both the libcrypto and libssl shared libraries, which
        are part of the OpenSSL FIPS module, are now checked for
        integrity on initialization of FIPS mode. (BZ#475798)
    
      - an issuing Certificate Authority (CA) allows multiple
        certificate templates to inherit the CA's Common Name
        (CN). Because this CN is used as a unique identifier,
        each template had to have its own Certificate Revocation
        List (CRL). With this update, multiple CRLs with the
        same subject name can now be stored in a X509_STORE
        structure, with their signature field being used to
        distinguish between them. (BZ#457134)
    
      - the fipscheck library is no longer needed for rebuilding
        the openssl source RPM. (BZ#475798)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=457134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=472440"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=475798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=479817"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0909&L=scientific-linux-errata&T=0&P=1445
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?df0d6dcf"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected openssl, openssl-devel and / or openssl-perl
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL5", reference:"openssl-0.9.8e-12.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"openssl-devel-0.9.8e-12.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"openssl-perl-0.9.8e-12.el5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_COMPAT-OPENSSL097G-110721.NASL
    descriptionThis update adds openssl patches since 2007 for : - CVE-2008-5077 - CVE-2009-0590 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen2020-06-01
    modified2020-06-02
    plugin id75802
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75802
    titleopenSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update compat-openssl097g-4909.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75802);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2008-5077", "CVE-2009-0590", "CVE-2009-0789", "CVE-2009-3555", "CVE-2010-4180");
    
      script_name(english:"openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)");
      script_summary(english:"Check for the compat-openssl097g-4909 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update adds openssl patches since 2007 for :
    
      - CVE-2008-5077
    
      - CVE-2009-0590
    
      - CVE-2009-0789
    
      - CVE-2009-3555
    
      - CVE-2010-4180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=707069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-07/msg00037.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected compat-openssl097g packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_cwe_id(20, 119, 189, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:compat-openssl097g");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:compat-openssl097g-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:compat-openssl097g-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:compat-openssl097g-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:compat-openssl097g-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.4", reference:"compat-openssl097g-0.9.7g-158.159.1") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"compat-openssl097g-debuginfo-0.9.7g-158.159.1") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"compat-openssl097g-debugsource-0.9.7g-158.159.1") ) flag++;
    if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"compat-openssl097g-32bit-0.9.7g-158.159.1") ) flag++;
    if ( rpm_check(release:"SUSE11.4", cpu:"x86_64", reference:"compat-openssl097g-debuginfo-32bit-0.9.7g-158.159.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "compat-openssl097g");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_LIBOPENSSL-DEVEL-090415.NASL
    descriptionThis update of openssl fixes the following problems : - ASN1_STRING_print_ex() function allows remote denial of service. (CVE-2009-0590) - CMS_verify() function allows signatures to look valid. (CVE-2009-0591) - denial of service due to malformed ASN.1 structures. (CVE-2009-0789)
    last seen2020-06-01
    modified2020-06-02
    plugin id41423
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41423
    titleSuSE 11 Security Update : OpenSSL (SAT Patch Number 772)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41423);
      script_version("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:35");
    
      script_cve_id("CVE-2009-0590", "CVE-2009-0591", "CVE-2009-0789");
    
      script_name(english:"SuSE 11 Security Update : OpenSSL (SAT Patch Number 772)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of openssl fixes the following problems :
    
      - ASN1_STRING_print_ex() function allows remote denial of
        service. (CVE-2009-0590)
    
      - CMS_verify() function allows signatures to look valid.
        (CVE-2009-0591)
    
      - denial of service due to malformed ASN.1 structures.
        (CVE-2009-0789)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=489641"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0590.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0591.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0789.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 772.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(119, 189, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssl-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (pl) audit(AUDIT_OS_NOT, "SuSE 11.0");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libopenssl0_9_8-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"openssl-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libopenssl0_9_8-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libopenssl0_9_8-32bit-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"openssl-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libopenssl0_9_8-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"openssl-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"openssl-doc-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libopenssl0_9_8-32bit-0.9.8h-30.12.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libopenssl0_9_8-32bit-0.9.8h-30.12.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20100325_OPENSSL_ON_SL3_X.NASL
    descriptionA flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id60758
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60758
    titleScientific Linux Security Update : openssl on SL3.x, SL4.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60758);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2009-0590", "CVE-2009-2409", "CVE-2009-3555");
    
      script_name(english:"Scientific Linux Security Update : openssl on SL3.x, SL4.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was found in the way the TLS/SSL (Transport Layer
    Security/Secure Sockets Layer) protocols handled session
    renegotiation. A man-in-the-middle attacker could use this flaw to
    prefix arbitrary plain text to a client's session (for example, an
    HTTPS connection to a website). This could force the server to process
    an attacker's request as if authenticated using the victim's
    credentials. This update addresses this flaw by implementing the TLS
    Renegotiation Indication Extension, as defined in RFC 5746.
    (CVE-2009-3555)
    
    Refer to the following Knowledgebase article for additional details
    about the CVE-2009-3555 flaw:
    http://kbase.redhat.com/faq/docs/DOC-20491
    
    Dan Kaminsky found that browsers could accept certificates with MD2
    hash signatures, even though MD2 is no longer considered a
    cryptographically strong algorithm. This could make it easier for an
    attacker to create a malicious certificate that would be treated as
    trusted by a browser. OpenSSL now disables the use of the MD2
    algorithm inside signatures by default. (CVE-2009-2409)
    
    An input validation flaw was found in the handling of the BMPString
    and UniversalString ASN1 string types in OpenSSL's
    ASN1_STRING_print_ex() function. An attacker could use this flaw to
    create a specially crafted X.509 certificate that could cause
    applications using the affected function to crash when printing
    certificate contents. (CVE-2009-0590)
    
    For the update to take effect, all services linked to the OpenSSL
    library must be restarted, or the system rebooted."
      );
      # http://kbase.redhat.com/faq/docs/DOC-20491
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/20490"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1003&L=scientific-linux-errata&T=0&P=2100
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cf2d4da3"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected openssl, openssl-devel and / or openssl-perl
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_cwe_id(119, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL3", reference:"openssl-0.9.7a-33.26")) flag++;
    if (rpm_check(release:"SL3", reference:"openssl-devel-0.9.7a-33.26")) flag++;
    if (rpm_check(release:"SL3", reference:"openssl-perl-0.9.7a-33.26")) flag++;
    
    if (rpm_check(release:"SL4", reference:"openssl-0.9.7a-43.17.el4_8.5")) flag++;
    if (rpm_check(release:"SL4", reference:"openssl-devel-0.9.7a-43.17.el4_8.5")) flag++;
    if (rpm_check(release:"SL4", reference:"openssl-perl-0.9.7a-43.17.el4_8.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-087.NASL
    descriptionA security vulnerability has been identified and fixed in OpenSSL, which could crash applications using OpenSSL library when parsing malformed certificates (CVE-2009-0590). The updated packages have been patched to prevent this.
    last seen2020-06-01
    modified2020-06-02
    plugin id37282
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37282
    titleMandriva Linux Security Advisory : openssl (MDVSA-2009:087)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:087. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37282);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:51");
    
      script_cve_id("CVE-2009-0590");
      script_xref(name:"MDVSA", value:"2009:087");
    
      script_name(english:"Mandriva Linux Security Advisory : openssl (MDVSA-2009:087)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A security vulnerability has been identified and fixed in OpenSSL,
    which could crash applications using OpenSSL library when parsing
    malformed certificates (CVE-2009-0590).
    
    The updated packages have been patched to prevent this."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.8-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.8-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.8-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.8-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64openssl0.9.8-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64openssl0.9.8-devel-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64openssl0.9.8-static-devel-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libopenssl0.9.8-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libopenssl0.9.8-devel-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libopenssl0.9.8-static-devel-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"openssl-0.9.8e-8.3mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64openssl0.9.8-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64openssl0.9.8-devel-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64openssl0.9.8-static-devel-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libopenssl0.9.8-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libopenssl0.9.8-devel-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libopenssl0.9.8-static-devel-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"openssl-0.9.8g-4.3mdv2008.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64openssl0.9.8-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64openssl0.9.8-devel-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64openssl0.9.8-static-devel-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libopenssl0.9.8-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libopenssl0.9.8-devel-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libopenssl0.9.8-static-devel-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"openssl-0.9.8h-3.2mdv2009.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0004.NASL
    descriptiona. vMA and Service Console update for newt to 0.52.2-12.el5_4.1 Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue. b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in
    last seen2020-06-01
    modified2020-06-02
    plugin id44993
    published2010-03-05
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44993
    titleVMSA-2010-0004 : ESX Service Console and vMA third-party updates
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2010-0004. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44993);
      script_version("1.31");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id("CVE-2008-3916", "CVE-2008-4316", "CVE-2008-4552", "CVE-2009-0115", "CVE-2009-0590", "CVE-2009-1189", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1386", "CVE-2009-1387", "CVE-2009-2695", "CVE-2009-2849", "CVE-2009-2904", "CVE-2009-2905", "CVE-2009-2908", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3560", "CVE-2009-3563", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3720", "CVE-2009-3726", "CVE-2009-4022");
      script_bugtraq_id(30815, 31602, 31823, 34100, 34256, 35001, 35138, 35174, 36304, 36515, 36552, 36639, 36706, 36723, 36824, 36827, 36901, 36936, 37118, 37203, 37255);
      script_xref(name:"VMSA", value:"2010-0004");
    
      script_name(english:"VMSA-2010-0004 : ESX Service Console and vMA third-party updates");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESX host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1
    
       Newt is a programming library for color text mode, widget based
       user interfaces. Newt can be used to add stacked windows, entry
       widgets, checkboxes, radio buttons, labels, plain text fields,
       scrollbars, etc., to text mode user interfaces.
    
       A heap-based buffer overflow flaw was found in the way newt
       processes content that is to be displayed in a text dialog box.
       A local attacker could issue a specially crafted text dialog box
       display request (direct or via a custom application), leading to a
       denial of service (application crash) or, potentially, arbitrary
       code execution with the privileges of the user running the
       application using the newt library.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-2905 to this issue.
    
    b. vMA and Service Console update for vMA package nfs-utils to
       1.0.9-42.el5
    
       The nfs-utils package provides a daemon for the kernel NFS server
       and related tools.
    
       It was discovered that nfs-utils did not use tcp_wrappers
       correctly.  Certain hosts access rules defined in '/etc/hosts.allow'
       and '/etc/hosts.deny' may not have been honored, possibly allowing
       remote attackers to bypass intended access restrictions.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2008-4552 to this issue.
    
    c. vMA and Service Console package glib2 updated to 2.12.3-4.el5_3.1
    
       GLib is the low-level core library that forms the basis for
       projects such as GTK+ and GNOME. It provides data structure
       handling for C, portability wrappers, and interfaces for such
       runtime functionality as an event loop, threads, dynamic loading,
       and an object system.
    
       Multiple integer overflows in glib/gbase64.c in GLib before 2.20
       allow context-dependent attackers to execute arbitrary code via a
       long string that is converted either from or to a base64
       representation.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2008-4316 to this issue.
    
    d. vMA and Service Console update for openssl to 0.9.8e-12.el5
    
       SSL is a toolkit implementing SSL v2/v3 and TLS protocols with full-
       strength cryptography world-wide.
    
       Multiple denial of service flaws were discovered in OpenSSL's DTLS
       implementation. A remote attacker could use these flaws to cause a
       DTLS server to use excessive amounts of memory, or crash on an
       invalid memory access or NULL pointer dereference.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2009-1377, CVE-2009-1378,
       CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 to these issues.
    
       An input validation flaw was found in the handling of the BMPString
       and UniversalString ASN1 string types in OpenSSL's
       ASN1_STRING_print_ex() function. An attacker could use this flaw to
       create a specially crafted X.509 certificate that could cause
       applications using the affected function to crash when printing
       certificate contents.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-0590 to this issue.
    
    e. vMA and Service Console package bind updated to 9.3.6-4.P1.el5_4.1
    
       It was discovered that BIND was incorrectly caching responses
       without performing proper DNSSEC validation, when those responses
       were received during the resolution of a recursive client query
       that requested DNSSEC records but indicated that checking should be
       disabled. A remote attacker could use this flaw to bypass the DNSSEC
       validation check and perform a cache poisoning attack if the target
       BIND server was receiving such client queries.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-4022 to this issue.
    
    f. vMA and Service Console package expat updated to 1.95.8-8.3.el5_4.2.
    
       Two buffer over-read flaws were found in the way Expat handled
       malformed UTF-8 sequences when processing XML files. A specially-
       crafted XML file could cause applications using Expat to fail while
       parsing the file.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2009-3560 and CVE-2009-3720 to these
       issues.
    
    g. vMA and Service Console package openssh update to 4.3p2-36.el5_4.2
    
       A Red Hat specific patch used in the openssh packages as shipped in
       Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain
       ownership requirements for directories used as arguments for the
       ChrootDirectory configuration options. A malicious user that also
       has or previously had non-chroot shell access to a system could
       possibly use this flaw to escalate their privileges and run
       commands as any system user.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-2904 to this issue.
    
    h. vMA and Service Console package ntp updated to
       ntp-4.2.2p1-9.el5_4.1.i386.rpm
    
       A flaw was discovered in the way ntpd handled certain malformed NTP
       packets. ntpd logged information about all such packets and replied
       with an NTP packet that was treated as malformed when received by
       another ntpd. A remote attacker could use this flaw to create an NTP
       packet reply loop between two ntpd servers through a malformed packet
       with a spoofed source IP address and port, causing ntpd on those
       servers to use excessive amounts of CPU time and fill disk space with
       log messages.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-3563 to this issue.   
    
    i. vMA update for package kernel to 2.6.18-164.9.1.el5
    
       Updated vMA package kernel addresses the security issues listed
       below.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2009-2849 to the security issue fixed in
       kernel 2.6.18-128.2.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
       CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
       fixed in kernel 2.6.18-128.6.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
       CVE-2009-3726 to the security issues fixed in kernel
       2.6.18-128.9.1
    
    j. vMA 4.0 updates for the packages kpartx, libvolume-id,
       device-mapper-multipath, fipscheck, dbus, dbus-libs, and ed
    
       kpartx updated to 0.4.7-23.el5_3.4, libvolume-id updated to
       095-14.20.el5 device-mapper-multipath package updated to
       0.4.7-23.el5_3.4, fipscheck updated to 1.0.3-1.el5, dbus
       updated to 1.1.2-12.el5, dbus-libs updated to 1.1.2-12.el5,
       and ed package updated to 0.2-39.el5_2.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2008-3916, CVE-2009-1189 and
       CVE-2009-0115 to these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2010/000104.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2010-03-03");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006407-SG")) flag++;
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201008406-SG")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002404-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002406-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201002407-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005403-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005404-SG",
        patch_updates : make_list("ESX400-201404402-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0020_OPENSSL098E.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl098e packages installed that are affected by multiple vulnerabilities: - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. (CVE-2006-2937) - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) public exponent or (2) public modulus values in X.509 certificates that require extra time to process when using RSA signature verification. (CVE-2006-2940) - Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. (CVE-2006-3738) - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. (CVE-2006-4339) - The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. (CVE-2006-4343) - The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. (CVE-2007-3108) - Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2007-4995) - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. (CVE-2007-5135) - OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. (CVE-2008-5077) - The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. (CVE-2009-0590) - The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of future epoch DTLS records that are buffered in a queue, aka DTLS record buffer limitation bug. (CVE-2009-1377) - Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka DTLS fragment handling memory leak. (CVE-2009-1378) - Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. (CVE-2009-1379) - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. (CVE-2009-1386) - The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of- sequence DTLS handshake message, related to a fragment bug. (CVE-2009-1387) - The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. (CVE-2009-2409) - OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. (CVE-2009-3245) - The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post- renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue. (CVE-2009-3555) - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. (CVE-2009-4355) - The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. (CVE-2010-0433) - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. (CVE-2012-2110) - The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the- middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a CRIME attack. (CVE-2012-4929) - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. (CVE-2013-0166) - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side- channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue. (CVE-2013-0169) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127177
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127177
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0020. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127177);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2006-2937",
        "CVE-2006-2940",
        "CVE-2006-3738",
        "CVE-2006-4339",
        "CVE-2006-4343",
        "CVE-2007-3108",
        "CVE-2007-4995",
        "CVE-2007-5135",
        "CVE-2008-5077",
        "CVE-2009-0590",
        "CVE-2009-1377",
        "CVE-2009-1378",
        "CVE-2009-1379",
        "CVE-2009-1386",
        "CVE-2009-1387",
        "CVE-2009-2409",
        "CVE-2009-3245",
        "CVE-2009-3555",
        "CVE-2009-4355",
        "CVE-2010-0433",
        "CVE-2012-2110",
        "CVE-2012-4929",
        "CVE-2013-0166",
        "CVE-2013-0169"
      );
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl098e packages installed that are
    affected by multiple vulnerabilities:
    
      - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d
        allows remote attackers to cause a denial of service
        (infinite loop and memory consumption) via malformed
        ASN.1 structures that trigger an improperly handled
        error condition. (CVE-2006-2937)
    
      - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
        earlier versions allows attackers to cause a denial of
        service (CPU consumption) via parasitic public keys with
        large (1) public exponent or (2) public modulus
        values in X.509 certificates that require extra time to
        process when using RSA signature verification.
        (CVE-2006-2940)
    
      - Buffer overflow in the SSL_get_shared_ciphers function
        in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
        earlier versions has unspecified impact and remote
        attack vectors involving a long list of ciphers.
        (CVE-2006-3738)
    
      - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8
        before 0.9.8c, when using an RSA key with exponent 3,
        removes PKCS-1 padding before generating a hash, which
        allows remote attackers to forge a PKCS #1 v1.5
        signature that is signed by that RSA key and prevents
        OpenSSL from correctly verifying X.509 and other
        certificates that use PKCS #1. (CVE-2006-4339)
    
      - The get_server_hello function in the SSLv2 client code
        in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
        earlier versions allows remote servers to cause a denial
        of service (client crash) via unknown vectors that
        trigger a null pointer dereference. (CVE-2006-4343)
    
      - The BN_from_montgomery function in crypto/bn/bn_mont.c
        in OpenSSL 0.9.8e and earlier does not properly perform
        Montgomery multiplication, which might allow local users
        to conduct a side-channel attack and retrieve RSA
        private keys. (CVE-2007-3108)
    
      - Off-by-one error in the DTLS implementation in OpenSSL
        0.9.8 before 0.9.8f allows remote attackers to execute
        arbitrary code via unspecified vectors. (CVE-2007-4995)
    
      - Off-by-one error in the SSL_get_shared_ciphers function
        in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f,
        might allow remote attackers to execute arbitrary code
        via a crafted packet that triggers a one-byte buffer
        underflow. NOTE: this issue was introduced as a result
        of a fix for CVE-2006-3738. As of 20071012, it is
        unknown whether code execution is possible.
        (CVE-2007-5135)
    
      - OpenSSL 0.9.8i and earlier does not properly check the
        return value from the EVP_VerifyFinal function, which
        allows remote attackers to bypass validation of the
        certificate chain via a malformed SSL/TLS signature for
        DSA and ECDSA keys. (CVE-2008-5077)
    
      - The ASN1_STRING_print_ex function in OpenSSL before
        0.9.8k allows remote attackers to cause a denial of
        service (invalid memory access and application crash)
        via vectors that trigger printing of a (1) BMPString or
        (2) UniversalString with an invalid encoded length.
        (CVE-2009-0590)
    
      - The dtls1_buffer_record function in ssl/d1_pkt.c in
        OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote
        attackers to cause a denial of service (memory
        consumption) via a large series of future epoch DTLS
        records that are buffered in a queue, aka DTLS record
        buffer limitation bug. (CVE-2009-1377)
    
      - Multiple memory leaks in the
        dtls1_process_out_of_seq_message function in
        ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8
        versions allow remote attackers to cause a denial of
        service (memory consumption) via DTLS records that (1)
        are duplicates or (2) have sequence numbers much greater
        than current sequence numbers, aka DTLS fragment
        handling memory leak. (CVE-2009-1378)
    
      - Use-after-free vulnerability in the
        dtls1_retrieve_buffered_fragment function in
        ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote
        attackers to cause a denial of service (openssl s_client
        crash) and possibly have unspecified other impact via a
        DTLS packet, as demonstrated by a packet from a server
        that uses a crafted server certificate. (CVE-2009-1379)
    
      - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote
        attackers to cause a denial of service (NULL pointer
        dereference and daemon crash) via a DTLS
        ChangeCipherSpec packet that occurs before ClientHello.
        (CVE-2009-1386)
    
      - The dtls1_retrieve_buffered_fragment function in
        ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows
        remote attackers to cause a denial of service (NULL
        pointer dereference and daemon crash) via an out-of-
        sequence DTLS handshake message, related to a fragment
        bug. (CVE-2009-1387)
    
      - The Network Security Services (NSS) library before
        3.12.3, as used in Firefox; GnuTLS before 2.6.4 and
        2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products
        support MD2 with X.509 certificates, which might allow
        remote attackers to spoof certificates by using MD2
        design flaws to generate a hash collision in less than
        brute-force time. NOTE: the scope of this issue is
        currently limited because the amount of computation
        required is still large. (CVE-2009-2409)
    
      - OpenSSL before 0.9.8m does not check for a NULL return
        value from bn_wexpand function calls in (1)
        crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3)
        crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which
        has unspecified impact and context-dependent attack
        vectors. (CVE-2009-3245)
    
      - The TLS protocol, and the SSL protocol 3.0 and possibly
        earlier, as used in Microsoft Internet Information
        Services (IIS) 7.0, mod_ssl in the Apache HTTP Server
        2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5
        and earlier, Mozilla Network Security Services (NSS)
        3.12.4 and earlier, multiple Cisco products, and other
        products, does not properly associate renegotiation
        handshakes with an existing connection, which allows
        man-in-the-middle attackers to insert data into HTTPS
        sessions, and possibly other types of sessions protected
        by TLS or SSL, by sending an unauthenticated request
        that is processed retroactively by a server in a post-
        renegotiation context, related to a plaintext
        injection attack, aka the Project Mogul issue.
        (CVE-2009-3555)
    
      - Memory leak in the zlib_stateful_finish function in
        crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and
        1.0.0 Beta through Beta 4 allows remote attackers to
        cause a denial of service (memory consumption) via
        vectors that trigger incorrect calls to the
        CRYPTO_cleanup_all_ex_data function, as demonstrated by
        use of SSLv3 and PHP with the Apache HTTP Server, a
        related issue to CVE-2008-1678. (CVE-2009-4355)
    
      - The kssl_keytab_is_available function in ssl/kssl.c in
        OpenSSL before 0.9.8n, when Kerberos is enabled but
        Kerberos configuration files cannot be opened, does not
        check a certain return value, which allows remote
        attackers to cause a denial of service (NULL pointer
        dereference and daemon crash) via SSL cipher
        negotiation, as demonstrated by a chroot installation of
        Dovecot or stunnel without Kerberos configuration files
        inside the chroot. (CVE-2010-0433)
    
      - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c
        in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1
        before 1.0.1a does not properly interpret integer data,
        which allows remote attackers to conduct buffer overflow
        attacks, and cause a denial of service (memory
        corruption) or possibly have unspecified other impact,
        via crafted DER data, as demonstrated by an X.509
        certificate or an RSA public key. (CVE-2012-2110)
    
      - The TLS protocol 1.2 and earlier, as used in Mozilla
        Firefox, Google Chrome, Qt, and other products, can
        encrypt compressed data without properly obfuscating the
        length of the unencrypted data, which allows man-in-the-
        middle attackers to obtain plaintext HTTP headers by
        observing length differences during a series of guesses
        in which a string in an HTTP request potentially matches
        an unknown string in an HTTP header, aka a CRIME
        attack. (CVE-2012-4929)
    
      - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1
        before 1.0.1d does not properly perform signature
        verification for OCSP responses, which allows remote
        OCSP servers to cause a denial of service (NULL pointer
        dereference and application crash) via an invalid key.
        (CVE-2013-0166)
    
      - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0
        and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and
        other products, do not properly consider timing side-
        channel attacks on a MAC check requirement during the
        processing of malformed CBC padding, which allows remote
        attackers to conduct distinguishing attacks and
        plaintext-recovery attacks via statistical analysis of
        timing data for crafted packets, aka the Lucky
        Thirteen issue. (CVE-2013-0169)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0020");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL openssl098e packages. Note that updated packages may not be available yet. Please contact
    ZTE for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3245");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 119, 189, 310, 399);
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "openssl098e-0.9.8e-29.el7.centos.3",
        "openssl098e-debuginfo-0.9.8e-29.el7.centos.3"
      ],
      "CGSL MAIN 5.04": [
        "openssl098e-0.9.8e-29.el7.centos.3",
        "openssl098e-debuginfo-0.9.8e-29.el7.centos.3"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl098e");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_COMPAT-OPENSSL097G-7645.NASL
    descriptionThis update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen2020-06-01
    modified2020-06-02
    plugin id57170
    published2011-12-13
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57170
    titleSuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7645)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57170);
      script_version ("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:43");
    
      script_cve_id("CVE-2008-5077", "CVE-2009-0590", "CVE-2009-0789", "CVE-2009-3555", "CVE-2010-4180");
    
      script_name(english:"SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7645)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update adds openssl patches since 2007 for :
    
      - CVE-2009-0590
    
      - CVE-2008-5077
    
      - CVE-2009-0789
    
      - CVE-2009-3555
    
      - CVE-2010-4180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-5077.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0590.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0789.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-3555.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-4180.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7645.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_cwe_id(20, 119, 189, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:4, reference:"compat-openssl097g-0.9.7g-13.21.1")) flag++;
    if (rpm_check(release:"SLED10", sp:4, cpu:"x86_64", reference:"compat-openssl097g-32bit-0.9.7g-13.21.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, reference:"compat-openssl097g-0.9.7g-13.21.1")) flag++;
    if (rpm_check(release:"SLES10", sp:4, cpu:"x86_64", reference:"compat-openssl097g-32bit-0.9.7g-13.21.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0004_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bind - expat - glib2 - Kernel - newt - nfs-utils - NTP - OpenSSH - OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id89737
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89737
    titleVMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(89737);
      script_version("1.5");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id(
        "CVE-2008-3916",
        "CVE-2008-4316",
        "CVE-2008-4552",
        "CVE-2009-0115",
        "CVE-2009-0590",
        "CVE-2009-1189",
        "CVE-2009-1377",
        "CVE-2009-1378",
        "CVE-2009-1379",
        "CVE-2009-1386",
        "CVE-2009-1387",
        "CVE-2009-2695",
        "CVE-2009-2849",
        "CVE-2009-2904",
        "CVE-2009-2905",
        "CVE-2009-2908",
        "CVE-2009-3228",
        "CVE-2009-3286",
        "CVE-2009-3547",
        "CVE-2009-3560",
        "CVE-2009-3563",
        "CVE-2009-3612",
        "CVE-2009-3613",
        "CVE-2009-3620",
        "CVE-2009-3621",
        "CVE-2009-3720",
        "CVE-2009-3726",
        "CVE-2009-4022"
      );
      script_bugtraq_id(
        30815,
        31602,
        31823,
        34100,
        34256,
        35001,
        35138,
        35174,
        36304,
        36515,
        36552,
        36639,
        36706,
        36723,
        36824,
        36827,
        36901,
        36936,
        37118,
        37203,
        37255
      );
      script_xref(name:"VMSA", value:"2010-0004");
    
      script_name(english:"VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check)");
      script_summary(english:"Checks the ESX / ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESX host is missing a security-related patch.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX host is missing a security-related patch. It is,
    therefore, affected by multiple vulnerabilities, including remote code
    execution vulnerabilities, in several third-party components and
    libraries :
    
      - bind
      - expat
      - glib2
      - Kernel
      - newt
      - nfs-utils
      - NTP
      - OpenSSH
      - OpenSSL");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2010-0004");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000104.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory that
    pertains to ESX version 3.5 / 4.0.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
      script_require_ports("Host/VMware/vsphere");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    port = get_kb_item_or_exit("Host/VMware/vsphere");
    esx = '';
    
    if ("ESX" >!< rel)
      audit(AUDIT_OS_NOT, "VMware ESX/ESXi");
    
    extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver);
    if (isnull(extract))
      audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi");
    else
    {
      esx = extract[1];
      ver = extract[2];
    }
    
    # fixed build numbers are the same for ESX and ESXi
    fixes = make_array(
              "4.0", "236512",
              "3.5", "283373"
            );
    
    fix = FALSE;
    fix = fixes[ver];
    
    # get the build before checking the fix for the most complete audit trail
    extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);
    if (isnull(extract))
      audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver);
    
    build = int(extract[1]);
    
    # if there is no fix in the array, fix is FALSE
    if (!fix)
      audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);
    
    if (build < fix)
    {
    
      report = '\n  Version         : ' + esx + " " + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fix +
               '\n';
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else
      audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1548.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A race condition was found in the session handling code of OpenSSL. This issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL to double free session ticket data and crash.(CVE-2015-1791) - An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash.(CVE-2015-1789) - The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.(CVE-2009-0590) - An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially crafted message to the peer, which could cause the application to crash or potentially result in arbitrary code execution.(CVE-2014-8176) - The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.(CVE-2011-4108) - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.(CVE-2007-5135) - A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash.(CVE-2014-3571) - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.(CVE-2012-2110) - It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.(CVE-2016-0703) - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.(CVE-2009-1386) - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.(CVE-2009-4355) - A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.(CVE-2014-3507) - The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of
    last seen2020-06-01
    modified2020-06-02
    plugin id125001
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125001
    titleEulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125001);
      script_version("1.4");
      script_cvs_date("Date: 2019/06/27 13:33:26");
    
      script_cve_id(
        "CVE-2007-5135",
        "CVE-2009-0590",
        "CVE-2009-1377",
        "CVE-2009-1386",
        "CVE-2009-4355",
        "CVE-2011-4108",
        "CVE-2012-2110",
        "CVE-2014-3507",
        "CVE-2014-3571",
        "CVE-2014-8176",
        "CVE-2014-8275",
        "CVE-2015-0209",
        "CVE-2015-0286",
        "CVE-2015-0293",
        "CVE-2015-1789",
        "CVE-2015-1791",
        "CVE-2015-1792",
        "CVE-2015-4000",
        "CVE-2016-0703",
        "CVE-2019-1559"
      );
      script_bugtraq_id(
        25831,
        31692,
        34256,
        35001,
        35174,
        51281,
        53158,
        69078,
        71935,
        71937,
        73196,
        73225,
        73232,
        73239,
        74107,
        74733,
        75154,
        75156,
        75159,
        75161,
        75769
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the openssl packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - A race condition was found in the session handling code
        of OpenSSL. This issue could possibly cause a
        multi-threaded TLS/SSL client using OpenSSL to double
        free session ticket data and crash.(CVE-2015-1791)
    
      - An out-of-bounds read flaw was found in the
        X509_cmp_time() function of OpenSSL, which is used to
        test the expiry dates of SSL/TLS certificates. An
        attacker could possibly use a specially crafted SSL/TLS
        certificate or CRL (Certificate Revocation List), which
        when parsed by an application would cause that
        application to crash.(CVE-2015-1789)
    
      - The ASN1_STRING_print_ex function in OpenSSL before
        0.9.8k allows remote attackers to cause a denial of
        service (invalid memory access and application crash)
        via vectors that trigger printing of a (1) BMPString or
        (2) UniversalString with an invalid encoded
        length.(CVE-2009-0590)
    
      - An invalid-free flaw was found in the way OpenSSL
        handled certain DTLS handshake messages. A malicious
        DTLS client or server could send a specially crafted
        message to the peer, which could cause the application
        to crash or potentially result in arbitrary code
        execution.(CVE-2014-8176)
    
      - The DTLS implementation in OpenSSL before 0.9.8s and
        1.x before 1.0.0f performs a MAC check only if certain
        padding is valid, which makes it easier for remote
        attackers to recover plaintext via a padding oracle
        attack.(CVE-2011-4108)
    
      - Off-by-one error in the SSL_get_shared_ciphers function
        in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f,
        might allow remote attackers to execute arbitrary code
        via a crafted packet that triggers a one-byte buffer
        underflow. NOTE: this issue was introduced as a result
        of a fix for CVE-2006-3738. As of 20071012, it is
        unknown whether code execution is
        possible.(CVE-2007-5135)
    
      - A NULL pointer dereference flaw was found in the DTLS
        implementation of OpenSSL. A remote attacker could send
        a specially crafted DTLS message, which would cause an
        OpenSSL server to crash.(CVE-2014-3571)
    
      - The asn1_d2i_read_bio function in
        crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0
        before 1.0.0i, and 1.0.1 before 1.0.1a does not
        properly interpret integer data, which allows remote
        attackers to conduct buffer overflow attacks, and cause
        a denial of service (memory corruption) or possibly
        have unspecified other impact, via crafted DER data, as
        demonstrated by an X.509 certificate or an RSA public
        key.(CVE-2012-2110)
    
      - It was discovered that the SSLv2 servers using OpenSSL
        accepted SSLv2 connection handshakes that indicated
        non-zero clear key length for non-export cipher suites.
        An attacker could use this flaw to decrypt recorded
        SSLv2 sessions with the server by using it as a
        decryption oracle.(CVE-2016-0703)
    
      - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote
        attackers to cause a denial of service (NULL pointer
        dereference and daemon crash) via a DTLS
        ChangeCipherSpec packet that occurs before
        ClientHello.(CVE-2009-1386)
    
      - Memory leak in the zlib_stateful_finish function in
        crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and
        1.0.0 Beta through Beta 4 allows remote attackers to
        cause a denial of service (memory consumption) via
        vectors that trigger incorrect calls to the
        CRYPTO_cleanup_all_ex_data function, as demonstrated by
        use of SSLv3 and PHP with the Apache HTTP Server, a
        related issue to CVE-2008-1678.(CVE-2009-4355)
    
      - A flaw was discovered in the way OpenSSL handled DTLS
        packets. A remote attacker could use this flaw to cause
        a DTLS server or client using OpenSSL to crash or use
        excessive amounts of memory.(CVE-2014-3507)
    
      - The dtls1_buffer_record function in ssl/d1_pkt.c in
        OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote
        attackers to cause a denial of service (memory
        consumption) via a large series of 'future epoch' DTLS
        records that are buffered in a queue, aka 'DTLS record
        buffer limitation bug.'(CVE-2009-1377)
    
      - A use-after-free flaw was found in the way OpenSSL
        imported malformed Elliptic Curve private keys. A
        specially crafted key file could cause an application
        using OpenSSL to crash when imported.(CVE-2015-0209)
    
      - A denial of service flaw was found in the way OpenSSL
        verified certain signed messages using CMS
        (Cryptographic Message Syntax). A remote attacker could
        cause an application using OpenSSL to use excessive
        amounts of memory by sending a specially crafted
        message for verification.(CVE-2015-1792)
    
      - A denial of service flaw was found in the way OpenSSL
        handled SSLv2 handshake messages. A remote attacker
        could use this flaw to cause a TLS/SSL server using
        OpenSSL to exit on a failed assertion if it had both
        the SSLv2 protocol and EXPORT-grade cipher suites
        enabled.(CVE-2015-0293)
    
      - An invalid pointer use flaw was found in OpenSSL's
        ASN1_TYPE_cmp() function. A remote attacker could crash
        a TLS/SSL client or server using OpenSSL via a
        specially crafted X.509 certificate when the
        attacker-supplied certificate was verified by the
        application.(CVE-2015-0286)
    
      - Multiple flaws were found in the way OpenSSL parsed
        X.509 certificates. An attacker could use these flaws
        to modify an X.509 certificate to produce a certificate
        with a different fingerprint without invalidating its
        signature, and possibly bypass fingerprint-based
        blacklisting in applications.(CVE-2014-8275)
    
      - If an application encounters a fatal protocol error and
        then calls SSL_shutdown() twice (once to send a
        close_notify, and once to receive one) then OpenSSL can
        respond differently to the calling application if a 0
        byte record is received with invalid padding compared
        to if a 0 byte record is received with an invalid MAC.
        If the application then behaves differently based on
        that in a way that is detectable to the remote peer,
        then this amounts to a padding oracle that could be
        used to decrypt data. In order for this to be
        exploitable 'non-stitched' ciphersuites must be in use.
        Stitched ciphersuites are optimised implementations of
        certain commonly used ciphersuites. Also the
        application must call SSL_shutdown() twice even if a
        protocol error has occurred (applications should not do
        this but some do anyway). Fixed in OpenSSL 1.0.2r
        (Affected 1.0.2-1.0.2q).(CVE-2019-1559)
    
      - A flaw was found in the way the TLS protocol composes
        the Diffie-Hellman exchange (for both export and
        non-export grade cipher suites). An attacker could use
        this flaw to downgrade a DHE connection to use
        export-grade key sizes, which could then be broken by
        sufficient pre-computation. This can lead to a passive
        man-in-the-middle attack in which the attacker is able
        to decrypt all traffic.(CVE-2015-4000)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1548
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08b55f2d");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssl packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssl-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssl-1.0.2k-16.h5",
            "openssl-devel-1.0.2k-16.h5",
            "openssl-libs-1.0.2k-16.h5"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2009-005.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server
    last seen2020-06-01
    modified2020-06-02
    plugin id40945
    published2009-09-11
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40945
    titleMac OS X Multiple Vulnerabilities (Security Update 2009-005)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(40945);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2008-2079", "CVE-2008-5498", "CVE-2008-6680", "CVE-2009-0590", "CVE-2009-0591",
                    "CVE-2009-0789", "CVE-2009-0949", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1271",
                    "CVE-2009-1272", "CVE-2009-1371", "CVE-2009-1372", "CVE-2009-1862", "CVE-2009-1863",
                    "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868",
                    "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2468", "CVE-2009-2800", "CVE-2009-2803",
                    "CVE-2009-2804", "CVE-2009-2805", "CVE-2009-2807", "CVE-2009-2809", "CVE-2009-2811",
                    "CVE-2009-2812", "CVE-2009-2813", "CVE-2009-2814");
      script_bugtraq_id(
        29106,
        33002,
        34256,
        34357,
        35759,
        36350,
        36354,
        36355,
        36357,
        36358,
        36359,
        36360,
        36361,
        36363,
        36364
      );
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-005)");
      script_summary(english:"Check for the presence of Security Update 2009-005");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.5 or 10.4 that
    does not have Security Update 2009-005 applied.
    
    This security update contains fixes for the following products :
    
      - Alias Manager
      - CarbonCore
      - ClamAV
      - ColorSync
      - CoreGraphics
      - CUPS
      - Flash Player plug-in
      - ImageIO
      - Launch Services
      - MySQL
      - PHP
      - SMB
      - Wiki Server"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3865"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.securityfocus.com/advisories/17867"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install Security Update 2009-005 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 59, 79, 94, 119, 189, 200, 264, 287, 399);
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    #
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    
    if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
    
      if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[5-9]|20[1-9][0-9]-)", string:packages))
        exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else if (egrep(pattern:"Darwin.* (9\.[0-8]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages/boms");
      if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");
    
      if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[5-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
        exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12397.NASL
    descriptionThis update of OpenSSL fixes the following problems : - ASN1_STRING_print_ex() function allows remote denial of service. (CVE-2009-0590) - denial of service due to malformed ASN.1 structures. (CVE-2009-0789)
    last seen2020-06-01
    modified2020-06-02
    plugin id41293
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41293
    titleSuSE9 Security Update : OpenSSL (YOU Patch Number 12397)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41293);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2009-0590", "CVE-2009-0789");
    
      script_name(english:"SuSE9 Security Update : OpenSSL (YOU Patch Number 12397)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of OpenSSL fixes the following problems :
    
      - ASN1_STRING_print_ex() function allows remote denial of
        service. (CVE-2009-0590)
    
      - denial of service due to malformed ASN.1 structures.
        (CVE-2009-0789)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0590.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-0789.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12397.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"openssl-0.9.7d-15.39")) flag++;
    if (rpm_check(release:"SUSE9", reference:"openssl-devel-0.9.7d-15.39")) flag++;
    if (rpm_check(release:"SUSE9", reference:"openssl-doc-0.9.7d-15.39")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"openssl-32bit-9-200904151544")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"openssl-devel-32bit-9-200904151544")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0009.NASL
    descriptiona. Service Console update for COS kernel Updated COS package
    last seen2020-06-01
    modified2020-06-02
    plugin id46765
    published2010-06-01
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46765
    titleVMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2010-0009. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(46765);
      script_version("1.43");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id("CVE-2006-6304", "CVE-2007-4567", "CVE-2009-0590", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1384", "CVE-2009-1386", "CVE-2009-1387", "CVE-2009-2409", "CVE-2009-2695", "CVE-2009-2908", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3556", "CVE-2009-3563", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3726", "CVE-2009-3736", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4212", "CVE-2009-4272", "CVE-2009-4355", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0001", "CVE-2010-0097", "CVE-2010-0290", "CVE-2010-0382", "CVE-2010-0426", "CVE-2010-0427");
      script_bugtraq_id(31692, 34256, 35001, 35112, 35138, 35174, 35417, 36304, 36472, 36576, 36639, 36706, 36723, 36824, 36827, 36901, 36936, 37019, 37068, 37069, 37118, 37128, 37255, 37339, 37519, 37521, 37523, 37749, 37806, 37865, 37876, 37886, 38432);
      script_xref(name:"VMSA", value:"2010-0009");
    
      script_name(english:"VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi / ESX host is missing one or more
    security-related patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. Service Console update for COS kernel
    
       Updated COS package 'kernel' addresses the security issues that are
       fixed through versions 2.6.18-164.11.1.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
       CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
       fixed in kernel 2.6.18-164.6.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
       CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,
       CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,
       CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
       CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
       the security issues fixed in kernel 2.6.18-164.11.1.
    
    b. ESXi userworld update for ntp
    
       The Network Time Protocol (NTP) is used to synchronize the time of
       a computer client or server to another server or reference time
       source.
    
       A vulnerability in ntpd could allow a remote attacker to cause a
       denial of service (CPU and bandwidth consumption) by using
       MODE_PRIVATE to send a spoofed (1) request or (2) response packet
       that triggers a continuous exchange of MODE_PRIVATE error responses
       between two NTP daemons.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-3563 to this issue.
    
    c. Service Console package openssl updated to 0.9.8e-12.el5_4.1
    
       OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with
       full-strength cryptography world-wide.
    
       A memory leak in the zlib could allow a remote attacker to cause a
       denial of service (memory consumption) via vectors that trigger
       incorrect calls to the CRYPTO_cleanup_all_ex_data function.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-4355 to this issue.
    
       A vulnerability was discovered which may allow remote attackers to
       spoof certificates by using MD2 design flaws to generate a hash
       collision in less than brute-force time. NOTE: the scope of this
       issue is currently limited because the amount of computation
       required is still large.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-2409 to this issue.
    
       This update also includes security fixes that were first addressed
       in version openssl-0.9.8e-12.el5.i386.rpm.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the names CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,
       CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387 to these issues.
    
    d. Service Console update for krb5 to 1.6.1-36.el5_4.1 and pam_krb5 to
       2.2.14-15.
    
       Kerberos is a network authentication protocol. It is designed to
       provide strong authentication for client/server applications by
       using secret-key cryptography.
    
       Multiple integer underflows in the AES and RC4 functionality in the
       crypto library could allow remote attackers to cause a denial of
       service (daemon crash) or possibly execute arbitrary code by
       providing ciphertext with a length that is too short to be valid.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-4212 to this issue.
    
       The service console package for pam_krb5 is updated to version
       pam_krb5-2.2.14-15. This update fixes a flaw found in pam_krb5. In
       some non-default configurations (specifically, where pam_krb5 would
       be the first module to prompt for a password), a remote attacker
       could use this flaw to recognize valid usernames, which would aid a
       dictionary-based password guess attack.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-1384 to this issue.
    
    e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2
    
       BIND (Berkeley Internet Name Daemon) is by far the most widely used
       Domain Name System (DNS) software on the Internet.
    
       A vulnerability was discovered which could allow remote attacker to
       add the Authenticated Data (AD) flag to a forged NXDOMAIN response
       for an existing domain.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0097 to this issue.
    
       A vulnerability was discovered which could allow remote attackers
       to conduct DNS cache poisoning attacks by receiving a recursive
       client query and sending a response that contains CNAME or DNAME
       records, which do not have the intended validation before caching.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0290 to this issue.
    
       A vulnerability was found in the way that bind handles out-of-
       bailiwick data accompanying a secure response without re-fetching
       from the original source, which could allow remote attackers to
       have an unspecified impact via a crafted response.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0382 to this issue.
    
       NOTE: ESX does not use the BIND name service daemon by default.
    
    f. Service Console package gcc updated to 3.2.3-60
    
       The GNU Compiler Collection includes front ends for C, C++,
       Objective-C, Fortran, Java, and Ada, as well as libraries for these
       languages
    
       GNU Libtool's ltdl.c attempts to open .la library files in the
       current working directory.  This could allow a local user to gain
       privileges via a Trojan horse file.  The GNU C Compiler collection
       (gcc) provided in ESX contains a statically linked version of the
       vulnerable code, and is being replaced.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2009-3736 to this issue.
    
    g. Service Console package gzip update to 1.3.3-15.rhel3
    
       gzip is a software application used for file compression
    
       An integer underflow in gzip's unlzw function on 64-bit platforms
       may allow a remote attacker to trigger an array index error
       leading to a denial of service (application crash) or possibly
       execute arbitrary code via a crafted LZW compressed file.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0001 to this issue.
    
    h. Service Console package sudo updated to 1.6.9p17-6.el5_4
    
       Sudo (su 'do') allows a system administrator to delegate authority
       to give certain users (or groups of users) the ability to run some
       (or all) commands as root or another user while providing an audit
       trail of the commands and their arguments.
    
       When a pseudo-command is enabled, sudo permits a match between the
       name of the pseudo-command and the name of an executable file in an
       arbitrary directory, which allows local users to gain privileges
       via a crafted executable file.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0426 to this issue.
    
       When the runas_default option is used, sudo does not properly set
       group memberships, which allows local users to gain privileges via
       a sudo command.
    
       The Common Vulnerabilities and Exposures Project (cve.mitre.org)
       has assigned the name CVE-2010-0427 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2010/000099.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 119, 189, 200, 264, 287, 310, 362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/05/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/01");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2010-05-27");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006405-SG")) flag++;
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006406-SG")) flag++;
    if (
      esx_check(
        ver           : "ESX 3.5.0",
        patch         : "ESX350-201006408-SG",
        patch_updates : make_list("ESX350-201008411-SG")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005401-SG",
        patch_updates : make_list("ESX400-201009401-SG", "ESX400-201101401-SG", "ESX400-201103401-SG", "ESX400-201104401-SG", "ESX400-201110401-SG", "ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005405-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005406-SG",
        patch_updates : make_list("ESX400-201009403-SG", "ESX400-201110403-SG", "ESX400-201203407-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005407-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005408-SG",
        patch_updates : make_list("ESX400-201103407-SG", "ESX400-201305403-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0.0",
        patch         : "ESX400-201005409-SG",
        patch_updates : make_list("ESX400-201009410-SG", "ESX400-201101404-SG", "ESX400-201305402-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESXi 4.0.0",
        patch         : "ESXi400-201005401-SG",
        patch_updates : make_list("ESXi400-201101401-SG", "ESXi400-201103401-SG", "ESXi400-201104401-SG", "ESXi400-201110401-SG", "ESXi400-201203401-SG", "ESXi400-201205401-SG", "ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG", "ESXi400-Update02", "ESXi400-Update03", "ESXi400-Update04")
      )
    ) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200904-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200904-08 (OpenSSL: Denial of Service) The ASN1_STRING_print_ex() function does not properly check the provided length of a BMPString or UniversalString, leading to an invalid memory access. Impact : A remote attacker could entice a user or automated system to print a specially crafted certificate, possibly leading to a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id36096
    published2009-04-07
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36096
    titleGLSA-200904-08 : OpenSSL: Denial of Service
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200904-08.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36096);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2009-0590");
      script_bugtraq_id(34256);
      script_xref(name:"GLSA", value:"200904-08");
    
      script_name(english:"GLSA-200904-08 : OpenSSL: Denial of Service");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200904-08
    (OpenSSL: Denial of Service)
    
        The ASN1_STRING_print_ex() function does not properly check the
        provided length of a BMPString or UniversalString, leading to an
        invalid memory access.
      
    Impact :
    
        A remote attacker could entice a user or automated system to print a
        specially crafted certificate, possibly leading to a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200904-08"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenSSL users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-libs/openssl-0.9.8k'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-libs/openssl", unaffected:make_list("ge 0.9.8k"), vulnerable:make_list("lt 0.9.8k"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSL");
    }
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_140119.NASL
    descriptionSunOS 5.10_x86: sshd patch. Date this patch was last updated by Sun : Aug/14/09
    last seen2018-09-01
    modified2018-08-13
    plugin id38757
    published2009-05-13
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=38757
    titleSolaris 10 (x86) : 140119-11
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_LIBOPENSSL-DEVEL-090415.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id40033
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40033
    titleopenSUSE Security Update : libopenssl-devel (libopenssl-devel-785)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1335.NASL
    descriptionUpdated openssl packages that fix several security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example, UDP). Multiple denial of service flaws were discovered in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id63892
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63892
    titleRHEL 5 : openssl (RHSA-2009:1335)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0009_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries : - libpng - VMnc Codec - vmrun - VMware Remote Console (VMrc) - VMware Tools - vmware-authd
    last seen2020-06-01
    modified2020-06-02
    plugin id89740
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89740
    titleVMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_COMPAT-OPENSSL097G-110721.NASL
    descriptionThis update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen2020-06-01
    modified2020-06-02
    plugin id55711
    published2011-07-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55711
    titleSuSE 11.1 Security Update : compat-openssl097g (SAT Patch Number 4913)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1763.NASL
    descriptionIt was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate.
    last seen2020-06-01
    modified2020-06-02
    plugin id36090
    published2009-04-07
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36090
    titleDebian DSA-1763-1 : openssl - programming error
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2009-098-01.NASL
    descriptionNew openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36104
    published2009-04-08
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36104
    titleSlackware 11.0 / 12.0 / 12.1 / 12.2 / current : openssl (SSA:2009-098-01)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2010-0163.NASL
    descriptionFrom Red Hat Security Advisory 2010:0163 : Updated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id68017
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68017
    titleOracle Linux 3 / 4 : openssl (ELSA-2010-0163)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_COMPAT-OPENSSL097G-7644.NASL
    descriptionThis update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen2020-06-01
    modified2020-06-02
    plugin id55715
    published2011-07-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55715
    titleSuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7644)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_141742.NASL
    descriptionSunOS 5.10: sshd patch. Date this patch was last updated by Sun : Aug/14/09
    last seen2018-09-01
    modified2018-08-13
    plugin id39326
    published2009-06-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=39326
    titleSolaris 10 (sparc) : 141742-04
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1335.NASL
    descriptionUpdated openssl packages that fix several security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example, UDP). Multiple denial of service flaws were discovered in OpenSSL
    last seen2020-06-01
    modified2020-06-02
    plugin id43785
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43785
    titleCentOS 5 : openssl (CESA-2009:1335)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_COMPAT-OPENSSL097G-090416.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id40204
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40204
    titleopenSUSE Security Update : compat-openssl097g (compat-openssl097g-788)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-750-1.NASL
    descriptionIt was discovered that OpenSSL did not properly validate the length of an encoded BMPString or UniversalString when printing ASN.1 strings. If a user or automated system were tricked into processing a crafted certificate, an attacker could cause a denial of service via application crash in applications linked against OpenSSL. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36907
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36907
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : openssl vulnerability (USN-750-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_COMPAT-OPENSSL097G-6175.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id38643
    published2009-04-30
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38643
    titleopenSUSE 10 Security Update : compat-openssl097g (compat-openssl097g-6175)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0019.NASL
    descriptiona. Service Console update for samba The service console package samba is updated to version 3.0.9-1.3E.18. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-3069 to this issue. b. Service Console update for bzip2 The service console package bzip2 is updated to version 1.0.2-14.EL3 in ESX 3.x and version 1.0.3-6 in ESX 4.x. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0405 to this issue. c. Service Console update for OpenSSL The service console package openssl updated to version 0.9.7a-33.26. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0590, CVE-2009-2409 and CVE-2009-3555 to the issues addressed in this update.
    last seen2020-06-01
    modified2020-06-02
    plugin id51077
    published2010-12-08
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/51077
    titleVMSA-2010-0019 : VMware ESX third-party updates for Service Console
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2010-0163.NASL
    descriptionUpdated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id46274
    published2010-05-11
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46274
    titleRHEL 3 / 4 : openssl (RHSA-2010:0163)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_COMPAT-OPENSSL097G-6170.NASL
    descriptionThis update of openssl fixes the following problems : - ASN1_STRING_print_ex() function allows remote denial of service. (CVE-2009-0590) - denial of service due to malformed ASN.1 structures. (CVE-2009-0789)
    last seen2020-06-01
    modified2020-06-02
    plugin id41491
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41491
    titleSuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 6170)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_COMPAT-OPENSSL097G-090416.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id39938
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39938
    titleopenSUSE Security Update : compat-openssl097g (compat-openssl097g-788)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2010-0019_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bzip2 - Network Security Services (NSS) Library - OpenSSL - Samba
    last seen2020-06-01
    modified2020-06-02
    plugin id89745
    published2016-03-08
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89745
    titleVMware ESX Multiple Vulnerabilities (VMSA-2010-0019) (remote check)
  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_8K.NASL
    descriptionAccording to its banner, the remote server is running a version of OpenSSL prior to 0.9.8k. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the ASN1_STRING_print_ex() function due to improper string handling. A remote attacker can exploit this to cause an invalid memory access and application crash. (CVE-2009-0590) - A flaw exists in the CMS_verify() function due to improper handling of errors associated with malformed signed attributes. A remote attacker can exploit this to repudiate a signature that originally appeared to be valid but was actually invalid. (CVE-2009-0591) - A denial of service vulnerability exists due to improper handling of malformed ASN.1 structures. A remote attacker can exploit this to cause an invalid memory access and application crash. (CVE-2009-0789) - A memory leak exists in the SSL_free() function in ssl_lib.c. A remote attacker can exploit this to exhaust memory resources, resulting in a denial of service condition. (CVE-2009-5146)
    last seen2020-06-01
    modified2020-06-02
    plugin id17763
    published2012-01-04
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17763
    titleOpenSSL < 0.9.8k Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_COMPAT-OPENSSL097G-110721.NASL
    descriptionThis update adds openssl patches since 2007 for : - CVE-2008-5077 - CVE-2009-0590 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen2020-06-01
    modified2020-06-02
    plugin id75453
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75453
    titleopenSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_COMPAT-OPENSSL097G-090416.NASL
    descriptionThis update of openssl fixes the following problems : - ASN1_STRING_print_ex() function allows remote denial of service. (CVE-2009-0590) - denial of service due to malformed ASN.1 structures. (CVE-2009-0789)
    last seen2020-06-01
    modified2020-06-02
    plugin id41376
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41376
    titleSuSE 11 Security Update : OpenSSL (SAT Patch Number 789)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2010-0163.NASL
    descriptionUpdated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id45346
    published2010-03-26
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/45346
    titleCentOS 3 / 4 : openssl (CESA-2010:0163)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LIBOPENSSL-DEVEL-6173.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id38646
    published2009-04-30
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38646
    titleopenSUSE 10 Security Update : libopenssl-devel (libopenssl-devel-6173)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_LIBOPENSSL-DEVEL-090415.NASL
    descriptionThis update of openssl fixes the following problems : - CVE-2009-0590: ASN1_STRING_print_ex() function allows remote denial of service - CVE-2009-0591: CMS_verify() function allows signatures to look valid - CVE-2009-0789: denial of service due to malformed ASN.1 structures
    last seen2020-06-01
    modified2020-06-02
    plugin id40260
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40260
    titleopenSUSE Security Update : libopenssl-devel (libopenssl-devel-786)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_OPENSSL-6179.NASL
    descriptionThis update of openssl fixes the following problems : - ASN1_STRING_print_ex() function allows remote denial of service. (CVE-2009-0590) - denial of service due to malformed ASN.1 structures. (CVE-2009-0789)
    last seen2020-06-01
    modified2020-06-02
    plugin id41571
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41571
    titleSuSE 10 Security Update : OpenSSL (ZYPP Patch Number 6179)

Oval

  • accepted2013-04-29T04:03:20.638-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionThe ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
    familyunix
    idoval:org.mitre.oval:def:10198
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleThe ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
    version27
  • accepted2014-01-20T04:01:31.137-05:00
    classvulnerability
    contributors
    • nameJ. Daniel Brown
      organizationDTCC
    • nameChris Coffin
      organizationThe MITRE Corporation
    definition_extensions
    commentVMware ESX Server 4.0 is installed
    ovaloval:org.mitre.oval:def:6293
    descriptionThe ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
    familyunix
    idoval:org.mitre.oval:def:6996
    statusaccepted
    submitted2010-06-01T17:30:00.000-05:00
    titleOpenSSL Multiple Vulnerabilities
    version8

Redhat

advisories
rhsa
idRHSA-2009:1335
rpms
  • openssl-0:0.9.8e-12.el5
  • openssl-debuginfo-0:0.9.8e-12.el5
  • openssl-devel-0:0.9.8e-12.el5
  • openssl-perl-0:0.9.8e-12.el5
  • openssl-0:0.9.7a-33.26
  • openssl-0:0.9.7a-43.17.el4_8.5
  • openssl-debuginfo-0:0.9.7a-33.26
  • openssl-debuginfo-0:0.9.7a-43.17.el4_8.5
  • openssl-devel-0:0.9.7a-33.26
  • openssl-devel-0:0.9.7a-43.17.el4_8.5
  • openssl-perl-0:0.9.7a-33.26
  • openssl-perl-0:0.9.7a-43.17.el4_8.5

Statements

contributorTomas Hoger
lastmodified2010-03-25
organizationRed Hat
statementThis issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1335.html This issue was fixed in openssl packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0163.html

References