CVE-2012-1180 - Use After Free vulnerability in multiple products

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Summary
Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2012-3846.NASL
description: Update to upstream release 1.0.14 to fix: malformed HTTP response headers leads to information leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2012-04-12
plugin id: 58688
published: 2012-04-12
reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58688
title: Fedora 17 : nginx-1.0.14-1.fc17 (2012-3846)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-3846.
#

include("compat.inc");

if (description)
{
  script_id(58688);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-1180");
  script_bugtraq_id(52578);
  script_xref(name:"FEDORA", value:"2012-3846");

  script_name(english:"Fedora 17 : nginx-1.0.14-1.fc17 (2012-3846)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to upstream release 1.0.14 to fix: malformed HTTP response headers
leads to information leak.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=803856"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-April/077966.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4c5b7668"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^17([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC17", reference:"nginx-1.0.14-1.fc17")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
```
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2012-209.NASL
description: specially crafted http responses from upstream server could leak already freed memory
last seen: 2020-06-05
modified: 2014-06-13
plugin id: 74588
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74588
title: openSUSE Security Update : nginx-1.0 (openSUSE-SU-2012:0469-1)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2012-209.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(74588);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2012-1180");

  script_name(english:"openSUSE Security Update : nginx-1.0 (openSUSE-SU-2012:0469-1)");
  script_summary(english:"Check for the openSUSE-2012-209 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"specially crafted http responses from upstream server could leak
already freed memory"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=752482"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2012-04/msg00021.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected nginx-1.0 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.1", reference:"nginx-1.0-1.0.10-3.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"nginx-1.0-debuginfo-1.0.10-3.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.1", reference:"nginx-1.0-debugsource-1.0.10-3.4.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-1.0 / nginx-1.0-debuginfo / nginx-1.0-debugsource");
}
```
NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2012-043.NASL
description: A vulnerability has been found and corrected in nginx: Specially crafted backend response could result in sensitive information leak (CVE-2012-1180). The updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 58522
published: 2012-03-29
reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58522
title: Mandriva Linux Security Advisory : nginx (MDVSA-2012:043)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2012:043.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(58522);
  script_version("1.7");
  script_cvs_date("Date: 2019/08/02 13:32:54");

  script_cve_id("CVE-2012-1180");
  script_xref(name:"MDVSA", value:"2012:043");

  script_name(english:"Mandriva Linux Security Advisory : nginx (MDVSA-2012:043)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability has been found and corrected in nginx :

Specially crafted backend response could result in sensitive
information leak (CVE-2012-1180).

The updated packages have been patched to correct this issue."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2011");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2010.1", reference:"nginx-0.8.41-1.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2011", reference:"nginx-1.0.5-1.1-mdv2011.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2012-63.NASL
description: Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 69670
published: 2013-09-04
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/69670
title: Amazon Linux AMI : nginx (ALAS-2012-63)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2012-63.
#

include("compat.inc");

if (description)
{
  script_id(69670);
  script_version("1.5");
  script_cvs_date("Date: 2018/04/18 15:09:34");

  script_cve_id("CVE-2012-1180");
  script_xref(name:"ALAS", value:"2012-63");

  script_name(english:"Amazon Linux AMI : nginx (ALAS-2012-63)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before
1.1.17 allows remote HTTP servers to obtain sensitive information from
process memory via a crafted backend response, in conjunction with a
client request."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2012-63.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update nginx' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"nginx-1.0.14-1.8.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.0.14-1.8.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2012-3991.NASL
description: Update to upstream release 1.0.14 to fix: malformed HTTP response headers leads to information leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2012-04-02
plugin id: 58545
published: 2012-04-02
reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58545
title: Fedora 16 : nginx-1.0.14-1.fc16 (2012-3991)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-3991.
#

include("compat.inc");

if (description)
{
  script_id(58545);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-1180");
  script_xref(name:"FEDORA", value:"2012-3991");

  script_name(english:"Fedora 16 : nginx-1.0.14-1.fc16 (2012-3991)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to upstream release 1.0.14 to fix: malformed HTTP response headers
leads to information leak.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=803856"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-March/076646.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5e76968f"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC16", reference:"nginx-1.0.14-1.fc16")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2434.NASL
description: Matthew Daley discovered a memory disclosure vulnerability in nginx. In previous versions of this web server, an attacker can receive the content of previously freed memory if an upstream server returned a specially crafted HTTP response, potentially exposing sensitive information.
last seen: 2020-03-17
modified: 2012-03-20
plugin id: 58391
published: 2012-03-20
reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/58391
title: Debian DSA-2434-1 : nginx - sensitive information leak
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2434. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58391);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-1180");
  script_xref(name:"DSA", value:"2434");

  script_name(english:"Debian DSA-2434-1 : nginx - sensitive information leak");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Matthew Daley discovered a memory disclosure vulnerability in nginx. In
previous versions of this web server, an attacker can receive the
content of previously freed memory if an upstream server returned a
specially crafted HTTP response, potentially exposing sensitive
information."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664137"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze/nginx"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2012/dsa-2434"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the nginx packages.

For the stable distribution (squeeze), this problem has been fixed in
version 0.7.67-3+squeeze2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"6.0", prefix:"nginx", reference:"0.7.67-3+squeeze2")) flag++;
if (deb_check(release:"6.0", prefix:"nginx-dbg", reference:"0.7.67-3+squeeze2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2012-4006.NASL
description: Update to upstream release 1.0.14 to fix: malformed HTTP response headers leads to information leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2012-04-02
plugin id: 58546
published: 2012-04-02
reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58546
title: Fedora 15 : nginx-1.0.14-1.fc15 (2012-4006)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-4006.
#

include("compat.inc");

if (description)
{
  script_id(58546);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-1180");
  script_xref(name:"FEDORA", value:"2012-4006");

  script_name(english:"Fedora 15 : nginx-1.0.14-1.fc15 (2012-4006)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to upstream release 1.0.14 to fix: malformed HTTP response headers
leads to information leak.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=803856"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-March/076671.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6776c1a1"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC15", reference:"nginx-1.0.14-1.fc15")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
```
NASL family: Web Servers
NASL id: NGINX_1_0_14.NASL
description: The remote web server is running nginx, a lightweight, high performance web server / reverse proxy and email (IMAP/POP3) proxy. According to its Server response header, the installed version of nginx is earlier than 1.0.14 or is 1.1.x before 1.1.17 and is, therefore, affected by a memory disclosure vulnerability. An issue related to the parsing of HTTP header responses can allow a remote attacker to obtain the contents of previously freed memory.
last seen: 2020-05-09
modified: 2012-03-21
plugin id: 58414
published: 2012-03-21
reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/58414
title: nginx < 1.0.14 / 1.1.17 HTTP Header Response Memory Disclosure
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(58414);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2012-1180");
  script_bugtraq_id(52578);

  script_name(english:"nginx < 1.0.14 / 1.1.17 HTTP Header Response Memory Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The web server on the remote host is affected by a memory disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote web server is running nginx, a lightweight, high performance web server / reverse proxy and email
(IMAP/POP3) proxy.

According to its Server response header, the installed version of nginx is earlier than 1.0.14 or is 1.1.x before
1.1.17 and is, therefore, affected by a memory disclosure vulnerability.

An issue related to the parsing of HTTP header responses can allow a remote attacker to obtain the contents of
previously freed memory.");
  script_set_attribute(attribute:"see_also", value:"http://nginx.net/CHANGES");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/CHANGES-1.0");
  script_set_attribute(attribute:"see_also", value:"https://trac.nginx.org/nginx/changeset/4535/nginx");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.0.14 / 1.1.17 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-1180");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/21");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"agent", value:"unix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin");
  script_require_keys("installed_sw/nginx");

  exit(0);
}

include('http.inc');
include('vcf.inc');

appname = 'nginx';
get_install_count(app_name:appname, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:appname);

vcf::check_granularity(app_info:app_info, sig_segments:3);

# If the detection is only remote, Detection Method won't be set, and we should require paranoia
if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
  audit(AUDIT_PARANOID);

# Affected: anything below 1.0.14, and the 1.1.x branch below 1.1.17
constraints = [
  {'fixed_version' : '1.0.14'},
  {'fixed_version' : '1.1.17', 'min_version' : '1.1.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201203-22.NASL
description: The remote host is affected by the vulnerability described in GLSA-201203-22 (nginx: Multiple vulnerabilities) Multiple vulnerabilities have been found in nginx: The TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555). The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 59614
published: 2012-06-21
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/59614
title: GLSA-201203-22 : nginx: Multiple vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201203-22.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(59614);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/11 17:09:26");

  script_cve_id("CVE-2009-3555", "CVE-2009-3896", "CVE-2009-3898", "CVE-2011-4315", "CVE-2012-1180");
  script_bugtraq_id(36490, 36839, 36935, 50710, 52578);
  script_xref(name:"GLSA", value:"201203-22");

  script_name(english:"GLSA-201203-22 : nginx: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "The remote host is affected by the vulnerability described in GLSA-201203-22
(nginx: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in nginx:
      The TLS protocol does not properly handle session renegotiation
        requests (CVE-2009-3555).
      The 'ngx_http_process_request_headers()' function in
        ngx_http_parse.c could cause a NULL pointer dereference
        (CVE-2009-3896).
      nginx does not properly sanitize user input for the WebDAV COPY or
        MOVE methods (CVE-2009-3898).
      The 'ngx_resolver_copy()' function in ngx_resolver.c contains a
        boundary error which could cause a heap-based buffer overflow
        (CVE-2011-4315).
      nginx does not properly parse HTTP header responses which could
        expose sensitive information (CVE-2012-1180).

Impact :

    A remote attacker could possibly execute arbitrary code with the
      privileges of the nginx process, cause a Denial of Service condition,
      create or overwrite arbitrary files, or obtain sensitive information.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201203-22"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "All nginx users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.0.14'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(22, 119, 310);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"www-servers/nginx", unaffected:make_list("ge 1.0.14"), vulnerable:make_list("lt 1.0.14"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
Seebug
| Field | Value |
| --- | --- |
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 52578 CVE ID: CVE-2012-1180. nginx is a very widely used high-performance web server. nginx has an information disclosure vulnerability in its handling of malformed HTTP responses from upstream servers; an attacker can exploit it to obtain sensitive information. nginx 1.0.9, nginx 1.0.8, nginx 1.0.10. Vendor patch: Igor Sysoev. The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://nginx.net/ |
| id | SSV:60011 |
| last seen | 2017-11-19 |
| modified | 2012-03-29 |
| published | 2012-03-29 |
| reporter | Root |
| title | nginx 'ngx_cpystrn()' Information Disclosure Vulnerability (CVE-2012-1180) |
References
- http://nginx.org/en/security_advisories.html
- http://nginx.org/download/patch.2012.memory.txt
- http://trac.nginx.org/nginx/changeset/4531/nginx
- http://www.openwall.com/lists/oss-security/2012/03/15/5
- http://www.openwall.com/lists/oss-security/2012/03/15/9
- http://seclists.org/bugtraq/2012/Mar/65
- http://trac.nginx.org/nginx/changeset/4530/nginx
- https://bugzilla.redhat.com/show_bug.cgi?id=803856
- http://www.securityfocus.com/bid/52578
- http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076671.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077966.html
- http://secunia.com/advisories/48465
- http://www.securitytracker.com/id?1026827
- http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076646.html
- http://security.gentoo.org/glsa/glsa-201203-22.xml
- http://secunia.com/advisories/48577
- http://osvdb.org/80124
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74191
- https://hermes.opensuse.org/messages/14173096
- http://www.debian.org/security/2012/dsa-2434
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:043