Vulnerabilities > CVE-2013-6747 - Improper Input Validation vulnerability in IBM products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
IBM GSKit 7.x before 7.0.4.48 and 8.x before 8.0.50.16, as used in IBM Security Directory Server (ISDS) and Tivoli Directory Server (TDS), allows remote attackers to cause a denial of service (application crash or hang) via a malformed X.509 certificate chain.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Windows NASL id IBM_GSKIT_SWG21662902.NASL description The remote host is running a version of IBM Tivoli Directory Server 6.1.0.x prior to 6.1.0.59, 6.2.0 prior to 6.2.0.34, or 6.3.0.x prior to 6.3.0.26, and a version of IBM Global Security Kit (GSKit) 7.0.x prior to 7.0.4.48 or 8.0.50.x prior to 8.0.50.16. It is, therefore, affected by a denial of service vulnerability due to a flaw in the GSKit library. An attacker can exploit this vulnerability via a malformed X.509 certificate chain to cause an application crash or hang. last seen 2020-06-01 modified 2020-06-02 plugin id 72220 published 2014-01-29 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72220 title IBM Tivoli Directory Server < 6.1.0.59 / 6.2.0.34 / 6.3.0.26 with GSKit < 7.0.4.48 / 8.0.50.16 X.509 Certificate Chain DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(72220); script_version("1.7"); script_cvs_date("Date: 2018/07/12 19:01:17"); script_cve_id("CVE-2013-6747"); script_bugtraq_id(65156); script_name(english:"IBM Tivoli Directory Server < 6.1.0.59 / 6.2.0.34 / 6.3.0.26 with GSKit < 7.0.4.48 / 8.0.50.16 X.509 Certificate Chain DoS"); script_summary(english:"Checks the version of Tivoli Directory Server."); script_set_attribute(attribute:"synopsis", value: "The version of IBM Tivoli Directory Server and GSKit is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is running a version of IBM Tivoli Directory Server 6.1.0.x prior to 6.1.0.59, 6.2.0 prior to 6.2.0.34, or 6.3.0.x prior to 6.3.0.26, and a version of IBM Global Security Kit (GSKit) 7.0.x prior to 7.0.4.48 or 8.0.50.x prior to 8.0.50.16. It is, therefore, affected by a denial of service vulnerability due to a flaw in the GSKit library. An attacker can exploit this vulnerability via a malformed X.509 certificate chain to cause an application crash or hang."); # https://www-304.ibm.com/support/docview.wss?uid=swg21662902 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1afae799"); # https://www.ibm.com/blogs/psirt/security-bulletin-gskit-certificate-chain-vulnerability-in-ibm-security-directory-server-and-tivoli-directory-server-cve-2013-6747/ script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?93389b8b"); script_set_attribute(attribute:"solution", value: "Install the appropriate fix based on the vendor's advisory : - 6.1.0.59-ISS-ITDFS-IF0059 - 6.2.0.34-ISS-ITDFS-IF0034 - 6.3.0.26-ISS-ITDFS-IF0026 Alternatively, upgrade GSKit to 7.0.4.48 or 8.0.50.16."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_directory_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("ibm_gskit_installed.nasl", "tivoli_directory_svr_installed.nasl"); script_require_keys("installed_sw/IBM GSKit", "installed_sw/IBM Security Directory Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("install_func.inc"); include("misc_func.inc"); tds_name = "IBM Security Directory Server"; tds_install = get_single_install(app_name:tds_name, exit_if_unknown_ver:TRUE); tds_ver = tds_install['version']; tds_path = tds_install['path']; tds_fix = NULL; tds_patch = NULL; gsk_ver_regex = NULL; gsk_fix = NULL; # Ensure that TDS version is affected. if (tds_ver =~ "^6\.1\.") { tds_fix = "6.1.0.59"; tds_patch = "6.1.0.59-ISS-ITDFS-IF0059"; gsk_ver_regex = "^7\."; gsk_fix = '7.0.4.48'; } else if (tds_ver =~ "^6\.2\.") { tds_fix = "6.2.0.34"; tds_patch = "6.2.0.34-ISS-ITDFS-IF0034"; gsk_ver_regex = "^7\."; gsk_fix = '7.0.4.48'; } else if (tds_ver =~ "^6\.3\.") { tds_fix = "6.3.0.26"; tds_patch = "6.3.0.26-ISS-ITDFS-IF0026"; gsk_ver_regex = "^8\."; gsk_fix = '8.0.50.16'; } # If the IF has been installed or the branch is not affected, exit. if (isnull(tds_fix) || ver_compare(ver:tds_ver, fix:tds_fix, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, tds_name, tds_ver, tds_path); # If we got this far, we need to look at GSKit. gsk_app = "IBM GSKit"; # We don't bother to exit if we can't detect any GSKit installations gsk_installs = get_installs(app_name:gsk_app); gsk_report = NULL; gsk_vuln = 0; foreach gsk_install (gsk_installs[1]) { gsk_ver = gsk_install['version']; gsk_path = gsk_install['path']; # There can only be a single install per major version. So we will # have at most one vulnerable install. if (gsk_ver !~ gsk_ver_regex) continue; if ( (gsk_ver =~ "^8\.0\.50\." && ver_compare(ver:gsk_ver, fix:gsk_fix, strict:FALSE) == -1) || (gsk_ver =~ "^7\.0\." && ver_compare(ver:gsk_ver, fix:gsk_fix, strict:FALSE) == -1) ) { gsk_report += '\n Path : ' + gsk_path + '\n Installed GSKit Version : ' + gsk_ver + '\n Fixed GSKit Version : ' + gsk_fix + '\n'; gsk_vuln++; } } port = get_kb_item('SMB/transport'); if (!port) port = 445; if (report_verbosity > 0) { report = '\n' + 'The install of ' + tds_name + ' is vulnerable :' + '\n' + '\n' + ' Path : ' + tds_path + '\n' + ' Installed version : ' + tds_ver + '\n' + ' Fixed version : ' + tds_fix + '\n' + '\n' + 'Install ' + tds_patch + ' to update installation.' + '\n'; if (!isnull(gsk_report)) { instance = " instance "; is_are = " is "; if (gsk_vuln > 1) {instance = " instances "; is_are = " are ";} report += '\nAlso, the following vulnerable'+instance+'of '+gsk_app+is_are+'installed on the'+ '\nremote host :' + '\n' + gsk_report; } security_hole(port:port, extra:report); } else security_hole(port); exit(0);NASL family Databases NASL id DB2_101FP3A.NASL description According to its version, the installation of IBM DB2 10.1 running on the remote host is prior to Fix Pack 3a. It is, therefore, affected by one or more of the following vulnerabilities : - The included version of GSKit contains an error related to CBC-mode and timing that could allow an attacker to recover plaintext from encrypted communications. (CVE-2013-0169) - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that could allow a local user to carry out privilege escalation attacks. Note this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963) last seen 2020-06-01 modified 2020-06-02 plugin id 76110 published 2014-06-18 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76110 title IBM DB2 10.1 < Fix Pack 3a Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76110); script_version("1.9"); script_cvs_date("Date: 2019/11/26"); script_cve_id( "CVE-2013-0169", "CVE-2013-6747", "CVE-2014-0907", "CVE-2014-0963" ); script_bugtraq_id( 57778, 65156, 67238, 67617 ); script_name(english:"IBM DB2 10.1 < Fix Pack 3a Multiple Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 10.1 running on the remote host is prior to Fix Pack 3a. It is, therefore, affected by one or more of the following vulnerabilities : - The included version of GSKit contains an error related to CBC-mode and timing that could allow an attacker to recover plaintext from encrypted communications. (CVE-2013-0169) - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that could allow a local user to carry out privilege escalation attacks. Note this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21672100"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21671732"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21610582"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24037557"); script_set_attribute(attribute:"solution", value: "Apply IBM DB2 version 10.1 Fix Pack 3a or Fix Pack 4 or later. Note that the vendor has posted a workaround for the build error issue (CVE-2014-0907) involving the command 'sqllib/bin/db2chglibpath'. Please consult the advisory for detailed instructions."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0907"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ "^10\.1\.") audit(AUDIT_NOT_LISTEN, "DB2 10.1", port); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows 32-bit/64-bit if (platform == 5 || platform == 23) { fixed_level = '10.1.301.770'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; } # Others else if ( # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) { fixed_level = '10.1.0.3'; if (ver_compare(ver:level, fix:fixed_level) <= 0) vuln = TRUE; # If not paranoid and at 10.1.0.3 already, # do not report - we cannot tell if FP3a is there. if (level == fixed_level && report_paranoia < 2) exit(1, "Nessus is unable to determine if the patch has been applied or not."); } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);NASL family Web Servers NASL id WEBSPHERE_8_0_0_9.NASL description IBM WebSphere Application Server 8.0 prior to Fix Pack 9 is running on the remote host. It is, therefore, affected by the following vulnerabilities : - A cross-site scripting flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6323, PI04777 and PI04880) - A denial of service flaw exists within the Global Security Kit when handling SSLv2 resumption during the SSL/TLS handshake. This could allow a remote attacker to crash the program. (CVE-2013-6329, PI05309) - A buffer overflow flaw exists in the HTTP server with the mod_dav module when using add-ons. This could allow a remote attacker to cause a buffer overflow and a denial of service. (CVE-2013-6438, PI09345) - A cross-site scripting flaw exists within OAuth where user input is not properly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6738, PI05661) - A denial of service flaw exists within the Global Security Kit when handling X.509 certificate chain during the initiation of a SSL/TLS connection. A remote attacker, using a malformed certificate chain, could cause the client or server to crash by hanging the Global Security Kit. (CVE-2013-6747, PI09443) - A denial of service flaw exists within the Apache Commons FileUpload when parsing a content-type header for a multipart request. A remote attacker, using a specially crafted request, could crash the program. (CVE-2014-0050, PI12648, PI12926 and PI13162) - A flaw exists in the Elliptic Curve Digital Signature Algorithm implementation which could allow a malicious process to recover ECDSA nonces. (CVE-2014-0076, PI19700) - A denial of service flaw exists in the last seen 2020-06-01 modified 2020-06-02 plugin id 76995 published 2014-08-04 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76995 title IBM WebSphere Application Server 8.0 < Fix Pack 9 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76995); script_version("1.10"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2013-6323", "CVE-2013-6329", "CVE-2013-6438", "CVE-2013-6738", "CVE-2013-6747", "CVE-2014-0050", "CVE-2014-0076", "CVE-2014-0098", "CVE-2014-0453", "CVE-2014-0460", "CVE-2014-0823", "CVE-2014-0857", "CVE-2014-0859", "CVE-2014-0878", "CVE-2014-0891", "CVE-2014-0963", "CVE-2014-0965", "CVE-2014-3022" ); script_bugtraq_id( 64249, 65156, 65400, 66303, 66914, 66916, 67051, 67238, 67327, 67329, 67335, 67579, 67601, 67720, 68210, 68211 ); script_name(english:"IBM WebSphere Application Server 8.0 < Fix Pack 9 Multiple Vulnerabilities"); script_summary(english:"Reads the version number from the SOAP port."); script_set_attribute(attribute:"synopsis", value: "The remote application server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "IBM WebSphere Application Server 8.0 prior to Fix Pack 9 is running on the remote host. It is, therefore, affected by the following vulnerabilities : - A cross-site scripting flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6323, PI04777 and PI04880) - A denial of service flaw exists within the Global Security Kit when handling SSLv2 resumption during the SSL/TLS handshake. This could allow a remote attacker to crash the program. (CVE-2013-6329, PI05309) - A buffer overflow flaw exists in the HTTP server with the mod_dav module when using add-ons. This could allow a remote attacker to cause a buffer overflow and a denial of service. (CVE-2013-6438, PI09345) - A cross-site scripting flaw exists within OAuth where user input is not properly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6738, PI05661) - A denial of service flaw exists within the Global Security Kit when handling X.509 certificate chain during the initiation of a SSL/TLS connection. A remote attacker, using a malformed certificate chain, could cause the client or server to crash by hanging the Global Security Kit. (CVE-2013-6747, PI09443) - A denial of service flaw exists within the Apache Commons FileUpload when parsing a content-type header for a multipart request. A remote attacker, using a specially crafted request, could crash the program. (CVE-2014-0050, PI12648, PI12926 and PI13162) - A flaw exists in the Elliptic Curve Digital Signature Algorithm implementation which could allow a malicious process to recover ECDSA nonces. (CVE-2014-0076, PI19700) - A denial of service flaw exists in the 'mod_log_config' when logging a cookie with an unassigned value. A remote attacker, using a specially crafted request, can cause the program to crash. (CVE-2014-0098, PI13028) - An information disclosure flaw exists in the 'sun.security.rsa.RSAPadding' with 'PKCS#1' unpadding. This many allow a remote attacker to gain timing information intended to be protected by encryption. (CVE-2014-0453) - A flaw exists with 'com.sun.jndi.dns.DnsClient' related to the randomization of query IDs. This could allow a remote attacker to conduct spoofing attacks. (CVE-2014-0460) - A flaw exists in the Full and Liberty profiles. A remote attacker, using a specially crafted request, could gain access to arbitrary files. (CVE-2014-0823, PI05324) - An information disclosure flaw exists within the Administrative Console. This could allow a network attacker, using a specially crafted request, to gain privileged access. (CVE-2014-0857, PI07808) - A denial of service flaw exists in a web server plugin on servers configured to retry failed POST request. This could allow a remote attacker to crash the application. (CVE-2014-0859, PI08892) - An information disclosure flaw exists within Proxy and ODR servers. This could allow a remote attacker, using a specially crafted request, to gain access to potentially sensitive information. (CVE-2014-0891, PI09786) - A denial of service flaw exists within the IBM Security Access Manager for Web with the Reverse Proxy component. This could allow a remote attacker, using specially crafted TLS traffic, to cause the application on the system to become unresponsive. (CVE-2014-0963, PI17025) - An information disclosure flaw exists when handling SOAP responses. This could allow a remote attacker to potentially gain access to sensitive information. (CVE-2014-0965, PI11434) - An information disclosure flaw exists. A remote attacker, using a specially crafted URL, could gain access to potentially sensitive information. (CVE-2014-3022, PI09594)"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21676092"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21659548"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21663941"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21667254"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21667526"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21672843"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21673013"); script_set_attribute(attribute:"solution", value: "Apply Fix Pack 9 for version 8.0 (8.0.0.9) or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0050"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/01"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("websphere_detect.nasl"); script_require_keys("www/WebSphere"); script_require_ports("Services/www", 8880, 8881); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:8880, embedded:0); version = get_kb_item_or_exit("www/WebSphere/"+port+"/version"); if (version !~ "^8\.0([^0-9]|$)") audit(AUDIT_NOT_LISTEN, "IBM WebSphere Application Server 8.0", port); if (version =~ "^[0-9]+(\.[0-9]+)?$") audit(AUDIT_VER_NOT_GRANULAR, "IBM WebSphere Application Server", port, version); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if (ver[0] == 8 && ver[1] == 0 && ver[2] == 0 && ver[3] < 9) { set_kb_item(name:"www/"+port+"/XSS", value:TRUE); if (report_verbosity > 0) { source = get_kb_item_or_exit("www/WebSphere/"+port+"/source"); report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 8.0.0.9' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "IBM WebSphere Application Server", port, version);NASL family Misc. NASL id IBM_INFORMIX_SERVER_SWG21668664.NASL description The remote Informix server ships with a version of IBM last seen 2020-06-01 modified 2020-06-02 plugin id 80476 published 2015-01-13 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80476 title Informix Server GSKit 7.x <= 7.0.4.47 / 8.0.50.x <= 8.0.50.13 X.509 Certificate Chain DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(80476); script_version("1.5"); script_cvs_date("Date: 2018/07/12 19:01:16"); script_cve_id("CVE-2013-6747"); script_bugtraq_id(65156); script_name(english:"Informix Server GSKit 7.x <= 7.0.4.47 / 8.0.50.x <= 8.0.50.13 X.509 Certificate Chain DoS"); script_summary(english:"Checks version of Informix Server and GSKit."); script_set_attribute(attribute:"synopsis", value: "The remote host has an application that is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The remote Informix server ships with a version of IBM's Global Security kit (GSKit) library that is affected by a denial of service vulnerability. A remote attacker can exploit this issue via malformed X.509 certificate chain to cause the host to become unresponsive. Note that this plugin only checks the version of IBM Informix Server and GSKit. It does not check for the presence of any workaround."); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21668664"); script_set_attribute(attribute:"solution", value: "Upgrade the Informix server or apply the correct GSKit patch per the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/06"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:global_security_kit"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:informix_dynamic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ibm_gskit_installed.nasl", "ibm_informix_server_installed.nasl"); script_require_keys("installed_sw/IBM GSKit", "installed_sw/IBM Informix Dynamic Server"); exit(0); } include('audit.inc'); include('global_settings.inc'); include("install_func.inc"); include('misc_func.inc'); ids_app = 'IBM Informix Dynamic Server'; ids_install = get_single_install(app_name:ids_app, exit_if_unknown_ver:TRUE); ids_ver = ids_install['version']; ids_path = ids_install['path']; ids_fix = NULL; gsk_regex = NULL; gsk_fix = NULL; item = pregmatch(pattern: "[cC]([0-9]+)([^0-9]|$)", string: ids_ver); c_num = 0; if (!isnull(item) && !isnull(item[1])) c_num = int(item[1]); # 11.50 (currently no fix for 11.50 branch) if (ids_ver =~ "^11\.50($|[^0-9])") { ids_fix = "None available. Upgrade GSKit."; gsk_regex = "^7\."; gsk_fix = '7.0.4.48'; } # 11.70 (currently no fix for 11.70 branch) else if (ids_ver =~ "^11\.70($|[^0-9])") { ids_fix = "None available. Upgrade GSKit."; gsk_regex = "^8\.0\.50\."; gsk_fix = "8.0.50.17"; } # 12.10 < 12.10.xC3 else if (ids_ver =~ "^12\.10($|[^0-9])" && c_num < 3) { ids_fix = "12.10.xC4"; gsk_regex = "^8\.0\.50\."; gsk_fix = "8.0.50.17"; } else audit(AUDIT_INST_PATH_NOT_VULN, ids_app, ids_ver, ids_path); # Check GSKit version if Informix is not patched gsk_app = "IBM GSKit"; # We don't bother to exit if we can't detect any GSKit installations gsk_installs = get_installs(app_name:gsk_app); gsk_report = NULL; gsk_vuln = 0; foreach gsk_install (gsk_installs[1]) { gsk_ver = gsk_install['version']; gsk_path = gsk_install['path']; if (gsk_ver =~ gsk_regex && ver_compare(ver:gsk_ver, fix:gsk_fix, strict:FALSE) == -1) { gsk_report += '\n Path : ' + gsk_path + '\n Installed version : ' + gsk_ver + '\n Fixed version : ' + gsk_fix + '\n'; gsk_vuln++; } } port = get_kb_item("SMB/transport"); if (!port) port = 445; if (report_verbosity > 0) { report = '\n' + 'The install of ' + ids_app + ' is vulnerable :' + '\n' + '\n' + ' Path : ' + ids_path + '\n' + ' Installed version : ' + ids_ver + '\n' + ' Fixed version : ' + ids_fix + '\n'; server_instances = get_kb_item("Host/" + ids_app + "/Server Instances"); if (!empty_or_null(server_instances)) { instance_list = split(server_instances, sep:' / ', keep:FALSE); report += ' Server instances : ' + '\n - ' + join(instance_list, sep:'\n - ') + '\n'; } if (!isnull(gsk_report)) { instance = " instance "; is_are = " is "; if (gsk_vuln > 1) {instance = " instances "; is_are = " are ";} report += '\nAlso, the following vulnerable'+instance+'of '+gsk_app+is_are+'installed on the'+ '\nremote host :' + '\n' + gsk_report; } security_hole(port:port, extra:report); } else security_hole(port);NASL family Databases NASL id DB2_105FP3A.NASL description According to its version, the installation of IBM DB2 10.5 running on the remote host is prior to Fix Pack 3a. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that could allow a local user to carry out privilege escalation attacks. Note this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963) last seen 2020-06-01 modified 2020-06-02 plugin id 76111 published 2014-06-18 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76111 title IBM DB2 10.5 < Fix Pack 3a Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76111); script_version("1.8"); script_cvs_date("Date: 2019/11/26"); script_cve_id("CVE-2013-6747", "CVE-2014-0907", "CVE-2014-0963"); script_bugtraq_id(65156, 67238, 67617); script_name(english:"IBM DB2 10.5 < Fix Pack 3a Multiple Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 10.5 running on the remote host is prior to Fix Pack 3a. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that could allow a local user to carry out privilege escalation attacks. Note this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21672100"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21671732"); script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21647054"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24037555"); script_set_attribute(attribute:"solution", value: "Apply IBM DB2 version 10.5 Fix Pack 3a or later. Alternatively, in the case of DB2 Version 10.5 Fix Pack 2, contact the vendor to obtain a special build with the interim fix. Note that the vendor has posted a workaround for the build error issue (CVE-2014-0907) involving the command 'sqllib/bin/db2chglibpath'. Please consult the advisory for detailed instructions."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0907"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ "^10\.5\.") audit(AUDIT_NOT_LISTEN, "DB2 10.5", port); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Windows 32-bit/64-bit if (platform == 5 || platform == 23) { fixed_level = '10.5.301.84'; if (ver_compare(ver:level, fix:fixed_level) == -1) vuln = TRUE; # In the case of 10.5 FP2 and a non-paranoid # scan, do not report as it's not clear that # a special build increases the build level if (level == '10.5.200.109' && report_paranoia < 2) exit(1, "Nessus is unable to determine if the patch has been applied or not."); } # Others else if ( # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) { fixed_level = '10.5.0.3'; if (ver_compare(ver:level, fix:fixed_level) <= 0) vuln = TRUE; # If not paranoid and at 10.5.0.2/10.5.0.3 already, # do not report - we cannot tell if special build or # FP3a is there. if ((level == '10.5.0.2' || level == fixed_level) && report_paranoia < 2) exit(1, "Nessus is unable to determine if the patch has been applied or not."); } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { fixed_level += ' (10.5 Fix Pack 3a)'; report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);NASL family Web Servers NASL id WEBSPHERE_8_5_5_2.NASL description IBM WebSphere Application Server 8.5 prior to Fix Pack 8.5.5.2 appears to be running on the remote host and is, therefore, potentially affected by the following vulnerabilities : - Numerous errors exist related to the included IBM SDK for Java (based on the Oracle JDK) that could allow denial of service attacks and information disclosure. (CVE-2013-5372, CVE-2013-5780, CVE-2013-5803) - User input validation errors exist related to the Administrative console and the Oauth component that could allow cross-site scripting attacks. (CVE-2013-6725 / PM98132, CVE-2013-6323 / PI04777, CVE-2013-6738 / PI05661) - An error exists due to a failure to properly handle by web services endpoint requests that could allow denial of service attacks. (CVE-2013-6325 / PM99450, PI08267) - An error exists in the included IBM Global Security Kit related to SSL handling that could allow denial of service attacks. (CVE-2013-6329 / PI05309) - A flaw exists with the last seen 2020-06-01 modified 2020-06-02 plugin id 74235 published 2014-05-29 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74235 title IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(74235); script_version("1.12"); script_cvs_date("Date: 2019/11/26"); script_cve_id( "CVE-2013-5372", "CVE-2013-5780", "CVE-2013-5803", "CVE-2013-6323", "CVE-2013-6325", "CVE-2013-6329", "CVE-2013-6438", "CVE-2013-6725", "CVE-2013-6738", "CVE-2013-6747", "CVE-2014-0050", "CVE-2014-0823", "CVE-2014-0857", "CVE-2014-0859", "CVE-2014-0891", "CVE-2014-0896" ); script_bugtraq_id( 63082, 63115, 63224, 64249, 65096, 65099, 65156, 65400, 66303, 67051, 67327, 67328, 67329, 67335, 67579, 67720 ); script_name(english:"IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities"); script_summary(english:"Reads the version number from the SOAP port."); script_set_attribute(attribute:"synopsis", value: "The remote application server may be affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "IBM WebSphere Application Server 8.5 prior to Fix Pack 8.5.5.2 appears to be running on the remote host and is, therefore, potentially affected by the following vulnerabilities : - Numerous errors exist related to the included IBM SDK for Java (based on the Oracle JDK) that could allow denial of service attacks and information disclosure. (CVE-2013-5372, CVE-2013-5780, CVE-2013-5803) - User input validation errors exist related to the Administrative console and the Oauth component that could allow cross-site scripting attacks. (CVE-2013-6725 / PM98132, CVE-2013-6323 / PI04777, CVE-2013-6738 / PI05661) - An error exists due to a failure to properly handle by web services endpoint requests that could allow denial of service attacks. (CVE-2013-6325 / PM99450, PI08267) - An error exists in the included IBM Global Security Kit related to SSL handling that could allow denial of service attacks. (CVE-2013-6329 / PI05309) - A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438 / PI09345) - An error exists in the included IBM Global Security Kit related to malformed X.509 certificate chain handling that could allow denial of service attacks. (CVE-2013-6747 / PI09443) - An error exists in the included Apache Tomcat version related to handling 'Content-Type' HTTP headers and multipart requests such as file uploads that could allow denial of service attacks. (CVE-2014-0050 / PI12648, PI12926) - An unspecified error exists that could allow file disclosures to remote unauthenticated attackers. (CVE-2014-0823 / PI05324) - An unspecified error exists related to the Administrative console that could allow a security bypass. (CVE-2014-0857 / PI07808) - An error exists related to a web server plugin and retrying failed POST requests that could allow denial of service attacks. (CVE-2014-0859 / PI08892) - An error exists related to the Proxy and ODR components that could allow information disclosure. (CVE-2014-0891 / PI09786) - An unspecified error exists related to the 'Liberty Profile' that could allow information disclosure. (CVE-2014-0896 / PI10134)"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24037250"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27036319#8552"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21669554"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21655990"); script_set_attribute(attribute:"solution", value: "Apply Fix Pack 8.5.5.2 for version 8.5 (8.5.5.0) or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0050"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/29"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("websphere_detect.nasl"); script_require_keys("www/WebSphere"); script_require_ports("Services/www", 8880, 8881); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:8880, embedded:0); version = get_kb_item_or_exit("www/WebSphere/"+port+"/version"); source = get_kb_item_or_exit("www/WebSphere/"+port+"/source"); if (version !~ "^8\.5([^0-9]|$)") audit(AUDIT_NOT_LISTEN, "IBM WebSphere Application Server 8.5", port); if (version =~ "^[0-9]+(\.[0-9]+)?$") audit(AUDIT_VER_NOT_GRANULAR, "IBM WebSphere Application Server", port, version); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( ver[0] == 8 && ver[1] == 5 && ( ver[2] < 5 || (ver[2] == 5 && ver[3] < 2) ) ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 8.5.5.2' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "IBM WebSphere Application Server", port, version);NASL family Databases NASL id DB2_91_TLS_SSL_DOS.NASL description According to its version, the installation of IBM DB2 running on the remote host is version 9.1. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963) last seen 2020-06-01 modified 2020-06-02 plugin id 76112 published 2014-06-18 reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76112 title IBM DB2 9.1 TLS/SSL Multiple DoS Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76112); script_version("1.6"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id("CVE-2013-6747", "CVE-2014-0963"); script_bugtraq_id(65156, 67238); script_name(english:"IBM DB2 9.1 TLS/SSL Multiple DoS Vulnerabilities"); script_summary(english:"Checks DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple denial of service vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 running on the remote host is version 9.1. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963)"); # Advisory script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21671732"); script_set_attribute(attribute:"solution", value: "If the install is under an extended support contract, please contact the vendor for a patch. Alternatively, upgrade to one of the latest supported versions."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); # There is no information regarding fix build numbers, # so this plugin is strictly paranoid-only if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ "^9\.1\.") audit(AUDIT_NOT_LISTEN, "DB2 9.1", port); # Go ahead and check platform to preserve unknown-platform # reporting. platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Known platforms if ( ( # Windows platform == 5 || platform == 23 || # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) && level =~ "^9\.1\." ) { vuln = TRUE; } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : 'See solution'); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);NASL family General NASL id IBM_TSM_SERVER_7_1_1.NASL description The version of IBM Tivoli Storage Manager installed on the remote host is affected by a denial of service vulnerability. A remote attacker can exploit this issue via malformed X.509 certificate chain to cause the host to become unresponsive. last seen 2020-06-01 modified 2020-06-02 plugin id 80478 published 2015-01-13 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80478 title IBM Tivoli Storage Manager Server 6.2 < 6.2.7 / 6.3 < 6.3.5 / 7.1 < 7.1.1 GSKit X.509 Certificate Chain DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(80478); script_version("1.3"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_cve_id("CVE-2013-6747"); script_bugtraq_id(65156); script_name(english:"IBM Tivoli Storage Manager Server 6.2 < 6.2.7 / 6.3 < 6.3.5 / 7.1 < 7.1.1 GSKit X.509 Certificate Chain DoS"); script_summary(english:"Checks the version of IBM TSM."); script_set_attribute(attribute:"synopsis", value: "The remote backup service is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The version of IBM Tivoli Storage Manager installed on the remote host is affected by a denial of service vulnerability. A remote attacker can exploit this issue via malformed X.509 certificate chain to cause the host to become unresponsive."); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21674824"); script_set_attribute(attribute:"solution", value: "Upgrade IBM Tivoli Storage Manager or apply the correct GSKit patch. Alternatively, apply the workaround per the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/09"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"General"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("ibm_tsm_detect.nasl"); script_require_keys("installed_sw/IBM Tivoli Storage Manager"); script_require_ports("Services/tsm-agent"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("audit.inc"); include("install_func.inc"); port = get_service(svc:"tsm-agent",exit_on_fail:TRUE); prod = "IBM Tivoli Storage Manager"; install = get_single_install(app_name:prod, port:port, exit_if_unknown_ver:TRUE); # Install data version = install["version"]; fix = NULL; if (version =~ "^6\.2(\.|$)") fix = "6.2.7"; else if (version =~ "^6\.3(\.|$)") fix = "6.3.5"; else if (version =~ "^7\.1(\.|$)") fix = "7.1.1"; else audit(AUDIT_NOT_LISTEN, prod+" 6.2 / 6.3 / 7.1", port); # See if SSL is on for the port we're checking sslon = get_kb_item("Transports/TCP/"+port); sslon = (sslon && sslon > ENCAPS_IP); # Work around is to turn SSL off if(!sslon && report_paranoia < 2) audit(AUDIT_LISTEN_NOT_VULN, prod, port); if(ver_compare(ver:version,fix:fix,strict:FALSE) < 0) { if(report_verbosity > 0) { report = '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_hole(port:port,extra:report); } else security_hole(port); } else audit(AUDIT_LISTEN_NOT_VULN, prod, port);NASL family Databases NASL id DB2_98FP5_MULTI_VULN.NASL description According to its version, the installation of IBM DB2 running on the remote host is version 9.8 prior or equal to Fix Pack 5. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists in the GSKit component when initiating SSL/TLS connections due to improper handling of malformed X.509 certificate chains. A remote attacker can exploit this to cause a denial of service. (CVE-2013-6747) - Untrusted search path vulnerabilities exist in unspecified setuid and setgid programs that allow a local attacker to gain root privileges by using a trojan horse library. (CVE-2014-0907) - An unspecified error exists in the reverse proxy GSKit component that allows a remote attacker to exhaust CPU resources by using crafted SSL messages, resulting in a denial of service. (CVE-2014-0963) - An unspecified error exists during the handling of SELECT statements with XML/XSLT functions that allows a remote attacker to gain access to arbitrary files. (CVE-2014-8910) - A flaw exists in the LUW component when handling SQL statements with unspecified Scaler functions. A remote, authenticated attacker can exploit this to cause a denial of service. (CVE-2015-0157) - An unspecified flaw in the General Parallel File System (GPFS) allows a local attacker to gain root privileges. CVE-2015-0197) - A flaw exists in the General Parallel File System (GPFS), related to certain cipherList configurations, that allows a remote attacker, using specially crafted data, to bypass authentication and execute arbitrary programs with root privileges. (CVE-2015-0198) - A denial of service vulnerability exists in the General Parallel File System (GPFS) that allows a local attacker to corrupt the kernel memory by sending crafted ioctl character device calls to the mmfslinux kernel module. (CVE-2015-0199) - An information disclosure vulnerability exists in the automated maintenance feature. An attacker with elevated privileges, by manipulating a stored procedure, can exploit this issue to disclose arbitrary files owned by the DB2 fenced ID on UNIX/Linux or the administrator on Windows. (CVE-2015-1883) - A flaw exists in the Data Movement feature when handling specially crafted queries. An authenticated, remote attacker can exploit this to delete database rows from a table without having the appropriate privileges. (CVE-2015-1922) - A flaw exists when handling SQL statements having unspecified LUW Scaler functions. An authenticated, remote attacker can exploit this to run arbitrary code, under the privileges of the DB2 instance owner, or to cause a denial of service. (CVE-2015-1935) last seen 2020-06-01 modified 2020-06-02 plugin id 76115 published 2014-06-18 reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76115 title IBM DB2 9.8 <= Fix Pack 5 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76115); script_version("1.13"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id( "CVE-2013-6747", "CVE-2014-0907", "CVE-2014-0963", "CVE-2014-8910", "CVE-2015-0157", "CVE-2015-0197", "CVE-2015-0198", "CVE-2015-0199", "CVE-2015-1883", "CVE-2015-1922", "CVE-2015-1935" ); script_bugtraq_id( 65156, 67238, 67617, 73278, 73282, 73283, 75908, 75911 ); script_name(english:"IBM DB2 9.8 <= Fix Pack 5 Multiple Vulnerabilities"); script_summary(english:"Checks the DB2 signature."); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the installation of IBM DB2 running on the remote host is version 9.8 prior or equal to Fix Pack 5. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists in the GSKit component when initiating SSL/TLS connections due to improper handling of malformed X.509 certificate chains. A remote attacker can exploit this to cause a denial of service. (CVE-2013-6747) - Untrusted search path vulnerabilities exist in unspecified setuid and setgid programs that allow a local attacker to gain root privileges by using a trojan horse library. (CVE-2014-0907) - An unspecified error exists in the reverse proxy GSKit component that allows a remote attacker to exhaust CPU resources by using crafted SSL messages, resulting in a denial of service. (CVE-2014-0963) - An unspecified error exists during the handling of SELECT statements with XML/XSLT functions that allows a remote attacker to gain access to arbitrary files. (CVE-2014-8910) - A flaw exists in the LUW component when handling SQL statements with unspecified Scaler functions. A remote, authenticated attacker can exploit this to cause a denial of service. (CVE-2015-0157) - An unspecified flaw in the General Parallel File System (GPFS) allows a local attacker to gain root privileges. CVE-2015-0197) - A flaw exists in the General Parallel File System (GPFS), related to certain cipherList configurations, that allows a remote attacker, using specially crafted data, to bypass authentication and execute arbitrary programs with root privileges. (CVE-2015-0198) - A denial of service vulnerability exists in the General Parallel File System (GPFS) that allows a local attacker to corrupt the kernel memory by sending crafted ioctl character device calls to the mmfslinux kernel module. (CVE-2015-0199) - An information disclosure vulnerability exists in the automated maintenance feature. An attacker with elevated privileges, by manipulating a stored procedure, can exploit this issue to disclose arbitrary files owned by the DB2 fenced ID on UNIX/Linux or the administrator on Windows. (CVE-2015-1883) - A flaw exists in the Data Movement feature when handling specially crafted queries. An authenticated, remote attacker can exploit this to delete database rows from a table without having the appropriate privileges. (CVE-2015-1922) - A flaw exists when handling SQL statements having unspecified LUW Scaler functions. An authenticated, remote attacker can exploit this to run arbitrary code, under the privileges of the DB2 instance owner, or to cause a denial of service. (CVE-2015-1935)"); # Advisories script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21672100"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21671732"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21697987"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21697988"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21698308"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21902662"); script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21959650"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21902661"); script_set_attribute(attribute:"solution", value: "Contact the vendor to obtain a special build with the interim fix. Note that the vendor has posted a workaround for the build error issue (CVE-2014-0907) involving the command 'sqllib/bin/db2chglibpath'. Please consult the advisory for detailed instructions."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("db2_das_detect.nasl"); script_require_ports("Services/db2das", 523); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("db2_report_func.inc"); port = get_service(svc:"db2das", default:523, exit_on_fail:TRUE); level = get_kb_item_or_exit("DB2/" + port + "/Level"); if (level !~ "^9\.8\.") audit(AUDIT_NOT_LISTEN, "DB2 9.8", port); platform = get_kb_item_or_exit("DB2/"+port+"/Platform"); platform_name = get_kb_item("DB2/"+port+"/Platform_Name"); if (isnull(platform_name)) { platform_name = platform; report_phrase = "platform " + platform; } else report_phrase = platform_name; vuln = FALSE; # Note : DB2 9.8x is not available for Windows if ( # Linux, 2.6 kernel 32/64-bit platform == 18 || platform == 30 || # AIX platform == 20 ) { fixed_level = '9.8.0.5'; if (ver_compare(ver:level, fix:fixed_level) <= 0) vuln = TRUE; # If not paranoid and at 9.8.0.5 already, # do not report - we cannot tell if a special build is in place. if (level == fixed_level && report_paranoia < 2) exit(1, "Nessus is unable to determine if the patch has been applied or not."); } else { info = 'Nessus does not support version checks against ' + report_phrase + '.\n' + 'To help us better identify vulnerable versions, please send the platform\n' + 'number along with details about the platform, including the operating system\n' + 'version, CPU architecture, and DB2 version to [email protected].\n'; exit(1, info); } if (vuln) { report_db2( severity : SECURITY_HOLE, port : port, platform_name : platform_name, installed_level : level, fixed_level : fixed_level); } else audit(AUDIT_LISTEN_NOT_VULN, "DB2", port, level);NASL family Web Servers NASL id WEBSPHERE_7_0_0_33.NASL description IBM WebSphere Application Server 7.0 prior to Fix Pack 33 is running on the remote host. It is, therefore, affected by the following vulnerabilities : - A cross-site scripting flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6323, PI04777 and PI04880) - A denial of service flaw exists within the Global Security Kit when handling SSLv2 resumption during the SSL/TLS handshake. This could allow a remote attacker to crash the program. (CVE-2013-6329, PI05309) - A buffer overflow flaw exists in the HTTP server with the mod_dav module when using add-ons. This could allow a remote attacker to cause a buffer overflow and a denial of service. (CVE-2013-6438, PI09345) - A cross-site scripting flaw exists within OAuth where user input is not properly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6738, PI05661) - A denial of service flaw exists within the Global Security Kit when handling X.509 certificate chain during the initiation of an SSL/TLS connection. A remote attacker, using a malformed certificate chain, could cause the client or server to crash by hanging the Global Security Kit. (CVE-2013-6747, PI09443) - A denial of service flaw exists within the Apache Commons FileUpload when parsing a content-type header for a multipart request. A remote attacker, using a specially crafted request, could crash the program. (CVE-2014-0050, PI12648, PI12926 and PI13162) - A denial of service flaw exists in the last seen 2020-06-01 modified 2020-06-02 plugin id 76967 published 2014-08-01 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76967 title IBM WebSphere Application Server 7.0 < Fix Pack 33 Multiple Vulnerabilities NASL family Databases NASL id DB2_95FP9_MULTI_VULN.NASL description According to its version, the installation of IBM DB2 9.5 running on the remote host is prior or equal to Fix Pack 9 or 10. It is, therefore, reportedly affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that could allow denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that could allow a local user to carry out privilege escalation attacks. Note this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that could allow certain error cases to cause 100% CPU utilization. (CVE-2014-0963) last seen 2020-06-01 modified 2020-06-02 plugin id 76113 published 2014-06-18 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76113 title IBM DB2 9.5 <= Fix Pack 9 or 10 Multiple Vulnerabilities NASL family Databases NASL id DB2_97FP9A.NASL description According to its version, the installation of DB2 9.7 running on the remote host is prior to Fix Pack 9a. It is, therefore, affected by one or more of the following vulnerabilities : - An unspecified error exists related to handling malformed certificate chains that allows denial of service attacks. (CVE-2013-6747) - A build error exists related to libraries in insecure locations that allows a local user to carry out privilege escalation attacks. Note that this issue does not affect the application when running on Microsoft Windows operating systems. (CVE-2014-0907) - An unspecified error exists related to the TLS implementation that allows certain error cases to cause 100% CPU utilization. (CVE-2014-0963) last seen 2020-06-01 modified 2020-06-02 plugin id 76114 published 2014-06-18 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76114 title IBM DB2 9.7 < Fix Pack 9a Multiple Vulnerabilities
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 65156 CVE(CAN) ID: CVE-2013-6747 IBM Global Security Kit (GSKit)提供了SSL或TLS通讯所需的库和实用程序。 IBM Security Directory Server (ISDS)及Tivoli Directory Server (TDS)内使用的IBM GSKit 7.0.4.48之前版本及8.0.50.16之前版本在实现上存在拒绝服务漏洞,远程攻击者通过畸形X.509证书链,利用此漏洞可造成应用崩溃或挂起。 0 IBM GSKit 8.x IBM GSKit 7.x 厂商补丁: IBM --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.ibm.com/support/fixcentral/ http://www-01.ibm.com/support/docview.wss?uid=swg21662902 http://www-01.ibm.com/support/docview.wss?uid=swg21663428 http://www-01.ibm.com/support/docview.wss?uid=swg21663941 http://www-01.ibm.com/support/docview.wss?uid=swg24036992 https://www-304.ibm.com/support/docview.wss?uid=swg21664756 |
| id | SSV:61662 |
| last seen | 2017-11-19 |
| modified | 2014-03-06 |
| published | 2014-03-06 |
| reporter | Root |
| title | 多个IBM产品拒绝服务漏洞(CVE-2013-6747) |
References
- http://osvdb.org/102556
- http://secunia.com/advisories/56698
- http://secunia.com/advisories/56699
- http://www.securitytracker.com/id/1029687
- http://www-01.ibm.com/support/docview.wss?uid=swg21662902
- http://www-01.ibm.com/support/docview.wss?uid=swg21669554
- http://www-01.ibm.com/support/docview.wss?uid=swg21676091
- http://www-01.ibm.com/support/docview.wss?uid=swg21676092
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89863