CVE-2014-2270 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201503-08.NASL
description: The remote host is affected by the vulnerability described in GLSA-201503-08 (file: Denial of Service). Multiple issues with the ELF parser used by the file utility have been detected and fixed.
  Impact: A context-dependent attacker can cause Denial of Service.
  Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 82007
published: 2015-03-24
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/82007
title: GLSA-201503-08 : file: Denial of Service
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201503-08.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(82007);
  script_version("1.3");
  script_cvs_date("Date: 2018/12/05 20:31:22");

  script_cve_id("CVE-2014-2270", "CVE-2014-9620", "CVE-2014-9621");
  script_bugtraq_id(66002, 71714, 71715);
  script_xref(name:"GLSA", value:"201503-08");

  script_name(english:"GLSA-201503-08 : file: Denial of Service");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201503-08
(file: Denial of Service)

    Multiple issues with the ELF parser used by the file utility have
      been detected and fixed.

Impact :

    A context-dependent attacker can cause Denial of Service.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201503-08"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All file users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=sys-apps/file-5.22'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:file");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"sys-apps/file", unaffected:make_list("ge 5.22"), vulnerable:make_list("lt 5.22"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "file");
}
NASL family: CGI abuses
NASL id: PHP_5_5_10.NASL
description: According to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.10. It is, therefore, potentially affected by the following vulnerabilities:
  - An error exists related to the Fileinfo extension and the bundled libmagic library that could allow denial of service attacks. (CVE-2014-1943)
  - An error exists related to the Fileinfo extension and the process of analyzing Portable Executable (PE) format files that could allow denial of service attacks or possibly arbitrary code execution. (CVE-2014-2270)
  - The fix for CVE-2013-7327 was incomplete and NULL pointers can still be dereferenced. (Bug #66815)
  Note that this plugin does not attempt to exploit these issues, but instead relies only on PHP's self-reported version number.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72882
published: 2014-03-07
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72882
title: PHP 5.5.x < 5.5.10 Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72882);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-1943", "CVE-2014-2270");
  script_bugtraq_id(65596, 66002);

  script_name(english:"PHP 5.5.x < 5.5.10 Multiple Vulnerabilities");
  script_summary(english:"Checks version of PHP");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.10. It is, therefore, potentially affected by the following vulnerabilities :

  - An error exists related to the Fileinfo extension and the bundled libmagic library that could allow denial of service attacks. (CVE-2014-1943)

  - An error exists related to the Fileinfo extension and the process of analyzing Portable Executable (PE) format files that could allow denial of service attacks or possibly arbitrary code execution. (CVE-2014-2270)

  - The fix for CVE-2013-7327 was incomplete and NULL pointers can still be dereferenced. (Bug #66815)

Note that this plugin does not attempt to exploit these issues, but instead relies only on PHP's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.5.10");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=66731");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=66815");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=66820");
  script_set_attribute(attribute:"solution", value:"Upgrade to PHP version 5.5.10 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1943");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

php = get_php_from_kb(
  port : port,
  exit_on_fail : TRUE
);

version = php["ver"];
source = php["src"];

backported = get_kb_item('www/php/'+port+'/'+version+'/backported');

if (report_paranoia < 2 && backported)
  audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");

# Check that it is the correct version of PHP
if (version =~ "^5(\.5)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
if (version !~ "^5\.5\.") audit(AUDIT_NOT_DETECT, "PHP version 5.5.x", port);

if (version =~ "^5\.5\.[0-9]($|[^0-9])")
{
  if (report_verbosity > 0)
  {
    report =
      '\n Version source : '+source +
      '\n Installed version : '+version+
      '\n Fixed version : 5.5.10\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-145.NASL
description: Brief introduction
  CVE-2014-0237: The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
  CVE-2014-0238: The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
  CVE-2014-2270: softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
  CVE-2014-8117:
    - Stop reporting bad capabilities after the first few.
    - Limit the number of program and section header number of sections.
    - Limit recursion level.
  CVE-2015-TEMP (no official CVE number available yet):
    - NULL pointer dereference (PHP bugs: 68739 68740)
    - Out-of-bounds memory access (file bug: 398)
  Additional patches from CVE-2014-3478 added.
  NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2015-03-26
plugin id: 82128
published: 2015-03-26
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/82128
title: Debian DLA-145-1 : php5 security update
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-145-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(82128);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-0237", "CVE-2014-0238", "CVE-2014-2270", "CVE-2014-8117");
  script_bugtraq_id(66002, 67759, 67765, 71692);

  script_name(english:"Debian DLA-145-1 : php5 security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Brief introduction

CVE-2014-0237

The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.

CVE-2014-0238

The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.

CVE-2014-2270

softmagic.c in file before 5.17 and libmagic allows context dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.

CVE-2014-8117

  - Stop reporting bad capabilities after the first few.
  - limit the number of program and section header number of sections
  - limit recursion level

CVE-2015-TEMP (no official CVE number available yet)

  - NULL pointer deference (PHP bugs: 68739 68740)
  - out-of-bounds memory access (file bug: 398)

additional patches from CVE-2014-3478 added

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/01/msg00019.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/php5"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache2-mod-php5filter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-pear");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-enchant");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-interbase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-intl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mcrypt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sqlite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-sybase");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-tidy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-xsl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"libapache2-mod-php5", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"libapache2-mod-php5filter", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php-pear", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-cgi", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-cli", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-common", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-curl", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-dbg", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-dev", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-enchant", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-gd", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-gmp", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-imap", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-interbase", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-intl", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-ldap", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-mcrypt", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-mysql", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-odbc", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-pgsql", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-pspell", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-recode", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-snmp", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-sqlite", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-sybase", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-tidy", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-xmlrpc", reference:"5.3.3-7+squeeze24")) flag++;
if (deb_check(release:"6.0", prefix:"php5-xsl", reference:"5.3.3-7+squeeze24")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2014-209.NASL
description: file was updated to fix two security issues.
  - A possible endless recursion. (CVE-2014-1943)
  - A crash in PE file handling. (CVE-2014-2270)
last seen: 2020-06-05
modified: 2014-06-13
plugin id: 75291
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75291
title: openSUSE Security Update : file (openSUSE-SU-2014:0364-1)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-209.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75291);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-1943", "CVE-2014-2270");

  script_name(english:"openSUSE Security Update : file (openSUSE-SU-2014:0364-1)");
  script_summary(english:"Check for the openSUSE-2014-209 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"file was updated to fix two security issues.

  - A possible endless recursion. (CVE-2014-1943)

  - A crash in PE file handling (CVE-2014-2270)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=864589"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866750"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2014-03/msg00034.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected file packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:file");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:file-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:file-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:file-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:file-magic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmagic-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmagic1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmagic1-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmagic1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmagic1-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-magic");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"file-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"file-debuginfo-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"file-debugsource-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"file-devel-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libmagic-data-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libmagic1-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libmagic1-debuginfo-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"python-magic-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libmagic1-32bit-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libmagic1-debuginfo-32bit-5.11-12.12.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"file-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"file-debuginfo-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"file-debugsource-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"file-devel-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"file-magic-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"libmagic1-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"libmagic1-debuginfo-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"python-magic-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libmagic1-32bit-5.15-4.16.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libmagic1-debuginfo-32bit-5.15-4.16.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "file");
}
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_9_5.NASL
description: The remote host is running a version of Mac OS X 10.9.x that is prior to version 10.9.5. This update contains several security-related fixes for the following components:
  - apache_mod_php
  - Bluetooth
  - CoreGraphics
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - OpenSSL
  - QT Media Foundation
  - ruby
  Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77748
published: 2014-09-18
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77748
title: Mac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77748);
  script_version("1.9");
  script_cvs_date("Date: 2018/07/14 1:59:36");

  script_cve_id(
    "CVE-2013-7345",
    "CVE-2014-0076",
    "CVE-2014-0185",
    "CVE-2014-0195",
    "CVE-2014-0207",
    "CVE-2014-0221",
    "CVE-2014-0224",
    "CVE-2014-0237",
    "CVE-2014-0238",
    "CVE-2014-1391",
    "CVE-2014-1943",
    "CVE-2014-2270",
    "CVE-2014-2525",
    "CVE-2014-3470",
    "CVE-2014-3478",
    "CVE-2014-3479",
    "CVE-2014-3480",
    "CVE-2014-3487",
    "CVE-2014-3515",
    "CVE-2014-3981",
    "CVE-2014-4049",
    "CVE-2014-4350",
    "CVE-2014-4374",
    "CVE-2014-4376",
    "CVE-2014-4377",
    "CVE-2014-4378",
    "CVE-2014-4379",
    "CVE-2014-4381",
    "CVE-2014-4388",
    "CVE-2014-4389",
    "CVE-2014-4390",
    "CVE-2014-4393",
    "CVE-2014-4394",
    "CVE-2014-4395",
    "CVE-2014-4396",
    "CVE-2014-4397",
    "CVE-2014-4398",
    "CVE-2014-4399",
    "CVE-2014-4400",
    "CVE-2014-4401",
    "CVE-2014-4402",
    "CVE-2014-4403",
    "CVE-2014-4416",
    "CVE-2014-4979"
  );
  script_bugtraq_id(
    65596, 66002, 66363, 66406, 66478, 67118, 67759, 67765, 67837, 67898,
    67899, 67900, 67901, 68007, 68120, 68237, 68238, 68239, 68241, 68243,
    68852, 69888, 69891, 69892, 69893, 69894, 69895, 69896, 69897, 69898,
    69901, 69903, 69905, 69906, 69907, 69908, 69910, 69915, 69916, 69921,
    69925, 69931, 69948, 69950
  );
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2014-09-17-3");

  script_name(english:"Mac OS X 10.9.x < 10.9.5 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Mac OS X.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.9.x that is prior to version 10.9.5. This update contains several security-related fixes for the following components :

  - apache_mod_php
  - Bluetooth
  - CoreGraphics
  - Foundation
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - Kernel
  - Libnotify
  - OpenSSL
  - QT Media Foundation
  - ruby

Note that successful exploitation of the most serious issues can result in arbitrary code execution.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/archive/1/533483/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT6443");
  script_set_attribute(attribute:"see_also", value:"http://osdir.com/ml/general/2014-09/msg34124.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.9.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  os = get_kb_item_or_exit("Host/OS");
  if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");

  c = get_kb_item("Host/OS/Confidence");
  if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
}
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9])+)", string:os);
if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");

version = match[1];
if (!ereg(pattern:"^10\.9([^0-9]|$)", string:version)) audit(AUDIT_OS_NOT, "Mac OS X 10.9", "Mac OS X "+version);

fixed_version = "10.9.5";
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report = '\n Installed version : ' + version +
             '\n Fixed version : ' + fixed_version + '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected as it is running Mac OS X "+version+".");
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_7E61A839B71411E38195001966155BEA.NASL |
description | Aaron Reffett reports : softmagic.c in file ... and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73267 |
published | 2014-03-31 |
reporter | This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73267 |
title | FreeBSD : file -- out-of-bounds access in search rules with offsets from input file (7e61a839-b714-11e3-8195-001966155bea) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2015-080.NASL |
description | Multiple vulnerabilities have been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185).
A flaw was found in the way file |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 82333 |
published | 2015-03-30 |
reporter | This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/82333 |
title | Mandriva Linux Security Advisory : php (MDVSA-2015:080) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-2162-1.NASL |
description | It was discovered that file incorrectly handled PE executable files. An attacker could use this issue to cause file to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-18 |
modified | 2014-04-08 |
plugin id | 73399 |
published | 2014-04-08 |
reporter | Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73399 |
title | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : file vulnerability (USN-2162-1) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2014-1606.NASL |
description | From Red Hat Security Advisory 2014:1606 : Updated file packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 78527 |
published | 2014-10-17 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/78527 |
title | Oracle Linux 6 : file (ELSA-2014-1606) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20141014_FILE_ON_SL6_X.NASL |
description | Multiple denial of service flaws were found in the way file parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file. (CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2012-1571) Two denial of service flaws were found in the way file handled indirect and search rules. A remote attacker could use either of these flaws to cause file, or an application using file, to crash or consume an excessive amount of CPU. (CVE-2014-1943, CVE-2014-2270) This update also fixes the following bugs : - Previously, the output of the |
last seen | 2020-03-18 |
modified | 2014-11-04 |
plugin id | 78843 |
published | 2014-11-04 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/78843 |
title | Scientific Linux Security Update : file on SL6.x i386/x86_64 (20141014) |

NASL family | CGI abuses |
NASL id | PHP_5_6_0.NASL |
description | According to its banner, the version of PHP installed on the remote host is a development version of 5.6.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not attempted to exploit this issue but has instead relied only on application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 78556 |
published | 2014-10-17 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/78556 |
title | PHP 5.6.0 Multiple Vulnerabilities |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2014-3606.NASL |
description | Fix for CVE-2014-2270. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2014-03-13 |
plugin id | 72974 |
published | 2014-03-13 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/72974 |
title | Fedora 20 : file-5.14-17.fc20 (2014-3606) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-2943.NASL |
description | Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development :
- CVE-2014-0185 The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate a security vulnerability ( CVE-2014-0185 ) in PHP FPM that allowed any local user to run PHP code under the active user of the FPM process via a crafted FastCGI client. The default Debian setup now correctly sets the listen.owner and listen.group to www-data:www-data in the default php-fpm.conf. If you have more FPM instances or a webserver not running under the www-data user you need to adjust the configuration of FPM pools in /etc/php5/fpm/pool.d/ so the accessing process has rights to access the socket.
- CVE-2014-0237 / CVE-2014-0238 Denial of service in the CDF parser of the fileinfo module.
- CVE-2014-2270 Denial of service in the fileinfo module. |
last seen | 2020-03-17 |
modified | 2014-06-03 |
plugin id | 74279 |
published | 2014-06-03 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/74279 |
title | Debian DSA-2943-1 : php5 - security update |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2014-059.NASL |
description | Multiple vulnerabilities have been discovered and corrected in php : Fixed bug #66731 (file: infinite recursion (CVE-2014-1943)). Fixed bug #66820 (out-of-bounds memory access in fileinfo (CVE-2014-2270)).
Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer (CVE-2013-7327)). The updated php packages have been upgraded to the 5.5.10 version which is not vulnerable to these issues. The php-xdebug packages have been upgraded to the latest 2.2.4 version that resolves numerous upstream bugs. Additionally, the PECL packages which require it have been rebuilt for php-5.5.10. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73051 |
published | 2014-03-17 |
reporter | This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/73051 |
title | Mandriva Linux Security Advisory : php (MDVSA-2014:059) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-2873.NASL |
description | Several vulnerabilities have been found in file, a file type classification tool. Aaron Reffett reported a flaw in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. When processing a defective or intentionally prepared PE executable which contains invalid offset information, the file_strncmp routine will access memory that is out of bounds, causing file to crash. The Common Vulnerabilities and Exposures project ID CVE-2014-2270 has been assigned to identify this flaw. Mike Frysinger reported that file |
last seen | 2020-03-17 |
modified | 2014-03-12 |
plugin id | 72952 |
published | 2014-03-12 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/72952 |
title | Debian DSA-2873-1 : file - several vulnerabilities |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-2163-1.NASL |
description | It was discovered that PHP |
last seen | 2020-03-18 |
modified | 2014-04-08 |
plugin id | 73400 |
published | 2014-04-08 |
reporter | Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73400 |
title | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : php5 vulnerability (USN-2163-1) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2014-3589.NASL |
description | Fix for CVE-2014-2270. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2014-03-27 |
plugin id | 73217 |
published | 2014-03-27 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73217 |
title | Fedora 19 : file-5.11-13.fc19 (2014-3589) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2014-051.NASL |
description | Updated file package fixes security vulnerability : It was discovered that file before 5.17 contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). Additionally, other well-crafted files might result in long computation times (while using 100% CPU) and overlong results. A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). A memory leak in file has also been fixed. The affected packages have been upgraded to the 5.12 version and patched to correct these flaws. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 72998 |
published | 2014-03-14 |
reporter | This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/72998 |
title | Mandriva Linux Security Advisory : file (MDVSA-2014:051) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2014-1012.NASL |
description | Updated php53 and php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 77032 |
published | 2014-08-07 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/77032 |
title | CentOS 5 / 6 : php / php53 (CESA-2014:1012) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2014-255.NASL |
description | The file magic scanning tool/library was updated to fix an off-by-one error in the last security fixes. |
last seen | 2020-06-05 |
modified | 2014-06-13 |
plugin id | 75306 |
published | 2014-06-13 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/75306 |
title | openSUSE Security Update : file (openSUSE-SU-2014:0435-1) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2014-1012.NASL |
description | Updated php53 and php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 77015 |
published | 2014-08-06 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/77015 |
title | RHEL 5 / 6 : php53 and php (RHSA-2014:1012) |

NASL family | CGI abuses |
NASL id | PHP_5_4_26.NASL |
description | According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.26. It is, therefore, potentially affected by the following vulnerabilities :
- An error exists related to the Fileinfo extension and the bundled libmagic library that could allow denial of service attacks. (CVE-2014-1943)
- An error exists related to the Fileinfo extension and the process of analyzing Portable Executable (PE) format files that could allow denial of service attacks or possibly arbitrary code execution. (CVE-2014-2270)
Note that this plugin does not attempt to exploit the vulnerabilities, but instead relies only on PHP |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 72881 |
published | 2014-03-07 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/72881 |
title | PHP 5.4.x < 5.4.26 Multiple Vulnerabilities |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2014-1606.NASL |
description | Updated file packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 78414 |
published | 2014-10-14 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc.
or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/78414 |
title | RHEL 6 : file (RHSA-2014:1606) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2014-1606.NASL |
description | Updated file packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 79185 |
published | 2014-11-12 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/79185 |
title | CentOS 6 : file (CESA-2014:1606) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_70140F20600711E6A6C314DAE9D210B8.NASL |
description | A specifically crafted Composite Document File (CDF) file can trigger an out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571] A flaw in a regular expression in the awk script detector makes use of multiple wildcards with unlimited repetitions. [CVE-2013-7345] A malicious input file could trigger infinite recursion in libmagic(3). [CVE-2014-1943] A specifically crafted Portable Executable (PE) can trigger an out-of-bounds read. [CVE-2014-2270] Impact : An attacker who can cause file(1) or any other application using the libmagic(3) library to be run on a maliciously constructed input can cause the application to crash or consume excessive CPU resources, resulting in a denial of service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 92905 |
published | 2016-08-12 |
reporter | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/92905 |
title | FreeBSD : FreeBSD -- Multiple vulnerabilities in file(1) and libmagic(3) (70140f20-6007-11e6-a6c3-14dae9d210b8) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2014-314.NASL |
description | A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU. The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73233 |
published | 2014-03-28 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/73233 |
title | Amazon Linux AMI : php55 (ALAS-2014-314) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2014-3534.NASL |
description | Excerpt from upstream NEWS: 06 Mar 2014, PHP 5.5.10
Core :
- Fixed Request #66574i (Allow multiple paths in php_ini_scanned_path). (Remi)
Date :
- Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too). (Derick)
Fileinfo :
- Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943). (Remi)
- Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270). (Remi)
LDAP :
- Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch). (Ondrej Hosek)
Openssl :
- Fixed bug #66501 (Add EC key support to php_openssl_is_private_key). (Mark Zedwood)
Pgsql :
- Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select().
(Yasuo)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2014-03-10 |
plugin id | 72892 |
published | 2014-03-10 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/72892 |
title | Fedora 20 : php-5.5.10-1.fc20 (2014-3534) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_FILE-140331.NASL |
description | The command line tool file(1) and its library libmagic have been updated to fix the following issues :
- file(1) crashed when parsing some PE executables. (CVE-2014-2270, bnc#866750)
- file(1) did not set return code on non-existing files. (bnc#863450) |
last seen | 2020-06-05 |
modified | 2014-05-19 |
plugin id | 74087 |
published | 2014-05-19 |
reporter | This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/74087 |
title | SuSE 11.3 Security Update : file (SAT Patch Number 9066) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201408-11.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201408-11 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker can cause arbitrary code execution, create a Denial of Service condition, read or write arbitrary files, impersonate other servers, hijack a web session, or have other unspecified impact. Additionally, a local attacker could gain escalated privileges. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 77455 |
published | 2014-08-30 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/77455 |
title | GLSA-201408-11 : PHP: Multiple vulnerabilities |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1424.NASL |
description | According to the versions of the file packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
- A denial of service flaw was found in the File Information (fileinfo) extension rules for detecting AWK files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of CPU. (CVE-2013-7345)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-3479)
- An out-of-bounds read flaw was found in the way the file utility processed certain Pascal strings. A remote attacker could cause an application using the file utility (for example, PHP using the fileinfo module) to crash if it was used to identify the type of the attacker-supplied file. (CVE-2014-9652)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-0207)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-3480)
- It was found that the fix for CVE-2012-1571 was incomplete: the File Information (fileinfo) extension did not correctly parse certain Composite Document Format (CDF) files.
A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-3587)
- A buffer overflow flaw was found in the way the File Information (fileinfo) extension processed certain Pascal strings. A remote attacker able to make a PHP application using fileinfo convert a specially crafted Pascal string provided by an image file could cause that application to crash. (CVE-2014-3478)
- Multiple flaws were found in the File Information (fileinfo) extension regular expression rules for detecting various files. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to consume an excessive amount of CPU. (CVE-2014-3538)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-3487)
- A denial of service flaw was found in the way the File Information (fileinfo) extension handled search rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU. (CVE-2014-2270)
- A flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to cause a PHP application using fileinfo to consume an excessive amount of system resources. (CVE-2014-8117)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-0237)
- A flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files.
A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or disclose certain portions of server memory. (CVE-2014-9653)
- A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-0238)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124927 |
published | 2019-05-14 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124927 |
title | EulerOS Virtualization 3.0.1.0 : file (EulerOS-SA-2019-1424) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2014-313.NASL |
description | A denial of service flaw was found in the way the File Information (fileinfo) extension handled indirect rules. A remote attacker could use this flaw to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73232 |
published | 2014-03-28 |
reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/73232 |
title | Amazon Linux AMI : php54 (ALAS-2014-313) |

NASL family | Solaris Local Security Checks |
NASL id | SOLARIS11_PHP_20140522.NASL |
description | The remote Solaris system is missing necessary patches to address security updates : - The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 80737 |
published | 2015-01-19 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/80737 |
title | Oracle Solaris Third-Party Patch Update : php (cve_2013_4248_input_validation) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2014-1012.NASL |
description | From Red Hat Security Advisory 2014:1012 : Updated php53 and php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 77043 |
published | 2014-08-07 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/77043 |
title | Oracle Linux 5 / 6 : php / php53 (ELSA-2014-1012) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2014-3537.NASL |
description | Excerpt from upstream NEWS: 06 Mar 2014, PHP 5.5.10
Core :
- Fixed Request #66574i (Allow multiple paths in php_ini_scanned_path). (Remi)
Date :
- Fixed bug #45528 (Allow the DateTimeZone constructor to accept timezones per offset too).
(Derick)
Fileinfo :
- Fixed bug #66731 (file: infinite recursion) (CVE-2014-1943). (Remi)
- Fixed bug #66820 (out-of-bounds memory access in fileinfo) (CVE-2014-2270). (Remi)
GD :
- Fixed bug #66815 (imagecrop(): insufficient fix for NULL defer CVE-2013-7327). (Tomas Hoger, Remi)
LDAP :
- Implemented ldap_modify_batch (https://wiki.php.net/rfc/ldap_modify_batch). (Ondrej Hosek)
Openssl :
- Fixed bug #66501 (Add EC key support to php_openssl_is_private_key). (Mark Zedwood)
Pgsql :
- Added warning for dangerous client encoding and remove possible injections for pg_insert()/pg_update()/pg_delete()/pg_select(). (Yasuo)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-03-17 |
modified | 2014-03-17 |
plugin id | 73040 |
published | 2014-03-17 |
reporter | This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/73040 |
title | Fedora 19 : php-5.5.10-1.fc19 (2014-3537) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20140806_PHP53_AND_PHP_ON_SL5_X.NASL |
description | Multiple denial of service flaws were found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash a PHP application using fileinfo via a specially crafted CDF file. (CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2012-1571) Two denial of service flaws were found in the way the File Information (fileinfo) extension handled indirect and search rules. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to crash or consume an excessive amount of CPU. (CVE-2014-1943, CVE-2014-2270) A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT records.
A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query. (CVE-2014-4049) A type confusion issue was found in PHP |
last seen | 2020-03-18 |
modified | 2014-08-07 |
plugin id | 77047 |
published | 2014-08-07 |
reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/77047 |
title | Scientific Linux Security Update : php53 and php on SL5.x, SL6.x i386/x86_64 (20140806) |
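The Debian DSA-2873 and FreeBSD entries above give the mechanism of CVE-2014-2270: libmagic follows an offset taken from the input file itself (the PE rule reads the e_lfanew field at 0x3c and looks for "PE\0\0" there), and file_strncmp then compared against memory that lay outside the buffer when that offset was crafted. The C program below is an added example written for this page; it is not libmagic's code and not the upstream fix, and the helper names, the return codes and the sample buffers are my own. It implements the same indirect-offset rule with the check that is missing in the vulnerable pattern: every read derived from a file-supplied offset is validated against the number of bytes actually in the buffer, in a form that cannot overflow, before the comparison runs. The PE layout facts used (e_lfanew at 0x3c, little-endian, "PE\0\0" signature) are the real format; the buffers are constructed in-line and are not real executables.

```c
/* Added example, not libmagic's own code: bounds-checked evaluation of an
 * offset-based magic rule of the kind file(1) uses to recognise PE images.
 * Names and return codes are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW_OFF 0x3c      /* DOS header field holding the PE header offset */
#define PE_SIG       "PE\0\0"  /* 4-byte signature expected at e_lfanew */

enum pe_verdict {
    PE_OFFSET_OUT_OF_BOUNDS = -1,  /* rule needed bytes the buffer does not have */
    PE_NOT_PE               = 0,
    PE_IS_PE                = 1
};

/* True when [off, off+len) lies inside the nbytes we actually hold.
 * Written as nbytes - off < len rather than off + len > nbytes so that a
 * crafted off near SIZE_MAX cannot wrap the addition and pass the check. */
static int in_bounds(size_t nbytes, size_t off, size_t len)
{
    return off <= nbytes && nbytes - off >= len;
}

/* Read a little-endian 32-bit field at off; -1 if the read itself would
 * leave the buffer. */
static int read_le32(const uint8_t *buf, size_t nbytes, size_t off, uint32_t *out)
{
    if (!in_bounds(nbytes, off, 4)) return -1;
    *out = (uint32_t)buf[off]
         | (uint32_t)buf[off + 1] << 8
         | (uint32_t)buf[off + 2] << 16
         | (uint32_t)buf[off + 3] << 24;
    return 0;
}

/* Compare len bytes at off with want. This is the check the vulnerable
 * file_strncmp path lacked: an unvalidated off reads past the buffer. */
static int bounded_match(const uint8_t *buf, size_t nbytes, size_t off,
                         const void *want, size_t len)
{
    if (!in_bounds(nbytes, off, len)) return PE_OFFSET_OUT_OF_BOUNDS;
    return memcmp(buf + off, want, len) == 0 ? PE_IS_PE : PE_NOT_PE;
}

/* "MZ" at 0, then "PE\0\0" at the offset the file itself supplies. */
int classify_pe(const uint8_t *buf, size_t nbytes)
{
    int r = bounded_match(buf, nbytes, 0, "MZ", 2);
    if (r != PE_IS_PE) return r;            /* not a DOS stub, or shorter than 2 bytes */

    uint32_t e_lfanew;
    if (read_le32(buf, nbytes, E_LFANEW_OFF, &e_lfanew) != 0)
        return PE_OFFSET_OUT_OF_BOUNDS;     /* header truncated before the field */

    /* e_lfanew is attacker-controlled; using it unchecked is the CVE pattern. */
    return bounded_match(buf, nbytes, (size_t)e_lfanew, PE_SIG, 4);
}

/* Constructed sample, not a real binary: a 0x40-byte DOS stub with a
 * caller-chosen e_lfanew, optionally followed by "PE\0\0". buf must hold
 * 0x44 bytes. Returns the sample length. */
size_t make_sample(uint8_t *buf, uint32_t e_lfanew, int append_sig)
{
    memset(buf, 0, 0x44);
    buf[0] = 'M';
    buf[1] = 'Z';
    buf[E_LFANEW_OFF + 0] = (uint8_t)(e_lfanew);
    buf[E_LFANEW_OFF + 1] = (uint8_t)(e_lfanew >> 8);
    buf[E_LFANEW_OFF + 2] = (uint8_t)(e_lfanew >> 16);
    buf[E_LFANEW_OFF + 3] = (uint8_t)(e_lfanew >> 24);
    if (!append_sig) return 0x40;
    memcpy(buf + 0x40, PE_SIG, 4);
    return 0x44;
}

int main(void)
{
    uint8_t buf[0x44];
    size_t n;

    n = make_sample(buf, 0x40, 1);
    printf("well-formed header        -> %d\n", classify_pe(buf, n));
    n = make_sample(buf, 0xFFFFFFF0u, 1);
    printf("crafted e_lfanew          -> %d\n", classify_pe(buf, n));
    n = make_sample(buf, 0x40, 0);
    printf("e_lfanew past end of file -> %d\n", classify_pe(buf, n));
    return 0;
}
```

The crafted and truncated samples are the two shapes of "invalid offset information" the Debian text describes: an e_lfanew far beyond the file, and one that points just past its end. Both come back as PE_OFFSET_OUT_OF_BOUNDS instead of being dereferenced, which is the behaviour a caller embedding libmagic (PHP's fileinfo included) should expect from an input it does not trust.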
Redhat
advisories | (none listed) |
rpms | (none listed) |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 66002 CVE(CAN) ID: CVE-2014-2270 PHP is an HTML-embedded scripting language. PHP's file component contains a memory corruption vulnerability in its implementation when parsing Portable Executable (PE) format files; successful exploitation allows a remote attacker to execute arbitrary code or cause a denial of service. Affected: PHP 5.x Vendor patch: PHP --- The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage: http://www.php.net/downloads.php |
id | SSV:61748 |
last seen | 2017-11-19 |
modified | 2014-03-12 |
published | 2014-03-12 |
reporter | Root |
title | PHP Fileinfo component out-of-bounds memory corruption vulnerability |
References
- http://seclists.org/oss-sec/2014/q1/505
- http://seclists.org/oss-sec/2014/q1/473
- http://www.php.net/ChangeLog-5.php
- http://www.debian.org/security/2014/dsa-2873
- http://seclists.org/oss-sec/2014/q1/504
- https://github.com/file/file/commit/447558595a3650db2886cd2f416ad0beba965801
- http://bugs.gw.com/view.php?id=313
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00037.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00084.html
- http://www.ubuntu.com/usn/USN-2163-1
- http://www.ubuntu.com/usn/USN-2162-1
- http://support.apple.com/kb/HT6443
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- https://security.gentoo.org/glsa/201503-08