Vulnerabilities > CVE-2014-3600 - XXE vulnerability in Apache Activemq

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84960);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id(
    "CVE-2014-3600",
    "CVE-2014-3612",
    "CVE-2014-8110",
    "CVE-2014-8176",
    "CVE-2015-1788",
    "CVE-2015-1789",
    "CVE-2015-1790",
    "CVE-2015-1791",
    "CVE-2015-1792",
    "CVE-2015-3165",
    "CVE-2015-3166",
    "CVE-2015-3167",
    "CVE-2015-4000"
  );
  script_bugtraq_id(
    72510,
    72511,
    72513,
    74733,
    74787,
    74789,
    74790,
    75154,
    75156,
    75157,
    75158,
    75159,
    75161
  );

  script_name(english:"Puppet Enterprise 3.x < 3.8.1 Multiple Vulnerabilities (Logjam)");
  script_summary(english:"Checks the Puppet Enterprise version.");

  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Puppet Enterprise
application running on the remote host is 3.x prior to 3.8.1. It is,
therefore, affected by the following vulnerabilities :

  - An XML external entity injection (XXE) flaw exists in
    the Apache ActiveMQ component due to a faulty
    configuration that allows an XML parser to accept XML
    external entities from untrusted sources. A remote
    attacker, by sending crafted XML data, can exploit this
    to disclose arbitrary files. (CVE-2014-3600)

  - An authentication bypass vulnerability exists in the
    Apache ActiveMQ component due to a flaw in the
    LDAPLoginModule implementation. A remote attacker can
    exploit this to bypass authentication mechanisms.
    (CVE-2014-3612)

  - Multiple cross-site scripting vulnerabilities exist in
    the administrative console of Apache ActiveMQ that allow
    a remote attacker to inject arbitrary HTML or web
    scripts. (CVE-2014-8110)

  - An invalid free memory error exists due to improper
    validation of user-supplied input when a DTLS peer
    receives application data between ChangeCipherSpec and
    Finished messages. A remote attacker can exploit this to
    corrupt memory, resulting in a denial of service or
    the execution of arbitrary code. (CVE-2014-8176)

  - A denial of service vulnerability exists when processing
    an ECParameters structure due to an infinite loop that
    occurs when a specified curve is over a malformed binary
    polynomial field. A remote attacker can exploit this to
    perform a denial of service against any system that
    processes public keys, certificate requests, or
    certificates. This includes TLS clients and TLS servers
    with client authentication enabled. (CVE-2015-1788)

  - A denial of service vulnerability exists due to improper
    validation of the content and length of the ASN1_TIME
    string by the X509_cmp_time() function. A remote
    attacker can exploit this, via a malformed certificate
    and CRLs of various sizes, to cause a segmentation
    fault, resulting in a denial of service condition. TLS
    clients that verify CRLs are affected. TLS clients and
    servers with client authentication enabled may be
    affected if they use custom verification callbacks.
    (CVE-2015-1789)

  - A NULL pointer dereference flaw exists in the PKCS#7
    parsing code due to incorrect handling of missing inner
    'EncryptedContent'. This allows a remote attacker, via
    specially crafted ASN.1-encoded PKCS#7 blobs with
    missing content, to cause a denial of service condition
    or other potential unspecified impacts. (CVE-2015-1790)

  - A double-free error exists due to a race condition that
    occurs when a NewSessionTicket is received by a
    multi-threaded client when attempting to reuse a
    previous ticket. (CVE-2015-1791)

  - A denial of service vulnerability exists in the CMS code
    due to an infinite loop that occurs when verifying a
    signedData message. A remote attacker can exploit this
    to cause a denial of service condition. (CVE-2015-1792)

  - A double-free memory flaw exists in PostgreSQL due to
    a timeout interrupt occurring partway in the session
    shutdown sequence. A remote attacker, by closing
    an SSL session when the authentication timeout expires,
    can exploit this flaw to cause a denial of service.
    (CVE-2015-3165)

  - An out-of-memory condition exists in the printf()
    functions in PostgreSQL due to a failure to check for
    errors. A remote attacker can exploit this to access
    sensitive information. (CVE-2015-3166)

  - A flaw exists in contrib/pgcrypto in PostgreSQL due
    to cases of decryption reporting other error message
    texts, which a remote attacker can use to recover
    keys from other systems. (CVE-2015-3167)

  - A man-in-the-middle vulnerability, known as Logjam,
    exists due to a flaw in the SSL/TLS protocol. A remote
    attacker can exploit this flaw to downgrade connections
    using ephemeral Diffie-Hellman key exchange to 512-bit
    export-grade cryptography. (CVE-2015-4000)");
  # https://puppet.com/security/cve/activemq-february-2015-vulnerability-fix
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f903b0fa");
  # https://puppet.com/security/cve/postgresql-may-2015-vulnerability-fix
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50c9bedd");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/about/news/1587/");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/CVE-2015-4000");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/openssl-june-2015-vulnerability-fix");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150611.txt");
  script_set_attribute(attribute:"see_also", value:"https://weakdh.org/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Puppet Enterprise version 3.8.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-3166");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("puppet_rest_detect.nasl");
  script_require_keys("puppet/rest_port");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

app_name = "Puppet Enterprise";

port = get_kb_item_or_exit('puppet/rest_port');
ver = get_kb_item_or_exit('puppet/' + port + '/version');

if ('Enterprise' >< ver)
{
  # convert something like
  #   2.7.19 (Puppet Enterprise 2.7.0)
  # to
  #   2.7.0
  match = eregmatch(string:ver, pattern:"Enterprise ([0-9.]+)\)");
  if (isnull(match)) audit(AUDIT_UNKNOWN_WEB_APP_VER, app_name, build_url(port:port));
  ver = match[1];
}
else audit(AUDIT_WEB_APP_NOT_INST, app_name, port);

if (
  ver =~ "^3\.[0-7]($|[^0-9])" ||
  ver =~ "^3\.8\.0($|[^0-9])"
)
{
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : Puppet Enterprise ' + ver +
      '\n  Fixed version     : Puppet Enterprise 3.8.1\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, build_url(port:port), ver);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81374);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id(
    "CVE-2014-3576",
    "CVE-2014-3600",
    "CVE-2014-3612",
    "CVE-2014-8110"
  );
  script_bugtraq_id(72510, 72511, 72513);

  script_name(english:"Apache ActiveMQ 5.x < 5.10.1 / 5.11.0 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of ActiveMQ.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web application installed that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Apache ActiveMQ running on the remote host is 5.x prior
to 5.10.1 / 5.11.0. It is, therefore, potentially affected by multiple
vulnerabilities :

  - An unauthenticated, remote attacker can crash the broker
    listener by sending a packet to the same port that a
    message consumer or product connects to, resulting in a
    denial of service condition. (CVE-2014-3576)

  - An XML external entity (XXE) injection vulnerability 
    exists that is related to XPath selectors. A remote
    attacker can exploit this, via specially crafted XML
    data, to disclose the contents of arbitrary files.
    (CVE-2014-3600)

  - A flaw exists in the LDAPLoginModule of the Java
    Authentication and Authorization Service (JAAS) which
    can be triggered by the use of wildcard operators
    instead of a username or by invalid passwords. A remote
    attacker can exploit this to bypass authentication.
    (CVE-2014-3612)

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist in the web administrative console. (CVE-2014-8110)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c8309341");
  # http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3d4e09f");
  # http://activemq.apache.org/security-advisories.data/CVE-2014-8110-announcement.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3b2b5313");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 5.10.1 / 5.11.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3612");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:activemq");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("activemq_web_console_detect.nasl");
  script_require_keys("installed_sw/ActiveMQ", "Settings/ParanoidReport");
  script_require_ports("Services/www", 8161);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'ActiveMQ';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:8161);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
version = install['version'];
install_url = build_url(port:port, qs:dir);

if (report_paranoia < 2) audit(AUDIT_PARANOID);
fix = '5.10.1';
report_fix = fix + " / 5.11.0";

if (
  (version =~ "^5\.") &&
  (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
)
{
  set_kb_item(name:"www/" + port + "/XSS", value:TRUE);
    if (report_verbosity > 0)
  {
    report =
      '\n  URL               : ' + install_url +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3330. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(85353);
  script_version("2.8");
  script_cvs_date("Date: 2018/11/10 11:49:37");

  script_cve_id("CVE-2014-3576");
  script_xref(name:"DSA", value:"3330");

  script_name(english:"Debian DSA-3330-1 : activemq - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that the Apache ActiveMQ message broker is
susceptible to denial of service through an undocumented, remote
shutdown command."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-3612"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-3600"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/activemq"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/activemq"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3330"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the activemq packages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 5.6.0+dfsg-1+deb7u1. This update also fixes CVE-2014-3612
and CVE-2014-3600.

For the stable distribution (jessie), this problem has been fixed in
version 5.6.0+dfsg1-4+deb8u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:activemq");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"activemq", reference:"5.6.0+dfsg-1+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libactivemq-java", reference:"5.6.0+dfsg-1+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libactivemq-java-doc", reference:"5.6.0+dfsg-1+deb7u1")) flag++;
if (deb_check(release:"8.0", prefix:"activemq", reference:"5.6.0+dfsg1-4+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libactivemq-java", reference:"5.6.0+dfsg1-4+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libactivemq-java-doc", reference:"5.6.0+dfsg1-4+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");