Vulnerabilities > CVE-2015-9019 - Use of Insufficiently Random Values vulnerability in Xmlsoft Libxslt
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Brute Force In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1052.NASL description According to the version of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-9019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-22 plugin id 122379 published 2019-02-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122379 title EulerOS 2.0 SP2 : libxslt (EulerOS-SA-2019-1052) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122379); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2015-9019" ); script_name(english:"EulerOS 2.0 SP2 : libxslt (EulerOS-SA-2019-1052)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-9019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1052 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a3e6261a"); script_set_attribute(attribute:"solution", value: "Update the affected libxslt package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libxslt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libxslt-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libxslt-python"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["libxslt-1.1.28-5.h1", "libxslt-devel-1.1.28-5.h1", "libxslt-python-1.1.28-5.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libxslt"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1282-1.NASL description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-01 modified 2020-06-02 plugin id 100208 published 2017-05-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100208 title SUSE SLES11 Security Update : libxslt (SUSE-SU-2017:1282-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0025_LIBXSLT.NASL description An update of the libxslt package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121715 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121715 title Photon OS 1.0: Libxslt PHSA-2017-0025 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1318.NASL description According to the versions of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.(CVE-2019-11068) - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-5019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-05-01 plugin id 124445 published 2019-05-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124445 title EulerOS 2.0 SP5 : libxslt (EulerOS-SA-2019-1318) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0025.NASL description An update of [linux,sqlite-autoconf,libxslt] packages for PhotonOS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111874 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111874 title Photon OS 1.0: Libxslt / Linux / Sqlite PHSA-2017-0025 (deprecated) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-609.NASL description This update for libxslt fixes the following security issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-05 modified 2017-05-24 plugin id 100367 published 2017-05-24 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100367 title openSUSE Security Update : libxslt (openSUSE-2017-609) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1592.NASL description According to the versions of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.(CVE-2019-11068) - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-9019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-05-29 plugin id 125519 published 2019-05-29 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125519 title EulerOS 2.0 SP3 : libxslt (EulerOS-SA-2019-1592) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1313-1.NASL description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-01 modified 2020-06-02 plugin id 100243 published 2017-05-17 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100243 title SUSE SLED12 / SLES12 Security Update : libxslt (SUSE-SU-2017:1313-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1625.NASL description According to the versions of the libxslt packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.(CVE-2019-11068) - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-9019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125577 published 2019-05-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125577 title EulerOS Virtualization for ARM 64 3.0.2.0 : libxslt (EulerOS-SA-2019-1625) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1606.NASL description According to the versions of the libxslt packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.(CVE-2019-11068) - In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.(CVE-2015-9019) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125558 published 2019-05-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125558 title EulerOS Virtualization 3.0.1.0 : libxslt (EulerOS-SA-2019-1606)