Vulnerabilities > CVE-2016-2176 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Openssl
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
HIGH Summary
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Misc. NASL id ORACLE_E-BUSINESS_CPU_OCT_2016.NASL description The version of Oracle E-Business installed on the remote host is missing the October 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist in the OpenSSL subcomponent in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the OpenSSL subcomponent in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the OpenSSL subcomponent in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) - An unspecified flaw exists in the Runtime Catalog subcomponent in the iStore component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5489) - An unspecified flaw exists in the AD Utilities subcomponent in the Applications DBA component that allows a local attacker to disclose sensitive information. (CVE-2016-5517) - An unspecified flaw exists in the Workflow Events subcomponent in the Shipping Execution component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5532) - An unspecified flaw exists in the Price Book subcomponent in the Advanced Pricing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5557) - An unspecified flaw exists in the Requisition Management subcomponent in the iProcurement component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5562) - Multiple unspecified flaws exist in the AD Utilities subcomponent in the DBA component that allow an authenticated, remote attacker to impact confidentiality and integrity. (CVE- 2016-5567, CVE-2016-5570, CVE-2016-5571) - An unspecified flaw exists in the Resources Module subcomponent in the Common Applications Calendar component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5575) - An unspecified flaw exists in the Candidate Self Service subcomponent in the iRecruitment component that allows a local attacker to gain elevated privileges. (CVE-2016-5581) - An unspecified flaw exists in the File Upload subcomponent in the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5583) - An unspecified flaw exists in the Select Application Dependencies subcomponent in the Interaction Center Intelligence component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5585) - An unspecified flaw exists in the Dispatch/Service Call Requests subcomponent in the Email Center component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5586) - Multiple unspecified flaws exist in the Outcome-Result subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5587, CVE-2016-5591, CVE-2016-5593) - An unspecified flaw exists in the Responsibility Management subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5589) - Multiple unspecified flaws exist in the Result-Reason subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5592, CVE-2016-5595) - An unspecified flaw exists in the Default Responsibility subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5596) last seen 2020-06-01 modified 2020-06-02 plugin id 94164 published 2016-10-20 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94164 title Oracle E-Business Multiple Vulnerabilities (October 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94164); script_version("1.8"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-5489", "CVE-2016-5517", "CVE-2016-5532", "CVE-2016-5557", "CVE-2016-5562", "CVE-2016-5567", "CVE-2016-5570", "CVE-2016-5571", "CVE-2016-5575", "CVE-2016-5581", "CVE-2016-5583", "CVE-2016-5585", "CVE-2016-5586", "CVE-2016-5587", "CVE-2016-5589", "CVE-2016-5591", "CVE-2016-5592", "CVE-2016-5593", "CVE-2016-5595", "CVE-2016-5596" ); script_bugtraq_id( 87940, 89744, 89746, 89757, 89760, 93690, 93694, 93699, 93703, 93707, 93721, 93724, 93729, 93738, 93739, 93743, 93747, 93750, 93756, 93758, 93761, 93762, 93764, 93769, 93770 ); script_xref(name:"EDB-ID", value:"39768"); script_name(english:"Oracle E-Business Multiple Vulnerabilities (October 2016 CPU)"); script_summary(english:"Checks for the October 2016 CPU."); script_set_attribute(attribute:"synopsis", value: "A web application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle E-Business installed on the remote host is missing the October 2016 Oracle Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the OpenSSL subcomponent in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist in the OpenSSL subcomponent in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the OpenSSL subcomponent in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the OpenSSL subcomponent in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) - An unspecified flaw exists in the Runtime Catalog subcomponent in the iStore component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5489) - An unspecified flaw exists in the AD Utilities subcomponent in the Applications DBA component that allows a local attacker to disclose sensitive information. (CVE-2016-5517) - An unspecified flaw exists in the Workflow Events subcomponent in the Shipping Execution component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5532) - An unspecified flaw exists in the Price Book subcomponent in the Advanced Pricing component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5557) - An unspecified flaw exists in the Requisition Management subcomponent in the iProcurement component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5562) - Multiple unspecified flaws exist in the AD Utilities subcomponent in the DBA component that allow an authenticated, remote attacker to impact confidentiality and integrity. (CVE- 2016-5567, CVE-2016-5570, CVE-2016-5571) - An unspecified flaw exists in the Resources Module subcomponent in the Common Applications Calendar component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5575) - An unspecified flaw exists in the Candidate Self Service subcomponent in the iRecruitment component that allows a local attacker to gain elevated privileges. (CVE-2016-5581) - An unspecified flaw exists in the File Upload subcomponent in the One-to-One Fulfillment component that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5583) - An unspecified flaw exists in the Select Application Dependencies subcomponent in the Interaction Center Intelligence component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5585) - An unspecified flaw exists in the Dispatch/Service Call Requests subcomponent in the Email Center component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5586) - Multiple unspecified flaws exist in the Outcome-Result subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5587, CVE-2016-5591, CVE-2016-5593) - An unspecified flaw exists in the Responsibility Management subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5589) - Multiple unspecified flaws exist in the Result-Reason subcomponent in the Customer Interaction History component that allow an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5592, CVE-2016-5595) - An unspecified flaw exists in the Default Responsibility subcomponent in the CRM Technical Foundation component that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5596)"); # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the October 2016 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5489"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:e-business_suite"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_e-business_query_patch_info.nbin"); script_require_keys("Oracle/E-Business/Version", "Oracle/E-Business/patches/installed"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("Oracle/E-Business/Version"); patches = get_kb_item_or_exit("Oracle/E-Business/patches/installed"); # Batch checks if (patches) patches = split(patches, sep:',', keep:FALSE); else patches = make_list(); p12_1 = '24390793'; p12_2 = '24390794'; # Check if the installed version is an affected version affected_versions = make_array( '12.1.1', make_list(p12_1), '12.1.2', make_list(p12_1), '12.1.3', make_list(p12_1), '12.2.3', make_list(p12_2), '12.2.4', make_list(p12_2), '12.2.5', make_list(p12_2), '12.2.6', make_list(p12_2) ); patched = FALSE; affectedver = FALSE; if (affected_versions[version]) { affectedver = TRUE; patchids = affected_versions[version]; foreach required_patch (patchids) { foreach applied_patch (patches) { if(required_patch == applied_patch) { patched = applied_patch; break; } } if(patched) break; } if(!patched) patchreport = join(patchids,sep:" or "); } if (!patched && affectedver) { if(report_verbosity > 0) { report = '\n Installed version : '+version+ '\n Fixed version : '+version+' Patch '+patchreport+ '\n'; security_hole(port:0,extra:report); } else security_hole(0); exit(0); } else if (!affectedver) audit(AUDIT_INST_VER_NOT_VULN, 'Oracle E-Business', version); else exit(0, 'The Oracle E-Business server ' + version + ' is not affected because patch ' + patched + ' has been applied.');
NASL family Misc. NASL id VIRTUALBOX_5_0_22.NASL description The Oracle VM VirtualBox application installed on the remote host is a version prior to 5.0.22. It is, therefore, affected by multiple vulnerabilities in the bundled OpenSSL component : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) last seen 2020-06-01 modified 2020-06-02 plugin id 92458 published 2016-07-20 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92458 title Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(92458); script_version("1.12"); script_cvs_date("Date: 2019/11/19"); script_cve_id( "CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-3612" ); script_bugtraq_id( 87940, 89744, 89746, 89757, 89760 ); script_xref(name:"EDB-ID", value:"39768"); script_name(english:"Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU)"); script_summary(english:"Performs a version check on VirtualBox.exe."); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The Oracle VM VirtualBox application installed on the remote host is a version prior to 5.0.22. It is, therefore, affected by multiple vulnerabilities in the bundled OpenSSL component : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176)"); # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c"); script_set_attribute(attribute:"see_also", value:"https://www.virtualbox.org/wiki/Changelog"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle VM VirtualBox version 5.0.22 or later as referenced in the July 2016 Oracle Critical Patch Update advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2176"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/20"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:vm_virtualbox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("virtualbox_installed.nasl", "macosx_virtualbox_installed.nbin"); script_require_ports("installed_sw/Oracle VM VirtualBox", "installed_sw/VirtualBox"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app = NULL; apps = make_list('Oracle VM VirtualBox', 'VirtualBox'); foreach app (apps) { if (get_install_count(app_name:app)) break; else app = NULL; } if (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox'); install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); ver = install['version']; path = install['path']; # Affected : # 5.0.x < 5.0.22 if (ver =~ '^5\\.0' && ver_compare(ver:ver, fix:'5.0.22', strict:FALSE) < 0) fix = '5.0.22'; else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path); port = 0; if (app == 'Oracle VM VirtualBox') { port = get_kb_item("SMB/transport"); if (!port) port = 445; } report = '\n Path : ' + path + '\n Installed version : ' + ver + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); exit(0);
NASL family CISCO NASL id CISCO_TELEPRESENCE_VCS_MULTIPLE_880.NASL description According to its self-reported version, the Cisco TelePresence Video Communication Server (VCS) / Expressway running on the remote host is 8.x prior to 8.8. It is, therefore, affected by multiple vulnerabilities : - A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808) - A flaw exists in the web framework of TelePresence Video Communication Server (VCS) Expressway due to missing authorization checks on certain administrative pages. An authenticated, remote attacker can exploit this to bypass read-only restrictions and install Tandberg Linux Packages (TLPs) without proper authorization. (CVE-2015-6413) - A flaw exists in certificate management and validation for the Mobile and Remote Access (MRA) component due to improper input validation of a trusted certificate. An unauthenticated, remote attacker can exploit this, using a trusted certificate, to bypass authentication and gain access to internal HTTP system resources. (CVE-2016-1444) - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - A remote code execution vulnerability exists in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2108) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN.1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) - An information disclosure vulnerability exists in the file system permissions due to certain files having overly permissive permissions. An unauthenticated, local attacker can exploit this to disclose sensitive information. (Cisco bug ID CSCuw55636) Note that Cisco bug ID CSCuw55636 and CVE-2015-6413 only affect versions 8.6.x prior to 8.8. last seen 2020-06-01 modified 2020-06-02 plugin id 92045 published 2016-07-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92045 title Cisco TelePresence VCS / Expressway 8.x < 8.8 Multiple Vulnerabilities (Bar Mitzvah) NASL family Misc. NASL id LCE_4_8_1.NASL description The version of Tenable Log Correlation Engine (LCE) installed on the remote host is prior to 4.8.1. It is, therefore, affected by the following vulnerabilities : - Multiple cross-site scripting (XSS) vulnerabilities exist in the Handlebars library in the lib/handlebars/utils.js script due to a failure to properly escape input passed as unquoted attributes to templates. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted request, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 97893 published 2017-03-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97893 title Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_01D729CA114311E6B55EB499BAEBFEAF.NASL description OpenSSL reports : Memory corruption in the ASN.1 encoder Padding oracle in AES-NI CBC MAC check EVP_EncodeUpdate overflow EVP_EncryptUpdate overflow ASN.1 BIO excessive memory allocation EBCDIC overread (OpenSSL only) last seen 2020-06-01 modified 2020-06-02 plugin id 90876 published 2016-05-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90876 title FreeBSD : OpenSSL -- multiple vulnerabilities (01d729ca-1143-11e6-b55e-b499baebfeaf) NASL family MacOS X Local Security Checks NASL id MACOSX_10_11_6.NASL description The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.6. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - Audio - bsdiff - CFNetwork - CoreGraphics - FaceTime - Graphics Drivers - ImageIO - Intel Graphics Driver - IOHIDFamily - IOKit - IOSurface - Kernel - libc++abi - libexpat - LibreSSL - libxml2 - libxslt - Login Window - OpenSSL - QuickTime - Safari Login AutoFill - Sandbox Profiles Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 92496 published 2016-07-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92496 title Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-456.NASL description Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer toolkit. CVE-2016-2105 Guido Vranken discovered that an overflow can occur in the function EVP_EncodeUpdate(), used for Base64 encoding, if an attacker can supply a large amount of data. This could lead to a heap corruption. CVE-2016-2106 Guido Vranken discovered that an overflow can occur in the function EVP_EncryptUpdate() if an attacker can supply a large amount of data. This could lead to a heap corruption. CVE-2016-2107 Juraj Somorovsky discovered a padding oracle in the AES CBC cipher implementation based on the AES-NI instruction set. This could allow an attacker to decrypt TLS traffic encrypted with one of the cipher suites based on AES CBC. CVE-2016-2108 David Benjamin from Google discovered that two separate bugs in the ASN.1 encoder, related to handling of negative zero integer values and large universal tags, could lead to an out-of-bounds write. CVE-2016-2109 Brian Carpenter discovered that when ASN.1 data is read from a BIO using functions such as d2i_CMS_bio(), a short invalid encoding can casuse allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. CVE-2016-2176 Guido Vranken discovered that ASN.1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. Additional information about these issues can be found in the OpenSSL security advisory at https://www.openssl.org/news/secadv/20160503.txt NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2016-05-04 plugin id 90874 published 2016-05-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90874 title Debian DLA-456-1 : openssl security update NASL family Firewalls NASL id PFSENSE_SA-16_04.NASL description According to its self-reported version number, the remote pfSense install is prior to 2.3.1. It is, therefore, affected by multiple vulnerabilities. last seen 2020-04-30 modified 2018-01-31 plugin id 106500 published 2018-01-31 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106500 title pfSense < 2.3.1 Multiple Vulnerabilities (SA-16_03 / SA-16-04) NASL family AIX Local Security Checks NASL id AIX_OPENSSL_ADVISORY20.NASL description The version of OpenSSL installed on the remote AIX host is affected by the following vulnerabilities : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - A remote code execution vulnerability exists in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2108) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) last seen 2020-06-01 modified 2020-06-02 plugin id 92323 published 2016-07-15 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92323 title AIX OpenSSL Advisory : openssl_advisory20.asc NASL family Web Servers NASL id OPENSSL_1_0_2H.NASL description According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2h. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) last seen 2020-06-01 modified 2020-06-02 plugin id 90891 published 2016-05-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90891 title OpenSSL 1.0.2 < 1.0.2h Multiple Vulnerabilities NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-124-01.NASL description New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90863 published 2016-05-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90863 title Slackware 14.0 / 14.1 / current : openssl (SSA:2016-124-01) NASL family Web Servers NASL id OPENSSL_1_0_1T.NASL description According to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1t. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Flaws exist in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - An out-of-bounds read error exists in the X509_NAME_oneline() function within file crypto/x509/x509_obj.c when handling very long ASN1 strings. An unauthenticated, remote attacker can exploit this to disclose the contents of stack memory. (CVE-2016-2176) last seen 2020-06-01 modified 2020-06-02 plugin id 90890 published 2016-05-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90890 title OpenSSL 1.0.1 < 1.0.1t Multiple Vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-16.NASL description The remote host is affected by the vulnerability described in GLSA-201612-16 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers and the International Association for Cryptologic Research’s (IACR) paper, “Make Sure DSA Signing Exponentiations Really are Constant-Time” for further details. Impact : Remote attackers could cause a Denial of Service condition or have other unspecified impacts. Additionally, a time based side-channel attack may allow a local attacker to recover a private DSA key. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95602 published 2016-12-07 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95602 title GLSA-201612-16 : OpenSSL: Multiple vulnerabilities
Packetstorm
data source | https://packetstormsecurity.com/files/download/143369/orionbrowser79-mitm.txt |
id | PACKETSTORM:143369 |
last seen | 2017-07-15 |
published | 2017-07-14 |
reporter | MaXe |
source | https://packetstormsecurity.com/files/143369/Orion-Elite-Hidden-IP-Browser-Pro-7.9-OpenSSL-Tor-Man-In-The-Middle.html |
title | Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle |
References
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/89746
- http://www.securityfocus.com/bid/89746
- http://www.securityfocus.com/bid/91787
- http://www.securityfocus.com/bid/91787
- http://www.securitytracker.com/id/1035721
- http://www.securitytracker.com/id/1035721
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.542103
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.542103
- https://bto.bluecoat.com/security-advisory/sa123
- https://bto.bluecoat.com/security-advisory/sa123
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=2919516136a4227d9e6d8f2fe66ef976aaf8c561
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=2919516136a4227d9e6d8f2fe66ef976aaf8c561
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- https://kc.mcafee.com/corporate/index?page=content&id=SB10160
- https://security.gentoo.org/glsa/201612-16
- https://security.gentoo.org/glsa/201612-16
- https://security.netapp.com/advisory/ntap-20160504-0001/
- https://security.netapp.com/advisory/ntap-20160504-0001/
- https://support.apple.com/HT206903
- https://support.apple.com/HT206903
- https://www.openssl.org/news/secadv/20160503.txt
- https://www.openssl.org/news/secadv/20160503.txt
- https://www.tenable.com/security/tns-2016-18
- https://www.tenable.com/security/tns-2016-18