CVE-2016-4450 - NULL Pointer Dereference vulnerability in multiple products

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
Nessus
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2016-715.NASL
description: A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91629
published: 2016-06-16
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/91629
title: Amazon Linux AMI : nginx (ALAS-2016-715)
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2016-715.
#

include("compat.inc");

if (description)
{
  script_id(91629);
  script_version("2.3");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2016-4450");
  script_xref(name:"ALAS", value:"2016-715");

  script_name(english:"Amazon Linux AMI : nginx (ALAS-2016-715)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"A problem was identified in nginx code responsible for saving client
request body to a temporary file. A specially crafted request might
result in worker process crash due to a NULL pointer dereference while
writing client request body to a temporary file.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-715.html");
  script_set_attribute(attribute:"solution", value:"Run 'yum update nginx' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"nginx-1.8.1-3.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.8.1-3.27.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo");
}
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2016-0012.NASL
description: An update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq , haproxy ] packages for PhotonOS has been released.
last seen: 2019-02-21
modified: 2019-02-07
plugin id: 111846
published: 2018-08-17
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111846
title: Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)
code:
#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2/7/2019
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2016-0012. The text
# itself is copyright (C) VMware, Inc.

include("compat.inc");

if (description)
{
  script_id(111846);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/05 23:25:07");

  script_cve_id(
    "CVE-2015-8370",
    "CVE-2015-8899",
    "CVE-2016-1248",
    "CVE-2016-4450",
    "CVE-2016-5017",
    "CVE-2016-5360",
    "CVE-2016-7098",
    "CVE-2016-9083",
    "CVE-2016-9555"
  );

  script_name(english:"Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value:
"An update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq ,
haproxy ] packages for PhotonOS has been released.");
  # https://github.com/vmware/photon/wiki/Security-Updates-12
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b465880d");
  script_set_attribute(attribute:"solution", value:"n/a.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9555");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:dnsmasq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:grub2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:vim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:wget");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zookeeper");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

exit(0, "This plugin has been deprecated.");

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

pkgs = [
  "dnsmasq-2.76-1.ph1",
  "dnsmasq-debuginfo-2.76-1.ph1",
  "grub2-2.02-5.ph1",
  "grub2-efi-2.02-3.ph1",
  "grub2-efi-lang-2.02-3.ph1",
  "grub2-lang-2.02-5.ph1",
  "haproxy-1.6.10-1.ph1",
  "haproxy-debuginfo-1.6.10-1.ph1",
  "haproxy-doc-1.6.10-1.ph1",
  "linux-4.4.35-1.ph1",
  "linux-api-headers-4.4.35-1.ph1",
  "linux-debuginfo-4.4.35-1.ph1",
  "linux-dev-4.4.35-1.ph1",
  "linux-docs-4.4.35-1.ph1",
  "linux-drivers-gpu-4.4.35-1.ph1",
  "linux-esx-4.4.35-1.ph1",
  "linux-esx-debuginfo-4.4.35-1.ph1",
  "linux-esx-devel-4.4.35-1.ph1",
  "linux-esx-docs-4.4.35-1.ph1",
  "linux-oprofile-4.4.35-1.ph1",
  "linux-sound-4.4.35-1.ph1",
  "linux-tools-4.4.35-1.ph1",
  "linux-tools-debuginfo-4.4.35-1.ph1",
  "nginx-1.10.0-4.ph1",
  "nginx-debuginfo-1.10.0-4.ph1",
  "vim-7.4-6.ph1",
  "vim-extra-7.4-6.ph1",
  "wget-1.18-1.ph1",
  "wget-debuginfo-1.18-1.ph1",
  "zookeeper-3.4.9-1.ph1"
];

foreach (pkg in pkgs)
  if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dnsmasq / grub2 / haproxy / linux / nginx / vim / wget / zookeeper");
}
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201606-06.NASL
description: The remote host is affected by the vulnerability described in GLSA-201606-06 (nginx: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition via a crafted packet. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103587
published: 2017-10-02
reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/103587
title: GLSA-201606-06 : nginx: Multiple vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201606-06.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(103587);
  script_version("$Revision: 3.1 $");
  script_cvs_date("$Date: 2017/10/02 21:40:44 $");

  script_cve_id("CVE-2013-3587", "CVE-2016-0742", "CVE-2016-0746", "CVE-2016-0747", "CVE-2016-4450");
  script_xref(name:"GLSA", value:"201606-06");

  script_name(english:"GLSA-201606-06 : nginx: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(attribute:"synopsis", value:
"The remote Gentoo host is missing one or more security-related patches.");
  script_set_attribute(attribute:"description", value:
"The remote host is affected by the vulnerability described in GLSA-201606-06
(nginx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in nginx. Please review
      the CVE identifiers referenced below for details.

Impact :

    A remote attacker could possibly cause a Denial of Service condition
      via a crafted packet.

Workaround :

    There is no known workaround at this time.");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/201606-06");
  script_set_attribute(attribute:"solution", value:
"All nginx users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.10.1'");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"www-servers/nginx", unaffected:make_list("ge 1.10.1"), vulnerable:make_list("lt 1.10.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
}
NASL family: Web Servers
NASL id: NGINX_1_11_1.NASL
description: According to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 1.10.1, or 1.11.x less than 1.11.1. It is, therefore, affected by a denial of service vulnerability.
last seen: 2020-05-09
modified: 2018-10-16
plugin id: 118150
published: 2018-10-16
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118150
title: nginx < 1.10.1 / 1.11.x < 1.11.1 Denial-of-Service Vulnerability
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(118150);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2016-4450");
  script_bugtraq_id(90967);

  script_name(english:"nginx < 1.10.1 / 1.11.x < 1.11.1 Denial-of-Service Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to the self-reported version in its response header, the
version of nginx hosted on the remote web server is less than 1.10.1,
or 1.11.x less than 1.11.1. It is, therefore, affected by a denial of
service vulnerability");
  # http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d0e3888");
  script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to nginx version 1.10.1 / 1.11.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4450");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
  script_set_attribute(attribute:"agent", value:"unix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nginx_nix_installed.nbin");
  script_require_keys("Settings/ParanoidReport", "installed_sw/nginx");

  exit(0);
}

include('http.inc');
include('vcf.inc');

appname = 'nginx';
get_install_count(app_name:appname, exit_if_zero:TRUE);
app_info = vcf::combined_get_app_info(app:appname);

vcf::check_granularity(app_info:app_info, sig_segments:3);

# If the detection is only remote, Detection Method won't be set, and we should require paranoia
if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
  audit(AUDIT_PARANOID);

constraints = [
  {'fixed_version' : '1.10.1', 'min_version' : '1.3.9', 'fixed_display' : '1.10.1 / 1.11.1'},
  {'fixed_version' : '1.11.1', 'min_version' : '1.11.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2991-1.NASL
description: It was discovered that nginx incorrectly handled saving client request bodies to temporary files. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91451
published: 2016-06-03
reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91451
title: Ubuntu 14.04 LTS / 15.10 / 16.04 LTS : nginx vulnerability (USN-2991-1)
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2991-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91451);
  script_version("2.7");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2016-4450");
  script_xref(name:"USN", value:"2991-1");

  script_name(english:"Ubuntu 14.04 LTS / 15.10 / 16.04 LTS : nginx vulnerability (USN-2991-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security-related patches.");
  script_set_attribute(attribute:"description", value:
"It was discovered that nginx incorrectly handled saving client request
bodies to temporary files. A remote attacker could possibly use this
issue to cause nginx to crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/2991-1/");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-extras");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-full");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-light");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|15\.10|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 15.10 / 16.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"nginx-core", pkgver:"1.4.6-1ubuntu3.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"nginx-extras", pkgver:"1.4.6-1ubuntu3.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"nginx-full", pkgver:"1.4.6-1ubuntu3.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"nginx-light", pkgver:"1.4.6-1ubuntu3.5")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"nginx-core", pkgver:"1.9.3-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"nginx-extras", pkgver:"1.9.3-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"nginx-full", pkgver:"1.9.3-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"nginx-light", pkgver:"1.9.3-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"nginx-core", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"nginx-extras", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"nginx-full", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"nginx-light", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-core / nginx-extras / nginx-full / nginx-light");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-C329FC4C32.NASL
description: update to upstream release 1.10.1 to fix CVE-2016-4450. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-07-14
plugin id: 92155
published: 2016-07-14
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92155
title: Fedora 24 : 1:nginx (2016-c329fc4c32)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2016-c329fc4c32.
#

include("compat.inc");

if (description)
{
  script_id(92155);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-4450");
  script_xref(name:"FEDORA", value:"2016-c329fc4c32");

  script_name(english:"Fedora 24 : 1:nginx (2016-c329fc4c32)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"update to upstream release 1.10.1 to fix CVE-2016-4450

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-c329fc4c32");
  script_set_attribute(attribute:"solution", value:"Update the affected 1:nginx package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:nginx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC24", reference:"nginx-1.10.1-1.fc24", epoch:"1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:nginx");
}
NASL family: Misc.
NASL id: ARISTA_EOS_SA0021.NASL
description: The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in NGINX due to a NULL pointer dereference flaw in the ngx_chain_to_iovec() function within file os/unix/ngx_files.c when handling specially crafted requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request to write a client request body to a temporary file, to crash a worker process.
last seen: 2020-03-17
modified: 2018-02-28
plugin id: 107063
published: 2018-02-28
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/107063
title: Arista Networks EOS ngx_chain_to_iovec NULL Pointer Deference DoS (SA0021)
code:
#TRUSTED
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(107063);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13");

  script_cve_id("CVE-2016-4450");
  script_bugtraq_id(90967);

  script_name(english:"Arista Networks EOS ngx_chain_to_iovec NULL Pointer Deference DoS (SA0021)");
  script_summary(english:"Checks the Arista Networks EOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The version of Arista Networks EOS running on the remote device is
affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Arista Networks EOS running on the remote device is
affected by a denial of service vulnerability in NGINX due to a NULL
pointer dereference flaw in the ngx_chain_to_iovec() function within
file os/unix/ngx_files.c when handling specially crafted requests. An
unauthenticated, remote attacker can exploit this, via a specially
crafted request to write a client request body to a temporary file, to
crash a worker process.");
  # https://www.arista.com/en/support/advisories-notices/security-advisories/1354-security-advisory-21
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b364c9b9");
  script_set_attribute(attribute:"solution", value:
"Contact the vendor for a fixed version, or apply the patch file
referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4450");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/28");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("arista_eos_detect.nbin");
  script_require_keys("Host/Arista-EOS/Version");

  exit(0);
}

include("arista_eos_func.inc");

version = get_kb_item_or_exit("Host/Arista-EOS/Version");

# A hotfix extension with this name and SHA-512 marks the device as patched
# even when its base EOS version is in the affected matrix below.
ext = "1.6.2/3236644.idburleydevdasturias.11";
sha = "d7124b02ae8505436a94a0440b2c4192b801b30bd84ed1a9c3672c8c4891fadca18b6221237fb959436c5dd084e95bc97317606c41c6b173993becbc13c857e6";

if (eos_extension_installed(ext:ext, sha:sha))
  exit(0, "The Arista device is not vulnerable, as a relevant hotfix has been installed.");

vmatrix = make_array();
vmatrix["all"]  = make_list("4.12");
vmatrix["F"]    = make_list("4.13.1.1<=4.13.6",
                            "4.14.0<=4.14.4.2",
                            "4.15.0<=4.15.4.1");
vmatrix["M"]    = make_list("4.13.7<=4.13.15",
                            "4.14.5<=4.14.11",
                            "4.15.5",
                            "4.15.6",
                            "4.16.6");
vmatrix["misc"] = make_list("4.14.5FX",
                            "4.14.5FX.1",
                            "4.14.5FX.2",
                            "4.14.5FX.3",
                            "4.14.5FX.4",
                            "4.14.5.1F-SSU",
                            "4.15.0FX",
                            "4.15.0FXA",
                            "4.15.0FX1",
                            "4.15.1FXB.1",
                            "4.15.1FXB",
                            "4.15.1FX-7060X",
                            "4.15.1FX-7060QX",
                            "4.15.3FX-7050X-72Q",
                            "4.15.3FX-7060X.1",
                            "4.15.3FX-7500E3",
                            "4.15.3FX-7500E3.3",
                            "4.15.4FX-7500E3",
                            "4.15.5FX-7500R",
                            "4.15.5FX-7500R-bgpscale");

if (eos_is_affected(vmatrix:vmatrix, version:version))
{
  security_report_v4(severity:SECURITY_WARNING, port:0, extra:eos_report_get());
}
else audit(AUDIT_INST_VER_NOT_VULN, "Arista Networks EOS", version);
NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_36CF7670277411E6AF29F0DEF16C5C1B.NASL
description Maxim Dounin reports : A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
last seen 2020-06-01
modified 2020-06-02
plugin id 91399
published 2016-06-01
reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/91399
title FreeBSD : nginx -- a specially crafted request might result in worker process crash (36cf7670-2774-11e6-af29-f0def16c5c1b)

NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-3592.NASL
description It was discovered that a NULL pointer dereference in the Nginx code responsible for saving client request bodies to a temporary file might result in denial of service: Malformed requests could crash worker processes.
last seen 2020-06-01
modified 2020-06-02
plugin id 91431
published 2016-06-02
reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/91431
title Debian DSA-3592-1 : nginx - security update

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-EA323BD6CF.NASL
description fix CVE-2016-4450 ---- update to upstream release 1.8.1 to fix CVE-2016-4450 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-07-14
plugin id 92194
published 2016-07-14
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/92194
title Fedora 23 : 1:nginx (2016-ea323bd6cf)

NASL family Palo Alto Local Security Checks
NASL id PALO_ALTO_PAN-SA-2020-0006.NASL
description The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 8.1.14 or 8.0.x prior to 8.1.14 or 8.1.x prior to 8.1.14 or 9.0.x prior to 9.0.7. It is, therefore, affected by a vulnerability. - The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. (CVE-2013-0337) - os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. (CVE-2016-4450) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen 2020-05-23
modified 2020-05-22
plugin id 136826
published 2020-05-22
reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/136826
title Palo Alto Networks PAN-OS 7.1.x < 8.1.14 / 8.0.x < 8.1.14 / 8.1.x < 8.1.14 / 9.0.x < 9.0.7 Vulnerability

NASL family SuSE Local Security Checks
NASL id OPENSUSE-2017-192.NASL
description This update for nginx fixes the following vulnerability : - CVE-2016-4450: Remote attackers could have caused a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
last seen 2020-06-05
modified 2017-02-02
plugin id 96943
published 2017-02-02
reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/96943
title openSUSE Security Update : nginx (openSUSE-2017-192)

NASL family PhotonOS Local Security Checks
NASL id PHOTONOS_PHSA-2016-0012_NGINX.NASL
description An update of the nginx package has been released.
last seen 2020-03-17
modified 2019-02-07
plugin id 121651
published 2019-02-07
reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/121651
title Photon OS 1.0: Nginx PHSA-2016-0012
Redhat
References
- http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
- http://www.debian.org/security/2016/dsa-3592
- http://www.securityfocus.com/bid/90967
- http://www.securitytracker.com/id/1036019
- http://www.ubuntu.com/usn/USN-2991-1
- https://access.redhat.com/errata/RHSA-2016:1425
- https://security.gentoo.org/glsa/201606-06