Vulnerabilities > CVE-2016-4450 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
canonical
f5
debian
CWE-476
nessus

Summary

os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-715.NASL
    descriptionA problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
    last seen2020-06-01
    modified2020-06-02
    plugin id91629
    published2016-06-16
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91629
    titleAmazon Linux AMI : nginx (ALAS-2016-715)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2016-715.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91629);
      script_version("2.3");
      script_cvs_date("Date: 2018/04/18 15:09:36");
    
      script_cve_id("CVE-2016-4450");
      script_xref(name:"ALAS", value:"2016-715");
    
      script_name(english:"Amazon Linux AMI : nginx (ALAS-2016-715)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A problem was identified in nginx code responsible for saving client
    request body to a temporary file. A specially crafted request might
    result in worker process crash due to a NULL pointer dereference while
    writing client request body to a temporary file."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2016-715.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update nginx' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"nginx-1.8.1-3.27.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.8.1-3.27.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2016-0012.NASL
    descriptionAn update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq , haproxy ] packages for PhotonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111846
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111846
    titlePhoton OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2016-0012. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111846);
      script_version("1.3");
      script_cvs_date("Date: 2019/04/05 23:25:07");
    
      script_cve_id(
        "CVE-2015-8370",
        "CVE-2015-8899",
        "CVE-2016-1248",
        "CVE-2016-4450",
        "CVE-2016-5017",
        "CVE-2016-5360",
        "CVE-2016-7098",
        "CVE-2016-9083",
        "CVE-2016-9555"
      );
    
      script_name(english:"Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "An update of [ linux , wget , vim , grub2 , zookeeper , nginx ,
    dnsmasq , haproxy ] packages for PhotonOS has been released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-12
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b465880d");
      script_set_attribute(attribute:"solution", value:"n/a.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9555");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:dnsmasq");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:grub2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:vim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:wget");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zookeeper");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    pkgs = [
      "dnsmasq-2.76-1.ph1",
      "dnsmasq-debuginfo-2.76-1.ph1",
      "grub2-2.02-5.ph1",
      "grub2-efi-2.02-3.ph1",
      "grub2-efi-lang-2.02-3.ph1",
      "grub2-lang-2.02-5.ph1",
      "haproxy-1.6.10-1.ph1",
      "haproxy-debuginfo-1.6.10-1.ph1",
      "haproxy-doc-1.6.10-1.ph1",
      "linux-4.4.35-1.ph1",
      "linux-api-headers-4.4.35-1.ph1",
      "linux-debuginfo-4.4.35-1.ph1",
      "linux-dev-4.4.35-1.ph1",
      "linux-docs-4.4.35-1.ph1",
      "linux-drivers-gpu-4.4.35-1.ph1",
      "linux-esx-4.4.35-1.ph1",
      "linux-esx-debuginfo-4.4.35-1.ph1",
      "linux-esx-devel-4.4.35-1.ph1",
      "linux-esx-docs-4.4.35-1.ph1",
      "linux-oprofile-4.4.35-1.ph1",
      "linux-sound-4.4.35-1.ph1",
      "linux-tools-4.4.35-1.ph1",
      "linux-tools-debuginfo-4.4.35-1.ph1",
      "nginx-1.10.0-4.ph1",
      "nginx-debuginfo-1.10.0-4.ph1",
      "vim-7.4-6.ph1",
      "vim-extra-7.4-6.ph1",
      "wget-1.18-1.ph1",
      "wget-debuginfo-1.18-1.ph1",
      "zookeeper-3.4.9-1.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dnsmasq / grub2 / haproxy / linux / nginx / vim / wget / zookeeper");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201606-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201606-06 (nginx: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition via a crafted packet. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id103587
    published2017-10-02
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103587
    titleGLSA-201606-06 : nginx: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201606-06.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103587);
      script_version("$Revision: 3.1 $");
      script_cvs_date("$Date: 2017/10/02 21:40:44 $");
    
      script_cve_id("CVE-2013-3587", "CVE-2016-0742", "CVE-2016-0746", "CVE-2016-0747", "CVE-2016-4450");
      script_xref(name:"GLSA", value:"201606-06");
    
      script_name(english:"GLSA-201606-06 : nginx: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201606-06
    (nginx: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in nginx. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could possibly cause a Denial of Service condition via
          a crafted packet.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201606-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All nginx users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=www-servers/nginx-1.10.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-servers/nginx", unaffected:make_list("ge 1.10.1"), vulnerable:make_list("lt 1.10.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
    }
    
  • NASL familyWeb Servers
    NASL idNGINX_1_11_1.NASL
    descriptionAccording to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 1.10.1, or 1.11.x less than 1.11.1. It is, therefore, affected by a denial of service vulnerability
    last seen2020-05-09
    modified2018-10-16
    plugin id118150
    published2018-10-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118150
    titlenginx < 1.10.1 / 1.11.x < 1.11.1 Denial-of-Service Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(118150);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2016-4450");
      script_bugtraq_id(90967);
    
      script_name(english:"nginx < 1.10.1 / 1.11.x < 1.11.1 Denial-of-Service Vulnerability");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a denial of service
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to the self-reported version in its response header, the
    version of nginx hosted on the remote web server is less than 1.10.1,
     or 1.11.x less than 1.11.1. It is, therefore, affected by a denial of  
    service vulnerability");
      # http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d0e3888");
      script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to nginx version 1.10.1 / 1.11.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4450");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/16");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
      script_set_attribute(attribute:"agent", value:"unix");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("nginx_nix_installed.nbin");
      script_require_keys("Settings/ParanoidReport", "installed_sw/nginx");
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    appname = 'nginx';
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    app_info = vcf::combined_get_app_info(app:appname);
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    # If the detection is only remote, Detection Method won't be set, and we should require paranoia
    if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
    constraints = [
      {'fixed_version' : '1.10.1', 'min_version' : '1.3.9', 'fixed_display' : '1.10.1 / 1.11.1'},
      {'fixed_version' : '1.11.1', 'min_version' : '1.11.0'}
                ];
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2991-1.NASL
    descriptionIt was discovered that nginx incorrectly handled saving client request bodies to temporary files. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91451
    published2016-06-03
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91451
    titleUbuntu 14.04 LTS / 15.10 / 16.04 LTS : nginx vulnerability (USN-2991-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2991-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91451);
      script_version("2.7");
      script_cvs_date("Date: 2019/09/18 12:31:45");
    
      script_cve_id("CVE-2016-4450");
      script_xref(name:"USN", value:"2991-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 15.10 / 16.04 LTS : nginx vulnerability (USN-2991-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that nginx incorrectly handled saving client request
    bodies to temporary files. A remote attacker could possibly use this
    issue to cause nginx to crash, resulting in a denial of service.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2991-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-full");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nginx-light");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|15\.10|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 15.10 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-core", pkgver:"1.4.6-1ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-extras", pkgver:"1.4.6-1ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-full", pkgver:"1.4.6-1ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"nginx-light", pkgver:"1.4.6-1ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"15.10", pkgname:"nginx-core", pkgver:"1.9.3-1ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"15.10", pkgname:"nginx-extras", pkgver:"1.9.3-1ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"15.10", pkgname:"nginx-full", pkgver:"1.9.3-1ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"15.10", pkgname:"nginx-light", pkgver:"1.9.3-1ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-core", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-extras", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-full", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"nginx-light", pkgver:"1.10.0-0ubuntu0.16.04.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-core / nginx-extras / nginx-full / nginx-light");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-C329FC4C32.NASL
    descriptionupdate to upstream release 1.10.1 to fix CVE-2016-4450 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-14
    plugin id92155
    published2016-07-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92155
    titleFedora 24 : 1:nginx (2016-c329fc4c32)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-c329fc4c32.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92155);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-4450");
      script_xref(name:"FEDORA", value:"2016-c329fc4c32");
    
      script_name(english:"Fedora 24 : 1:nginx (2016-c329fc4c32)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "update to upstream release 1.10.1 to fix CVE-2016-4450
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-c329fc4c32"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:nginx package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"nginx-1.10.1-1.fc24", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:nginx");
    }
    
  • NASL familyMisc.
    NASL idARISTA_EOS_SA0021.NASL
    descriptionThe version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in NGINX due to a NULL pointer dereference flaw in the ngx_chain_to_iovec() function within file os/unix/ngx_files.c when handling specially crafted requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request to write a client request body to a temporary file, to crash a worker process.
    last seen2020-03-17
    modified2018-02-28
    plugin id107063
    published2018-02-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107063
    titleArista Networks EOS ngx_chain_to_iovec NULL Pointer Deference DoS (SA0021)
    code
    #TRUSTED a53370ab260638ec90299228bb633bb0c5633e0e36a34d27e21d2425844058aa8dfa1ade0e194263b326950235458478c10b7b9c274315f3e84c6579da58dcada3f8a875bb0aa46545befdb46e8c6eb060f280a20ceefb4f01f370e78ae43ba48b2076ab08c96af1475ad965f64e2812b3b2e193b2fe5818d05507d06ecc792b5547329e1d68f5e75fecedc0262f6a7615fedda0483074d6dd41c4fe8bcfacc8d55b26e45d6e19d0c9d3221bd2d45955630d46dbd33cccd55267662844b2ebfe3cc9fdc4924366e561cc38c1f59d62246d1f744a8bbe2a3b392d9f0bed2b8b2b59b657972650b1f2160a5c06ad5e85f1a42470454ddd7e98170b768983b4fc5bf75078b1964371be040ef0e1eba17cdb4889cc279e6aa7d951a43d57de808ff82b41b068cc9bc9068adeed564ff7df4e292029ac02fb12191d5f5cfd8582ae0741a54772a2f5d25b15af499e61692853321ca26c75eb71b02234aa8206e5a0a2e649f58fb09c3b1341e549d0104a954ab2333c302ec6a788eabdaf144acdc74b7fbd773e5f6318354e38d37c897678724fc8f95acc7673baded73cb1c560d6f778682bc272a8b0b65a6397b6c377329f22bb4506d0b7f2eed7913b0697816f726ddcf53a130d29348c6c0c093191e1020dd125b15176003156bedaad5bdd235aafaccd936b58cc63d15e722f2dca8def57253d968276b3848d637b8be8dc45ed
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107063);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13");
    
      script_cve_id("CVE-2016-4450");
      script_bugtraq_id(90967);
    
      script_name(english:"Arista Networks EOS ngx_chain_to_iovec NULL Pointer Deference DoS (SA0021)");
      script_summary(english:"Checks the Arista Networks EOS version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of Arista Networks EOS running on the remote device is
    affected by a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Arista Networks EOS running on the remote device is
    affected by a denial of service vulnerability in NGINX due to a NULL
    pointer dereference flaw in the ngx_chain_to_iovec() function within
    file os/unix/ngx_files.c when handling specially crafted requests. An
    unauthenticated, remote attacker can exploit this, via a specially
    crafted request to write a client request body to a temporary file,
    to crash a worker process.");
      # https://www.arista.com/en/support/advisories-notices/security-advisories/1354-security-advisory-21
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b364c9b9");
      script_set_attribute(attribute:"solution", value:
    "Contact the vendor for a fixed version, or apply the patch file
    referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4450");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/28");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:arista:eos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("arista_eos_detect.nbin");
      script_require_keys("Host/Arista-EOS/Version");
    
      exit(0);
    }
    
    
    include("arista_eos_func.inc");
    
    version = get_kb_item_or_exit("Host/Arista-EOS/Version");
    ext = "1.6.2/3236644.idburleydevdasturias.11";
    sha = "d7124b02ae8505436a94a0440b2c4192b801b30bd84ed1a9c3672c8c4891fadca18b6221237fb959436c5dd084e95bc97317606c41c6b173993becbc13c857e6";
    if(eos_extension_installed(ext:ext, sha:sha)) exit(0, "The Arista device is not vulnerable, as a relevant hotfix has been installed.");
    
    vmatrix = make_array();
    vmatrix["all"] =  make_list("4.12");
    vmatrix["F"] =    make_list("4.13.1.1<=4.13.6",
                                "4.14.0<=4.14.4.2",
                                "4.15.0<=4.15.4.1");
    vmatrix["M"] =    make_list("4.13.7<=4.13.15",
                                "4.14.5<=4.14.11",
                                "4.15.5",
                                "4.15.6",
                                "4.16.6");
    
    vmatrix["misc"] = make_list("4.14.5FX",
                                "4.14.5FX.1",
                                "4.14.5FX.2",
                                "4.14.5FX.3",
                                "4.14.5FX.4",
                                "4.14.5.1F-SSU",
                                "4.15.0FX",
                                "4.15.0FXA",
                                "4.15.0FX1",
                                "4.15.1FXB.1",
                                "4.15.1FXB",
                                "4.15.1FX-7060X",
                                "4.15.1FX-7060QX",
                                "4.15.3FX-7050X-72Q",
                                "4.15.3FX-7060X.1",
                                "4.15.3FX-7500E3",
                                "4.15.3FX-7500E3.3",
                                "4.15.4FX-7500E3",
                                "4.15.5FX-7500R",
                                "4.15.5FX-7500R-bgpscale"
                                );
    
    if (eos_is_affected(vmatrix:vmatrix, version:version))
    {
      security_report_v4(severity:SECURITY_WARNING, port:0, extra:eos_report_get());
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "Arista Networks EOS", version);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_36CF7670277411E6AF29F0DEF16C5C1B.NASL
    descriptionMaxim Dounin reports : A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
    last seen2020-06-01
    modified2020-06-02
    plugin id91399
    published2016-06-01
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91399
    titleFreeBSD : nginx -- a specially crafted request might result in worker process crash (36cf7670-2774-11e6-af29-f0def16c5c1b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3592.NASL
    descriptionIt was discovered that a NULL pointer dereference in the Nginx code responsible for saving client request bodies to a temporary file might result in denial of service: Malformed requests could crash worker processes.
    last seen2020-06-01
    modified2020-06-02
    plugin id91431
    published2016-06-02
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91431
    titleDebian DSA-3592-1 : nginx - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-EA323BD6CF.NASL
    descriptionfix CVE-2016-4450 ---- update to upstream release 1.8.1 to fix CVE-2016-4450 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-14
    plugin id92194
    published2016-07-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92194
    titleFedora 23 : 1:nginx (2016-ea323bd6cf)
  • NASL familyPalo Alto Local Security Checks
    NASL idPALO_ALTO_PAN-SA-2020-0006.NASL
    descriptionThe version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 8.1.14 or 8.0.x prior to 8.1.14 or 8.1.x prior to 8.1.14 or 9.0.x prior to 9.0.7. It is, therefore, affected by a vulnerability. - The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. (CVE-2013-0337) - os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. (CVE-2016-4450) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-23
    modified2020-05-22
    plugin id136826
    published2020-05-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136826
    titlePalo Alto Networks PAN-OS 7.1.x < 8.1.14 / 8.0.x < 8.1.14 / 8.1.x < 8.1.14 / 9.0.x < 9.0.7 Vulnerability
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-192.NASL
    descriptionThis update for nginx fixes the following vulnerability : - CVE-2016-4450: Remote attackers could have caused a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
    last seen2020-06-05
    modified2017-02-02
    plugin id96943
    published2017-02-02
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96943
    titleopenSUSE Security Update : nginx (openSUSE-2017-192)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2016-0012_NGINX.NASL
    descriptionAn update of the nginx package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121651
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121651
    titlePhoton OS 1.0: Nginx PHSA-2016-0012

Redhat

advisories
rhsa
idRHSA-2016:1425
rpms
  • rh-nginx18-nginx-1:1.8.1-1.el6
  • rh-nginx18-nginx-1:1.8.1-1.el7
  • rh-nginx18-nginx-debuginfo-1:1.8.1-1.el6
  • rh-nginx18-nginx-debuginfo-1:1.8.1-1.el7