Vulnerabilities > CVE-2016-4738 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3271-1.NASL description Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possible execute arbitrary code. (CVE-2017-5029) Nicolas Gregoire discovered that Libxslt mishandled namespace nodes. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbtrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683) Sebastian Apelt discovered that a use-after-error existed in the xsltDocumentFunctionLoadDocument() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1841) It was discovered that a type confusion error existed in the xsltStylePreCompute() function in Libxslt. An attacker could use this to craft a malicious XML file that, when opened, caused a denial of service (application crash). This issue only affected Ubuntu 14.04 LTS and Ubuntu 12.04 LTS. (CVE-2015-7995) Nicolas Gregoire discovered the Libxslt mishandled the last seen 2020-06-01 modified 2020-06-02 plugin id 99725 published 2017-04-28 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99725 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libxslt vulnerabilities (USN-3271-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3271-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(99725); script_version("3.6"); script_cvs_date("Date: 2019/09/18 12:31:47"); script_cve_id("CVE-2015-7995", "CVE-2016-1683", "CVE-2016-1684", "CVE-2016-1841", "CVE-2016-4738", "CVE-2017-5029"); script_xref(name:"USN", value:"3271-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libxslt vulnerabilities (USN-3271-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possible execute arbitrary code. (CVE-2017-5029) Nicolas Gregoire discovered that Libxslt mishandled namespace nodes. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbtrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683) Sebastian Apelt discovered that a use-after-error existed in the xsltDocumentFunctionLoadDocument() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1841) It was discovered that a type confusion error existed in the xsltStylePreCompute() function in Libxslt. An attacker could use this to craft a malicious XML file that, when opened, caused a denial of service (application crash). This issue only affected Ubuntu 14.04 LTS and Ubuntu 12.04 LTS. (CVE-2015-7995) Nicolas Gregoire discovered the Libxslt mishandled the 'i' and 'a' format tokens for xsl:number data. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1684) It was discovered that the xsltFormatNumberConversion() function in Libxslt did not properly handle empty decimal separators. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash). This issue only affected Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-4738). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3271-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libxslt1.1 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libxslt1.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"libxslt1.1", pkgver:"1.1.26-8ubuntu1.4")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libxslt1.1", pkgver:"1.1.28-2ubuntu0.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libxslt1.1", pkgver:"1.1.28-2.1ubuntu0.1")) flag++; if (ubuntu_check(osver:"16.10", pkgname:"libxslt1.1", pkgver:"1.1.29-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"libxslt1.1", pkgver:"1.1.29-2ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libxslt1.1"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1282-1.NASL description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-01 modified 2020-06-02 plugin id 100208 published 2017-05-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100208 title SUSE SLES11 Security Update : libxslt (SUSE-SU-2017:1282-1) NASL family Fedora Local Security Checks NASL id FEDORA_2019-320D5295FC.NASL description Update to 1.1.33 Fix CVE-2016-1841, CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, CVE-2016-4609, CVE-2019-11068, CVE-2016-1684, CVE-2016-1683, CVE-2016-4738. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126015 published 2019-06-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126015 title Fedora 30 : mingw-libxslt (2019-320d5295fc) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-700.NASL description A heap overread bug was found in libxslt, which can cause arbitrary code execution or denial of service. For Debian 7 last seen 2020-03-17 modified 2016-11-07 plugin id 94583 published 2016-11-07 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/94583 title Debian DLA-700-1 : libxslt security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-609.NASL description This update for libxslt fixes the following security issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-05 modified 2017-05-24 plugin id 100367 published 2017-05-24 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100367 title openSUSE Security Update : libxslt (openSUSE-2017-609) NASL family MacOS X Local Security Checks NASL id MACOS_10_12.NASL description The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, or is not macOS 10.12. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple HSSPI Support - AppleEFIRuntime - AppleMobileFileIntegrity - AppleUCC - Application Firewall - ATS - Audio - Bluetooth - cd9660 - CFNetwork - CommonCrypto - CoreCrypto - CoreDisplay - curl - Date & Time Pref Pane - DiskArbitration - File Bookmark - FontParser - IDS - Connectivity - ImageIO - Intel Graphics Driver - IOAcceleratorFamily - IOThunderboltFamily - Kerberos v5 PAM module - Kernel - libarchive - libxml2 - libxpc - libxslt - mDNSResponder - NSSecureTextField - Perl - S2 Camera - Security - Terminal - WindowServer Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 93685 published 2016-09-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93685 title macOS < 10.12 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3709.NASL description Nick Wellnhofer discovered that the xsltFormatNumberConversion function in libxslt, an XSLT processing runtime library, does not properly check for a zero byte terminating the pattern string. This flaw can be exploited to leak a couple of bytes after the buffer that holds the pattern string. last seen 2020-06-01 modified 2020-06-02 plugin id 94645 published 2016-11-09 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94645 title Debian DSA-3709-1 : libxslt - security update NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6A177C87993311E793F7D43D7E971A1B.NASL description GitLab reports : Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 103237 published 2017-09-15 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103237 title FreeBSD : GitLab -- multiple vulnerabilities (6a177c87-9933-11e7-93f7-d43d7e971a1b) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1313-1.NASL description This update for libxslt fixes the following issues : - CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page (bsc#1035905). - CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string (bsc#1005591). - CVE-2015-9019: Properly initialize random generator (bsc#934119). - CVE-2015-7995: Vulnerability in function xsltStylePreCompute last seen 2020-06-01 modified 2020-06-02 plugin id 100243 published 2017-05-17 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100243 title SUSE SLED12 / SLES12 Security Update : libxslt (SUSE-SU-2017:1313-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201804-01.NASL description The remote host is affected by the vulnerability described in GLSA-201804-01 (libxslt: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libxslt. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, via a crafted HTML page, could possibly execute arbitrary code, cause a Denial of Service condition or leak information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 108821 published 2018-04-04 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/108821 title GLSA-201804-01 : libxslt: Multiple vulnerabilities NASL family Misc. NASL id APPLETV_10.NASL description According to its banner, the version of Apple TV on the remote device is prior to 10. It is, therefore, affected by multiple vulnerabilities in the following components : - Audio - CFNetwork - CoreCrypto - FontParser - IOAcceleratorFamily - Kernel - libxml2 - libxslt - Security - WebKit Note that only 4th generation models are affected by these vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 93776 published 2016-09-28 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93776 title Apple TV < 10 Multiple Vulnerabilities
References
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html
- https://support.apple.com/HT207170
- https://support.apple.com/HT207143
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html
- https://support.apple.com/HT207141
- https://support.apple.com/HT207142
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
- http://www.securityfocus.com/bid/93054
- http://www.securitytracker.com/id/1036858
- http://www.debian.org/security/2016/dsa-3709
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/