CVE-2016-5386 - Improper Access Control vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | | 2
OS | | 1
OS | | 3
Application | Golang | 49
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts: An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his or her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general, all that is required is for there to be sufficient privileges to execute a script that is not protected against writing.
- Signature Spoofing by Key Theft: An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-EA5E284D34.NASL
description: Security fix for CVE-2016-5386 AKA https://httpoxy.org/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-07-29
plugin id: 92622
published: 2016-07-29
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92622
title: Fedora 24 : golang (2016-ea5e284d34) (httpoxy)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2016-ea5e284d34.
#

include("compat.inc");

if (description)
{
  script_id(92622);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-5386");
  script_xref(name:"FEDORA", value:"2016-ea5e284d34");

  script_name(english:"Fedora 24 : golang (2016-ea5e284d34) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Security fix for CVE-2016-5386 AKA https://httpoxy.org/

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea5e284d34"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://httpoxy.org/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected golang package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:golang");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/29");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC24", reference:"golang-1.6.3-1.fc24")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang");
}
```
NASL family: Scientific Linux Local Security Checks
NASL id: SL_20160803_GOLANG_ON_SL7_X.NASL
description: The following packages have been upgraded to a newer upstream version: golang (1.6.3). Security Fix(es) : - An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable
last seen: 2020-03-18
modified: 2016-08-04
plugin id: 92722
published: 2016-08-04
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92722
title: Scientific Linux Security Update : golang on SL7.x x86_64 (20160803) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(92722);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");

  script_cve_id("CVE-2016-5386");

  script_name(english:"Scientific Linux Security Update : golang on SL7.x x86_64 (20160803) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The following packages have been upgraded to a newer upstream version:
golang (1.6.3).

Security Fix(es) :

  - An input-validation flaw was discovered in the Go
    programming language built in CGI implementation, which
    set the environment variable 'HTTP_PROXY' using the
    incoming 'Proxy' HTTP-request header. The environment
    variable 'HTTP_PROXY' is used by numerous web clients,
    including Go's net/http package, to specify a proxy
    server to use for HTTP and, in some cases, HTTPS
    requests. This meant that when a CGI-based web
    application ran, an attacker could specify a proxy
    server which the application then used for subsequent
    outgoing requests, allowing a man-in-the-middle attack.
    (CVE-2016-5386)"
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1608&L=scientific-linux-errata&F=&S=&P=3880
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?822f7702"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:golang-tests");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/04");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);

flag = 0;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"golang-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"golang-bin-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"SL7", reference:"golang-docs-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"SL7", reference:"golang-misc-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"SL7", reference:"golang-src-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"SL7", reference:"golang-tests-1.6.3-1.el7_2.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
}
```
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-979.NASL
description: This update addresses a security issue affecting code statically linked with go : - CVE-2016-5386: A remote attacker could set the HTTP_PROXY environment variable via Proxy header (bsc#988487)
last seen: 2020-06-05
modified: 2016-08-12
plugin id: 92933
published: 2016-08-12
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/92933
title: openSUSE Security Update : go (openSUSE-2016-979) (httpoxy)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-979.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(92933);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-5386");

  script_name(english:"openSUSE Security Update : go (openSUSE-2016-979) (httpoxy)");
  script_summary(english:"Check for the openSUSE-2016-979 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update addresses a security issue affecting code statically
linked with go :

  - CVE-2016-5386: A remote attacker could set the
    HTTP_PROXY environment variable via Proxy header
    (bsc#988487)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=988487"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected go packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:go-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/11");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2 / 42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.2", reference:"go-1.4.3-18.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"go-debuginfo-1.4.3-18.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"go-debugsource-1.4.3-18.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"go-1.6.2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"go-debuginfo-1.6.2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"go-debugsource-1.6.2-21.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "go / go-debuginfo / go-debugsource");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-340E361B90.NASL
description: Security fix for CVE-2016-5386 AKA https://httpoxy.org/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-07-29
plugin id: 92615
published: 2016-07-29
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92615
title: Fedora 23 : golang (2016-340e361b90) (httpoxy)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2016-340e361b90.
#

include("compat.inc");

if (description)
{
  script_id(92615);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-5386");
  script_xref(name:"FEDORA", value:"2016-340e361b90");

  script_name(english:"Fedora 23 : golang (2016-340e361b90) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Security fix for CVE-2016-5386 AKA https://httpoxy.org/

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-340e361b90"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://httpoxy.org/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected golang package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:golang");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/29");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC23", reference:"golang-1.5.4-2.fc23")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang");
}
```
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2016-1538.NASL
description: An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331) Security Fix(es) : * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92693
published: 2016-08-03
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92693
title: RHEL 7 : golang (RHSA-2016:1538) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:1538. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92693);
  script_version("2.17");
  script_cvs_date("Date: 2019/10/24 15:35:41");

  script_cve_id("CVE-2015-5739", "CVE-2015-5740", "CVE-2015-5741", "CVE-2016-3959", "CVE-2016-5386");
  script_xref(name:"RHSA", value:"2016:1538");

  script_name(english:"RHEL 7 : golang (RHSA-2016:1538) (httpoxy)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a newer upstream version:
golang (1.6.3). (BZ#1346331)

Security Fix(es) :

* An input-validation flaw was discovered in the Go programming
language built in CGI implementation, which set the environment
variable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.
The environment variable 'HTTP_PROXY' is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for
HTTP and, in some cases, HTTPS requests. This meant that when a
CGI-based web application ran, an attacker could specify a proxy
server which the application then used for subsequent outgoing
requests, allowing a man-in-the-middle attack. (CVE-2016-5386)

Red Hat would like to thank Scott Geary (VendHQ) for reporting this
issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2016:1538"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2015-5739"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2015-5740"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2015-5741"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-3959"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-5386"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:golang-tests");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/03");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2016:1538";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"golang-1.6.3-1.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"golang-bin-1.6.3-1.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", reference:"golang-docs-1.6.3-1.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", reference:"golang-misc-1.6.3-1.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", reference:"golang-src-1.6.3-1.el7_2.1")) flag++;
  if (rpm_check(release:"RHEL7", reference:"golang-tests-1.6.3-1.el7_2.1")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
  }
}
```
NASL family: Web Servers
NASL id: HTTP_HTTPOXY.NASL
description: The web application running on the remote web server is affected by a man-in-the-middle vulnerability known as
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92539
published: 2016-07-25
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92539
title: HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
code:

```nasl
#TRUSTED ...
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92539);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/19");

  script_cve_id(
    "CVE-2016-5385",
    "CVE-2016-5386",
    "CVE-2016-5387",
    "CVE-2016-5388",
    "CVE-2016-1000109",
    "CVE-2016-1000110"
  );
  script_bugtraq_id(
    91815,
    91816,
    91818,
    91821
  );
  script_xref(name:"CERT", value:"797896");

  script_name(english:"HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)");
  script_summary(english:"Checks if the web application responds to a crafted Proxy header in an HTTP request.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application is affected by a man-in-the-middle
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The web application running on the remote web server is affected by a
man-in-the-middle vulnerability known as 'httpoxy' due to a failure to
properly resolve namespace conflicts in accordance with RFC 3875
section 4.1.18. The HTTP_PROXY environment variable is set based on
untrusted user data in the 'Proxy' header of HTTP requests. The
HTTP_PROXY environment variable is used by some web client libraries
to specify a remote proxy server. An unauthenticated, remote attacker
can exploit this, via a crafted 'Proxy' header in an HTTP request, to
redirect an application's internal HTTP traffic to an arbitrary proxy
server where it may be observed or manipulated.");
  script_set_attribute(attribute:"see_also", value:"https://httpoxy.org/");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2016/q3/94");
  script_set_attribute(attribute:"solution", value:
"Applicable libraries and products should be updated to address this
vulnerability. Please consult the library or product vendor for
available updates. If updating the libraries and products is not an
option, or if updates are unavailable, filter 'Proxy' request headers
on all inbound requests.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5386");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:golang:go");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:python:python");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:facebook:hiphop_virtual_machine");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("webmirror.nasl");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("http.inc");

port = get_http_port(default: 80);
urls = make_list();

# Fix for webmirror_uri "no such table" errors
table = query_scratchpad("SELECT name FROM sqlite_master where type = 'table' and name = 'webmirror_uri'");
if (empty_or_null(table)) exit(1, "Unable to obtain webmirror_uri table from webmirror crawl.");

# Query Scratchpad for webmirror results with a status code of 200
# and load results into urls list
res = query_scratchpad("SELECT DISTINCT uri FROM webmirror_uri WHERE port = ? AND status_code = 200 ORDER BY uri ASC", port);
if (empty_or_null(res)) exit(1, 'Unable to obtain crawled URIs from webmirror scratchpad.');

# Loop through filters to discard URLs we don't care about testing
i = 0;
foreach url (res)
{
  if (
    # Filter out Apache directory listings page sorting
    url['uri'] !~ "/\?[CO]\=[NDMSA](%|$)" &&
    # Filter out static text files
    url['uri'] !~ "\.(md|js|css|scss|txt|csv|xml)($|\?)" &&
    # Filter out image files
    url['uri'] !~ "\.(gif|jpeg|jpg|png|svg|ttf|eot|woff|ico)($|\?)" &&
    # Filter out binary files
    url['uri'] !~ "\.(exe|zip|gz|tar)($|\?)" &&
    # Filter out document files
    url['uri'] !~ "\.(rtf|doc|docx|pdf|xls|xlt)($|\?)"
  )
  {
    # Strip any trailing args from URLs to get the url count down
    if ("?" >< url['uri'])
      url['uri'] = ereg_replace(pattern:"(.*)\?.*", replace:"\1", string:url['uri']);
    urls = make_list(urls, url['uri']);
    i++;
  }
  # If thorough_tests is not enabled, stop at 10 urls
  if (!thorough_tests && i > 10) break;
}

# If we have no URLs to check, bail out
if (empty_or_null(urls)) audit(AUDIT_WEB_FILES_NOT, "dynamic content", port);
urls = list_uniq(urls);

scanner_ip = compat::this_host();
target_ip = get_host_ip();
pat = "HTTP/1\.(0|1)";
vuln = FALSE;

foreach url (urls)
{
  # If we get an empty url string, just go to the next
  if(empty_or_null(url)) continue;

  listener = bind_sock_tcp();
  if (!listener) audit(AUDIT_SOCK_FAIL, 'tcp', 'unknown');
  s_port = listener[1];
  s = listener[0];

  # Exploit is scanner's IP and our listener's socket in the Proxy header
  exploit = scanner_ip + ':' + s_port;
  v = http_mk_get_req(port: port, item: url, add_headers: make_array("Proxy", exploit));
  req = http_mk_buffer_from_req(req: v);

  # We don't need to check the response we get back from the request's socket
  req = http_send_recv_buf(port:port, data:req);

  # When we have a successful attack, we won't get a response returned
  # to req, since the proxied request causes the server-side script to
  # pause execution and timeout without a response. Since we check for
  # NULL here, we can bypass the listener socket timeout for non-vuln
  # URLs to process through the URL queue faster.
```
if(isnull(req)) { # Instead we're more interested in if we get data on the listener socket soc = sock_accept(socket:s, timeout:3); res = recv(socket:soc, length:1024, timeout:3); close(s); } else { res = NULL; close(s); } if (!empty_or_null(res) && (res =~ pat)) { vuln = TRUE; report = '\nThe full request used to detect this flaw was :\n\n' + http_last_sent_request() + '\n\nThe server sent back the following data to the listener on port ' + s_port + ':\n\n' + res + '\n'; } # Stop after first vulnerable page is found if (vuln) break; } if (vuln) { security_report_v4( port : port, severity : SECURITY_WARNING, extra : report ); exit(0); } audit(AUDIT_WEB_SERVER_NOT_AFFECTED, port);
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2016-1538.NASL
description: From Red Hat Security Advisory 2016:1538 : An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331) Security Fix(es) : * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92687
published: 2016-08-03
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92687
title: Oracle Linux 7 : golang (ELSA-2016-1538) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:1538 and
# Oracle Linux Security Advisory ELSA-2016-1538 respectively.
#

include("compat.inc");

if (description)
{
  script_id(92687);
  script_version("2.12");
  script_cvs_date("Date: 2019/09/27 13:00:37");

  script_cve_id("CVE-2015-5739", "CVE-2015-5740", "CVE-2015-5741", "CVE-2016-3959", "CVE-2016-5386");
  script_xref(name:"RHSA", value:"2016:1538");

  script_name(english:"Oracle Linux 7 : golang (ELSA-2016-1538) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2016:1538 :

An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a newer upstream version:
golang (1.6.3). (BZ#1346331)

Security Fix(es) :

* An input-validation flaw was discovered in the Go programming
language built in CGI implementation, which set the environment
variable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.
The environment variable 'HTTP_PROXY' is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for
HTTP and, in some cases, HTTPS requests. This meant that when a
CGI-based web application ran, an attacker could specify a proxy
server which the application then used for subsequent outgoing
requests, allowing a man-in-the-middle attack. (CVE-2016-5386)

Red Hat would like to thank Scott Geary (VendHQ) for reporting this
issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2016-August/006244.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected golang packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:golang-tests");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/03");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-bin-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-docs-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-misc-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-src-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"golang-tests-1.6.3-1.el7_2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
}
```
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2016-731.NASL
description: An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 93009
published: 2016-08-18
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/93009
title: Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2016-731.
#

include("compat.inc");

if (description)
{
  script_id(93009);
  script_version("2.5");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2016-5386");
  script_xref(name:"ALAS", value:"2016-731");

  script_name(english:"Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An input-validation flaw was discovered in the Go programming
language built in CGI implementation, which set the environment
variable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.
The environment variable 'HTTP_PROXY' is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for
HTTP and, in some cases, HTTPS requests. This meant that when a
CGI-based web application ran, an attacker could specify a proxy
server which the application then used for subsequent outgoing
requests, allowing a man-in-the-middle attack."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2016-731.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update golang' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:golang-tests");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/17");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"golang-1.5.3-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"golang-bin-1.5.3-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"golang-docs-1.5.3-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"golang-misc-1.5.3-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"golang-src-1.5.3-1.22.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"golang-tests-1.5.3-1.22.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
}
```
NASL family: Misc.
NASL id: ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL
description: The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101837
published: 2017-07-20
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101837
title: Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101837);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2015-7940",
    "CVE-2015-8607",
    "CVE-2015-8608",
    "CVE-2016-1181",
    "CVE-2016-2381",
    "CVE-2016-3092",
    "CVE-2016-5385",
    "CVE-2016-5386",
    "CVE-2016-5387",
    "CVE-2016-5388",
    "CVE-2017-3732",
    "CVE-2017-10091"
  );
  script_bugtraq_id(
    79091,
    80504,
    83802,
    86018,
    91068,
    91453,
    91815,
    91816,
    91818,
    91821,
    95814,
    99649
  );
  script_xref(name:"CERT", value:"797896");

  script_name(english:"Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)");
  script_summary(english:"Checks for the patch ID.");

  script_set_attribute(attribute:"synopsis", value:
"An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Grid Control installed on
the remote host is missing a security patch. It is, therefore,
affected by multiple vulnerabilities :

  - A flaw exists in the Bouncy Castle Java library due to
    improper validation of a point within the elliptic curve.
    An unauthenticated, remote attacker can exploit this to
    obtain private keys by using a series of specially
    crafted elliptic curve Diffie-Hellman (ECDH) key
    exchanges, also known as an 'invalid curve attack.'
    (CVE-2015-7940)

  - A flaw exists in the PathTools module for Perl in the
    File::Spec::canonpath() function that is triggered as
    strings are returned as untainted even when passing
    tainted input. An unauthenticated, remote attacker can
    exploit this to pass unvalidated user input to sensitive
    or insecure areas. (CVE-2015-8607)

  - An overflow condition exists in Perl in the MapPathA()
    function due to improper validation of user-supplied
    input. An unauthenticated, remote attacker can exploit
    this to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2015-8608)

  - A remote code execution vulnerability exists in the
    Apache Struts component due to improper handling of
    multithreaded access to an ActionForm instance. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted multipart request, to execute
    arbitrary code or cause a denial of service condition.
    (CVE-2016-1181)

  - A flaw exists in Perl that is triggered during the
    handling of variables that appear twice in the
    environment (envp), causing the last value to appear in
    %ENV, while getenv would return the first. An
    unauthenticated, remote attacker can exploit this to
    cause variables to be incorrectly propagated to
    subprocesses, regardless of the protections offered by
    taint checking. (CVE-2016-2381)

  - A denial of service vulnerability exists in the Apache
    Commons FileUpload component due to improper handling of
    boundaries in content-type headers when handling file
    upload requests. An unauthenticated, remote attacker can
    exploit this to cause processes linked against the
    library to become unresponsive. (CVE-2016-3092)

  - A man-in-the-middle vulnerability exists in various
    components, known as 'httpoxy', due to a failure to
    properly resolve namespace conflicts in accordance with
    RFC 3875 section 4.1.18. The HTTP_PROXY environment
    variable is set based on untrusted user data in the
    'Proxy' header of HTTP requests. The HTTP_PROXY
    environment variable is used by some web client
    libraries to specify a remote proxy server. An
    unauthenticated, remote attacker can exploit this, via a
    crafted 'Proxy' header in an HTTP request, to redirect
    an application's internal HTTP traffic to an arbitrary
    proxy server where it may be observed or manipulated.
    (CVE-2016-5385, CVE-2016-5386, CVE-2016-5387,
    CVE-2016-5388)

  - A carry propagating error exists in the OpenSSL
    component in the x86_64 Montgomery squaring
    implementation that may cause the BN_mod_exp() function
    to produce incorrect results. An unauthenticated, remote
    attacker with sufficient resources can exploit this to
    obtain sensitive information regarding private keys.
    Moreover, the attacker would additionally need online
    access to an unpatched system using the target private
    key in a scenario with persistent DH parameters and a
    private key that is shared between multiple clients. For
    example, this can occur by default in OpenSSL DHE based
    SSL/TLS cipher suites. (CVE-2017-3732)

  - An unspecified flaw exists in the UI Framework component
    that allows authenticated, remote attacker to have an
    impact on integrity. (CVE-2017-10091)");
  # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76f5def7");
  script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2261562.1");
  script_set_attribute(attribute:"see_also", value:"https://httpoxy.org");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2017 Oracle Critical
Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_enterprise_manager_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("oracle_rdbms_cpu_func.inc");
include("install_func.inc");

product = "Oracle Enterprise Manager Cloud Control";
install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
version = install['version'];
emchome = install['path'];

patchid = NULL;
missing = NULL;
patched = FALSE;
fix = NULL;

if (version =~ "^13\.2\.0\.0(\.[0-9]+)?$")
{
  patchid = "25731746";
  fix = "13.2.0.0.170718";
}
else if (version =~ "^13\.1\.0\.0(\.[0-9]+)?$")
{
  patchid = "25904755";
  fix = "13.1.0.0.170718";
}
else if (version =~ "^12\.1\.0\.5(\.[0-9]+)?$")
{
  patchid = "25904769";
  fix = "12.1.0.5.170718";
}

if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected');

# compare version to check if we've already adjusted for patch level during detection
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);

# Now look for the affected components
patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
if (isnull(patchesinstalled)) missing = patchid;
else
{
  foreach applied (keys(patchesinstalled[emchome]))
  {
    if (applied == patchid)
    {
      patched = TRUE;
      break;
    }
    else
    {
      foreach bugid (patchesinstalled[emchome][applied]['bugs'])
      {
        if (bugid == patchid)
        {
          patched = TRUE;
          break;
        }
      }
      if (patched) break;
    }
  }
  if (!patched) missing = patchid;
}

if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected');

order = make_list('Product', 'Version', "Missing patch");
report = make_array(
  order[0], product,
  order[1], version,
  order[2], patchid
);
report = report_items_str(report_items:report, ordered_fields:order);

security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
```
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2016-1538.NASL
description: An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a newer upstream version: golang (1.6.3). (BZ#1346331) Security Fix(es) : * An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92680
published: 2016-08-03
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92680
title: CentOS 7 : golang (CESA-2016:1538) (httpoxy)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:1538 and
# CentOS Errata and Security Advisory 2016:1538 respectively.
#

include("compat.inc");

if (description)
{
  script_id(92680);
  script_version("2.14");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2015-5739", "CVE-2015-5740", "CVE-2015-5741", "CVE-2016-3959", "CVE-2016-5386");
  script_xref(name:"RHSA", value:"2016:1538");

  script_name(english:"CentOS 7 : golang (CESA-2016:1538) (httpoxy)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a newer upstream version:
golang (1.6.3). (BZ#1346331)

Security Fix(es) :

* An input-validation flaw was discovered in the Go programming
language built in CGI implementation, which set the environment
variable 'HTTP_PROXY' using the incoming 'Proxy' HTTP-request header.
The environment variable 'HTTP_PROXY' is used by numerous web clients,
including Go's net/http package, to specify a proxy server to use for
HTTP and, in some cases, HTTPS requests. This meant that when a
CGI-based web application ran, an attacker could specify a proxy
server which the application then used for subsequent outgoing
requests, allowing a man-in-the-middle attack. (CVE-2016-5386)

Red Hat would like to thank Scott Geary (VendHQ) for reporting this
issue."
  );
  # https://lists.centos.org/pipermail/centos-announce/2016-August/022005.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e91e6b89"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected golang packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5739");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang-src");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:golang-tests");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/03");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-bin-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-docs-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-misc-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-src-1.6.3-1.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"golang-tests-1.6.3-1.el7_2.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "golang / golang-bin / golang-docs / golang-misc / golang-src / etc");
}
```
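The plugin descriptions above all hinge on one mechanism: RFC 3875 section 4.1.18 turns every request header into a `HTTP_<NAME>` meta-variable, so a client-supplied `Proxy` header collides with the `HTTP_PROXY` setting that outbound clients honour. The added Go example below (not code from this page, from Go's net/http/cgi, or from Tenable) models that mapping with the vulnerable and hardened host behaviour side by side, a CGI-aware proxy resolver, and the inbound `Proxy`-header filter the plugin's solution text recommends; all function names and the `198.51.100.7:8080` address are this example's own constructed placeholders.

```go
// Added example, not code from the original page, from Go's net/http/cgi, or
// from Tenable: a minimal model of RFC 3875 section 4.1.18 showing how a
// client-supplied "Proxy" header becomes HTTP_PROXY, with the two defences the
// advisories describe. All function names here are the example's own.
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// cgiName applies the RFC 3875 4.1.18 rule: "HTTP_" + upper-cased header
// name with every '-' replaced by '_'. "Proxy" therefore maps to HTTP_PROXY.
func cgiName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// cgiEnv builds the meta-variables a CGI host would hand to a child script.
// With hardened=false it behaves like the pre-1.6.3 host described in the
// advisories (every header exported); with hardened=true it drops the Proxy
// header, the same namespace-conflict fix Go 1.6.3 applied.
func cgiEnv(r *http.Request, hardened bool) map[string]string {
	env := map[string]string{
		"REQUEST_METHOD": r.Method, // always present in a CGI environment
		"SCRIPT_NAME":    r.URL.Path,
	}
	for name, values := range r.Header {
		if hardened && strings.EqualFold(name, "Proxy") {
			continue // would collide with the HTTP_PROXY client setting
		}
		env[cgiName(name)] = strings.Join(values, ", ")
	}
	return env
}

// proxyFromEnv resolves an outbound proxy from a CGI-style environment map
// (this example's stand-in for a client library reading os.Getenv).
// cgiAware=false is the legacy client that trusts HTTP_PROXY unconditionally;
// cgiAware=true refuses HTTP_PROXY whenever REQUEST_METHOD is set, which is
// the second defence Go's net/http added alongside the host-side fix.
func proxyFromEnv(env map[string]string, cgiAware bool) (*url.URL, error) {
	raw := env["HTTP_PROXY"]
	if raw == "" {
		return nil, nil // no proxy configured: connect directly
	}
	if cgiAware && env["REQUEST_METHOD"] != "" {
		return nil, errors.New("refusing HTTP_PROXY value in CGI environment (httpoxy)")
	}
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw // bare host:port form is assumed to be http
	}
	return url.Parse(raw)
}

// rejectProxyHeader is the front-door mitigation from the plugin's solution
// text (filter 'Proxy' request headers on all inbound requests): it reports
// whether a request should be allowed through to CGI handlers at all.
func rejectProxyHeader(r *http.Request) (allowed bool, reason string) {
	for name := range r.Header {
		if strings.EqualFold(name, "Proxy") {
			return false, "inbound request carries a Proxy header"
		}
	}
	return true, ""
}

// sampleRequest is a constructed request carrying the kind of header the
// Tenable check sends ("Proxy: <scanner-ip>:<listener-port>"), using a
// placeholder address rather than any real scanner.
func sampleRequest() *http.Request {
	r, _ := http.NewRequest("GET", "http://app.example/cgi-bin/report", nil)
	r.Header.Set("Proxy", "198.51.100.7:8080") // constructed placeholder
	r.Header.Set("User-Agent", "example-client")
	return r
}

func main() {
	r := sampleRequest()
	allowed, reason := rejectProxyHeader(r)
	fmt.Printf("front-door filter: allowed=%v %s\n", allowed, reason)
	for _, hardened := range []bool{false, true} {
		env := cgiEnv(r, hardened)
		legacy, _ := proxyFromEnv(env, false)
		_, err := proxyFromEnv(env, true)
		fmt.Printf("hardened host=%v HTTP_PROXY=%q legacy client proxy=%v cgi-aware client err=%v\n",
			hardened, env["HTTP_PROXY"], legacy, err)
	}
}
```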
References
- http://www.kb.cert.org/vuls/id/797896
- https://httpoxy.org/
- https://bugzilla.redhat.com/show_bug.cgi?id=1353798
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/