Vulnerabilities > CVE-2016-5404 - Improper Access Control vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
freeipa
oracle
fedoraproject
CWE-284
nessus

Summary

The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary certificates by leveraging the "retrieve certificate" permission.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-F56C765D67.NASL
    descriptionSecurity fix for CVE-2016-5404 Along with second revision of 4.3.2 update. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-15
    plugin id94882
    published2016-11-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94882
    titleFedora 25 : freeipa (2016-f56c765d67)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-f56c765d67.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94882);
      script_version("2.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"FEDORA", value:"2016-f56c765d67");
    
      script_name(english:"Fedora 25 : freeipa (2016-f56c765d67)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-5404
    
    Along with second revision of 4.3.2 update.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-f56c765d67"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeipa package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeipa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"freeipa-4.3.2-2.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeipa");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1797.NASL
    descriptionAn update for ipa is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es) : * An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the
    last seen2020-06-01
    modified2020-06-02
    plugin id93269
    published2016-09-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93269
    titleRHEL 6 / 7 : ipa (RHSA-2016:1797)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1797. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93269);
      script_version("2.12");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"RHSA", value:"2016:1797");
    
      script_name(english:"RHEL 6 / 7 : ipa (RHSA-2016:1797)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for ipa is now available for Red Hat Enterprise Linux 6 and
    Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat Identity Management (IdM) is a centralized authentication,
    identity management, and authorization solution for both traditional
    and cloud-based enterprise environments.
    
    Security Fix(es) :
    
    * An insufficient permission check issue was found in the way IPA
    server treats certificate revocation requests. An attacker logged in
    with the 'retrieve certificate' permission enabled could use this flaw
    to revoke certificates, possibly triggering a denial of service
    attack. (CVE-2016-5404)
    
    This issue was discovered by Fraser Tweedale (Red Hat)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:1797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-5404"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-admintools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-server-dns");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-server-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ipa-server-trust-ad");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:1797";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-admintools-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ipa-admintools-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-admintools-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-client-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ipa-client-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-client-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-debuginfo-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ipa-debuginfo-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-debuginfo-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-python-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ipa-python-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-python-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-server-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-server-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-server-selinux-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-server-selinux-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ipa-server-trust-ad-3.0.0-50.el6_8.2")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ipa-server-trust-ad-3.0.0-50.el6_8.2")) flag++;
    
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ipa-admintools-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-admintools-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ipa-client-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-client-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ipa-debuginfo-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-debuginfo-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ipa-python-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-python-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-server-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-server-dns-4.2.0-15.el7_2.19")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ipa-server-trust-ad-4.2.0-15.el7_2.19")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipa-admintools / ipa-client / ipa-debuginfo / ipa-python / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-1797.NASL
    descriptionFrom Red Hat Security Advisory 2016:1797 : An update for ipa is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es) : * An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the
    last seen2020-06-01
    modified2020-06-02
    plugin id93268
    published2016-09-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93268
    titleOracle Linux 6 / 7 : ipa (ELSA-2016-1797)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2016:1797 and 
    # Oracle Linux Security Advisory ELSA-2016-1797 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93268);
      script_version("2.6");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"RHSA", value:"2016:1797");
    
      script_name(english:"Oracle Linux 6 / 7 : ipa (ELSA-2016-1797)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2016:1797 :
    
    An update for ipa is now available for Red Hat Enterprise Linux 6 and
    Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat Identity Management (IdM) is a centralized authentication,
    identity management, and authorization solution for both traditional
    and cloud-based enterprise environments.
    
    Security Fix(es) :
    
    * An insufficient permission check issue was found in the way IPA
    server treats certificate revocation requests. An attacker logged in
    with the 'retrieve certificate' permission enabled could use this flaw
    to revoke certificates, possibly triggering a denial of service
    attack. (CVE-2016-5404)
    
    This issue was discovered by Fraser Tweedale (Red Hat)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-September/006318.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-September/006319.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ipa packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-admintools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-server-dns");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-server-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ipa-server-trust-ad");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"ipa-admintools-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ipa-client-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ipa-python-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ipa-server-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ipa-server-selinux-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ipa-server-trust-ad-3.0.0-50.el6_8.2")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-admintools-4.2.0-15.0.1.el7_2.19")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-client-4.2.0-15.0.1.el7_2.19")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-python-4.2.0-15.0.1.el7_2.19")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-server-4.2.0-15.0.1.el7_2.19")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-server-dns-4.2.0-15.0.1.el7_2.19")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ipa-server-trust-ad-4.2.0-15.0.1.el7_2.19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipa-admintools / ipa-client / ipa-python / ipa-server / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-1797.NASL
    descriptionAn update for ipa is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es) : * An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the
    last seen2020-06-01
    modified2020-06-02
    plugin id93318
    published2016-09-06
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93318
    titleCentOS 6 / 7 : ipa (CESA-2016:1797)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1797 and 
    # CentOS Errata and Security Advisory 2016:1797 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93318);
      script_version("2.7");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"RHSA", value:"2016:1797");
    
      script_name(english:"CentOS 6 / 7 : ipa (CESA-2016:1797)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for ipa is now available for Red Hat Enterprise Linux 6 and
    Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat Identity Management (IdM) is a centralized authentication,
    identity management, and authorization solution for both traditional
    and cloud-based enterprise environments.
    
    Security Fix(es) :
    
    * An insufficient permission check issue was found in the way IPA
    server treats certificate revocation requests. An attacker logged in
    with the 'retrieve certificate' permission enabled could use this flaw
    to revoke certificates, possibly triggering a denial of service
    attack. (CVE-2016-5404)
    
    This issue was discovered by Fraser Tweedale (Red Hat)."
      );
      # https://lists.centos.org/pipermail/centos-announce/2016-September/022057.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?86e5591e"
      );
      # https://lists.centos.org/pipermail/centos-announce/2016-September/022060.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?051d2fee"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ipa packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5404");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-admintools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-server-dns");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-server-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ipa-server-trust-ad");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x / 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"ipa-admintools-3.0.0-50.el6.centos.2")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"ipa-client-3.0.0-50.el6.centos.2")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"ipa-python-3.0.0-50.el6.centos.2")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"ipa-server-3.0.0-50.el6.centos.2")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"ipa-server-selinux-3.0.0-50.el6.centos.2")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"ipa-server-trust-ad-3.0.0-50.el6.centos.2")) flag++;
    
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-admintools-4.2.0-15.0.1.el7.centos.19")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-client-4.2.0-15.0.1.el7.centos.19")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-python-4.2.0-15.0.1.el7.centos.19")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-server-4.2.0-15.0.1.el7.centos.19")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-server-dns-4.2.0-15.0.1.el7.centos.19")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.19")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipa-admintools / ipa-client / ipa-python / ipa-server / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-92A3655B70.NASL
    descriptionSecurity fix for CVE-2016-5404 Along with second revision of 4.3.2 update. ---- Update to FreeIPA 4.3.2 http://www.freeipa.org/page/Releases/4.3.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-08-30
    plugin id93206
    published2016-08-30
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93206
    titleFedora 24 : freeipa (2016-92a3655b70)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-92a3655b70.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93206);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"FEDORA", value:"2016-92a3655b70");
    
      script_name(english:"Fedora 24 : freeipa (2016-92a3655b70)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-5404
    
    Along with second revision of 4.3.2 update.
    
    ----
    
    Update to FreeIPA 4.3.2 http://www.freeipa.org/page/Releases/4.3.2
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      # http://www.freeipa.org/page/Releases/4.3.2
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.freeipa.org/page/Releases/4.3.2"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-92a3655b70"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeipa package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeipa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"freeipa-4.3.2-2.fc24")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeipa");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160901_IPA_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the
    last seen2020-03-18
    modified2016-09-06
    plugin id93340
    published2016-09-06
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93340
    titleScientific Linux Security Update : ipa on SL6.x, SL7.x i386/x86_64 (20160901)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93340);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id("CVE-2016-5404");
    
      script_name(english:"Scientific Linux Security Update : ipa on SL6.x, SL7.x i386/x86_64 (20160901)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - An insufficient permission check issue was found in the
        way IPA server treats certificate revocation requests.
        An attacker logged in with the 'retrieve certificate'
        permission enabled could use this flaw to revoke
        certificates, possibly triggering a denial of service
        attack. (CVE-2016-5404)
    
    This issue was discovered by Fraser Tweedale (Red Hat).
    
    For SL7.0 and SL7.1 only, this includes updated packages for sssd,
    mod_auth_gssapi, and slapi-nis to satisfy dependencies."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1609&L=scientific-linux-errata&F=&S=&P=80
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3d0fbceb"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-admintools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-server-dns");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-server-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:ipa-server-trust-ad");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL6", reference:"ipa-admintools-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-client-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-debuginfo-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-python-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-server-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-server-selinux-3.0.0-50.el6_8.2")) flag++;
    if (rpm_check(release:"SL6", reference:"ipa-server-trust-ad-3.0.0-50.el6_8.2")) flag++;
    
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-admintools-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-client-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-debuginfo-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-python-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-server-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-server-dns-4.2.0-15.sl7_2.19")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"ipa-server-trust-ad-4.2.0-15.sl7_2.19")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipa-admintools / ipa-client / ipa-debuginfo / ipa-python / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-7898627D08.NASL
    descriptionsecurity fix for CVE-2016-5404 related: https://bugzilla.redhat.com/show_bug.cgi?id=1367883 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-08-30
    plugin id93205
    published2016-08-30
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93205
    titleFedora 23 : freeipa (2016-7898627d08)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-7898627d08.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93205);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5404");
      script_xref(name:"FEDORA", value:"2016-7898627d08");
    
      script_name(english:"Fedora 23 : freeipa (2016-7898627d08)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "security fix for CVE-2016-5404
    
    related: https://bugzilla.redhat.com/show_bug.cgi?id=1367883
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-7898627d08"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1367883"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeipa package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeipa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC23", reference:"freeipa-4.2.4-2.fc23")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeipa");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1042.NASL
    descriptionAccording to the version of the ipa packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The cert_revoke command in FreeIPA does not check for the
    last seen2020-05-06
    modified2017-05-01
    plugin id99805
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99805
    titleEulerOS 2.0 SP1 : ipa (EulerOS-SA-2016-1042)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99805);
      script_version("1.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2016-5404"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : ipa (EulerOS-SA-2016-1042)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the ipa packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerability :
    
      - The cert_revoke command in FreeIPA does not check for
        the 'revoke certificate' permission, which allows
        remote authenticated users to revoke arbitrary
        certificates by leveraging the 'retrieve certificate'
        permission.(CVE-2016-5404)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1042
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4cd6fb27");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ipa package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ipa-admintools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ipa-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ipa-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ipa-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ipa-server-trust-ad");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ipa-admintools-4.2.0-15.0.1.19",
            "ipa-client-4.2.0-15.0.1.19",
            "ipa-python-4.2.0-15.0.1.19",
            "ipa-server-4.2.0-15.0.1.19",
            "ipa-server-trust-ad-4.2.0-15.0.1.19"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ipa");
    }
    

Redhat

advisories
bugzilla
id1351593
titleCVE-2016-5404 ipa: Insufficient privileges check in certificate revocation
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentipa-client is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797001
        • commentipa-client is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268026
      • AND
        • commentipa-python is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797003
        • commentipa-python is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111533004
      • AND
        • commentipa-server-selinux is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797005
        • commentipa-server-selinux is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111533006
      • AND
        • commentipa-server is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797007
        • commentipa-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268018
      • AND
        • commentipa-admintools is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797009
        • commentipa-admintools is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111533010
      • AND
        • commentipa-server-trust-ad is earlier than 0:3.0.0-50.el6_8.2
          ovaloval:com.redhat.rhsa:tst:20161797011
        • commentipa-server-trust-ad is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268016
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentipa-server-dns is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797014
        • commentipa-server-dns is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268052
      • AND
        • commentipa-admintools is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797016
        • commentipa-admintools is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111533010
      • AND
        • commentipa-server-trust-ad is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797017
        • commentipa-server-trust-ad is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268016
      • AND
        • commentipa-client is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797018
        • commentipa-client is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268026
      • AND
        • commentipa-server is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797019
        • commentipa-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20194268018
      • AND
        • commentipa-python is earlier than 0:4.2.0-15.el7_2.19
          ovaloval:com.redhat.rhsa:tst:20161797020
        • commentipa-python is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111533004
rhsa
idRHSA-2016:1797
released2016-09-01
severityModerate
titleRHSA-2016:1797: ipa security update (Moderate)
rpms
  • ipa-admintools-0:3.0.0-50.el6_8.2
  • ipa-admintools-0:4.2.0-15.el7_2.19
  • ipa-client-0:3.0.0-50.el6_8.2
  • ipa-client-0:4.2.0-15.el7_2.19
  • ipa-debuginfo-0:3.0.0-50.el6_8.2
  • ipa-debuginfo-0:4.2.0-15.el7_2.19
  • ipa-python-0:3.0.0-50.el6_8.2
  • ipa-python-0:4.2.0-15.el7_2.19
  • ipa-server-0:3.0.0-50.el6_8.2
  • ipa-server-0:4.2.0-15.el7_2.19
  • ipa-server-dns-0:4.2.0-15.el7_2.19
  • ipa-server-selinux-0:3.0.0-50.el6_8.2
  • ipa-server-trust-ad-0:3.0.0-50.el6_8.2
  • ipa-server-trust-ad-0:4.2.0-15.el7_2.19

References