Vulnerabilities > CVE-2018-11058 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
dell
oracle
CWE-125
critical
nessus

Summary

RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition, version prior to 4.0.5.3 (in 4.0.x) contain a Buffer Over-Read vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would result in such issue.

Vulnerable Configurations

Part Description Count
Application
Dell
21
Application
Oracle
27

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OPS_CENTER_JAN_2020_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Ops Center installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - An unspecified vulnerability in the Networking (Oracle Security Service) component of Oracle Enterprise Manager Ops Center. An easy to exploit vulnerability could allow unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in takeover of Enterprise Manager Ops Center. (CVE-2018-11058) - An unspecified vulnerability in the Networking (RSA Bsafe) component of Oracle Enterprise Manager Ops Center. A difficult to exploit vulnerability could allow a low privileged attacker with logon to the infrastructure where Enterprise Manager Ops Center executes to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in takeover of Enterprise Manager Ops Center. (CVE-2019-1547) - An unspecified vulnerability in the Networking (cURL) component of Oracle Enterprise Manager Ops Center. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in takeover of Enterprise Manager Ops Center. (CVE-2019-5482)
    last seen2020-05-08
    modified2020-01-20
    plugin id133091
    published2020-01-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133091
    titleOracle Enterprise Manager Ops Center (Jan 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133091);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");
    
      script_cve_id("CVE-2018-11058", "CVE-2019-1547", "CVE-2019-5482");
      script_xref(name:"IAVA", value:"2020-A-0150");
    
      script_name(english:"Oracle Enterprise Manager Ops Center (Jan 2020 CPU)");
      script_summary(english:"Checks for the patch ID.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An enterprise management application installed on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Enterprise Manager Ops Center installed on
    the remote host is affected by multiple vulnerabilities in
    Enterprise Manager Base Platform component:
    
      - An unspecified vulnerability in the Networking (Oracle
        Security Service) component of Oracle Enterprise Manager
        Ops Center. An easy to exploit vulnerability could allow
        unauthenticated attacker with network access via HTTPS
        to compromise Enterprise Manager Ops Center.
        A successful attack of this vulnerability can result in
        takeover of Enterprise Manager Ops Center. (CVE-2018-11058)
    
      - An unspecified vulnerability in the Networking (RSA
          Bsafe) component of Oracle Enterprise Manager Ops Center.
          A difficult to exploit vulnerability could allow a low
          privileged attacker with logon to the infrastructure where
          Enterprise Manager Ops Center executes to compromise
          Enterprise Manager Ops Center. A successful attack of this
          vulnerability can result in takeover of Enterprise Manager
          Ops Center. (CVE-2019-1547)
    
      - An unspecified vulnerability in the Networking (cURL)
        component of Oracle Enterprise Manager Ops Center.
        Easily exploitable vulnerability allows unauthenticated
        attacker with network access via multiple protocols to
        compromise Enterprise Manager Ops Center. A successful
        attack of this vulnerability can result in takeover of
        Enterprise Manager Ops Center. (CVE-2019-5482)");
      # https://www.oracle.com/security-alerts/cpujan2020.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d22a1e87");
      # https://www.oracle.com/security-alerts/cpujan2020verbose.html#EM
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91e1354f");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2020
    Oracle Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5482");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin");
      script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center");
    
      exit(0);
    }
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('install_func.inc');
    
    get_kb_item_or_exit('Host/local_checks_enabled');
    app_name = 'Oracle Enterprise Manager Ops Center';
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    version = install['version'];
    version_full = install['Full Patch Version'];
    path = install['path'];
    patch_version = install['Patch Version'];
    
    
    patchid = NULL;
    fix = NULL;
    
    if (version_full =~ "^12\.3\.3\.")
    {
      patchid = '30670631';
      fix = '1836';
    } 
    else if (version_full =~ "^12\.4\.0\.")
    {
      patchid = '30670627';
      fix = '1504';
    }
    
    if (isnull(patchid))
      audit(AUDIT_HOST_NOT, 'affected');
    
    if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path);
    
    report = 
      '\n Path                : ' + path + 
      '\n Version             : ' + version + 
      '\n Ops Agent Version   : ' + version_full + 
      '\n Current Patch       : ' + patch_version + 
      '\n Fixed Patch Version : ' + fix +
      '\n Fix                 : ' + patchid;
    
    security_report_v4(extra:report, severity:SECURITY_HOLE, port:0);
    
  • NASL familyCGI abuses
    NASL idORACLE_RUEI_CPU_APR_2020.NASL
    descriptionThe version of Oracle Real User Experience Insight installed on the remote host is missing the April 2020 CPU. It is, therefore, affected by a buffer overflow condition due to insufficient validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by sending specially crafted ASN.1 data to an affected host, to cause a denial of service condition or the execution of arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-17
    plugin id135705
    published2020-04-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135705
    titleOracle Real User Experience Insight (Apr 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135705);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id("CVE-2018-11058");
      script_bugtraq_id(108106);
      script_xref(name:"IAVA", value:"2020-A-0150");
    
      script_name(english:"Oracle Real User Experience Insight (Apr 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by a buffer overflow vulnerability");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Real User Experience Insight installed on the remote host is missing the April 2020 CPU. It is, 
    therefore, affected by a buffer overflow condition due to insufficient validation of user-supplied input. An 
    unauthenticated, remote attacker can exploit this, by sending specially crafted ASN.1 data to an affected host, to 
    cause a denial of service condition or the execution of arbitrary code.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version");
      # https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixEM
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ffb7f13c");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version as referenced in the April 
      2020 CPU");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-11058");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/17");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_grid_control");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_ruei_detect.nbin");
      script_require_keys("installed_sw/Oracle Real User Experience Insight", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    if (report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
    port = get_http_port(default:443);
    app_info = vcf::get_app_info(app:'Oracle Real User Experience Insight', port:port, webapp:TRUE);
    
    constraints = [
      { 'min_version' : '13.1.2', 'fixed_version' : '13.1.2.1' },
      { 'min_version' : '13.2.3', 'fixed_version' : '13.2.3.1', 'fixed_display' : '13.2.3.1 / 13.3.1.0' }
    ];
    
    vcf::check_version_and_report(
      app_info:app_info,
      constraints:constraints,
      severity:SECURITY_HOLE
    );
    
  • NASL familyDatabases
    NASL idORACLE_RDBMS_CPU_JUL_2019.NASL
    descriptionThe remote Oracle Database Server is missing the July 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - An unspecified vulnerability in the Spatial component of Oracle Database Server, which could allow an authenticated, remote attacker to cause a partial denial of service of Spatial. (CVE-2016-9572) - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an unauthenticated, remote attacker to take over Core RDBMS (CVE-2018-11058) - An unspecified vulnerability in the Application Express component of Oracle Database Server, which could allow an authenticated, remote attacker to manipulate Application Express accessible data. (CVE-2019-2484) - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an authenticated, local attacker complete access to all Core RDBMS accessible data. (CVE-2019-2569) - An unspecified vulnerability in the Java VM component of Oracle Database Server, which could allow an authenticated, remote attacker to manipulate Java VM accessible data or cause a complete denial of service of Java VM. (CVE-2019-2749) - An unspecified vulnerability in the Oracle Text component of Oracle Database Server, which could allow an authenticated, remote attacker to read a subset of Oracle Text accessible data or cause a partial denial of service of Oracle Text. (CVE-2019-2753) - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an authenticated, remote attacker complete access to all Core RDBMS accessible data. (CVE-2019-2776) - An unspecified vulnerability in the Oracle ODBC Driver component of Oracle Database Server, which could allow an authenticated, remote attacker to take over Oracle ODBC Driver. Note this vulnerability only affects the Windows platform. (CVE-2019-2799) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-02
    modified2019-07-19
    plugin id126830
    published2019-07-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126830
    titleOracle Database Server Multiple Vulnerabilities (Jul 2019 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126830);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id(
        "CVE-2016-9572",
        "CVE-2018-11058",
        "CVE-2019-2484",
        "CVE-2019-2569",
        "CVE-2019-2749",
        "CVE-2019-2753",
        "CVE-2019-2776",
        "CVE-2019-2799"
      );
      script_bugtraq_id(
        108106,
        109195,
        109203,
        109211,
        109214,
        109217,
        109224,
        109233
      );
    
      script_name(english:"Oracle Database Server Multiple Vulnerabilities (Jul 2019 CPU)");
      script_summary(english:"Checks installed patch info.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle Database Server is missing the July 2019 Critical Patch Update (CPU). It is, therefore, affected by
    multiple vulnerabilities :
    
      - An unspecified vulnerability in the Spatial component of Oracle Database Server, which could allow an
        authenticated, remote attacker to cause a partial denial of service of Spatial. (CVE-2016-9572)
    
      - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an
        unauthenticated, remote attacker to take over Core RDBMS (CVE-2018-11058)
    
      - An unspecified vulnerability in the Application Express component of Oracle Database Server, which could allow an
        authenticated, remote attacker to manipulate Application Express accessible data. (CVE-2019-2484)
    
      - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an
        authenticated, local attacker complete access to all Core RDBMS accessible data. (CVE-2019-2569)
    
      - An unspecified vulnerability in the Java VM component of Oracle Database Server, which could allow an
        authenticated, remote attacker to manipulate Java VM accessible data or cause a complete denial of service of
        Java VM. (CVE-2019-2749)
    
      - An unspecified vulnerability in the Oracle Text component of Oracle Database Server, which could allow an
        authenticated, remote attacker to read a subset of Oracle Text accessible data or cause a partial denial of service
        of Oracle Text. (CVE-2019-2753)
    
      - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an
        authenticated, remote attacker complete access to all Core RDBMS accessible data. (CVE-2019-2776)
    
      - An unspecified vulnerability in the Oracle ODBC Driver component of Oracle Database Server, which could allow an
        authenticated, remote attacker to take over Oracle ODBC Driver. Note this vulnerability only affects the Windows
        platform. (CVE-2019-2799)
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixDB
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8d1d765d");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the July 2019 Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-11058");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin");
    
      exit(0);
    }
    
    include("oracle_rdbms_cpu_func.inc");
    
    patches = make_nested_array();
    
    # RDBMS 19.4.0.0
    patches["19.4.0.0"]["db"]["nix"] = make_array("patch_level", "19.4.0.0.190716", "CPU", "29708769, 29834717");
    patches["19.4.0.0"]["db"]["win"] = make_array("patch_level", "19.4.0.0.190716", "CPU", "29859191");
    # RDBMS 18.7.0.0
    patches["18.7.0.0"]["db"]["nix"] = make_array("patch_level", "18.7.0.0.190716", "CPU", "29708703, 29757256");
    patches["18.7.0.0"]["db"]["win"] = make_array("patch_level", "18.7.0.0.190716", "CPU", "29859180");
    # RDBMS 18.6.1.0
    patches["18.6.1.0"]["db"]["nix"] = make_array("patch_level", "18.6.1.0.190716", "CPU", "29708235");
    # RDBMS 18.5.2.0
    patches["18.5.2.0"]["db"]["nix"] = make_array("patch_level", "18.5.2.0.190716", "CPU", "29708437");
    # RDBMS 12.2.0.1
    patches["12.2.0.1"]["db"]["nix"] = make_array("patch_level", "12.2.0.1.190716", "CPU", "29708381, 29708478, 29757449");
    patches["12.2.0.1"]["db"]["win"] = make_array("patch_level", "12.2.0.1.190716", "CPU", "29832062");
    # RDBMS 12.1.0.2
    patches["12.1.0.2"]["db"]["nix"] = make_array("patch_level", "12.1.0.2.190716", "CPU", "29496791, 29494060");
    patches["12.1.0.2"]["db"]["win"] = make_array("patch_level", "12.1.0.2.190716", "CPU", "29831650");
    # RDBMS 11.2.0.4
    patches["11.2.0.4"]["db"]["nix"] = make_array("patch_level", "11.2.0.4.190716", "CPU", "29698813, 29497421");
    patches["11.2.0.4"]["db"]["win"] = make_array("patch_level", "11.2.0.4.190716", "CPU", "29596609");
    
    # OJVM 19.4.0.0
    patches["19.4.0.0"]["ojvm"]["nix"] = make_array("patch_level", "19.4.0.0.190716", "CPU", "29774421");
    # OJVM 18.7.0.0
    patches["18.7.0.0"]["ojvm"]["nix"] = make_array("patch_level", "18.7.0.0.190716", "CPU", "29774410");
    patches["18.7.0.0"]["ojvm"]["win"] = make_array("patch_level", "18.7.0.0.190716", "CPU", "29774410");
    # OJVM 12.2.0.1
    patches["12.2.0.1"]["ojvm"]["nix"] = make_array("patch_level", "12.2.0.1.190716", "CPU", "29774415");
    patches["12.2.0.1"]["ojvm"]["win"] = make_array("patch_level", "12.2.0.1.190716", "CPU", "29837425");
    # OJVM 12.1.0.2
    patches["12.1.0.2"]["ojvm"]["nix"] = make_array("patch_level", "12.1.0.2.190716", "CPU", "29774383");
    patches["12.1.0.2"]["ojvm"]["win"] = make_array("patch_level", "12.1.0.2.190716", "CPU", "29837393");
    # OVJM 11.2.0.4
    patches["11.2.0.4"]["ojvm"]["nix"] = make_array("patch_level", "11.2.0.4.190716", "CPU", "29610422");
    patches["11.2.0.4"]["ojvm"]["win"] = make_array("patch_level", "11.2.0.4.190716", "CPU", "30012911");
    
    check_oracle_database(patches:patches, high_risk:TRUE);