Qualitative Risk Analysis with CVSS Scores
June 17, 2014 at 5:26pm EDT [codydumont] SC RESEARCH

Confidential: The following report contains confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.

Table of Contents
About this Report ......................... 1
Executive Summary ......................... 3
CVSS Patch Matrix ......................... 5
CVSS 4.0 to 4.9 ........................... 7
CVSS 5.0 to 5.9 ........................... 22
CVSS 6.0 to 6.9 ........................... 37
CVSS 7.0 to 7.9 ........................... 53
CVSS 8.0 to 8.9 ........................... 72
CVSS 9.0 to 9.9 ........................... 76
CVSS 10.0 to 10.0 ......................... 85

Table of Contents Qualitative Risk Analysis with CVSS Scores i

About this Report

Information Security professionals continuously perform various types of risk assessments within their environment. SecurityCenter users have a secret weapon in the battle to properly assess risk: SecurityCenter's native ability to fully use the CVSS scoring system. A risk assessment requires a qualitative analysis of the vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST) created the Common Vulnerability Scoring System (CVSS) to normalize the methodology of analyzing risk. CVSS provides an open framework for assessing the risk of discovered vulnerabilities.

The CVSS methodology uses three metric groups: Base, Temporal, and Environmental. This report uses the Base metric group to aid in performing qualitative risk analysis, and focuses on CVSS scores of 4.0 to 10.0. Six base metrics are used to qualitatively assess the risk of a vulnerability, arranged in two sub-groupings of the Base metric group: the access metrics and the impact metrics.
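The six Base metrics feed the CVSS v2 Base equation that produces the 4.0 to 10.0 scores this report buckets into chapters. The Python below is an added example and is not part of the SecurityCenter report or of Tenable's code: the metric weights and the Base equation are taken from the FIRST CVSS v2.0 specification (an assumption of this example, since the report does not reproduce them), while the medium/high/critical bands are the ones the report itself uses (4.0 to 6.9, 7.0 to 9.9, 10.0). The finding names and vectors are constructed sample input.

```python
"""CVSS v2 Base score from a Nessus-style vector, bucketed into the report's bands.

Added example, not part of the SecurityCenter report. The metric weights and the
Base equation are the published CVSS v2.0 values (assumed from the FIRST
specification; the report does not reproduce them). The severity bands are the
report's own: medium 4.0-6.9, high 7.0-9.9, critical 10.0.
"""
from decimal import Decimal, ROUND_HALF_UP

# Access (exploitability) metric weights: Access Vector, Access Complexity, Authentication.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
# Impact metric weights, shared by Confidentiality, Integrity and Availability.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
          "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict, rejecting missing or unknown metrics."""
    metrics = {}
    for item in vector.split("/"):
        key, _, value = item.partition(":")
        metrics[key] = value
    if set(metrics) != set(TABLES):
        raise ValueError(f"expected exactly the six Base metrics {sorted(TABLES)}: {vector!r}")
    for key, value in metrics.items():
        if value not in TABLES[key]:
            raise ValueError(f"unknown value {value!r} for metric {key}: {vector!r}")
    return metrics


def round_to_1_decimal(value):
    """CVSS v2 rounds the final score to one decimal place, half away from zero."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2 Base equation: (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        # No effect on C, I or A: f(Impact) is 0, so the score is 0 whatever the access metrics say.
        return 0.0
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def severity_band(score):
    """The report's banding: orange/medium 4.0-6.9, red/high 7.0-9.9, purple/critical 10.0."""
    if score >= 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "below 4.0 (not covered by this report)"


def bucket_findings(findings):
    """Group {finding name: vector} by band, like the report's per-range chapters.

    Returns {band: [(name, score), ...]} with each list sorted by score, highest first."""
    buckets = {}
    for name, vector in findings.items():
        score = base_score(vector)
        buckets.setdefault(severity_band(score), []).append((name, score))
    for items in buckets.values():
        items.sort(key=lambda pair: pair[1], reverse=True)
    return buckets


# Constructed sample findings (not from the report) with vectors in the form Nessus reports them.
SAMPLE_FINDINGS = {
    "reflected XSS in a CGI script": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "unauthenticated partial compromise": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "remote full compromise": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "local read of a restricted file": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
}

if __name__ == "__main__":
    for band, items in bucket_findings(SAMPLE_FINDINGS).items():
        print(band, items)
```

The zero-impact branch matters in practice: a vector with C:N/I:N/A:N scores 0.0 no matter how easy it is to reach, which is why an informational check never lands in the 4.0 to 10.0 chapters even when its access metrics look alarming. Conversely the local file-read vector scores 2.1 and falls below the PCI DSS external-scan threshold of 4.0 cited in this report, while the same partial impact reached over the network with no authentication scores 7.5.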
The access metrics assign a risk level based on the vector used to gain access to the target system. They are: Access Vector, which reflects the method used to reach and exploit a vulnerability; Access Complexity, which measures the difficulty or complexity an attacker faces in exploiting a vulnerability once access is obtained; and Authentication, which measures how many times an attacker must authenticate to successfully exploit a vulnerability.

The impact metrics use the CIA triad (Confidentiality, Integrity, Availability) to assign an impact score to a vulnerability. Confidentiality Impact measures the loss of confidentiality after a successful exploit, meaning how well access by unauthorized users can be prevented and access limited to information that could further aid a covert attack. Integrity Impact measures to what extent the information stored on the system is impacted by a successful exploit, meaning the impact to the accuracy and reliability of the information stored on the victim system. Availability Impact measures how system resources are affected by exploitation of the vulnerability; some attacks can consume CPU, network, or other resources available to the target system.

The CVSS report shows vulnerabilities within each of the CVSS score ranges (4.0 – 4.9, 5.0 – 5.9, 6.0 – 6.9, 7.0 – 7.9, 8.0 – 8.9, 9.0 – 9.9, and 10.0). The colors for CVSS scores are orange for medium severity (4.0 – 6.9), red for high severity (7.0 – 9.9), and purple for critical severity (10.0).

SecurityCenter can help identify vulnerabilities that must be mitigated in order to satisfy PCI DSS vulnerability scanning requirements. PCI DSS v3.0 Req. 11.2 states that internal and external network vulnerability scans must be run at least quarterly, and after any significant change in the network. PCI DSS v3.0 Req. 11.2.1 requires quarterly internal scans and rescans until all 'high risk' vulnerabilities are resolved, while PCI DSS v3.0 Req. 11.2.2 requires quarterly external scans and rescans until no vulnerabilities exist that are scored 4.0 or higher by the CVSS. In addition, PCI DSS v3.0 Req. 11.2.3 requires internal and external scanning, and rescanning, after any significant change to the network. PCI DSS v3.0 Req. 6.1 requires companies to establish a formal process for vulnerability identification and risk ranking using reputable outside sources. PCI DSS v3.0 further notes that 'Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.' SecurityCenter can be used to collect vulnerability data, and also to track and monitor other threat considerations that can help your organization determine the appropriate risk ranking for internal scan findings. More information can be found here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

By defining assets for internal or external IP networks or a range of hosts, the compliance manager can run this report for the internal and/or external network. Please note that the name of the report should be modified to reflect whether the report is internal or external. To edit the report template, click the Edit button and then change the name of the report; in this example, the report will be called "External CVSS Report." Next, click on the Definition tab, then click the Find/Update link. When the window comes up, the top search option is called "Search Filters"; click the Add button in the Search Filter area, and in the first drop-down box select Assets. A new drop-down list will appear; select "is not set", then click the Save button in the Search Filter area. Next, under the "Update Actions" section, click the Add button. Select Asset in the first drop-down box, then select "is set to" in the second drop-down box. In the third drop-down box, select the external asset group and click Save. The last step is to click the "Update" button in the middle of the window on the left-hand side. After the button is clicked, the window at the bottom is updated with the filters that have been modified. Finally, click the Close button at the bottom of the "Find/Update Filters" window and click Submit at the bottom of the page. The report has now been customized and can be launched, and only the IP addresses that are part of the "External" assets will be covered in the report.

While this report can often result in a file with more than 1000 pages, the scalability of this report allows the user to select only the chapters that are needed. One approach would be to have seven separate reports, one for each CVSS level. This can easily be accomplished by selecting only the desired report when importing from the feed, or by making a local copy of the report and deleting the unused chapters.

Executive Summary

The Vulnerability Information by CVSS Score matrix provides the cumulative number of vulnerable hosts, the number of vulnerabilities, and the percentage of exploitable vulnerabilities. Each row is a different set of CVSS scores. This chart only provides information on medium to critical CVSS scores. These CVSS score ranges are 4.0 – 4.9, 5.0 – 5.9, 6.0 – 6.9, 7.0 – 7.9, 8.0 – 8.9, 9.0 – 9.9, and 10.0.

Vulnerability Information by CVSS Score
                  Vulnerable Hosts   Vulnerabilities   Exploitable
CVSS 4.0 - 4.9    9                  111               .5%
CVSS 5.0 - 5.9    9                  78                .2%
CVSS 6.0 - 6.9    9                  120               .2%
CVSS 7.0 - 7.9    2                  56                .2%
CVSS 8.0 - 8.9    1                  9
CVSS 9.0 - 9.9    2                  11
CVSS 10.0         2                  29                .8%
(Two further Exploitable values, "2" and ".2 %", were extracted out of position and cannot be attributed to a row.)

The CVSS Trending for 3 Months chart provides an overview of the different CVSS scores over the last 3 months. Each CVSS range is defined as a different set of CVSS scores; within this trending chart the score ranges are 4.0 – 4.9, 5.0 – 5.9, 6.0 – 6.9, 7.0 – 7.9, 8.0 – 8.9, 9.0 – 9.9, and 10.0. The trend graph calculates the data points every 24 hours to illustrate a daily trend during a three-month period.

CVSS Trending for 3 Months (chart)

The Vulnerabilities by Subnet table provides the cumulative number of medium, high, and critical vulnerabilities for the top ten IP subnets. The CVSS score range is from 4.0 to 10.0. Each column provides the total number of vulnerabilities for medium (orange), high (red), and critical (purple), plus the total for each subnet. This table provides a good overview of the vulnerabilities by subnet.

Vulnerabilities by Subnet
IP Address        Med.   High   Crit.   Total
10.31.112.0/24    131    80     28      239
10.31.113.0/24    92     4      1       97
10.31.114.0/24    88     0      0       88

The Severities by Subnet chart provides the cumulative top ten IP subnets separated by the severities of the vulnerabilities within each subnet range. The filters in this chart use the Class C Summary tool and a CVSS score of 4.0 to 10.0. Each subnet has a bar for each severity level: orange for medium severity, red for high severity, and purple for critical severity vulnerabilities.

Severities by Subnet (chart)

CVSS Patch Matrix

The Time to Patch Vulnerabilities table displays the CVSS score ranges 4.0 - 4.9, 5.0 - 5.9, 6.0 - 6.9, 7.0 - 7.9, 8.0 - 8.9, 9.0 - 9.9, and 10. Each column shows the number of hosts with vulnerabilities that were patched within the day ranges 0 to 30 days, 31 to 60 days, 61 to 90 days, and over 91 days. The CVSS score colors are orange for Medium (4.0 – 6.9), red for High (7.0 – 9.9), and purple for Critical (10.0).
Time to Patch Vulnerabilities
                  Within 30 Days   31 - 60 Days   61 - 90 Days   > 90 Days
CVSS 4.0 - 4.9    0                5              0              4
CVSS 5.0 - 5.9    0                2              0              0
CVSS 6.0 - 6.9    0                3              0              1
CVSS 7.0 - 7.9    0                2              0              1
CVSS 8.0 - 8.9    0                0              2              0
CVSS 9.0 - 9.9    0                8              2              4
CVSS 10.0         0                0              0              0

The Vulnerabilities Patched in Last X Days table displays the number of hosts with vulnerabilities that were patched within a certain number of days. The day ranges are 0 to 30 days, 31 to 60 days, 61 to 90 days, and over 91 days for each CVSS score range that was created. These CVSS score ranges are 4.0 - 4.9, 5.0 - 5.9, 6.0 - 6.9, 7.0 - 7.9, 8.0 - 8.9, 9.0 - 9.9. The CVSS score colors are orange for Medium (4.0 – 6.9), red for High (7.0 – 9.9), and purple for Critical (10.0).

Vulnerabilities Patched in Last X Days
                  Within 30 Days   31 - 60 Days   61 - 90 Days   > 90 Days
CVSS 4.0 - 4.9    9                0              0              0
CVSS 5.0 - 5.9    2                0              0              0
CVSS 6.0 - 6.9    4                0              0              0
CVSS 7.0 - 7.9    2                0              1              0
CVSS 8.0 - 8.9    2                0              0              0
CVSS 9.0 - 9.9    8                3              3              0
CVSS 10.0         0                0              0              0

The Current Vulnerabilities Last Seen X Days Ago table displays the cumulative hosts with vulnerabilities for each CVSS score range that was created. These CVSS score ranges are 4.0 - 4.9, 5.0 - 5.9, 6.0 - 6.9, 7.0 - 7.9, 8.0 - 8.9, 9.0 - 9.9. The CVSS score colors are orange for Medium (4.0 – 6.9), red for High (7.0 – 9.9), and purple for Critical (10.0).

Current Vulnerabilities Last Seen X Days Ago
                  Within 30 Days   31 - 60 Days   61 - 90 Days   > 90 Days
CVSS 4.0 - 4.9    9                0              0              2
CVSS 5.0 - 5.9    9                0              0              2
CVSS 6.0 - 6.9    5                0              0              4
CVSS 7.0 - 7.9    2                0              0              0
CVSS 8.0 - 8.9    1                0              0              0
CVSS 9.0 - 9.9    2                0              0              0
CVSS 10.0         2                0              0              0

The Percent of Vulnerabilities Patched in Last X Days table tracks patched vulnerabilities and measures the time required to apply the patch. There is a separate row for each CVSS score range. The day ranges are 0 to 30 days, 31 to 60 days, 61 to 90 days, and over 91 days for each CVSS score range that was created. The CVSS score ranges are 4.0 - 4.9, 5.0 - 5.9, 6.0 - 6.9, 7.0 - 7.9, 8.0 - 8.9, 9.0 - 9.9. The cells each contain a ratio bar showing the percentage of vulnerabilities patched. Each cell has a threshold to indicate patching progress and risk. If more than 90% of patches were applied, the indicator is green. When more than 75% of patches were applied, the indicator is yellow. For 50% of applied patches the color is orange, followed by red for 25%, and purple for less than 25%. Green signifies a good patch management program, while yellow indicates caution. For orange and red indicators, the current patch management program is not working correctly, red being worse than orange. For purple indicators, a serious problem is occurring and an immediate review of the patch management cycle is needed.

The columns in the matrix each provide the vulnerability patch rate as compared to the time taken to apply the patch. The first column, 30d Rate Past 30d, displays the percent of patches that occurred within 30 days of being tracked by SecurityCenter for the past 30 calendar days. The second column, 30d Rate Past 31d - 60d, displays the percent of patches that occurred within 30 days of being tracked by SecurityCenter between 31 and 60 calendar days ago. The third column, 30d Rate Past 61d - 90d, displays the percent of patches that occurred within 30 days of being tracked by SecurityCenter between 61 and 90 calendar days ago. The fourth column, 30d Rate Past 91d, displays the percent of patches that occurred within 30 days of being tracked by SecurityCenter over 91 calendar days ago.

Percent of Vulnerabilities Patched in Last X Days (matrix)

CVSS 4.0 to 4.9

The Top 15 Hosts with CVSS 4.0 to 4.9 Vulnerabilities table provides the cumulative top 15 hosts with a CVSS score of 4.0 to 4.9. Each IP address is listed with its Hostname (DNS), OS (OS CPE), total vulnerabilities (Total), and a vulnerabilities bar. The vulnerability bar displays each severity separately by color: orange for medium, red for high, and purple for critical.

Top 15 Hosts with CVSS 4.0 to 4.9 Vulnerabilities
IP Address      DNS Name                    OS CPE                                                    Total   Vulns
10.31.112.10    ubuntu                      cpe:/o:canonical:ubuntu_linux:11.04                       46      2 44
10.31.113.30    turnkey-worpress.acme.lab   cpe:/o:debian:debian_linux:7.4                            16      16
10.31.114.32    drupal7                     cpe:/o:debian:debian_linux:7.2                            15      15
10.31.114.30    asp-net-apache              cpe:/o:debian:debian_linux:7.2                            12      12
10.31.113.32    openldap                    cpe:/o:debian:debian_linux:7.2                            11      11
10.31.114.11    exch2.corp.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise    5       5
10.31.113.11    exch1.acme.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise    4       4
10.31.113.10    dc1.acme.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise    2       2
10.31.114.10    dc2.corp.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise    2       2

The Top 10 Subnets with CVSS 4.0 to 4.9 Vulnerabilities chart provides the cumulative top ten network subnets with a CVSS score of 4.0 to 4.9 by vulnerabilities. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C Summary tool and a CVSS score of 4.0 to 4.9; the data is then sorted using the total vulnerability field.

Top 10 Subnets with CVSS 4.0 to 4.9 Vulnerabilities (chart)

The Top 10 Plugin Families Detecting CVSS 4.0 to 4.9 Vulnerabilities chart provides a cumulative view of the top 10 CVSS 4.0 to 4.9 vulnerabilities by plugin family. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow efficient and accurate grouping of similar security checks, aka plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.

Top 10 Plugin Families Detecting CVSS 4.0 to 4.9 Vulnerabilities (chart)

The Details for CVSS 4.0 to 4.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The vulnerabilities are filtered by a CVSS score of 4.0 to 4.9 and sorted by total vulnerabilities. For each finding the table shows the plugin ID, plugin name, plugin family, severity, and total number of vulnerabilities, followed by a description of the vulnerability and the affected IP addresses grouped by their respective repositories.

Details for CVSS 4.0 to 4.9 Vulnerabilities with Affected Hosts

Plugin 56306 | Web Server Allows Password AutoCompletion (PCI-DSS variant) | Family: Web Servers | Severity: Medium | Total: 5
Description: The remote web server contains at least one HTML form field containing an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 17705 | OPIE w/ OpenSSH Account Enumeration | Family: Misc. | Severity: Medium | Total: 5
Description: When using OPIE for PAM and OpenSSH, it is possible for remote attackers to determine the existence of certain user accounts. Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it does not detect if the remote host actually has OPIE for PAM installed.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 62565 | Transport Layer Security (TLS) Protocol CRIME Vulnerability | Family: General | Severity: Medium | Total: 4
Description: The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 58453 | Terminal Services Doesn't Use Network Level Authentication (NLA) | Family: Misc. | Severity: Medium | Total: 4
Description: The remote Terminal Services is not configured to use Network Level Authentication (NLA). NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to improving authentication, NLA also helps protect the remote computer from malicious users and software by completing user authentication before a full RDP connection is established.
Hosts in Repository 'net_10_31_113':
  10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2  DNS Name: dc1.acme.lab  NetBIOS Name: ACME\DC1
  10.31.113.11 - MAC Address: 82:97:5f:32:26:04  DNS Name: exch1.acme.lab  NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
  10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d  DNS Name: dc2.corp.lab  NetBIOS Name: CORP\DC2
  10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2  DNS Name: exch2.corp.lab  NetBIOS Name: CORP\EXCH2

Plugin 57690 | Terminal Services Encryption Level is Medium or Low | Family: Misc. | Severity: Medium | Total: 4
Description: The remote Terminal Services service is not configured to use strong cryptography. Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more easily and obtain screenshots and/or keystrokes.
Hosts in Repository 'net_10_31_113':
  10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2  DNS Name: dc1.acme.lab  NetBIOS Name: ACME\DC1
  10.31.113.11 - MAC Address: 82:97:5f:32:26:04  DNS Name: exch1.acme.lab  NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
  10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d  DNS Name: dc2.corp.lab  NetBIOS Name: CORP\DC2
  10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2  DNS Name: exch2.corp.lab  NetBIOS Name: CORP\EXCH2

Plugin 42873 | SSL Medium Strength Cipher Suites Supported | Family: General | Severity: Medium | Total: 4
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 17714 | PHP Foreign Function Interface Arbitrary DLL Loading safe_mode Restriction Bypass | Family: CGI abuses | Severity: Medium | Total: 4
Description: According to its banner, the version of PHP installed on the remote host is affected by a security bypass vulnerability. The Foreign Function Interface (ffi) extension does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 17695 | Apache Mixed Platform AddType Directive Information Disclosure | Family: Web Servers | Severity: Medium | Total: 4
Description: The remote host appears to be running Apache. When Apache runs on a Unix host with a document root on a Windows SMB share, remote, unauthenticated attackers could obtain the unprocessed contents of the directory. For example, requesting a PHP file with a trailing backslash could display the file's source instead of executing it.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 17694 | Apache on Windows mod_alias URL Validation Canonicalization CGI Source Information Disclosure | Family: CGI abuses | Severity: Medium | Total: 4
Description: The version of Apache installed on the remote Windows host can be tricked into disclosing the source of its CGI scripts because of a configuration issue. Specifically, if the CGI directory is located within the document root, then requests that alter the case of the directory name will bypass the mod_cgi cgi-script handler and be treated as requests for ordinary files.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3  DNS Name: turnkey-worpress.acme.lab
Hosts in Repository 'net_10_31_114':
  10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc  DNS Name: asp-net-apache
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 47831 | CGI Generic Cross-Site Scripting (comprehensive test) | Family: CGI abuses : XSS | Severity: Medium | Total: 3
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':
  10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b  DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap
Hosts in Repository 'net_10_31_114':
  10.31.114.32 - MAC Address: da:80:69:ea:1f:80  DNS Name: drupal7

Plugin 58601 | Microsoft ASP.NET ValidateRequest Filters Bypass | Family: Web Servers | Severity: Medium | Total: 2
Description: According to the HTTP headers received from the remote host, the web server is configured to use the ASP.NET framework. This framework includes the ValidateRequest feature, which is used by ASP.NET web applications to filter user input in an attempt to prevent cross-site scripting attacks. However, this set of filters can be bypassed if it is the sole mechanism used for protection by a web application. Since Nessus is unable to remotely gather enough information to determine if the ValidateRequest feature is used in an unsafe manner, this plugin will report all web servers using ASP.NET when the 'Report Paranoia' configuration setting is set to 'Paranoid (more false alarms)'. Determining if an actual security risk exists requires manual verification.
Hosts in Repository 'net_10_31_113':
  10.31.113.11 - MAC Address: 82:97:5f:32:26:04  DNS Name: exch1.acme.lab  NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
  10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2  DNS Name: exch2.corp.lab  NetBIOS Name: CORP\EXCH2

Plugin 73862 | PHP 5.4.x < 5.4.28 FPM Unix Socket Insecure Permission Escalation | Family: CGI abuses | Severity: Medium | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.28. It is, therefore, potentially affected by a permission escalation vulnerability. A flaw exists within the FastCGI Process Manager (FPM) when setting permissions for a Unix socket. This could allow a remote attacker to gain elevated privileges after gaining access to the socket. Note that this plugin has not attempted to exploit this issue, but instead relied only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap

Plugin 73338 | PHP 5.4.x < 5.4.27 awk Magic Parsing BEGIN DoS | Family: CGI abuses | Severity: Medium | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.27. It is, therefore, potentially affected by a denial of service vulnerability. A flaw exists in the awk script detector within magic/Magdir/commands where multiple wildcards with unlimited repetitions are used. This could allow a context dependent attacker to cause a denial of service with a specially crafted ASCII file. Note that this plugin has not attempted to exploit this issue, but instead relied only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap

Plugin 66585 | PHP 5.4.x < 5.4.13 Information Disclosure | Family: CGI abuses | Severity: Medium | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.13. It is, therefore, potentially affected by an information disclosure vulnerability. The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files. Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':
  10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20  DNS Name: openldap

Plugin 64993 | PHP 5.4.x < 5.4.12 Multiple Vulnerabilities | Family: CGI abuses | Severity: Medium | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.12. It is, therefore, potentially affected by the following vulnerabilities:
- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files.
(CVE-2013-1643) Note that this plugin does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported version number. Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap Plugin Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : imagemagick vulnerability (USN1544-1) 61642 Ubuntu Local Security Checks Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: Tom Lane discovered that ImageMagick would not always properly allocate memory. If a user or automated system using ImageMagick were tricked into opening a specially crafted PNG image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : python-crypto vulnerability (USN1484-1) 59783 Ubuntu Local Security Checks Description: It was discovered that PyCrypto produced inappropriate prime numbers when generating ElGamal keys. An attacker could use this flaw to facilitate brute-forcing of ElGamal encryption keys. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : raptor vulnerability (USN-1480-1) 59567 Ubuntu Local Security Checks Description: Timothy D. Morgan discovered that Raptor would unconditionally load XML external entities. If a user were tricked into opening a specially crafted document in an application linked against Raptor, an attacker could possibly obtain access to arbitrary files on the user's system or potentially execute arbitrary code with the privileges of the user invoking the program. 
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 58578: Ubuntu 11.04 / 11.10 : aptdaemon vulnerability (USN-1414-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that Aptdaemon incorrectly handled installing packages without performing a transaction simulation. An attacker could possibly use this flaw to install altered packages.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 58266: Ubuntu 11.04 / 11.10 : apt vulnerability (USN-1385-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Simon Ruderich discovered that APT incorrectly handled repositories that use InRelease files. The default Ubuntu repositories do not use InRelease files, so this issue only affected third-party repositories. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57999: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2 vulnerabilities (USN-1368-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that the Apache HTTP Server incorrectly handled the SetEnvIf .htaccess file directive. An attacker having write access to a .htaccess file may exploit this to possibly execute arbitrary code. (CVE-2011-3607) Prutha Parikh discovered that the mod_proxy module did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure.
(CVE-2011-4317) Rainer Canavan discovered that the mod_log_config module incorrectly handled a certain format string when used with a threaded MPM. A remote attacker could exploit this to cause a denial of service via a specially crafted cookie. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2012-0021) It was discovered that the Apache HTTP Server incorrectly handled certain type fields within a scoreboard shared memory segment. A local attacker could exploit this to cause a denial of service. (CVE-2012-0031) Norman Hippert discovered that the Apache HTTP Server incorrectly handled header information when returning a Bad Request (400) error page. A remote attacker could exploit this to obtain the values of certain HTTPOnly cookies. (CVE-2012-0053)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57792: Apache HTTP Server httpOnly Cookie Information Disclosure
Family: Web Servers
Severity: Medium (Total: 1)
Description: The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57790: Ubuntu 11.04 / 11.10 : usbmuxd vulnerability (USN-1354-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices.
An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the 'usbmux' user.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57763: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : software-properties vulnerability (USN-1352-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: David Black discovered that Software Properties incorrectly validated server certificates when performing secure connections to download PPA GPG key fingerprints. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to install altered package repository GPG keys.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57707: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : xorg vulnerability (USN-1349-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that the X wrapper incorrectly checked certain console permissions when launched by unprivileged users. An attacker connected remotely could use this flaw to start X, bypassing the console permissions check.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57315: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : bzip2 vulnerability (USN-1308-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: vladz discovered that executables compressed by bzexe insecurely create temporary files when they are run. A local attacker could exploit this issue to execute arbitrary code as the user running a compressed executable.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 57060: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : acpid vulnerabilities (USN-1296-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Oliver-Tobias Ripka discovered that an ACPI script incorrectly handled power button events.
A local attacker could use this to execute arbitrary code, and possibly escalate privileges. (CVE-2011-2777) Helmut Grohne and Michael Biebl discovered that ACPI scripts were executed with a permissive file mode creation mask (umask). A local attacker could read files and modify directories created by ACPI scripts that did not set a strict umask. (CVE-2011-4578)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 56680: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : empathy vulnerabilities (USN-1250-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that a cross-site scripting (XSS) vulnerability in the Adium theme allows remote attackers to inject arbitrary JavaScript or HTML via a crafted nickname in XMPP group conversations.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 55903: CGI Generic Cross-Site Scripting (extended patterns)
Family: CGI abuses : XSS
Severity: Medium (Total: 1)
Description: The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS vulnerabilities are likely to be 'non-persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 49067: CGI Generic HTML Injections (quick test)
Family: CGI abuses : XSS
Severity: Medium (Total: 1)
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript.
By leveraging this issue, an attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks:
- IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 44135: Web Server Generic Cookie Injection
Family: CGI abuses
Severity: Medium (Total: 1)
Description: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism. Please note that:
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache

Plugin 39466: CGI Generic Cross-Site Scripting (quick test)
Family: CGI abuses : XSS
Severity: Medium (Total: 1)
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 18124: phpBB <= 2.0.14 Multiple Vulnerabilities
Family: CGI abuses
Severity: Medium (Total: 1)
Description: According to its banner, the remote host is running a version of phpBB that suffers from multiple flaws:
- A BBCode Input Validation Vulnerability: The application fails to properly filter for the BBCode URL in the 'includes/bbcode.php' script. With a specially crafted URL, an attacker could cause arbitrary script code to be executed in a user's browser, possibly even to modify registry entries without the user's knowledge.
- Cross-Site Scripting Vulnerabilities: The application does not properly sanitize user-supplied input to the 'forumname' and 'forumdesc' parameters of the 'admin/admin_forums.php' script. By enticing a phpBB administrator to visit a specially crafted link, an attacker can potentially steal the admin's session cookie or perform other attacks.
- Improper Filtering of HTML Code: The application does not completely filter user-supplied input to the 'u' parameter of the 'profile.php' script or the 'highlight' parameter of the 'viewtopic.php' script.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 13840: phpBB < 2.0.10 Multiple XSS
Family: CGI abuses : XSS
Severity: Medium (Total: 1)
Description: The remote host is running a version of phpBB older than 2.0.10. phpBB contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate user-supplied input in the 'search_author' parameter. This version is also vulnerable to an HTTP response splitting attack that permits the injection of CRLF characters in the HTTP headers.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 10815: Web Server Generic XSS
Family: CGI abuses : XSS
Severity: Medium (Total: 1)
Description: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache

Plugin 8141: Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of Tomcat 6.0.x earlier than 6.0.39 are potentially affected by the following vulnerabilities:
- The version of Java used to build the application could generate Javadoc containing a frame injection error. (CVE-2013-1571)
- The fix for CVE-2005-2090 was not complete and the application does not reject requests with multiple Content-Length HTTP headers or with Content-Length HTTP headers when using chunked encoding. (CVE-2013-4286)
- The fix for CVE-2012-3544 was not complete and limits are not properly applied to chunk extensions and whitespaces in certain trailing headers. This error could allow denial of service attacks. (CVE-2013-4322)
- The application allows XML External Entity (XXE) processing that could disclose sensitive information. (CVE-2013-4590)
- An error exists related to the 'disableURLRewriting' configuration option and session IDs.
(CVE-2014-0033)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6928: PHP 5.3.x < 5.3.27 Information Disclosure
Family: Web Servers
Severity: Medium (Total: 1)
Description: PHP versions 5.3.x earlier than 5.3.23 are affected by an information disclosure vulnerability. The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
the buffer overflow error that exists in the function '_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6927: Apache 2.2.x < 2.2.25 Remote Denial of Service Vulnerability
Family: Web Servers
Severity: Medium (Total: 1)
Description: Apache versions earlier than 2.2.25 are affected by a remote denial-of-service vulnerability because the 'mod_dav.c' source file fails to properly determine whether DAV is enabled for a URI. Specifically, this issue occurs when sending a URI MERGE request handled by the 'mod_dav_svn' module with the source href pointing to a URI not configured for DAV. An attacker can exploit this issue to cause a segmentation fault.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6868: OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of OpenSSL prior to 0.9.8y are reportedly affected by the following vulnerabilities:
- An error exists related to the handling of OCSP response verification that could allow denial of service attacks.
(CVE-2013-0166)
- An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6707: PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: PHP versions 5.3.x earlier than 5.3.22 are affected by the following vulnerabilities:
- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6701: Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: The remote host is running an Apache HTTP server. Versions earlier than 2.4.4 are vulnerable to the following vulnerabilities:
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks.
(CVE-2012-4558)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6671: PHP 5.3.x < 5.3.21 cURL X.509 Certificate Domain Name Matching MiTM Weakness
Family: Web Servers
Severity: Medium (Total: 1)
Description: PHP versions 5.3.x earlier than 5.3.21 are affected by a weakness in the cURL extension that can allow SSL spoofing and man-in-the-middle attacks. When attempting to validate a certificate, the cURL library (libcurl) fails to verify that a server hostname matches a domain name in an X.509 certificate's 'Subject Common Name' (CN) or 'SubjectAltName'. Note that this plugin does not attempt to verify whether the PHP install has been built with the cURL extension but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 6062: Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Family: Web Servers
Severity: High (Total: 1)
Description: Versions of Apache 2.2 earlier than 2.2.21 are potentially affected by a denial of service vulnerability. An error exists in the mod_proxy_ajp module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when mod_proxy_ajp is used along with mod_proxy_balancer.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

CVSS 5.0 to 5.9

The Top 15 Hosts with CVSS 5.0 to 5.9 Vulnerabilities table lists the cumulative top 15 hosts with a CVSS score of 5.0 to 5.9. Each IP address is shown with its hostname (DNS), OS (OS CPE), total vulnerability count (Total), and a vulnerability bar. The vulnerability bar displays each severity separately by color: orange for medium, red for high, and purple for critical.
Top 15 Hosts with CVSS 5.0 to 5.9 Vulnerabilities

IP Address     DNS Name                    OS CPE                                                   Vulns
10.31.112.10   ubuntu                      cpe:/o:canonical:ubuntu_linux:11.04                      43
10.31.113.30   turnkey-worpress.acme.lab   cpe:/o:debian:debian_linux:7.4                           7
10.31.113.32   openldap                    cpe:/o:debian:debian_linux:7.2                           7
10.31.114.32   drupal7                     cpe:/o:debian:debian_linux:7.2                           7
10.31.114.11   exch2.corp.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   5
10.31.113.11   exch1.acme.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   4
10.31.113.10   dc1.acme.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   2
10.31.114.10   dc2.corp.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   2
10.31.114.30   asp-net-apache              cpe:/o:debian:debian_linux:7.2                           1

The Top 10 Subnets with CVSS 5.0 to 5.9 Vulnerabilities chart provides the cumulative top ten network subnets with a CVSS score of 5.0 to 5.9 by vulnerabilities. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C summary tool and a CVSS score of 5.0 to 5.9; the data is then sorted using the total vulnerability field.

Top 10 Subnets with CVSS 5.0 to 5.9 Vulnerabilities (chart)

The Top 10 Plugin Families Detecting CVSS 5.0 to 5.9 Vulnerabilities chart provides a cumulative view of the top 10 CVSS 5.0 to 5.9 vulnerabilities by plugin family. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow an efficient and accurate grouping of similar security checks, aka plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.
Top 10 Plugin Families Detecting CVSS 5.0 to 5.9 Vulnerabilities (chart)

The Details for CVSS 5.0 to 5.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The vulnerabilities are filtered by a CVSS score of 5.0 to 5.9 and sorted by total vulnerabilities. This table shows each IP address and provides information on the plugin, plugin name, plugin family, severity, and total number of vulnerabilities. It also provides a description of each vulnerability and separates the IP addresses into their respective repositories.

Details for CVSS 5.0 to 5.9 Vulnerabilities with Affected Hosts

Plugin 17704: OpenSSH S/KEY Authentication Account Enumeration
Family: Misc.
Severity: Medium (Total: 5)
Description: When OpenSSH has S/KEY authentication enabled, it is possible to determine remotely if an account configured for S/KEY authentication exists. Note that Nessus has not tried to exploit the issue, but rather only checked if OpenSSH is running on the remote host. As a result, it will not detect if the remote host has implemented a workaround.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin 46803: PHP expose_php Information Disclosure
Family: Web Servers
Severity: Medium (Total: 4)
Description: The PHP install on the remote server is configured in a way that allows disclosure of potentially sensitive information to an attacker through a special URL.
Such a URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but Nessus has not checked for them.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin 18405: Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
Family: Windows
Severity: Medium (Total: 4)
Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hard-coded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
Hosts in Repository 'net_10_31_113':
10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2 - DNS Name: dc1.acme.lab - NetBIOS Name: ACME\DC1
10.31.113.11 - MAC Address: 82:97:5f:32:26:04 - DNS Name: exch1.acme.lab - NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d - DNS Name: dc2.corp.lab - NetBIOS Name: CORP\DC2
10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 - DNS Name: exch2.corp.lab - NetBIOS Name: CORP\EXCH2

Plugin 17715: PHP ip2long Function String Validation Weakness
Family: CGI abuses
Severity: Medium (Total: 4)
Description: According to its banner, the 'ip2long()' function in the version of PHP installed on the remote host may incorrectly validate an arbitrary string and return a valid network IP address.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin 64589: Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check)
Family: Web Servers
Severity: Medium (Total: 2)
Description: The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port. This plugin does not attempt to exploit the vulnerability and only runs when 'Check for PCI-DSS compliance' is enabled in the scan policy. This plugin reports all web servers using ASP.NET 1.1.
If it cannot determine the version, it will report all web servers using ASP.NET. Manual verification is required to determine if a vulnerability is present.
Hosts in Repository 'net_10_31_113':
10.31.113.11 - MAC Address: 82:97:5f:32:26:04 - DNS Name: exch1.acme.lab - NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 - DNS Name: exch2.corp.lab - NetBIOS Name: CORP\EXCH2

Plugin 57640: Web Application Information Disclosure
Family: CGI abuses
Severity: Medium (Total: 2)
Description: At least one web application hosted on the remote web server discloses the physical path to its directories when a malformed request is sent to it. Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap

Plugin 20007: SSL Version 2 (v2) Protocol Detection
Family: Service detection
Severity: Medium (Total: 2)
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Hosts in Repository 'net_10_31_113':
10.31.113.11 - MAC Address: 82:97:5f:32:26:04 - DNS Name: exch1.acme.lab - NetBIOS Name: ACME\EXCH1
Hosts in Repository 'net_10_31_114':
10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 - DNS Name: exch2.corp.lab - NetBIOS Name: CORP\EXCH2

Plugin 12217: DNS Server Cache Snooping Remote Information Disclosure
Family: DNS
Severity: Medium (Total: 2)
Description: The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
Hosts in Repository 'net_10_31_113':
10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2 - DNS Name: dc1.acme.lab - NetBIOS Name: ACME\DC1
Hosts in Repository 'net_10_31_114':
10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d - DNS Name: dc2.corp.lab - NetBIOS Name: CORP\DC2

Plugin 71927: PHP 5.4.x < 5.4.24 Multiple Vulnerabilities
Family: CGI abuses
Severity: Medium (Total: 1)
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.24.
It is, therefore, potentially affected by the following vulnerabilities:
- A heap-based buffer overflow error exists in the file 'ext/date/lib/parse_iso_intervals.c' related to handling DateInterval objects that could allow denial of service attacks. (CVE-2013-6712)
- An integer overflow error exists in the function 'exif_process_IFD_TAG' in the file 'ext/exif/exif.c' that could allow denial of service attacks or arbitrary memory reads. (Bug #65873)
Note that this plugin does not attempt to exploit the vulnerabilities, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113':
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap

Plugin 62733: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS / 12.10 : firefox vulnerabilities (USN-1620-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Mariusz Mlynski and others discovered several flaws in Firefox that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. (CVE-2012-4194, CVE-2012-4195) Antoine Delignat-Lavaud discovered a flaw in the way Firefox handled the Location object. If a user were tricked into opening a specially crafted page, a remote attacker could exploit this to bypass security protections and perform cross-origin reading of the Location object. (CVE-2012-4196)
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 61707: Ubuntu 10.04 LTS / 11.04 / 11.10 : libgdata, evolution-data-server vulnerability (USN-1547-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Vreixo Formoso discovered that the libGData library, as used by Evolution and other applications, did not properly verify SSL certificates. A remote attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter data transmitted via the GData protocol.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 61569: Ubuntu 10.04 LTS / 11.04 / 11.10 : nss vulnerability (USN-1540-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted certificate, an attacker could possibly exploit this to cause a denial of service via application crash.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin 61485: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : expat vulnerabilities (USN-1527-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that Expat computed hash values without restricting the ability to trigger hash collisions predictably. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that Expat did not properly handle memory reallocation when processing XML files. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. This issue only affected Ubuntu 8.04 LTS, 10.04 LTS, 11.04 and 11.10. (CVE-2012-1148)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59452 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : mysql-5.1, mysql-5.5, mysqlUbuntu Local Security Checks dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1467-1) Description: It was discovered that certain builds of MySQL incorrectly handled password authentication on certain platforms. A remote attacker could use this issue to authenticate with an arbitrary password and establish a connection. (CVE-2012-2122) MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS. In addition to additional security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information : http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59364 Plugin Name Family Ubuntu 11.04 / 11.10 / 12.04 LTS : updatemanager vulnerability (USN-1443-2) Ubuntu Local Security Checks Description: USN-1443-1 fixed vulnerabilities in Update Manager. The fix for CVE-2012-0949 was discovered to be incomplete. This update fixes the problem. Felix Geyer discovered that the Update Manager Apport hook incorrectly uploaded certain system state archive files to Launchpad when reporting bugs. This could possibly result in repository credentials being included in public bug reports. (CVE-2012-0949). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 59186
Plugin Name: Ubuntu 11.04 / 11.10 / 12.04 LTS : update-manager vulnerabilities (USN-1443-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that Update Manager created system state archive files with incorrect permissions when upgrading releases. A local user could possibly use this to read repository credentials. (CVE-2012-0948) Felix Geyer discovered that the Update Manager Apport hook incorrectly uploaded certain system state archive files to Launchpad when reporting bugs. This could possibly result in repository credentials being included in public bug reports. (CVE-2012-0949)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 58974
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : libtasn1-3 vulnerability (USN-1436-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Matthew Hall discovered that Libtasn incorrectly handled certain large values. An attacker could exploit this with a specially crafted ASN.1 structure and cause a denial of service, or possibly execute arbitrary code.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 58618
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : gnutls13, gnutls26 vulnerabilities (USN-1418-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Alban Crequy discovered that the GnuTLS library incorrectly checked array bounds when copying TLS session data. A remote attacker could crash a client application, leading to a denial of service, as the client application prepared for TLS session resumption. (CVE-2011-4128) Matthew Hall discovered that the GnuTLS library incorrectly handled TLS records. A remote attacker could crash client and server applications, leading to a denial of service, by sending a crafted TLS record. (CVE-2012-1573)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 58145
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : libxml2 vulnerability (USN-1376-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Juraj Somorovsky discovered that libxml2 was vulnerable to hash table collisions. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause a denial of service.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 58144
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : python-httplib2 vulnerability (USN-1375-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: The httplib2 Python library earlier than version 0.7.0 did not perform any server certificate validation when using HTTPS connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information in applications that used the httplib2 library.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 57933
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1359-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that Tomcat incorrectly performed certain caching and recycling operations. A remote attacker could use this flaw to obtain read access to IP address and HTTP header information in certain cases. This issue only applied to Ubuntu 11.10. (CVE-2011-3375) It was discovered that Tomcat computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. A remote attacker could cause a denial of service by sending many crafted parameters. (CVE-2011-4858) It was discovered that Tomcat incorrectly handled parameters. A remote attacker could cause a denial of service by sending requests with a large number of parameters and values. (CVE-2012-0022)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 56861
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : bind9 vulnerability (USN-1264-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that Bind incorrectly handled certain specially crafted packets. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 56778
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2, apache2-mpm-itk vulnerabilities (USN-1259-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that the mod_proxy module in Apache did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. (CVE-2011-3368) Stefano Nichele discovered that the mod_proxy_ajp module in Apache when used with mod_proxy_balancer in certain configurations could allow remote attackers to cause a denial of service via a malformed HTTP request. (CVE-2011-3348) Samuel Montosa discovered that the ITK Multi-Processing Module for Apache did not properly handle certain configuration sections that specify NiceValue but not AssignUserID, preventing Apache from dropping privileges correctly. This issue only affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1176) USN-1199-1 fixed a vulnerability in the byterange filter of Apache. The upstream patch introduced a regression in Apache when handling specific byte range requests. This update fixes the issue. A flaw was discovered in the byterange filter in Apache. A remote attacker could exploit this to cause a denial of service via resource exhaustion.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 56384
Plugin Name: Ubuntu 11.04 : rsyslog vulnerability (USN-1224-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that rsyslog had an off-by-two error when parsing legacy syslog messages. An attacker could potentially exploit this to cause a denial of service via application crash.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 56206
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : cups, cupsys vulnerabilities (USN-1207-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Tomas Hoger discovered that the CUPS image library incorrectly handled LZW streams. A remote attacker could use this flaw to cause a denial of service or possibly execute arbitrary code.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 55640
Plugin Name: SQL Dump Files Disclosed via Web Server
Family: CGI abuses
Severity: Medium (Total: 1)
Description: The remote web server hosts publicly available files that contain SQL instructions.
These files are most likely database dumps and may contain sensitive information.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 45411
Plugin Name: SSL Certificate with Wrong Hostname
Family: General
Severity: Medium (Total: 1)
Description: The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap

Plugin: 44670
Plugin Name: Web Application SQL Backend Identification
Family: CGI abuses
Severity: Medium (Total: 1)
Description: At least one web application hosted on the remote web server is built on a SQL backend that Nessus was able to identify by looking at error messages. Leaking this kind of information may help an attacker fine-tune attacks against the application and its backend.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 42056
Plugin Name: CGI Generic Local File Inclusion
Family: CGI abuses
Severity: Medium (Total: 1)
Description: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a local file and disclose its content.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 17205
Plugin Name: phpBB <= 2.0.11 Multiple Vulnerabilities
Family: CGI abuses
Severity: Medium (Total: 1)
Description: The remote host is running phpBB version 2.0.11 or older. Such versions suffer from multiple vulnerabilities:
- full path display on critical messages.
- full path disclosure in username handling caused by a PHP 4.3.10 bug.
- arbitrary file disclosure vulnerability in avatar handling functions.
- arbitrary file unlink vulnerability in avatar handling functions.
- path disclosure bug in search.php caused by a PHP 4.3.10 bug.
- path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug.
The path disclosure vulnerabilities can be exploited by remote attackers to reveal sensitive information about the installation that can be used in further attacks against the target. To exploit the avatar handling vulnerabilities, 'Enable gallery avatars' must be enabled on the target (by default, it is disabled) and an attacker must have a phpBB account on the target.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 12218
Plugin Name: mDNS Detection (Remote Network)
Family: Service detection
Severity: Medium (Total: 1)
Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. This plugin attempts to discover mDNS used by hosts that are not on the network segment on which Nessus resides.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 11411
Plugin Name: Backup Files Disclosure
Family: CGI abuses
Severity: Medium (Total: 1)
Description: By appending various suffixes (i.e. .old, .bak, ~, etc.) to the names of various files on the remote host, it seems possible to retrieve their contents, which may result in disclosure of sensitive information.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 11229
Plugin Name: Web Server info.php / phpinfo.php Detection
Family: CGI abuses
Severity: Medium (Total: 1)
Description: Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file.
By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including:
- The username of the user who installed PHP and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 10678
Plugin Name: Apache mod_info /server-info Information Disclosure
Family: Web Servers
Severity: Medium (Total: 1)
Description: It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 10079
Plugin Name: Anonymous FTP Enabled
Family: FTP
Severity: Medium (Total: 1)
Description: This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 8253
Plugin Name: OpenSSL < 0.9.8za / < 1.0.0m / < 1.0.1h Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: OpenSSL before 0.9.8za, 1.0.0m, or 1.0.1h are unpatched for the following vulnerabilities:
- Potential arbitrary code execution due to a buffer overflow vulnerability when processing invalid DTLS fragments (CVE-2014-0195)
- Denial of service via a NULL pointer dereference error in the 'do_ssl3_write()' function of the 's3_pkt.c' source file (CVE-2014-0198)
- Denial of service against an OpenSSL client due to a recursion flaw in the DTLS handshake (CVE-2014-0221)
- A man-in-the-middle security bypass due to weak keying material in OpenSSL SSL/TLS clients and servers, which can be exploited via a specially crafted handshake (CVE-2014-0224)
- Denial of service that can be triggered in the case where anonymous ECDH ciphersuites are enabled in TLS clients (CVE-2014-3470)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 6400
Plugin Name: OpenSSL 0.9.8 < 0.9.8u / 1.0.0 < 1.0.0h Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: OpenSSL versions earlier than 0.9.8u and 1.0.0h are potentially affected by multiple vulnerabilities:
- A NULL pointer dereference flaw exists in mime_param_cmp. A specially crafted S/MIME input header could cause an application to crash during S/MIME message verification or decryption. (CVE-2012-1165)
- A weakness in the OpenSSL CMS and PKCS 7 code can be exploited using Bleichenbacher's attack on PKCS 1 v1.5 RSA padding. Note that only users of CMS, PKCS 7, or S/MIME decryption operations are affected.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 6018
Plugin Name: Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of Tomcat 6.x earlier than 6.0.33 are potentially affected by multiple vulnerabilities:
- An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204)
- An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO connectors are enabled. (CVE-2011-2526)
- A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when the following are true: jsvc is compiled with libpcap and the '-user' parameter is used. (CVE-2011-2729)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 5790
Plugin Name: Apache Tomcat 6.0.x < 6.0.32 Denial of Service Vulnerability
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of Tomcat 6.x earlier than 6.0.32 are potentially affected by a denial of service vulnerability because the NIO connector expands its buffer endlessly during request line processing.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 5789
Plugin Name: Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of Tomcat 6.x earlier than 6.0.30 are potentially affected by multiple vulnerabilities:
- When running under a SecurityManager it is possible for a web application to gain read/write permissions to any area on the file system. (CVE-2010-3718)
- It is possible to conduct cross-site scripting attacks via the 'sort' and 'orderBy' parameters of the Manager application. (CVE-2010-4172)
- The HTML Manager interface displays web application provided data, such as display names, without filtering. (CVE-2011-0013)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 5720
Plugin Name: OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 1)
Description: Versions of OpenSSL earlier than 0.9.8q and 1.0.0c are potentially affected by multiple vulnerabilities:
- It may be possible to downgrade the ciphersuite to a weaker version by modifying the stored session cache cipher suite.
- An error exists in the J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret.
IAVA Reference: 2011-A-0160
IAVB Reference: 2012-B-0038
STIG Finding Severity: Category I
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

CVSS 6.0 to 6.9

The Top 15 Hosts with CVSS 6.0 to 6.9 Vulnerabilities table lists the cumulative top 15 hosts with vulnerabilities scored CVSS 6.0 to 6.9. Each IP address is shown with its hostname (DNS), OS (OS CPE), total vulnerabilities (Total), and a vulnerabilities bar. The vulnerability bar displays each severity separately by color: orange for medium, red for high, and purple for critical.
Top 15 Hosts with CVSS 6.0 to 6.9 Vulnerabilities
IP Address     DNS Name                    OS CPE                                                   Score  Vulns
10.31.112.10   ubuntu                      cpe:/o:canonical:ubuntu_linux:11.04                      126    42
10.31.113.30   turnkey-worpress.acme.lab   cpe:/o:debian:debian_linux:7.4                           48     16
10.31.114.11   exch2.corp.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   42     14
10.31.114.32   drupal7                     cpe:/o:debian:debian_linux:7.2                           42     14
10.31.113.32   openldap                    cpe:/o:debian:debian_linux:7.2                           39     13
10.31.114.30   asp-net-apache              cpe:/o:debian:debian_linux:7.2                           27     9
10.31.113.11   exch1.acme.lab              cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   24     8
10.31.113.10   dc1.acme.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   6      2
10.31.114.10   dc2.corp.lab                cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise   6      2

The Top 10 Subnets with CVSS 6.0 to 6.9 Vulnerabilities chart provides the cumulative top ten network subnets with vulnerabilities scored CVSS 6.0 to 6.9. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C summary tool and a CVSS score of 6.0 to 6.9; the data is then sorted using the total vulnerability field.

Top 10 Subnets with CVSS 6.0 to 6.9 Vulnerabilities

The Top 10 Plugin Families Detecting CVSS 6.0 to 6.9 Vulnerabilities chart provides a cumulative view of the top 10 plugin families detecting vulnerabilities scored CVSS 6.0 to 6.9. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow an efficient and accurate grouping of similar security checks, aka plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.

Top 10 Plugin Families Detecting CVSS 6.0 to 6.9 Vulnerabilities

The Details for CVSS 6.0 to 6.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The vulnerabilities are filtered by a CVSS score of 6.0 to 6.9 and sorted by total vulnerabilities. The table shows each IP address with its plugin, plugin name, plugin family, severity, and total number of vulnerabilities; it also provides a description of the vulnerability and groups the IP addresses into their respective repositories.

Details for CVSS 6.0 to 6.9 Vulnerabilities with Affected Hosts

Plugin: 57582
Plugin Name: SSL Self-Signed Certificate
Family: General
Severity: Medium (Total: 8)
Description: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Hosts in Repository 'net_10_31_113':
10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2 - DNS Name: dc1.acme.lab - NetBIOS Name: ACME\DC1
10.31.113.11 - MAC Address: 82:97:5f:32:26:04 - DNS Name: exch1.acme.lab - NetBIOS Name: ACME\EXCH1
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d - DNS Name: dc2.corp.lab - NetBIOS Name: CORP\DC2
10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 - DNS Name: exch2.corp.lab - NetBIOS Name: CORP\EXCH2
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 51192
Plugin Name: SSL Certificate Cannot Be Trusted
Family: General
Severity: Medium (Total: 8)
Description: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize. If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Hosts in Repository 'net_10_31_113':
10.31.113.10 - MAC Address: d2:c1:3e:a4:72:f2 - DNS Name: dc1.acme.lab - NetBIOS Name: ACME\DC1
10.31.113.11 - MAC Address: 82:97:5f:32:26:04 - DNS Name: exch1.acme.lab - NetBIOS Name: ACME\EXCH1
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.10 - MAC Address: 8e:02:85:06:ab:4d - DNS Name: dc2.corp.lab - NetBIOS Name: CORP\DC2
10.31.114.11 - MAC Address: 0a:d9:af:9b:69:c2 - DNS Name: exch2.corp.lab - NetBIOS Name: CORP\EXCH2
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 56818
Plugin Name: CGI Generic Cross-Site Request Forgery Detection (potential)
Family: CGI abuses
Severity: Medium (Total: 5)
Description: The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The web application might be vulnerable to CSRF attacks. Note that:
- Nessus did not exploit the flaw,
- Nessus cannot identify sensitive actions -- for example, on an online bank, consulting an account is less sensitive than transferring money.
You will have to audit the source of the CGI scripts and check if they are actually affected.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 17744
Plugin Name: OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
Family: Misc.
Severity: Medium (Total: 5)
Description: According to its banner, the remote host is running OpenSSH, version 2.3.0 or later. Such versions of OpenSSH allow forwarding TCP connections. If the OpenSSH server is configured to allow anonymous connections (e.g. AnonCVS), remote, unauthenticated users could use the host as a proxy.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 17717
Plugin Name: PHP Symlink Function Race Condition open_basedir Bypass
Family: CGI abuses
Severity: Medium (Total: 4)
Description: According to its banner, the version of PHP installed on the remote host is affected by a security bypass vulnerability. A race condition exists in the symlink function that allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap
Hosts in Repository 'net_10_31_114':
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 17693
Plugin Name: Apache mod_suexec Multiple Privilege Escalation Vulnerabilities
Family: Web Servers
Severity: Medium (Total: 4)
Description: The remote host appears to be running Apache and is potentially affected by the following vulnerabilities:
- Multiple race conditions exist in suexec between the validation and usage of directories and files. Under certain conditions local users are able to escalate privileges and execute arbitrary code through the renaming of directories or symlink attacks. (CVE-2007-1741)
- Apache's suexec module only performs partial comparisons on paths, which could result in privilege escalation. (CVE-2007-1742)
- Apache's suexec module does not properly verify user and group IDs on the command line. When the '/proc' filesystem is mounted, a local user can utilize suexec to escalate privileges. (CVE-2007-1743)
Note that this plugin only checks for the presence of Apache, and does not actually check the configuration.
Hosts in Repository 'net_10_31_112':
10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu
Hosts in Repository 'net_10_31_113':
10.31.113.30 - MAC Address: 96:53:2b:7a:d9:f3 - DNS Name: turnkey-worpress.acme.lab
Hosts in Repository 'net_10_31_114':
10.31.114.30 - MAC Address: 02:f0:ab:17:b0:dc - DNS Name: asp-net-apache
10.31.114.32 - MAC Address: da:80:69:ea:1f:80 - DNS Name: drupal7

Plugin: 71427
Plugin Name: PHP 5.4.x < 5.4.23 OpenSSL openssl_x509_parse() Memory Corruption
Family: CGI abuses
Severity: Medium (Total: 1)
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.23. It is, therefore, potentially affected by a memory corruption flaw in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 - DNS Name: openldap

Plugin: 62435
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : libxslt vulnerabilities (USN-1595-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Chris Evans discovered that libxslt incorrectly handled generate-id XPath functions. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could obtain potentially sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2011-1202) It was discovered that libxslt incorrectly parsed certain patterns. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial of service. (CVE-2011-3970) Nicholas Gregoire discovered that libxslt incorrectly handled unexpected DTD nodes. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial of service. (CVE-2012-2825) Nicholas Gregoire discovered that libxslt incorrectly managed memory. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial of service. (CVE-2012-2870) Nicholas Gregoire discovered that libxslt incorrectly handled certain transforms. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial of service, or possibly execute arbitrary code. (CVE-2012-2871) Cris Neckar discovered that libxslt incorrectly managed memory. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial of service, or possibly execute arbitrary code. (CVE-2012-2893)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 62434
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : dbus regressions (USN-1576-2)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: USN-1576-1 fixed vulnerabilities in DBus. The update caused a regression for certain services launched from the activation helper, and caused an unclean shutdown on upgrade. This update fixes the problem. We apologize for the inconvenience. Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 62410
Plugin Name: Ubuntu 11.04 / 11.10 : python2.7 vulnerabilities (USN-1592-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certain circumstances. This update adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. (CVE-2012-1150)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 62388
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : eglibc, glibc vulnerabilities (USN-1589-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: It was discovered that positional arguments to the printf() family of functions were not handled properly in the GNU C Library. An attacker could possibly use this to cause a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406) It was discovered that multiple integer overflows existed in the strtod(), strtof() and strtold() functions in the GNU C Library. An attacker could possibly use this to trigger a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code. (CVE-2012-3480)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b - DNS Name: ubuntu

Plugin: 62366
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : libxml2 vulnerability (USN-1587-1)
Family: Ubuntu Local Security Checks
Severity: Medium (Total: 1)
Description: Juri Aedla discovered that libxml2 incorrectly handled certain memory operations. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / Ubuntu Local Security Checks 12.04 LTS : dbus vulnerability (USN-1576-1) 62219 Description: Sebastian Krahmer discovered that DBus incorrectly handled environment variables when running with elevated privileges. A local attacker could possibly exploit this flaw with a setuid binary and gain root privileges. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : mono vulnerabilities (USN-1517-1) 60126 Ubuntu Local Security Checks Description: It was discovered that the Mono System.Web library incorrectly filtered certain error messages related to forbidden files. If a user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-3382) It was discovered that the Mono System.Web library incorrectly handled the EnableViewStateMac property. If a user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-4159). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59395 Plugin Name Family Ubuntu 11.04 / 11.10 : ubuntu-sso-client vulnerability (USN-1464-1) Ubuntu Local Security Checks Description: It was discovered that the Ubuntu Single Sign On Client incorrectly validated server certificates when using HTTPS connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59289 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : openssl vulnerabilities (USNUbuntu Local Security Checks 1451-1) Description: Ivan Nestlerode discovered that the Cryptographic Message Syntax (CMS) CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 45 and PKCS #7 implementations in OpenSSL returned early if RSA decryption failed. This could allow an attacker to expose sensitive information via a Million Message Attack (MMA). (CVE-2012-0884) It was discovered that an integer underflow was possible when using TLS 1.1, TLS 1.2, or DTLS with CBC encryption. This could allow a remote attacker to cause a denial of service. (CVE-2012-2333). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59225 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11. 10 / 12.04 LTS : libxml2 vulnerability (USN1447-1) Ubuntu Local Security Checks Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: Juri Aedla discovered that libxml2 contained an off by one error in its XPointer functionality. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 Ubuntu Local Security Checks vulnerabilities (USN-1427-1) 58872 Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.62 in Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10. 
Ubuntu 8.04 LTS has been updated to MySQL 5.0.96. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information : http://dev.mysql.com/doc/refman/5.1/en/news-5-1-62.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-96.html Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 / 11.10 : libpng vulnerability (USN-1417-1) 58617 Ubuntu Local Security Checks Description: It was discovered that libpng incorrectly handled certain memory operations. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 58600 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 / 11.10 : tiff vulnerabilities (USN-1416-1) Ubuntu Local Security Checks Description: Alexander Gavrun discovered that the TIFF library incorrectly CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 46 allocated space for a tile. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could execute arbitrary code with user privileges, or crash the application, leading to a denial of service. (CVE-2012-1173) It was discovered that the tiffdump utility incorrectly handled directory data structures with many directory entries. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue only applied to Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2010-4665). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. Ubuntu Local Security Checks 04 / 11.10 : libpng vulnerability (USN-1402-1) 58443 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: It was discovered that libpng did not properly process compressed chunks. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 / 11.10 : update-manager regression (USN-1284-2) 57997 Ubuntu Local Security Checks Description: USN-1284-1 fixed vulnerabilities in Update Manager. One of the fixes introduced a regression for Kubuntu users attempting to upgrade to a newer Ubuntu release. This update fixes the problem. We apologize for the inconvenience. David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 57698 Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 : evince vulnerability (USN-1347-1) Ubuntu Local Security Checks Description: It was discovered that Evince did not properly parse AFM font files when processing DVI files. If a user were tricked into opening a specially crafted DVI file, an attacker could cause Evince to crash or potentially execute arbitrary code with the privileges of the user CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 47 invoking the program. In the default installation, attackers would be isolated by the Evince AppArmor profile. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : t1lib Ubuntu Local Security Checks vulnerability (USN-1316-1) 57370 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: Jonathan Brossard discovered that t1lib did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause t1lib to crash or possibly execute arbitrary code with user privileges. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : jasper vulnerabilities (USN-1315-1) 57357 Ubuntu Local Security Checks Description: Jonathan Foote discovered that JasPer incorrectly handled certain malformed JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : libarchive vulnerabilities (USN-1310-1) 57341 Ubuntu Local Security Checks Description: It was discovered that libarchive incorrectly handled certain ISO 9660 image files. If a user were tricked into using a specially crafted ISO 9660 image file, a remote attacker could cause libarchive to crash or possibly execute arbitrary code with user privileges. (CVE-2011-1777) It was discovered that libarchive incorrectly handled certain tar archive files. If a user were tricked into using a specially crafted tar file, a remote attacker could cause libarchive to crash or possibly execute arbitrary code with user privileges. (CVE-2011-1778). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 57314 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 / 11.10 : php5 vulnerability (USN-1307-1) Ubuntu Local Security Checks Description: Florent Hochwelker discovered that PHP incorrectly handled certain EXIF headers in JPEG files. A remote attacker could exploit this issue to view sensitive information or cause the PHP server to crash. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 48 Plugin Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 / 11.10 : update-manager vulnerabilities (USN-1284-1) 56971 Ubuntu Local Security Checks Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. 
(CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.10 / 11.04 / 11.10 : softwarecenter vulnerability (USN-1270-1) 56912 Ubuntu Local Security Checks Description: David B. discovered that Software Center incorrectly validated server certificates when performing secure connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information or install altered packages and repositories. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56629 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. Ubuntu Local Security Checks 04 / 11.10 : pam vulnerabilities (USN-1237-1) Description: Kees Cook discovered that the PAM pam_env module incorrectly handled certain malformed environment files. A local attacker could use this flaw to cause a denial of service, or possibly gain privileges. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2011-3148) Kees Cook discovered that the PAM pam_env module incorrectly handled variable expansion. A local attacker could use this flaw to cause a denial of service. (CVE-2011-3149) Stephane Chazelas discovered that the PAM pam_motd module incorrectly cleaned the environment during execution of the motd scripts. In certain environments, a local attacker could use this to execute arbitrary code as root, and gain privileges. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56194 Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 : librsvg vulnerability (USN-1206-1) Ubuntu Local Security Checks Description: Sauli Pahlman discovered that librsvg did not correctly handle malformed filter names. If a user or automated system were tricked into processing a specially crafted SVG image, a remote attacker could gain user privileges. CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 49 Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 26057 Plugin Name Family lighttpd mod_fastcgi HTTP Request Header Remote Overflow Web Servers Severity Total Medium 1 Severity Total Medium 1 Severity Total Medium 1 Description: The remote web server appears to be lighttpd running with the FastCGI module (mod_fastcgi). The version of that module on the remote host appears to be affected by a buffer overflow vulnerability. By sending a specially crafted request with a long header, a remote attacker may be able to exploit this issue to add or replace headers passed to PHP, such as SCRIPT_FILENAME, which in turn could result in arbitrary code execution. Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap Plugin 19782 Plugin Name Family FTP Writable Directories FTP Description: By crawling through the remote FTP server, Nessus discovered several directories were marked as being world-writable. This could have several negative impacts : * Temporary file uploads are sometimes immediately available to all anonymous users, allowing the FTP server to be used as a 'drop' point. This may facilitate trading copyrighted, pornographic or questionable material. * A user may be able to upload large files that consume disk space, resulting in a denial of service condition. * A user can upload a malicious program. 
If an administrator routinely checks the 'incoming' directory, they may load a document or run a program that exploits a vulnerability in client software. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 17301 Plugin Name Family phpBB <= 2.0.13 Multiple Vulnerabilities CGI abuses Description: According to its banner, the remote host is running a version of phpBB that suffers from multiple flaws: - A Path Disclosure Vulnerability A remote attacker can cause phpBB to reveal its installation path via a direct request to the script 'db/oracle.php'. - A Cross-Site Scripting Vulnerability The application does not properly sanitize user input before using it in 'privmsg.php' and 'viewtopic.php'. - A Privilege Escalation Vulnerability In 'session.php' phpBB resets the 'user_id' value when an autologin fails; it does not, however, reset the 'user_level' value, which remains as the account that failed the autologin. Since the software uses the 'user_level' parameter in some cases to control access to privileged functionality, this flaw CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 50 allows an attacker to view information, and possibly even perform tasks, normally limited to administrators. - SQL Injection Vulnerabilities The DLMan Pro and LinksLinks Pro mods, if installed, reportedly fail to properly sanitize user input to the 'file_id' parameter of the 'dlman.php' script and the 'id' parameter of the 'links.php' script respectively before using it in a SQL query. This may allow an attacker to pass malicious input to database queries. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family OpenSSL < 0.9.8x / < 1.0.0j / < 1.0.1c Remote Denial of Service Vulnerability 8064 Web Servers Severity Total Medium 1 Description: OpenSSL before 0.9.8x, 1.0.0.j, or 1.0.1c contains an integer underflow condition which may result in a denial of service. A remote attacker could send a specially crafted TLS request causing the affected application to crash causing denial of service to legitimate users. The integer underflow is seen in TLS 1.1, TLS 1.2, and DTLS when handling CBC mode ciphersuites. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family PHP < 5.4.16 / 5.3.26 Heap Based Buffer Overflow Vulnerability 6866 Web Servers Severity Total Medium 1 Description: PHP versions earlier than 5.4.16 and 5.3.26 are affected by a heap based buffer overflow vulnerability due to lack of user input sanitation when parsing strings. (An additional security vulnerability exists while parsing 'mimetype' for MP3 files, which can be exploited to cause a crash in version 5.4.15.) Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Apache Tomcat 6.0.x < 6.0.37 Multiple Vulnerabilities 6832 Web Servers Severity Total Medium 1 Description: Versions of Apache Tomcat earlier than 6.0.37 are potentially affected by multiple vulnerabilities : - An error exists related to chunked transfer encoding and extensions that could allow limited denial of service attacks. (CVE-2012-3544) - An error exists related to HTML form authentication and session fixation that could allow an attacker to carry out requests using a victim's credentials. 
(CVE-2013-2067) Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 6657 Plugin Name Family Apache Tomcat 6.0.x < 6.0.36 Multiple Vulnerabilities Web Servers Severity Total Medium 1 Description: Apache Tomcat versions earlier than 6.0.36 are potentially affected by multiple vulnerabilities : - A flaw exists within the parseHeaders() function that could allow for a crafted header to cause a remote denial of service. (CVE-2012-2733) - An error exists related to FORM authentication that can allow security bypass if 'j_security_check' is appended to the request. (CVE-2012-3546) - An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow access to protected resources without a session identifier. (CVE-2012-4431) - An error exists related to the 'NIO' connector when HTTPS and 'sendfile' are enabled that can force the application into an infinite loop. (CVE-2012-4534) CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 51 - Replay-countermeasure functionality in HTTP Digest Access Authentication tracks cnonce values instead of nonce values, which makes it easier for attackers to bypass access restrictions by sniffing the network for valid requests. (CVE-2012-5885) - HTTP Digest Access Authentication implementation caches information about the authenticated user, which could potentially allow an attacker to bypass authentication via session ID. (CVE-2012-5886) - HTTP Digest Access Authentication implementation does not properly check for stale nonce values with enforcement of proper credentials, which allows an attacker to bypass restrictions by sniffing requests. 
(CVE-2012-5887) Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Apache 2.2 < 2.2.23 Multiple Vulnerabilitie Web Servers s 6576 Severity Total Medium 1 Description: Apache versions earlier than 2.2.23 are affected by the following vulnerabilities. - The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883) - An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687) Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 5782 Plugin Name Family OpenSSL < 0.9.8r / 1.0.0d OCSP Stapling Denial of Service Web Servers Severity Total Medium 1 Description: Versions of OpenSSL earlier than 0.9.8r and 1.0.0d are potentially affected by a vulnerability wherein an incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message which could cause the web server to crash. There is also the potential for information disclosure if OCSP nonce extensions are used. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu CVSS 6.0 to 6.9 Qualitative Risk Analysis with CVSS Scores 52 CVSS 7.0 to 7.9 The Top 15 Host with CVSS 7.0 to 7.9 Vulnerabilities table provides cumulative top 15 hosts with a CVSS score of 7.0 to 7.9. Each IP address will have their Hostname (DNS), OS (OS CPE), the total vulnerabilities (Total), and a vulnerabilities bar. The vulnerably bar will separate display each severity by color. The different colors are orange for medium, red for high, and purple for critical. 
Top 15 Hosts with CVSS 7.0 to 7.9 Vulnerabilities

IP Address    DNS Name   OS CPE                                Score   Vulns
10.31.112.10  ubuntu     cpe:/o:canonical:ubuntu_linux:11.04   556     55 2
10.31.113.32  openldap   cpe:/o:debian:debian_linux:7.2        10      1

The Top 10 Subnets with CVSS 7.0 to 7.9 Vulnerabilities chart provides the cumulative top ten network subnets with a CVSS score of 7.0 to 7.9 by vulnerabilities. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C summary tool and a CVSS Score of 7.0 to 7.9; the data is then sorted using the total vulnerability field.

Top 10 Subnets with CVSS 7.0 to 7.9 Vulnerabilities (chart)

The Top 10 Plugin Families Detecting CVSS 7.0 to 7.9 Vulnerabilities chart provides a cumulative view of the top 10 CVSS 7.0 to 7.9 vulnerabilities by plugin family. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow an efficient and accurate grouping of similar security checks, aka plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.

Top 10 Plugin Families Detecting CVSS 7.0 to 7.9 Vulnerabilities (chart)

The Details for CVSS 7.0 to 7.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The vulnerabilities are filtered by a CVSS Score of 7.0 to 7.9 and sorted by total vulnerabilities. The table shows each IP address and provides the plugin, plugin name, plugin family, severity, and total number of vulnerabilities. It provides a description of each vulnerability and groups the IP addresses by their respective repositories.
Details for CVSS 7.0 to 7.9 Vulnerabilities with Affected Hosts Plugin 66843 Plugin Name Family PHP 5.4.x < 5.4.16 Multiple Vulnerabilities CGI abuses Severity Total High 1 Severity Total High 1 Severity Total High 1 Description: According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.16. It is, therefore, potentially affected by the following vulnerabilities: - An error exists in the mimetype detection of 'mp3' files that could lead to a denial of service. (Bug #64830) - An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879) - An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895) Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number. Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap Plugin 62495 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / Ubuntu Local Security Checks 12.04 LTS : bind9 vulnerability (USN-1601-1) Description: Jake Montgomery discovered that Bind incorrectly handled certain specific combinations of RDATA. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 62180 Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : dhcp3, isc-dhcp vulnerability (USN1571-1) Ubuntu Local Security Checks Description: Glen Eustace discovered that the DHCP server incorrectly handled IPv6 expiration times. A remote attacker could use this issue to cause DHCP to crash, resulting in a denial of service. This issue only affected Ubuntu 11.04, Ubuntu 11.10 and Ubuntu 12.04 LTS. 
(CVE-2012-3955) Dan Rosenberg discovered that the DHCP AppArmor profile could be escaped by using environment variables. This update mitigates the issue by sanitizing certain variables in the DHCP shell scripts. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu CVSS 7.0 to 7.9 Qualitative Risk Analysis with CVSS Scores 55 Plugin 62098 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : bind9 vulnerability (USN-1566- Ubuntu Local Security Checks 1) Severity Total High 1 Severity Total High 1 Severity Total High 1 Severity Total High 1 Description: It was discovered that Bind incorrectly handled certain specially crafted long resource records. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 11.04 / 11.10 / 12.04 LTS : libreoffice Ubuntu Local Security Checks vulnerability (USN-1536-1) 61525 Description: It was discovered that LibreOffice incorrectly handled certain encryption tags in Open Document Text (.odt) files. If a user were tricked into opening a specially crafted file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : bind9 vulnerability (USN-1518-1) 60136 Ubuntu Local Security Checks Description: Einar Lonn discovered that Bind incorrectly initialized the failing-query cache. A remote attacker could use this flaw to cause Bind to crash, resulting in a denial of service. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 60105 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11. 
10 / 12.04 LTS : libexif vulnerabilities (USN- Ubuntu Local Security Checks 1513-1) Description: Mateusz Jurczyk discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly obtain sensitive information. (CVE-2012-2812, CVE-2012-2813) Mateusz Jurczyk discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2012-2814) Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly obtain sensitive information. (CVE-2012-2836) Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service. (CVE-2012-2837) Dan Fandrich discovered that libexif incorrectly parsed certain CVSS 7.0 to 7.9 Qualitative Risk Analysis with CVSS Scores 56 malformed EXIF tags. If a user or automated system were tricked into processing a specially crafted image file, an attacker could cause libexif to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2012-2840, CVE-2012-2841). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59903
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages in the AIM and ICQ protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601)
Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice and video chat requests in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4602)
Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8 sequences in the SILC protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4603)
Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922)
Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled nickname changes inside chat rooms in the XMPP protocol handler. A remote attacker could exploit this by changing nicknames, leading to a denial of service. This issue only affected Ubuntu 11.10. (CVE-2011-4939)
Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178)
José Valentín Gutiérrez discovered that Pidgin incorrectly handled SOCKS5 proxy connections during file transfer requests in the XMPP protocol handler. A remote attacker could send a specially crafted request and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214)
Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2012-2318)
Ulf Härnhammar discovered that Pidgin incorrectly handled messages with in-line images in the MXit protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2012-3374)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59856
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : tiff vulnerabilities (USN-1498-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that the TIFF library incorrectly handled certain malformed TIFF images. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. (CVE-2012-2088)
It was discovered that the tiff2pdf utility incorrectly handled certain malformed TIFF images. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. (CVE-2012-2113)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59832
Plugin Name: Ubuntu 11.04 / 11.10 : libreoffice, libreoffice-l10n vulnerabilities (USN-1495-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
Integer overflows were discovered in the graphics loading code of several different image types. If a user were tricked into opening a specially crafted file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2012-1149)
Sven Jacobi discovered an integer overflow when processing Escher graphics records. If a user were tricked into opening a specially crafted PowerPoint file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2012-2334)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59603
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1481-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-0781)
It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack. (CVE-2012-1172)
Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. (CVE-2012-2143)
It was discovered that a Debian/Ubuntu specific patch caused PHP to incorrectly handle empty salt strings. A remote attacker could possibly use this flaw to bypass authentication. This issue only affected Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2012-2317)
It was discovered that PHP, when used as a stand-alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server, or to perform a denial of service. Configurations using mod_php5 and FastCGI were not vulnerable. (CVE-2012-2335, CVE-2012-2336)
Alexander Gavrun discovered that the PHP Phar extension incorrectly handled certain malformed TAR files. A remote attacker could use this flaw to perform a denial of service, or possibly execute arbitrary code. (CVE-2012-2386)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59397
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : ubuntuone-storage-protocol update (USN-1465-2)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: USN-1465-1 fixed a vulnerability in the Ubuntu One Client. This update adds a required fix to the Ubuntu One storage protocol library. It was discovered that the Ubuntu One Client incorrectly validated server certificates when using HTTPS connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59396
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : ubuntuone-client vulnerability (USN-1465-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: It was discovered that the Ubuntu One Client incorrectly validated server certificates when using HTTPS connections.
If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 59170
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : sudo vulnerability (USN-1442-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access restrictions. Host and Host_List are not used in the default installation of Ubuntu.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 58873
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 : openssl vulnerability (USN-1428-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that the fix for CVE-2012-2110 was incomplete for OpenSSL 0.9.8. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. Ubuntu 11.10 was not affected by this issue. (CVE-2012-2131)
The original upstream fix for CVE-2012-2110 would cause BUF_MEM_grow_clean() to sometimes return the wrong error condition. This update fixes the problem.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 58808
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 : openssl vulnerabilities (USN-1424-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that OpenSSL could be made to dereference a NULL pointer when processing S/MIME messages. A remote attacker could use this to cause a denial of service. These issues did not affect Ubuntu 8.04 LTS. (CVE-2006-7250, CVE-2012-1165)
Tavis Ormandy discovered that OpenSSL did not properly perform bounds checking when processing DER data via BIO or FILE functions. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. (CVE-2012-2110)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 58318
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : eglibc, glibc vulnerabilities (USN-1396-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that the GNU C Library did not properly handle integer overflows in the timezone handling code. An attacker could use this to possibly execute arbitrary code by convincing an application to load a maliciously constructed tzfile. (CVE-2009-5029)
It was discovered that the GNU C Library did not properly handle passwd.adjunct.byname map entries in the Network Information Service (NIS) code in the name service caching daemon (nscd). An attacker could use this to obtain the encrypted passwords of NIS accounts. This issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015)
Chris Evans reported that the GNU C Library did not properly calculate the amount of memory to allocate in the fnmatch() code. An attacker could use this to cause a denial of service or possibly execute arbitrary code via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1071)
Tomas Hoger reported that an additional integer overflow was possible in the GNU C Library fnmatch() code. An attacker could use this to cause a denial of service via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1659)
Dan Rosenberg discovered that the addmntent() function in the GNU C Library did not report an error status for failed attempts to write to the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab, possibly causing a denial of service or otherwise manipulating mount options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089)
Harald van Dijk discovered that the locale program included with the GNU C library did not properly quote its output. This could allow a local attacker to possibly execute arbitrary code using a crafted localization string that was evaluated in a shell script. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1095)
It was discovered that the GNU C library loader expanded the $ORIGIN dynamic string token when RPATH is composed entirely of this token. This could allow an attacker to gain privilege via a setuid program that had this RPATH value. (CVE-2011-1658)
It was discovered that the GNU C library implementation of memcpy optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3) contained a possible integer overflow. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702)
John Zimmerman discovered that the Remote Procedure Call (RPC) implementation in the GNU C Library did not properly handle large numbers of connections. This could allow a remote attacker to cause a denial of service. (CVE-2011-4609)
It was discovered that the GNU C Library vfprintf() implementation contained a possible integer overflow in the format string protection code offered by FORTIFY_SOURCE. An attacker could use this flaw in conjunction with a format string vulnerability to bypass the format string protection and possibly execute arbitrary code. (CVE-2012-0864)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 58301
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : python-pam vulnerability (USN-1395-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: Markus Vervier discovered that PyPAM incorrectly handled passwords containing NULL bytes. An attacker could exploit this to cause applications using PyPAM to crash, or possibly execute arbitrary code.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 58034
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerability (USN-1367-2)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: USN-1367-1 fixed vulnerabilities in libpng. This provides the corresponding update for Firefox. Jueri Aedla discovered that libpng did not properly verify the size used when allocating memory during chunk decompression. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program. (CVE-2011-3026)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57998
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : libpng vulnerabilities (USN-1367-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that libpng did not properly verify the embedded profile length of iCCP chunks. An attacker could exploit this to cause a denial of service via application crash. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-5063)
Jueri Aedla discovered that libpng did not properly verify the size used when allocating memory during chunk decompression. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program. (CVE-2011-3026)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57934
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerability (USN-1360-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: Andrew McCreight and Olli Pettay discovered a use-after-free vulnerability in the XBL bindings. An attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0452)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57932
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 regression (USN-1358-2)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
USN-1358-1 fixed multiple vulnerabilities in PHP. The fix for CVE-2012-0831 introduced a regression where the state of the magic_quotes_gpc setting was not correctly reflected when calling the ini_get() function. We apologize for the inconvenience.
It was discovered that PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by limiting the number of external input variables to 1000. This may be increased by adding a 'max_input_vars' directive to the php.ini configuration file. See http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars for more information.
Stefan Esser discovered that the fix to address the predictable hash collision issue, CVE-2011-4885, did not properly handle the situation where the limit was reached. This could allow a remote attacker to cause a denial of service or execute arbitrary code via a request containing a large number of variables. (CVE-2012-0830)
It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service. (CVE-2011-4153)
It was discovered that PHP did not properly enforce libxslt security settings. This could allow a remote attacker to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension. (CVE-2012-0057)
It was discovered that PHP did not properly enforce that PDORow objects could not be serialized or saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)
It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent an SQL injection. (CVE-2012-0831)
USN-1126-1 addressed an issue where the /etc/cron.d/php5 cron job for PHP allowed local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. Emese Revfy discovered that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This update corrects the issue. We apologize for the error. (CVE-2011-0441)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57888
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 vulnerabilities (USN-1358-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters. (CVE-2011-4885)
ATTENTION: this update changes previous PHP behavior by limiting the number of external input variables to 1000. This may be increased by adding a 'max_input_vars' directive to the php.ini configuration file. See http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars for more information.
Stefan Esser discovered that the fix to address the predictable hash collision issue, CVE-2011-4885, did not properly handle the situation where the limit was reached. This could allow a remote attacker to cause a denial of service or execute arbitrary code via a request containing a large number of variables. (CVE-2012-0830)
It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service. (CVE-2011-4153)
It was discovered that PHP did not properly enforce libxslt security settings. This could allow a remote attacker to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension. (CVE-2012-0057)
It was discovered that PHP did not properly enforce that PDORow objects could not be serialized or saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)
It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent an SQL injection. (CVE-2012-0831)
USN-1126-1 addressed an issue where the /etc/cron.d/php5 cron job for PHP allowed local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. Emese Revfy discovered that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This update corrects the issue. We apologize for the error. (CVE-2011-0441)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57706
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : icu vulnerability (USN-1348-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: It was discovered that ICU did not properly handle invalid locale data during Unicode conversion. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57689
Plugin Name: Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: Dan Fandrich discovered that curl incorrectly handled URLs containing embedded or percent-encoded control characters. If a user or automated system were tricked into processing a specially crafted URL, arbitrary data could be injected.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57616
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : t1lib vulnerabilities (USN-1335-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
Jon Larimer discovered that t1lib did not properly parse AFM fonts. If a user were tricked into using a specially crafted font file, a remote attacker could cause t1lib to crash or possibly execute arbitrary code with user privileges. (CVE-2010-2642, CVE-2011-0433)
Jonathan Brossard discovered that t1lib did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause t1lib to crash. (CVE-2011-1552, CVE-2011-1553, CVE-2011-1554)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 57038
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : vsftpd vulnerability (USN-1288-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: It was discovered that the 2.6.35 and earlier Linux kernel does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) in applications that require a separate namespace per connection, like vsftpd. This update adjusts vsftpd to only use network namespaces on kernels that are known not to be affected.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 56868
Plugin Name: Ubuntu 11.04 / 11.10 : system-config-printer vulnerability (USN-1265-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description: Marc Deslauriers discovered that system-config-printer's cupshelpers scripts used by the Ubuntu automatic printer driver download service queried the OpenPrinting database using an insecure connection. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to install altered packages and repositories.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 56746
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1252-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that Tomcat incorrectly implemented HTTP DIGEST authentication. An attacker could use this flaw to perform a variety of authentication attacks. (CVE-2011-1184)
Polina Genova discovered that Tomcat incorrectly created log entries with passwords when encountering errors during JMX user creation. A local attacker could possibly use this flaw to obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-2204)
It was discovered that Tomcat incorrectly validated certain request attributes when sendfile is enabled. A local attacker could bypass intended restrictions, or cause the JVM to crash, resulting in a denial of service. (CVE-2011-2526)
It was discovered that Tomcat incorrectly handled certain AJP requests. A remote attacker could use this flaw to spoof requests, bypass authentication, and obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-3190)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 56554
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 vulnerabilities (USN-1231-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
Mateusz Kocielski, Marek Kroemeke and Filip Palian discovered that a stack-based buffer overflow existed in the socket_connect function's handling of long pathnames for AF_UNIX sockets. A remote attacker might be able to exploit this to execute arbitrary code; however, the default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1938)
Krzysztof Kotowicz discovered that the PHP post handler function does not properly restrict filenames in multipart/form-data POST requests. This may allow remote attackers to conduct absolute path traversal attacks and possibly create or overwrite arbitrary files. This issue affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-2202)
It was discovered that the crypt function for blowfish does not properly handle 8-bit characters. This could make it easier for an attacker to discover a cleartext password containing an 8-bit character that has a matching blowfish crypt value. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-2483)
It was discovered that PHP did not properly check the return values of the malloc(3), calloc(3) and realloc(3) library functions in multiple locations. This could allow an attacker to cause a denial of service via a NULL pointer dereference or possibly execute arbitrary code. This issue affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-3182)
Maksymilian Arciemowicz discovered that PHP did not properly implement the error_log function. This could allow an attacker to cause a denial of service via an application crash. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. (CVE-2011-3267)
Maksymilian Arciemowicz discovered that the ZipArchive functions addGlob() and addPattern() did not properly check their flag arguments. This could allow a malicious script author to cause a denial of service via application crash. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. (CVE-2011-1657)
It was discovered that the Zend opcode parser in PHP could be interrupted while handling the shift-left, shift-right, and bitwise-xor opcodes. This could allow a malicious script author to expose memory contents. This issue affected Ubuntu 10.04 LTS. (CVE-2010-1914)
It was discovered that the strrchr function in PHP could be interrupted by a malicious script, allowing the exposure of memory contents. This issue affected Ubuntu 8.04 LTS. (CVE-2010-2484)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin 56256
Plugin Name: Ubuntu 11.04 : linux vulnerabilities (USN-1211-1)
Family: Ubuntu Local Security Checks
Severity: High, Total: 1
Description:
It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)
Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)
Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)
It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492)
It was discovered that GFS2 did not correctly check block sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2689)
Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699)
The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)
A flaw was found in the Linux kernel's /proc/*/*map* interface. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-3637)
Ben Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4914)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56048 Plugin Name Family Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11. 04 : apache2 vulnerability (USN-1199-1) Ubuntu Local Security Checks Severity Total High 1 Severity Total High 1 Severity Total High 1 Severity Total High 1 Description: A flaw was discovered in the byterange filter in Apache. A remote attacker could exploit this to cause a denial of service via resource exhaustion. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 55976 Plugin Name Family Apache HTTP Server Byte Range DoS Web Servers Description: The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 26925 Plugin Name Family VNC Server Unauthenticated Access Misc. Description: The VNC server installed on the remote host allows an attacker to connect to the remote host as no authentication is required to access this service. ** The VNC server sometimes sends the connected user to the XDM login ** screen. Unfortunately, Nessus cannot identify this situation. ** In such a case, it is not possible to go further without valid ** credentials and this alert may be ignored. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 15780 Plugin Name Family phpBB viewtopic.php highlight Parameter SQL Injection CGI abuses Description: The remote host is running phpBB. 
There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands in the login form. An attacker could exploit this flaw to bypass the authentication of the remote host or execute arbitrary SQL statements against the remote database.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 13655 | Plugin Name: phpBB < 2.0.9 Multiple Vulnerabilities | Family: CGI abuses
(Severity / Total cells for the five entries on this page, plugins 13655, 11938, 11767, 11139 and 6995: High 1, High 1, High 1, High 1, Medium 1.)
Description: The remote host is running a version of phpBB older than 2.0.9. There is a flaw in the remote software that may allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host or to obtain the MD5 hash of the password of any user. One vulnerability is reported to exist in 'admin_board.php'. The other pertains to improper characters in the session id variable.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 11938 | Plugin Name: phpBB < 2.0.7 Multiple Script SQL Injection | Family: CGI abuses
Description: The remote host is running a version of phpBB older than 2.0.7. There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host or to obtain the MD5 hash of the password of any user.
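The phpBB findings above and the generic CGI SQL injection check (plugin 11139) report the same bug class: user input concatenated into a SQL statement. The following example is added here and is not phpBB's or Nessus's code. It shows a login query built the vulnerable way beside a parameterized one, the classic `admin' --` input that bypasses the first but not the second, and the error-based probe a scanner uses: a lone quote that provokes a database error where a correct endpoint answers with a normal login failure. An in-memory SQLite table stands in for the forum's MySQL user table; the table layout, user and password are constructed for the example.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for a forum user table: one admin with an MD5 password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_md5 TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.md5(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string interpolation: whatever the user types becomes SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_md5 = '%s'"
           % (username, hashlib.md5(password.encode()).hexdigest()))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password_md5 = ?"
    return conn.execute(sql, (username, hashlib.md5(password.encode()).hexdigest())).fetchone()


def sqli_error_probe(login_fn, conn):
    """What an error-based scanner check does: send a lone quote and see whether
    the backend raises a database error instead of a normal 'login failed'.
    Returns the error text if the endpoint looks injectable, else None."""
    try:
        login_fn(conn, "'", "probe")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def demo():
    conn = make_db()
    bypass = "admin' --"   # the '--' comments out the password check in the interpolated query
    return {
        "legit_safe": login_safe(conn, "admin", "correct horse"),
        "bypass_vulnerable": login_vulnerable(conn, bypass, "wrong"),
        "bypass_safe": login_safe(conn, bypass, "wrong"),
        "probe_vulnerable": sqli_error_probe(login_vulnerable, conn) is not None,
        "probe_safe": sqli_error_probe(login_safe, conn) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %r" % (name, value))
```

The probe only detects the error-based case; a query that swallows database errors is still injectable, which is why the fix is the bound parameters in `login_safe`, not better error handling.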
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 11767 | Plugin Name: phpBB viewtopic.php topic_id Parameter SQL Injection | Family: CGI abuses
Description: There is a flaw in the version of phpBB hosted on the remote web server that may allow anyone to inject arbitrary SQL commands, which could in turn be used to gain administrative access on the remote host or to obtain the MD5 hash of the password of any user.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 11139 | Plugin Name: CGI Generic SQL Injection | Family: CGI abuses
Description: By providing specially crafted parameters to CGIs, Nessus was able to get an error from the underlying database. This error suggests that the CGI is affected by a SQL injection vulnerability. An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6995 | Plugin Name: PHP < 5.3.11 Multiple Vulnerabilities | Family: Web Servers
Description: PHP versions earlier than 5.3.11 are affected by the following vulnerabilities:
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty of SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR.
(Bug #60227 / CVE-2011-1398)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6332 | Plugin Name: Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: Versions of Apache Tomcat 6.0.x earlier than 6.0.35 are potentially affected by multiple vulnerabilities:
- Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to authentication bypass and disclosure of sensitive information. Note that this vulnerability only occurs when both of the following are true: the org.apache.jk.server.JkCoyoteHandler AJP connector is not used, and POST requests are accepted. (CVE-2011-3190)
- Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6263 | Plugin Name: PHP < 5.3.9 Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: Versions of PHP earlier than 5.3.9 are potentially affected by multiple vulnerabilities:
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution.
(CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to make the application dereference a null pointer and crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6129 | Plugin Name: OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: Versions of OpenSSL 0.9.8 earlier than 0.9.8s, and 1.0.0 earlier than 1.0.0f, are potentially affected by the following vulnerabilities:
- An extension of the Vaudenay padding oracle attack exists against CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. (CVE-2011-4108)
- If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. (CVE-2011-4109)
- OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0 records. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. (CVE-2011-4576)
- RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. (CVE-2011-4577)
- Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. (CVE-2011-4619)
- A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to a lack of error checking.
(CVE-2012-0027)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6021 | Plugin Name: Apache 2.2 < 2.2.20 Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: Versions of Apache 2.2 earlier than 2.2.20 are potentially affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this flaw to make the system unresponsive.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6017 | Plugin Name: PHP 5.3.7 crypt() MD5 Incorrect Return Value | Family: Web Servers | Severity: High | Total: 1
Description: PHP version 5.3.7 contains a bug in the crypt() function when generating salted MD5 hashes. The function returns only the salt rather than the salt and hash. Any authentication mechanism that uses crypt() could authorize all authentication attempts due to this bug.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6015 | Plugin Name: PHP 5.3 < 5.3.7 Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: Versions of PHP 5.3 earlier than 5.3.7 are potentially affected by multiple vulnerabilities:
- A stack buffer overflow exists in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability exists in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability exists in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences exist.
- An unspecified crash exists in error_log().
- A buffer overflow vulnerability exists in crypt().
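The Apache byte-range denial of service (plugins 55976 and 6021 above) is worth understanding at the header level, because the mitigation lives in front of httpd as much as in the patch: an unpatched server builds an output bucket for every range in a single request, so cost grows with the number of ranges rather than the size of the file, and a header listing hundreds of overlapping ranges exhausts memory. The example below is added here and is not Apache's or Nessus's code. It implements the two checks a reverse proxy or WAF can apply before the request reaches httpd: the cap on the number of ranges that Apache's interim advice expressed as `SetEnvIf Range (?:,.*?){5,5} bad-range=1`, and rejection of byte-range sets that are syntactically invalid or overlap, which RFC 2616 and RFC 7233 allow a server to ignore and which a legitimate client never sends. The sample headers are constructed; the long one only mimics the shape of the public exploit.

```python
import re

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header, content_length):
    """Resolve a Range header into absolute, inclusive (first, last) pairs.
    Returns None when the byte-range set is not valid, which is the case in
    which the RFCs tell a server to ignore the header and serve the whole body."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                                  # suffix range "-N": the last N bytes
            n = int(last)
            if n == 0:
                return None
            pair = (max(0, content_length - n), content_length - 1)
        else:
            lo = int(first)
            hi = int(last) if last else content_length - 1
            if lo > hi or lo >= content_length:          # first > last is syntactically invalid
                return None
            pair = (lo, min(hi, content_length - 1))
        ranges.append(pair)
    return ranges


def triage_range_header(header, content_length, max_ranges=5):
    """Decide whether to honour a Range header.
    Returns ("accept", number_of_ranges) or ("reject", reason)."""
    ranges = parse_ranges(header, content_length)
    if ranges is None:
        return ("reject", "malformed or unsatisfiable byte-range set")
    if len(ranges) > max_ranges:
        return ("reject", "%d ranges exceeds limit of %d" % (len(ranges), max_ranges))
    ordered = sorted(ranges)
    for (a_lo, a_hi), (b_lo, b_hi) in zip(ordered, ordered[1:]):
        if b_lo <= a_hi:                                 # overlap: the attack's signature
            return ("reject", "overlapping ranges %d-%d and %d-%d" % (a_lo, a_hi, b_lo, b_hi))
    return ("accept", len(ranges))


# Constructed headers: an open-ended range followed by hundreds of tiny specs
# (the shape of the public exploit), a valid but overlapping pair, and a set
# that is valid and non-overlapping but far too long.
KILLAPACHE_STYLE = "bytes=0-," + ",".join("5-%d" % i for i in range(1300))
OVERLAPPING = "bytes=0-499,100-599"
MANY_VALID = "bytes=" + ",".join("%d-%d" % (i * 10, i * 10 + 9) for i in range(50))


def demo(content_length=100_000):
    return {
        "resume": triage_range_header("bytes=5000-", content_length),
        "two_parts": triage_range_header("bytes=0-499,500-999", content_length),
        "suffix": triage_range_header("bytes=-500", content_length),
        "killapache": triage_range_header(KILLAPACHE_STYLE, content_length),
        "overlap": triage_range_header(OVERLAPPING, content_length),
        "many": triage_range_header(MANY_VALID, content_length),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict))
```

Rejecting here means dropping the Range header and serving the full response, not refusing the request; that keeps resumable downloads working for well-behaved clients while removing the amplification the exploit depends on.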
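The PHP 5.3.7 crypt() entry (plugin 6017) describes a failure mode that is easy to miss in code review: if crypt() returns only the salt, a password stored during that window is just "$1$salt$", and any later verification that compares crypt(candidate, stored) with stored succeeds for every candidate, because the broken function returns the salt again. The example below is added here and is not PHP's or any project's code. It shows the naive comparison that authorizes everything, a fail-closed verifier that refuses salt-only or malformed MD5-crypt strings and checks crypt()'s own output before comparing, and an audit over a user table for records written while the bug was live. Both crypt functions are constructed stand-ins: one reproduces the 5.3.7 behaviour, the other only mimics the "$1$salt$hash" output shape and is not the real md5crypt algorithm.

```python
import hashlib
import hmac
import re

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# A complete MD5-crypt string: "$1$" + up to 8 salt characters + "$" + 22 hash characters.
MD5_CRYPT_FULL = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def salt_of(setting):
    """Salt from a "$1$salt$..." setting or stored hash."""
    return setting.split("$")[2]


def crypt_stand_in(password, setting):
    """Constructed stand-in for a working crypt() with an MD5 setting.
    Not the md5crypt algorithm; it only produces the "$1$salt$<22 chars>" shape."""
    salt = salt_of(setting)
    n = int.from_bytes(hashlib.md5((salt + password).encode()).digest(), "big")
    out = ""
    for _ in range(22):
        out = ALPHABET[n & 63] + out
        n >>= 6
    return "$1$%s$%s" % (salt, out)


def crypt_php_5_3_7(password, setting):
    """Constructed model of the 5.3.7 bug: the salt comes back, the hash does not."""
    return "$1$%s$" % salt_of(setting)


def verify_naive(stored, candidate, crypt_fn):
    """The comparison found in many login handlers. With a salt-only stored value
    and a broken crypt(), this is True for every candidate."""
    return crypt_fn(candidate, stored) == stored


def verify_fail_closed(stored, candidate, crypt_fn):
    """Refuse anything that is not a complete hash, on both sides of the compare."""
    if not MD5_CRYPT_FULL.match(stored):
        return False                       # salt-only or malformed record
    computed = crypt_fn(candidate, stored)
    if not MD5_CRYPT_FULL.match(computed):
        return False                       # crypt() itself is misbehaving: fail closed
    return hmac.compare_digest(computed, stored)


def audit_salt_only(rows):
    """Usernames whose stored value is not a complete hash; those accounts need a reset."""
    return [user for user, stored in rows if not MD5_CRYPT_FULL.match(stored)]


def demo():
    setting = "$1$ab3dEf9x$"                               # constructed 8-character salt
    good = crypt_stand_in("correct horse", setting)
    broken = crypt_php_5_3_7("correct horse", setting)     # what 5.3.7 would have stored
    rows = [("alice", good), ("bob", broken)]              # constructed user table
    return {
        "good_ok": verify_fail_closed(good, "correct horse", crypt_stand_in),
        "good_wrong": verify_fail_closed(good, "wrong", crypt_stand_in),
        "naive_bypass": verify_naive(broken, "anything at all", crypt_php_5_3_7),
        "closed_bypass": verify_fail_closed(broken, "anything at all", crypt_php_5_3_7),
        "audit": audit_salt_only(rows),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %r" % (name, value))
```

The output-shape check in `verify_fail_closed` is the general lesson: a password verifier should never trust that its hash primitive worked, and a stored credential that does not parse as a complete hash must fail authentication rather than pass it.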
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 5824 | Plugin Name: PHP 5.3 < 5.3.6 String To Double Conversion DoS | Family: Web Servers | Severity: High | Total: 1
Description: Versions of PHP 5.3 earlier than 5.3.6 are potentially affected by multiple vulnerabilities:
- An error exists in the function '_zip_name_locate()' in the file 'ext/zip/lib/zip_name_locate.c' which allows a NULL pointer to be dereferenced when processing an empty archive. (CVE-2011-0421)
- A variable casting error in the Exif extension's C function 'exif_process_IFD_TAG()' in the file 'ext/exif/exif.c' could allow arbitrary code execution. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read' in the file 'ext/shmop/shmop.c'. (CVE-2011-1092)
- An error exists in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter, which could lead to information disclosure or memory corruption when handling PHP archives. (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' in the file 'main/snprintf.c' when the PHP configuration setting for 'precision' is set to a large value. (Bug 54055)
- An unspecified error exists in the security enforcement regarding the parsing of the FastCGI protocol with the 'FastCGI Process Manager' (FPM) SAPI.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

CVSS 8.0 to 8.9

The Top 15 Hosts with CVSS 8.0 to 8.9 Vulnerabilities table provides the cumulative top 15 hosts with a CVSS score of 8.0 to 8.9. Each IP address is listed with its Hostname (DNS), OS (OS CPE), the total vulnerabilities (Total), and a vulnerabilities bar. The vulnerability bar displays each severity separately by color.
The different colors are orange for medium, red for high, and purple for critical.

Top 15 Hosts with CVSS 8.0 to 8.9 Vulnerabilities
IP Address: 10.31.112.10 | DNS Name: ubuntu | OS CPE: cpe:/o:canonical:ubuntu_linux:11.04 | Score: 90 | Vulns: 9

The Top 10 Subnets with CVSS 8.0 to 8.9 Vulnerabilities chart provides the cumulative top ten network subnets with a CVSS score of 8.0 to 8.9 by vulnerabilities. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C summary tool and a CVSS score of 8.0 to 8.9; the data is then sorted using the total vulnerability field.

Chart: Top 10 Subnets with CVSS 8.0 to 8.9 Vulnerabilities

The Top 10 Plugin Families Detecting CVSS 8.0 to 8.9 Vulnerabilities chart provides a cumulative view of the top 10 CVSS 8.0 to 8.9 vulnerabilities by plugin family. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow an efficient and accurate grouping of similar security checks, also known as plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.

Chart: Top 10 Plugin Families Detecting CVSS 8.0 to 8.9 Vulnerabilities

The Details for CVSS 8.0 to 8.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The table filters by a CVSS score of 8.0 to 8.9 and sorts by total vulnerabilities. For each IP address it shows the plugin ID, plugin name, plugin family, severity, and total number of vulnerabilities, provides a description of the vulnerability, and groups the IP addresses by their respective repositories.
Details for CVSS 8.0 to 8.9 Vulnerabilities with Affected Hosts

Plugin 59386 | Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : bind9 vulnerabilities (USN-1462-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: Dan Luther discovered that Bind incorrectly handled zero length rdata fields. A remote attacker could use this flaw to cause Bind to crash or behave erratically, resulting in a denial of service. (CVE-2012-1667)
It was discovered that Bind incorrectly handled revoked domain names. A remote attacker could use this flaw to cause malicious domain names to be continuously resolvable even after they have been revoked. (CVE-2012-1033)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 58325 | Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 vulnerabilities (USN-1397-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.61 in Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.95. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 56555 | Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : xorg-server vulnerabilities (USN-1232-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: It was discovered that the X server incorrectly handled certain malformed input.
An authorized attacker could exploit this to cause the X server to crash, leading to a denial of service, or possibly execute arbitrary code with root privileges. This issue only affected Ubuntu 10.04 LTS and 10.10. (CVE-2010-4818)
It was discovered that the X server incorrectly handled certain malformed input. An authorized attacker could exploit this to cause the X server to crash, leading to a denial of service, or possibly read arbitrary data from the X server process. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-4819)
Vladz discovered that the X server incorrectly handled lock files. A local attacker could use this flaw to determine whether a file existed or not. (CVE-2011-4028)
Vladz discovered that the X server incorrectly handled setting lock file permissions. A local attacker could use this flaw to gain read permissions on arbitrary files and view sensitive information. (CVE-2011-4029)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6993 | Plugin Name: PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution | Family: Web Servers | Severity: High | Total: 1
Description: PHP versions earlier than 5.3.12 / 5.4.2 are affected by the following vulnerability. An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments, including switches such as '-s', '-d', and '-c'. Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration. (CVE-2012-1823)
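The php-cgi query string bug (plugins 6993, 6495 and 6494) leaves a distinctive trace in web server logs. The web server passes a query string that contains no '=' to the CGI program as command-line arguments, as the CGI specification allows, and vulnerable php-cgi then parsed those arguments as its own switches; the public exploits therefore percent-encode the '=' in `-d allow_url_include=1` as `%3d` so that the raw query string still has none. The example below is added here and is not PHP's or Nessus's code. It scans Apache combined-format access log lines for that pattern, checking the raw query for a literal '=' first and decoding afterwards, exactly the order in which the server and php-cgi see the data. The log lines are constructed for the example and the client addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format; only the fields the detector needs are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def php_cgi_argv(target):
    """Return the argv php-cgi would have received for this request target,
    or [] when the query string could not have been treated as arguments.

    A query string containing '=' is never passed as argv, so that check runs on
    the raw (still encoded) query; the decoding comes second because '%3d' passes
    the raw check and only becomes '=' afterwards."""
    if "?" not in target:
        return []
    raw_query = target.split("?", 1)[1]
    if "=" in raw_query:
        return []
    argv = unquote_plus(raw_query).split()          # '+' separates arguments in a CGI query
    return argv if any(tok.startswith("-") for tok in argv) else []


def scan_access_log(lines):
    """Return (client ip, method, target, argv) for every request that would have
    reached php-cgi as a list of switches."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        argv = php_cgi_argv(m["target"])
        if argv:
            findings.append((m["ip"], m["method"], m["target"], argv))
    return findings


# Constructed sample: source disclosure with -s, the auto_prepend_file pattern
# with an encoded '=', and two benign requests that share the surface shape.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2012:13:55:36 +0000] "GET /index.php?-s HTTP/1.1" 200 2391',
    '203.0.113.7 - - [10/May/2012:13:55:40 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/May/2012:13:56:01 +0000] "GET /index.php?page=-s HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/May/2012:13:56:05 +0000] "GET /search.php?kernel HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for ip, method, target, argv in scan_access_log(SAMPLE_LOG):
        print("%s %s %s -> php-cgi argv %r" % (ip, method, target, argv))
```

Because the detector decodes before inspecting tokens, percent-encoded switches such as `%2ds` and leading whitespace variants are reported the same way as the plain `?-s` form; on a host where PHP runs under mod_php rather than CGI, a hit still indicates an attempt, not a compromise.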
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6495 | Plugin Name: PHP 5.4.x < 5.4.3 Multiple Vulnerabilities | Family: Web Servers | Severity: High | Total: 1
Description: PHP versions earlier than 5.4.3 are affected by the following vulnerabilities:
- The fix for CVE-2012-1823 does not completely correct the CGI query parameter vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible. Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration. (CVE-2012-2311, CVE-2012-2335, CVE-2012-2336)
- An unspecified buffer overflow exists related to the function 'apache_request_headers'. (CVE-2012-2329)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 6494 | Plugin Name: PHP 5.3.x < 5.3.13 CGI Query String Code Execution | Family: Web Servers | Severity: High | Total: 1
Description: PHP versions earlier than 5.3.13 are affected by a code execution vulnerability. The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible. Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

CVSS 9.0 to 9.9

The Top 15 Hosts with CVSS 9.0 to 9.9 Vulnerabilities table provides the cumulative top 15 hosts with a CVSS score of 9.0 to 9.9. Each IP address is listed with its Hostname (DNS), OS (OS CPE), the total vulnerabilities (Total), and a vulnerabilities bar. The vulnerability bar displays each severity separately by color.
The different colors are orange for medium, red for high, and purple for critical.

Top 15 Hosts with CVSS 9.0 to 9.9 Vulnerabilities
IP Address: 10.31.112.10 | DNS Name: ubuntu | OS CPE: cpe:/o:canonical:ubuntu_linux:11.04 | Score: 80 | Vulns: 8
IP Address: 10.31.113.32 | DNS Name: openldap | OS CPE: cpe:/o:debian:debian_linux:7.2 | Score: 30 | Vulns: 3

The Top 10 Subnets with CVSS 9.0 to 9.9 Vulnerabilities chart provides the cumulative top ten network subnets with a CVSS score of 9.0 to 9.9 by vulnerabilities. Each bar represents the total vulnerability count for each subnet. The chart is filtered using the Class C summary tool and a CVSS score of 9.0 to 9.9; the data is then sorted using the total vulnerability field.

Chart: Top 10 Subnets with CVSS 9.0 to 9.9 Vulnerabilities

The Top 10 Plugin Families Detecting CVSS 9.0 to 9.9 Vulnerabilities chart provides a cumulative view of the top 10 CVSS 9.0 to 9.9 vulnerabilities by plugin family. This pie chart is sorted and displayed by total number of vulnerabilities. Plugin families are designed to allow an efficient and accurate grouping of similar security checks, also known as plugins. Grouping plugins into families allows the vulnerability administrator to quickly enable or disable a large group of plugins that are relevant to the target being scanned or unnecessary for a given host.

Chart: Top 10 Plugin Families Detecting CVSS 9.0 to 9.9 Vulnerabilities

The Details for CVSS 9.0 to 9.9 Vulnerabilities with Affected Hosts table provides a detailed list of vulnerabilities along with the affected hosts. The table filters by a CVSS score of 9.0 to 9.9 and sorts by total vulnerabilities. For each IP address it shows the plugin ID, plugin name, plugin family, severity, and total number of vulnerabilities, provides a description of the vulnerability, and groups the IP addresses by their respective repositories.
Details for CVSS 9.0 to 9.9 Vulnerabilities with Affected Hosts

Plugin 72881 | Plugin Name: PHP 5.4.x < 5.4.26 Multiple Vulnerabilities | Family: CGI abuses | Severity: High | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.26. It is, therefore, potentially affected by the following vulnerabilities:
- An error exists related to the Fileinfo extension and the bundled libmagic library that could allow denial of service attacks. (CVE-2014-1943)
- An error exists related to the Fileinfo extension and the process of analyzing Portable Executable (PE) format files that could allow denial of service attacks or possibly arbitrary code execution. (CVE-2014-2270)
Note that this plugin does not attempt to exploit the vulnerabilities, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20, DNS Name: openldap

Plugin 69401 | Plugin Name: PHP 5.4.x < 5.4.18 Multiple Vulnerabilities | Family: CGI abuses | Severity: High | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.18. It is, therefore, potentially affected by the following vulnerabilities:
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
- An error exists related to certificate validation, the 'subjectAltName' field and certificates containing NULL bytes. This error can allow spoofing attacks. (CVE-2013-4248)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20, DNS Name: openldap

Plugin 67260 | Plugin Name: PHP 5.4.x < 5.4.17 Buffer Overflow | Family: CGI abuses | Severity: High | Total: 1
Description: According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.17. It is, therefore, potentially affected by a buffer overflow error that exists in the function '_pdo_pgsql_error' in the file 'ext/pdo_pgsql/pgsql_driver.c'. Note that this plugin does not attempt to exploit this vulnerability, but instead relies only on PHP's self-reported version number.
Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20, DNS Name: openldap

Plugin 59957 | Plugin Name: Ubuntu 10.04 LTS / 11.04 : qt4-x11 vulnerabilities (USN-1504-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: It was discovered that Qt did not properly handle wildcard domain names or IP addresses in the Common Name field of X.509 certificates. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-5076)
A heap-based buffer overflow was discovered in the HarfBuzz module. If a user were tricked into opening a crafted font file in a Qt application, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-3193)
It was discovered that Qt did not properly handle greyscale TIFF images. If a Qt application could be made to process a crafted TIFF file, an attacker could cause a denial of service. (CVE-2011-3194)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 58964 | Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : imagemagick vulnerabilities (USN-1435-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick incorrectly handled certain ResolutionUnit tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-0247, CVE-2012-1185)
Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick incorrectly handled certain IFD structures. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. (CVE-2012-0248, CVE-2012-1186)
Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that ImageMagick incorrectly handled certain JPEG EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. (CVE-2012-0259)
It was discovered that ImageMagick incorrectly handled certain JPEG EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-1610)
Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that ImageMagick incorrectly handled certain TIFF EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-1798)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 58807 | Plugin Name: Ubuntu 11.04 : gsettings-desktop-schemas regression (USN-1400-5) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: USN-1400-1 fixed vulnerabilities in Firefox. Firefox 11 started using GSettings to access the system proxy settings. If there is a GSettings proxy settings schema, Firefox will consume it. The GSettings proxy settings schema that was shipped by default was unused by other applications and broke Firefox's ability to use system proxy settings. This update removes the unused schema. We apologize for the inconvenience.
Soroush Dalili discovered that Firefox did not adequately protect against dropping JavaScript links onto a frame. A remote attacker could, through cross-site scripting (XSS), exploit this to modify the contents or steal confidential data. (CVE-2012-0455)
Atte Kettunen discovered a use-after-free vulnerability in Firefox's handling of SVG animations. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2012-0457)
Atte Kettunen discovered an out of bounds read vulnerability in Firefox's handling of SVG Filters. An attacker could potentially exploit this to make data from the user's memory accessible to the page content. (CVE-2012-0456)
Mike Brooks discovered that using carriage return line feed (CRLF) injection, one could introduce a new Content Security Policy (CSP) rule which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
(CVE-2012-0451)
Mariusz Mlynski discovered that the Home button accepted JavaScript links to set the browser Home page. An attacker could use this vulnerability to get the script URL loaded in the privileged about:sessionrestore context. (CVE-2012-0458)
Daniel Glazman discovered that the Cascading Style Sheets (CSS) implementation is vulnerable to crashing due to modification of a keyframe followed by access to the cssText of the keyframe. If the user were tricked into opening a specially crafted web page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0459)
Matt Brubeck discovered that Firefox did not properly restrict access to the window.fullScreen object. If the user were tricked into opening a specially crafted web page, an attacker could potentially use this vulnerability to spoof the user interface. (CVE-2012-0460)
Bob Clary, Christian Holler, Jesse Ruderman, Michael Bebenita, David Anderson, Jeff Walden, Vincenzo Iozzo, and Willem Pinckaers discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 58384 | Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : ubufox update (USN-1400-2) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: USN-1400-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox.
Soroush Dalili discovered that Firefox did not adequately protect against dropping JavaScript links onto a frame.
A remote attacker could, through cross-site scripting (XSS), exploit this to modify the contents or steal confidential data. (CVE-2012-0455)
Atte Kettunen discovered a use-after-free vulnerability in Firefox's handling of SVG animations. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2012-0457)
Atte Kettunen discovered an out of bounds read vulnerability in Firefox's handling of SVG Filters. An attacker could potentially exploit this to make data from the user's memory accessible to the page content. (CVE-2012-0456)
Mike Brooks discovered that using carriage return line feed (CRLF) injection, one could introduce a new Content Security Policy (CSP) rule which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0451)
Mariusz Mlynski discovered that the Home button accepted JavaScript links to set the browser Home page. An attacker could use this vulnerability to get the script URL loaded in the privileged about:sessionrestore context. (CVE-2012-0458)
Daniel Glazman discovered that the Cascading Style Sheets (CSS) implementation is vulnerable to crashing due to modification of a keyframe followed by access to the cssText of the keyframe. If the user were tricked into opening a specially crafted web page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0459)
Matt Brubeck discovered that Firefox did not properly restrict access to the window.fullScreen object. If the user were tricked into opening a specially crafted web page, an attacker could potentially use this vulnerability to spoof the user interface.
(CVE-2012-0460)
Bob Clary, Christian Holler, Jesse Ruderman, Michael Bebenita, David Anderson, Jeff Walden, Vincenzo Iozzo, and Willem Pinckaers discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b, DNS Name: ubuntu

Plugin 58383 | Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerabilities (USN-1400-1) | Family: Ubuntu Local Security Checks | Severity: High | Total: 1
Description: Soroush Dalili discovered that Firefox did not adequately protect against dropping JavaScript links onto a frame. A remote attacker could, through cross-site scripting (XSS), exploit this to modify the contents or steal confidential data. (CVE-2012-0455)
Atte Kettunen discovered a use-after-free vulnerability in Firefox's handling of SVG animations. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2012-0457)
Atte Kettunen discovered an out of bounds read vulnerability in Firefox's handling of SVG Filters. An attacker could potentially exploit this to make data from the user's memory accessible to the page content. (CVE-2012-0456)
Mike Brooks discovered that using carriage return line feed (CRLF) injection, one could introduce a new Content Security Policy (CSP) rule which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.
(CVE-2012-0451) Mariusz Mlynski discovered that the Home button accepted JavaScript links to set the browser Home page. An attacker could use this vulnerability to get the script URL loaded in the privileged about:sessionrestore context. (CVE-2012-0458) Daniel Glazman discovered that the Cascading Style Sheets (CSS) implementation is vulnerable to crashing due to modification of a keyframe followed by access to the cssText of the keyframe. If the user were tricked into opening a specially crafted web page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0459) Matt Brubeck discovered that Firefox did not properly restrict access to the window.fullScreen object. If the user were tricked into opening a specially crafted web page, an attacker could potentially use this vulnerability to spoof the user interface. (CVE-2012-0460) Bob Clary, Christian Holler, Jesse Ruderman, Michael Bebenita, David Anderson, Jeff Walden, Vincenzo Iozzo, and Willem Pinckaers discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 57887
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : openssl vulnerabilities (USN-1357-1)
Family: Ubuntu Local Security Checks
Description: It was discovered that the elliptic curve cryptography (ECC) subsystem in OpenSSL, when using the Elliptic Curve Digital Signature Algorithm (ECDSA) for the ECDHE_ECDSA cipher suite, did not properly implement curves over binary fields.
This could allow an attacker to determine private keys via a timing attack. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1945) Adam Langley discovered that the ephemeral Elliptic Curve Diffie-Hellman (ECDH) functionality in OpenSSL did not ensure thread safety while processing handshake messages from clients. This could allow a remote attacker to cause a denial of service via out-of-order messages that violate the TLS protocol. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-3210) Nadhem Alfardan and Kenny Paterson discovered that the Datagram Transport Layer Security (DTLS) implementation in OpenSSL performed a MAC check only if certain padding is valid. This could allow a remote attacker to recover plaintext. (CVE-2011-4108) Antonio Martin discovered that a flaw existed in the fix to address CVE-2011-4108, the DTLS MAC check failure. This could allow a remote attacker to cause a denial of service. (CVE-2012-0050) Ben Laurie discovered a double free vulnerability in OpenSSL that could be triggered when the X509_V_FLAG_POLICY_CHECK flag is enabled. This could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-4109) It was discovered that OpenSSL, in certain circumstances involving ECDH or ECDHE cipher suites, used an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves. This could allow a remote attacker to obtain the private key of a TLS server via multiple handshake attempts. This issue only affected Ubuntu 8.04 LTS. (CVE-2011-4354) Adam Langley discovered that the SSL 3.0 implementation in OpenSSL did not properly initialize data structures for block cipher padding. This could allow a remote attacker to obtain sensitive information. 
(CVE-2011-4576) Andrew Chi discovered that OpenSSL, when RFC 3779 support is enabled, could trigger an assert when handling an X.509 certificate containing certificate-extension data associated with IP address blocks or Autonomous System (AS) identifiers. This could allow a remote attacker to cause a denial of service. (CVE-2011-4577) Adam Langley discovered that the Server Gated Cryptography (SGC) implementation in OpenSSL did not properly handle handshake restarts. This could allow a remote attacker to cause a denial of service. (CVE-2011-4619) Andrey Kulikov discovered that the GOST block cipher engine in OpenSSL did not properly handle invalid parameters. This could allow a remote attacker to cause a denial of service via crafted data from a TLS client. This issue only affected Ubuntu 11.10. (CVE-2012-0027).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 57615
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : libxml2 vulnerabilities (USN-1334-1)
Family: Ubuntu Local Security Checks
Severity: High
Total: 1
Description: It was discovered that libxml2 contained an off by one error. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-0216) It was discovered that libxml2 is vulnerable to double-free conditions when parsing certain XML documents. This could allow a remote attacker to cause a denial of service. (CVE-2011-2821, CVE-2011-2834) It was discovered that libxml2 did not properly detect end of file when parsing certain XML documents. An attacker could exploit this to crash applications linked against libxml2. (CVE-2011-3905) It was discovered that libxml2 did not properly decode entity references with long names.
If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-3919).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 56870
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : freetype vulnerabilities (USN-1267-1)
Family: Ubuntu Local Security Checks
Severity: High
Total: 1
Description: It was discovered that FreeType did not correctly handle certain malformed Type 1 font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2011-3256) It was discovered that FreeType did not correctly handle certain malformed CID-keyed PostScript font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2011-3439).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

CVSS 10.0 to 10.0

The Top 15 Hosts with CVSS 10.0 Vulnerabilities table lists the top 15 hosts that have vulnerabilities with a CVSS score of 10.0. Each row shows the IP address, its hostname (DNS Name), operating system (OS CPE), score (Score), total vulnerabilities (Total), and a vulnerabilities bar. The bar displays each severity in its own color: orange for medium, red for high, and purple for critical.
Top 15 Hosts with CVSS 10.0 Vulnerabilities

IP Address     DNS Name   OS CPE                                Score   Vulns
10.31.112.10   ubuntu     cpe:/o:canonical:ubuntu_linux:11.04   1180    28 6
10.31.113.32   openldap   cpe:/o:debian:debian_linux:7.2        40      1

The Top 10 Subnets with CVSS 10.0 Vulnerabilities chart shows the ten network subnets with the most vulnerabilities that have a CVSS score of 10.0. Each bar represents the total vulnerability count for one subnet. The chart is built with the Class C summary tool and a CVSS Score filter of 10.0; the data is then sorted by the total vulnerability field.

Top 10 Subnets with CVSS 10.0 Vulnerabilities

The Top 10 Plugin Families Detecting CVSS 10.0 Vulnerabilities chart gives a cumulative view of the CVSS 10.0 vulnerabilities by plugin family, as a pie chart sorted by total number of vulnerabilities. Plugin families group similar security checks (plugins) so that the vulnerability administrator can quickly enable or disable a large set of plugins that are relevant to the target being scanned, or unnecessary for a given host.

Top 10 Plugin Families Detecting CVSS 10.0 Vulnerabilities

The Details for CVSS 10.0 Vulnerabilities with Affected Hosts table lists each vulnerability together with the hosts it affects. The table is filtered by a CVSS Score of 10.0 and sorted by total vulnerabilities. For each vulnerability it shows the plugin ID, plugin name, plugin family, severity, and total number of vulnerabilities, followed by the description and the affected IP addresses grouped by repository.
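The host, subnet and plugin-family summaries described above can be rebuilt from raw scan findings. The Python below is an added example, not code from this SecurityCenter report or from Tenable. It assumes a simple finding record (IP, DNS name, plugin ID, plugin name, family, severity, CVSS base score), treats the Class C summary as grouping by the /24 that contains each IP, and assumes severity weights of Critical 40, High 10, Medium 3 and Low 1 for the Score column; the report never states how Score is computed, so that weighting is an assumption. The sample findings are constructed, modelled on the two hosts in the tables above; the plugin IDs and names come from this report, the counts do not. The `cvss_bucket` helper maps a base score to the qualitative ranges the report uses as section headings.

```python
"""Rebuild the CVSS 10.0 summaries (top hosts, top /24 subnets, top plugin
families) from scan findings. Added example; not the report's own code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed severity weights for the host "Score" column. The report does not
# state how Score is computed, so treat these as an assumption.
SEVERITY_WEIGHT = {"Critical": 40, "High": 10, "Medium": 3, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    """One plugin hit on one host, as exported from a vulnerability scanner."""
    ip: str
    dns_name: str
    plugin_id: int
    plugin_name: str
    family: str
    severity: str
    cvss: float  # CVSS v2 base score, 0.0 to 10.0


# Constructed sample findings modelled on the two hosts in the report.
# Plugin IDs and names are taken from the report; the per-host counts are not.
SAMPLE = [
    Finding("10.31.112.10", "ubuntu", 62709,
            "Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS / 12.10 : openjdk-6, "
            "openjdk-7 vulnerabilities (USN-1619-1)",
            "Ubuntu Local Security Checks", "Critical", 10.0),
    Finding("10.31.112.10", "ubuntu", 62515,
            "Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox "
            "vulnerabilities (USN-1608-1)",
            "Ubuntu Local Security Checks", "Critical", 10.0),
    Finding("10.31.112.10", "ubuntu", 57887,
            "Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : openssl "
            "vulnerabilities (USN-1357-1)",
            "Ubuntu Local Security Checks", "High", 9.3),
    Finding("10.31.113.32", "openldap", 60086,
            "PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow",
            "CGI abuses", "Critical", 10.0),
    # Hypothetical finding (constructed) so the CVSS filter has something to drop.
    Finding("10.31.113.32", "openldap", 99999,
            "Hypothetical medium-severity check (constructed)",
            "Web Servers", "Medium", 5.0),
]


def cvss_bucket(score: float) -> str:
    """Map a base score to the qualitative range used for the report's
    section headings: "4.0 to 4.9" ... "9.0 to 9.9", "10.0 to 10.0"."""
    if score >= 10.0:
        return "10.0 to 10.0"
    if score < 4.0:
        return "below 4.0"  # the report does not break out scores under 4.0
    low = int(score)
    return f"{low}.0 to {low}.9"


def with_cvss(findings, score: float):
    """The report's 'CVSS Score = 10.0' filter, generalised to any exact score."""
    return [f for f in findings if f.cvss == score]


def top_hosts(findings, score=10.0, limit=15):
    """Top hosts table: per-host severity counts, total, and weighted Score."""
    per_host = defaultdict(Counter)
    for f in with_cvss(findings, score):
        per_host[(f.ip, f.dns_name)][f.severity] += 1
    rows = []
    for (ip, dns), counts in per_host.items():
        rows.append({
            "ip": ip,
            "dns_name": dns,
            "total": sum(counts.values()),
            "score": sum(SEVERITY_WEIGHT[s] * n for s, n in counts.items()),
            "by_severity": dict(counts),
        })
    # Highest score first; IP as a stable tie-breaker.
    rows.sort(key=lambda r: (-r["score"], r["ip"]))
    return rows[:limit]


def top_subnets(findings, score=10.0, limit=10):
    """Top subnets chart: Class C summary = group by the /24 holding each IP."""
    subnets = Counter(
        str(ipaddress.ip_network(f"{f.ip}/24", strict=False))
        for f in with_cvss(findings, score)
    )
    return subnets.most_common(limit)


def top_families(findings, score=10.0, limit=10):
    """Top plugin families chart: count of matching findings per family."""
    return Counter(f.family for f in with_cvss(findings, score)).most_common(limit)


if __name__ == "__main__":
    for row in top_hosts(SAMPLE):
        print(f"{row['ip']:<14} {row['dns_name']:<10} score={row['score']:<5} "
              f"total={row['total']} {row['by_severity']}")
    print(top_subnets(SAMPLE))
    print(top_families(SAMPLE))
```

Feeding a real export through the same functions reproduces the three views in this section: `top_hosts` is the host table, `top_subnets` the Class C bar chart, and `top_families` the plugin-family pie chart. Changing the `score` argument (or replacing `with_cvss` with a range check built on `cvss_bucket`) gives the equivalent tables for the 9.0 to 9.9 and lower sections.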
Details for CVSS 10.0 Vulnerabilities with Affected Hosts

Plugin: 62709
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1619-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: Several information disclosure vulnerabilities were discovered in the OpenJDK JRE. (CVE-2012-3216, CVE-2012-5069, CVE-2012-5072, CVE-2012-5075, CVE-2012-5077, CVE-2012-5085) Vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. (CVE-2012-4416, CVE-2012-5071) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to cause a denial of service. (CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-5068, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5089) Information disclosure vulnerabilities were discovered in the OpenJDK JRE. These issues only affected Ubuntu 12.10. (CVE-2012-5067, CVE-2012-5070) Vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2012-5073, CVE-2012-5079) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. This issue only affected Ubuntu 12.10. (CVE-2012-5074) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to cause a denial of service. These issues only affected Ubuntu 12.10. (CVE-2012-5076, CVE-2012-5087, CVE-2012-5088) A denial of service vulnerability was found in OpenJDK. (CVE-2012-5081) Please see the following for more information: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html.
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 62515
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1608-1)
Family: Ubuntu Local Security Checks
Description: It was discovered that the browser engine used in Firefox contained a memory corruption flaw. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-4191) It was discovered that Firefox allowed improper access to the Location object. An attacker could exploit this to obtain sensitive information. (CVE-2012-4192).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 62476
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1600-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Firefox. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989) David Bloom and Jordi Chancel discovered that Firefox did not always properly handle the <select> element. A remote attacker could exploit this to conduct URL spoofing and clickjacking attacks. (CVE-2012-3984) Collin Jackson discovered that Firefox did not properly follow the HTML5 specification for document.domain behavior. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution.
(CVE-2012-3985) Johnny Stenback discovered that Firefox did not properly perform security checks on test methods for DOMWindowUtils. (CVE-2012-3986) Alice White discovered that the security checks for GetProperty could be bypassed when using JSAPI. If a user were tricked into opening a specially crafted web page, a remote attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2012-3991) Mariusz Mlynski discovered a history state error in Firefox. A remote attacker could exploit this to spoof the location property to inject script or intercept posted data. (CVE-2012-3992) Mariusz Mlynski and others discovered several flaws in Firefox that allowed a remote attacker to conduct cross-site scripting (XSS) attacks. (CVE-2012-3993, CVE-2012-3994, CVE-2012-4184) Abhishek Arya, Atte Kettunen and others discovered several memory flaws in Firefox when using the Address Sanitizer tool. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 62178
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : php5 vulnerabilities (USN-1569-1)
Family: Ubuntu Local Security Checks
Description: It was discovered that PHP incorrectly handled certain character sequences when applying HTTP response-splitting protection. A remote attacker could create a specially-crafted URL and inject arbitrary headers. (CVE-2011-1398, CVE-2012-4388) It was discovered that PHP incorrectly handled directories with a large number of files.
This could allow a remote attacker to execute arbitrary code with the privileges of the web server, or to perform a denial of service. (CVE-2012-2688) It was discovered that PHP incorrectly parsed certain PDO prepared statements. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-3450).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 62062
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox regression (USN-1548-2)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: USN-1548-1 fixed vulnerabilities in Firefox. The new package caused a regression in Private Browsing which could leak sites visited to the browser cache. This update fixes the problem. Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel Holbert discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1970, CVE-2012-1971) Abhishek Arya discovered multiple use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964) Mariusz Mlynski discovered that it is possible to shadow the location object using Object.defineProperty. This could potentially result in a cross-site scripting (XSS) attack against plugins.
With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents or steal confidential data within the same domain. (CVE-2012-1956) Mariusz Mlynski discovered an escalation of privilege vulnerability through about:newtab. This could possibly lead to code execution with the privileges of the user invoking Firefox. (CVE-2012-3965) Frédéric Hoguin discovered that bitmap format images with a negative height could potentially result in memory corruption. If the user were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3966) It was discovered that Firefox's WebGL implementation was vulnerable to multiple memory safety issues. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3967, CVE-2012-3968) Arthur Gerkis discovered multiple memory safety issues in Firefox's Scalable Vector Graphics (SVG) implementation. If the user were tricked into opening a specially crafted image, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3969, CVE-2012-3970) Christoph Diehl discovered multiple memory safety issues in the bundled Graphite 2 library. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-3971) Nicolas Grégoire discovered an out-of-bounds read in the format-number feature of XSLT. This could potentially cause inaccurate formatting of numbers and information leakage. (CVE-2012-3972) Mark Goodwin discovered that under certain circumstances, Firefox's developer tools could allow remote debugging even when disabled. (CVE-2012-3973) It was discovered that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and potentially be combined with other attacks to become exploitable. (CVE-2012-3975) Mark Poticha discovered that under certain circumstances incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This could potentially be used for phishing attacks. (CVE-2012-3976) It was discovered that, in some instances, certain security checks in the location object could be bypassed. This could allow for the loading of restricted content and can potentially be combined with other issues to become exploitable. (CVE-2012-3978) Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3980). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 61773
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : openjdk-6 vulnerabilities (USN-1553-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: It was discovered that the Beans component in OpenJDK 6 did not properly prevent access to restricted classes. A remote attacker could use this to create an untrusted Java applet or application that would bypass Java sandbox restrictions. (CVE-2012-1682) It was discovered that functionality in the AWT component in OpenJDK 6 made it easier for a remote attacker, in conjunction with other vulnerabilities, to bypass Java sandbox restrictions. (CVE-2012-0547).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 61730
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1548-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel Holbert discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1970, CVE-2012-1971) Abhishek Arya discovered multiple use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964) Mariusz Mlynski discovered that it is possible to shadow the location object using Object.defineProperty. This could potentially result in a cross-site scripting (XSS) attack against plugins. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents or steal confidential data within the same domain. (CVE-2012-1956) Mariusz Mlynski discovered an escalation of privilege vulnerability through about:newtab. This could possibly lead to code execution with the privileges of the user invoking Firefox. (CVE-2012-3965) Frédéric Hoguin discovered that bitmap format images with a negative height could potentially result in memory corruption. If the user were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3966) It was discovered that Firefox's WebGL implementation was vulnerable to multiple memory safety issues. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3967, CVE-2012-3968) Arthur Gerkis discovered multiple memory safety issues in Firefox's Scalable Vector Graphics (SVG) implementation. If the user were tricked into opening a specially crafted image, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-3969, CVE-2012-3970) Christoph Diehl discovered multiple memory safety issues in the bundled Graphite 2 library. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3971) Nicolas Grégoire discovered an out-of-bounds read in the format-number feature of XSLT. This could potentially cause inaccurate formatting of numbers and information leakage. (CVE-2012-3972) Mark Goodwin discovered that under certain circumstances, Firefox's developer tools could allow remote debugging even when disabled. (CVE-2012-3973) It was discovered that when the DOMParser is used to parse text/html data in a Firefox extension, linked resources within this HTML data will be loaded. If the data being parsed in the extension is untrusted, it could lead to information leakage and potentially be combined with other attacks to become exploitable. (CVE-2012-3975) Mark Poticha discovered that under certain circumstances incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This could potentially be used for phishing attacks. (CVE-2012-3976) It was discovered that, in some instances, certain security checks in the location object could be bypassed. This could allow for the loading of restricted content and can potentially be combined with other issues to become exploitable. (CVE-2012-3978) Colby Russell discovered that eval in the web console can execute injected code with chrome privileges, leading to the running of malicious code in a privileged context.
If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-3980).

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 60086
Plugin Name: PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow
Family: CGI abuses
Severity: Critical
Total: 1
Description: According to its banner, the version of PHP installed on the remote host is 5.4.x earlier than 5.4.5, and is, therefore, potentially affected by an unspecified overflow vulnerability in the function '_php_stream_scandir' in the file 'main/streams/streams.c'.

Hosts in Repository 'net_10_31_113': 10.31.113.32 - MAC Address: b6:3c:8a:3d:0e:20 DNS Name: openldap

Plugin: 60013
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : ubufox update (USN-1509-2)
Family: Ubuntu Local Security Checks
Description: USN-1509-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox. Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949) Mario Gomes discovered that the address bar may be incorrectly updated. Drag-and-drop events in the address bar may cause the address of the previous site to be displayed while a new page is loaded. An attacker could exploit this to conduct phishing attacks.
(CVE-2012-1950) Abhishek Arya discovered four memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955) Mario Heiderich discovered that HTML <embed> tags were not filtered out of the HTML <description> of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution in the HTML feed view. (CVE-2012-1957) Arthur Gerkis discovered a use-after-free vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1958) Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1959) Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960) Frédéric Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. 
(CVE-2012-1961) Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1962) Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) Matt McCutchen discovered a clickjacking vulnerability in the certificate warning page. A remote attacker could trick a user into accepting a malicious certificate via a crafted certificate warning page. (CVE-2012-1964) Mario Gomes and Soroush Dalili discovered that JavaScript was not filtered out of feed URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1965) A vulnerability was discovered in the context menu of data: URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966) It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1967).
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 60012
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1509-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description: Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949) Mario Gomes discovered that the address bar may be incorrectly updated. Drag-and-drop events in the address bar may cause the address of the previous site to be displayed while a new page is loaded. An attacker could exploit this to conduct phishing attacks. (CVE-2012-1950) Abhishek Arya discovered four memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954) Mariusz Mlynski discovered that the address bar may be incorrectly updated. Calls to history.forward and history.back could be used to navigate to a site while the address bar still displayed the previous site. A remote attacker could exploit this to conduct phishing attacks. (CVE-2012-1955) Mario Heiderich discovered that HTML <embed> tags were not filtered out of the HTML <description> of RSS feeds. A remote attacker could exploit this to conduct cross-site scripting (XSS) attacks via JavaScript execution in the HTML feed view. (CVE-2012-1957) Arthur Gerkis discovered a use-after-free vulnerability.
If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1958) Bobby Holley discovered that same-compartment security wrappers (SCSW) could be bypassed to allow XBL access. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 94 this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1959) Tony Payne discovered an out-of-bounds memory read in Mozilla's color management library (QCMS). If the user were tricked into opening a specially crafted color profile, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-1960) Frédéric Buclin discovered that the X-Frame-Options header was ignored when its value was specified multiple times. An attacker could exploit this to conduct clickjacking attacks. (CVE-2012-1961) Bill Keese discovered a memory corruption vulnerability. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1962) Karthikeyan Bhargavan discovered an information leakage vulnerability in the Content Security Policy (CSP) 1.0 implementation. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) Matt McCutchen discovered a clickjacking vulnerability in the certificate warning page. A remote attacker could trick a user into accepting a malicious certificate via a crafted certificate warning page. 
(CVE-2012-1964) Mario Gomes and Soroush Dalili discovered that JavaScript was not filtered out of feed URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1965) A vulnerability was discovered in the context menu of data: URLs. If the user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966) It was discovered that the execution of javascript: URLs was not properly handled in some cases. A remote attacker could exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2012-1967). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59640 Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox regressions (USN-1463-3) Ubuntu Local Security Checks Severity Total Critical 1 Description: USN-1463-1 fixed vulnerabilities in Firefox. The new package caused a regression in the rendering of Hebrew text and the ability of the Hotmail inbox to auto-update. This update fixes the problem. Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938) It was discovered that Mozilla's WebGL implementation exposed a bug in certain NVIDIA graphics drivers. The impact CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 95 of this issue has not been disclosed at this time. 
(CVE-2011-3101) Adam Barth discovered that certain inline event handlers were not being blocked properly by the Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-1944) Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba share could load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. An attacker could potentially use this vulnerability to show the contents of these linked files or directories in an iframe, resulting in information disclosure. (CVE-2012-1945) Arthur Gerkis discovered a use-after-free vulnerability while replacing/inserting a node in a document. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1946) Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-0441) Abhishek Arya discovered two buffer overflow and one use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 59394 Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1463-1) Ubuntu Local Security Checks Severity Total Critical 1 Description: Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938) It was discovered that Mozilla's WebGL implementation exposed a bug in certain NVIDIA graphics drivers. The impact of this issue has not been disclosed at this time. (CVE-2011-3101) Adam Barth discovered that certain inline event handlers were not being blocked properly by the Content Security Policy's (CSP) CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 96 inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-1944) Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba share could load Windows shortcut files (.lnk) in the same share. These shortcut files could then link to arbitrary locations on the local file system of the individual loading the HTML page. An attacker could potentially use this vulnerability to show the contents of these linked files or directories in an iframe, resulting in information disclosure. 
(CVE-2012-1945) Arthur Gerkis discovered a use-after-free vulnerability while replacing/inserting a node in a document. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1946) Kaspar Brand discovered a vulnerability in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-0441) Abhishek Arya discovered two buffer overflow and one use-after-free vulnerabilities. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 58923 Plugin Name Family Ubuntu 10.04 LTS / 11.04 / 11.10 : ubufox update (USN-1430-2) Ubuntu Local Security Checks Severity Total Critical 1 Description: USN-1430-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox. Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0467, CVE-2012-0468) Aki Helin discovered a use-after-free vulnerability in XPConnect. 
An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2012-0469) Atte Kettunen discovered that invalid frees cause heap corruption in gfxImageSurface. If a user were tricked into opening a malicious Scalable Vector Graphics (SVG) image file, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0470) CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 97 Anne van Kesteren discovered a potential cross-site scripting (XSS) vulnerability via multibyte content processing errors. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0471) Matias Juntunen discovered a vulnerability in Firefox's WebGL implementation that potentially allows the reading of illegal video memory. An attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-0473) Jordi Chancel, Eddy Bordi, and Chris McGowen discovered that Firefox allowed the address bar to display a different website than the one the user was visiting. This could potentially leave the user vulnerable to cross-site scripting (XSS) attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0474) Simone Fabiano discovered that Firefox did not always send correct origin headers when connecting to an IPv6 websites. An attacker could potentially use this to bypass intended access controls. (CVE-2012-0475) Masato Kinugawa discovered that cross-site scripting (XSS) injection is possible during the decoding of ISO-2022-KR and ISO-2022-CN character sets. 
With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0477) It was discovered that certain images rendered using WebGL could cause Firefox to crash. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0478) Mateusz Jurczyk discovered an off-by-one error in the OpenType Sanitizer. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2011-3062) Daniel Divricean discovered a defect in the error handling of JavaScript errors can potentially leak the file names and location of JavaScript files on a server. This could potentially lead to inadvertent information disclosure and a vector for further attacks. (CVE-2011-1187) Jeroen van der Gun discovered a vulnerability in the way Firefox handled RSS and Atom feeds. Invalid RSS or ATOM content loaded over HTTPS caused the location bar to be updated with the address of this content, while the main window still displays the previously loaded content. An attacker could potentially exploit this vulnerability to conduct phishing attacks. (CVE-2012-0479). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 58922
Plugin Name: Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1430-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description:

Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0467, CVE-2012-0468)

Aki Helin discovered a use-after-free vulnerability in XPConnect. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2012-0469)

Atte Kettunen discovered that invalid frees cause heap corruption in gfxImageSurface. If a user were tricked into opening a malicious Scalable Vector Graphics (SVG) image file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0470)

Anne van Kesteren discovered a potential cross-site scripting (XSS) vulnerability via multibyte content processing errors. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0471)

Matias Juntunen discovered a vulnerability in Firefox's WebGL implementation that potentially allows the reading of illegal video memory. An attacker could possibly exploit this to cause a denial of service via application crash. (CVE-2012-0473)

Jordi Chancel, Eddy Bordi, and Chris McGowen discovered that Firefox allowed the address bar to display a different website than the one the user was visiting. This could potentially leave the user vulnerable to cross-site scripting (XSS) attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0474)

Simone Fabiano discovered that Firefox did not always send correct origin headers when connecting to IPv6 websites. An attacker could potentially use this to bypass intended access controls. (CVE-2012-0475)

Masato Kinugawa discovered that cross-site scripting (XSS) injection is possible during the decoding of ISO-2022-KR and ISO-2022-CN character sets. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0477)

It was discovered that certain images rendered using WebGL could cause Firefox to crash. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0478)

Mateusz Jurczyk discovered an off-by-one error in the OpenType Sanitizer. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2011-3062)

Daniel Divricean discovered a defect in the error handling of JavaScript errors that can potentially leak the file names and location of JavaScript files on a server. This could potentially lead to inadvertent information disclosure and a vector for further attacks. (CVE-2011-1187)

Jeroen van der Gun discovered a vulnerability in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused the location bar to be updated with the address of this content, while the main window still displayed the previously loaded content. An attacker could potentially exploit this vulnerability to conduct phishing attacks. (CVE-2012-0479)

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 58444
Plugin Name: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : freetype vulnerabilities (USN-1403-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description:

Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash, and in the cases marked below possibly execute arbitrary code with user privileges. The affected font format, per CVE:

CVE-2012-1126: BDF
CVE-2012-1127: BDF
CVE-2012-1128: TrueType
CVE-2012-1129: Type42
CVE-2012-1130: PCF
CVE-2012-1131: TrueType
CVE-2012-1132: Type1
CVE-2012-1133: BDF (crash or possible arbitrary code execution)
CVE-2012-1134: Type1 (crash or possible arbitrary code execution)
CVE-2012-1135: TrueType
CVE-2012-1136: BDF (crash or possible arbitrary code execution)
CVE-2012-1137: BDF
CVE-2012-1138: TrueType
CVE-2012-1139: BDF
CVE-2012-1140: PostScript
CVE-2012-1141: BDF
CVE-2012-1142: Windows FNT/FON
CVE-2012-1143: malformed font files (format not specified in the advisory)
CVE-2012-1144: TrueType (crash or possible arbitrary code execution)

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 58130
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : openjdk-6 vulnerabilities (USN-1373-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description:

It was discovered that the Java HttpServer class did not limit the number of headers read from a HTTP request. A remote attacker could cause a denial of service by sending special requests that trigger hash collisions predictably. (CVE-2011-5035)

ATTENTION: this update changes previous Java HttpServer class behavior by limiting the number of request headers to 200. This may be increased by adjusting the sun.net.httpserver.maxReqHeaders property.

It was discovered that the Java Sound component did not properly check buffer boundaries. A remote attacker could use this to cause a denial of service or view confidential data. (CVE-2011-3563)

It was discovered that the Java2D implementation does not properly check graphics rendering objects before passing them to the native renderer. A remote attacker could use this to cause a denial of service or to bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that an off-by-one error exists in the Java ZIP file processing code. An attacker could use this to cause a denial of service through a maliciously crafted ZIP file. (CVE-2012-0501)

It was discovered that the Java AWT KeyboardFocusManager did not properly enforce keyboard focus security policy. A remote attacker could use this with an untrusted application or applet to grab keyboard focus and possibly expose confidential data. (CVE-2012-0502)

It was discovered that the Java TimeZone class did not properly enforce security policy around setting the default time zone. A remote attacker could use this with an untrusted application or applet to set a new default time zone and bypass Java sandbox restrictions. (CVE-2012-0503)

It was discovered that the Java ObjectStreamClass did not throw an accurately identifiable exception when a deserialization failure occurred. A remote attacker could use this with an untrusted application or applet to bypass Java sandbox restrictions. (CVE-2012-0505)

It was discovered that the Java CORBA implementation did not properly protect repository identifiers on certain CORBA objects. A remote attacker could use this to corrupt object data. (CVE-2012-0506)

It was discovered that the Java AtomicReferenceArray class implementation did not properly check if an array was of the expected Object[] type. A remote attacker could use this with a malicious application or applet to bypass Java sandbox restrictions. (CVE-2012-0507)

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 58069
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : libvorbis vulnerability (USN-1370-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description:

It was discovered that libvorbis did not correctly handle certain malformed ogg files. If a user were tricked into opening a specially crafted ogg file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges.

Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 57844
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerabilities (USN-1355-1)
Family: Ubuntu Local Security Checks
Severity: Critical
Total: 1
Description:

It was discovered that if a user chose to export their Firefox Sync key the 'Firefox Recovery Key.html' file is saved with incorrect permissions, making the file contents potentially readable by other users. (CVE-2012-0450)

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0449)

It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0444)

Tim Abraldes discovered that when encoding certain image types the resulting data was always a fixed size. There is the possibility of sensitive data from uninitialized memory being appended to these images. (CVE-2012-0447)

It was discovered that Firefox did not properly perform XPConnect security checks. An attacker could exploit this to conduct cross-site scripting (XSS) attacks through web pages and Firefox extensions. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0446)

It was discovered that Firefox did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2011-3659)

Alex Dvorov discovered that Firefox did not properly handle sub-frames in form submissions. An attacker could exploit this to conduct phishing attacks using HTML5 frames. (CVE-2012-0445)

Ben Hawkes, Christian Holler, Honza Bambas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, Bob Clary, and Bill McCloskey discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0442, CVE-2012-0443)
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu

Plugin: 57685
Plugin Name: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : openjdk-6, openjdk-6b18 regression (USN-1263-2)
Family: Ubuntu Local Security Checks
Description:

USN-1263-1 fixed vulnerabilities in OpenJDK 6. The upstream patch for the chosen plaintext attack on the block-wise AES encryption algorithm (CVE-2011-3389) introduced a regression that caused TLS/SSL connections to fail when using certain algorithms. This update fixes the problem. We apologize for the inconvenience.

Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377)

Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389)

It was discovered that a type confusion flaw existed in the Internet Inter-ORB Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521)

It was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544)

It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547)

It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548)

It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this to cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551)

It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet to exhaust the number of available UDP sockets and cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552)

It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553)

It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554)

It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557)

It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558)

It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560)
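The entries in this section show the shape of the triage problem a Critical-only report leaves behind: one host, a dozen Firefox and OpenJDK plugin hits, several of them companion or regression updates (USN-1463-3 beside USN-1463-1, USN-1430-2 beside USN-1430-1) that repeat the same CVE list. The following is an added example, not code from the SecurityCenter report or any Tenable tool: it pulls the CVE identifiers out of each plugin description, folds revisions of one advisory onto its base number, and reduces a host's plugin hits to the distinct CVEs they cover. The Finding type, the function names and the abridged sample records are constructed for the example.

```python
"""Triage helper for plugin findings of the kind listed in this section.
Example code written for this page; Finding, the function names and the
abridged sample records are the example's own, not SecurityCenter output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# Tolerates the missing hyphen seen in the extracted plugin name "USN1403-1".
USN_RE = re.compile(r"USN-?(\d+)-(\d+)")


@dataclass(frozen=True)
class Finding:
    plugin: int
    name: str          # plugin name; carries the USN identifier
    description: str   # advisory text; carries the CVE identifiers
    hosts: Tuple[str, ...]


def cves_in(text: str) -> List[str]:
    """Distinct CVE identifiers in an advisory text, sorted by year and number."""
    ids = set(CVE_RE.findall(text))
    return sorted(ids, key=lambda c: tuple(int(p) for p in c.split("-")[1:]))


def advisory_id(plugin_name: str) -> Optional[str]:
    """Base advisory from the plugin name: 'USN-1463-3' -> 'USN-1463'.
    The trailing revision (-2, -3) marks a regression or companion-package
    update for the same advisory, so it is dropped for grouping."""
    m = USN_RE.search(plugin_name)
    return f"USN-{m.group(1)}" if m else None


def collapse_by_advisory(findings: List[Finding]) -> Dict[str, dict]:
    """Group plugin hits that stem from one advisory; union their CVEs and hosts."""
    groups: Dict[str, dict] = defaultdict(
        lambda: {"plugins": [], "cves": set(), "hosts": set()})
    for f in findings:
        g = groups[advisory_id(f.name) or f"plugin-{f.plugin}"]
        g["plugins"].append(f.plugin)
        g["cves"].update(cves_in(f.description))
        g["hosts"].update(f.hosts)
    return dict(groups)


def host_summary(findings: List[Finding]) -> Dict[str, dict]:
    """Per host: plugin hits, distinct advisories, distinct CVEs, and the
    plugins whose description names no CVE (those need a manual lookup
    before the finding can be matched against a CVE-keyed threat feed)."""
    per_host: Dict[str, dict] = defaultdict(
        lambda: {"plugins": set(), "advisories": set(), "cves": set(), "no_cve": set()})
    for f in findings:
        cves = cves_in(f.description)
        for host in f.hosts:
            s = per_host[host]
            s["plugins"].add(f.plugin)
            s["advisories"].add(advisory_id(f.name) or f"plugin-{f.plugin}")
            s["cves"].update(cves)
            if not cves:
                s["no_cve"].add(f.plugin)
    return dict(per_host)


# Constructed sample: five records from this section, descriptions abridged
# to the sentences that carry identifiers.
HOST = ("10.31.112.10",)
SAMPLE_FINDINGS = [
    Finding(60012, "Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1509-1)",
            "... memory safety issues affecting Firefox. (CVE-2012-1948, CVE-2012-1949) "
            "... the address bar may be incorrectly updated. (CVE-2012-1950) "
            "... javascript: URLs was not properly handled in some cases. (CVE-2012-1967).", HOST),
    Finding(59640, "Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox regressions (USN-1463-3)",
            "USN-1463-1 fixed vulnerabilities in Firefox. The new package caused a regression ... "
            "(CVE-2012-1937, CVE-2012-1938) ... NVIDIA graphics drivers. (CVE-2011-3101) "
            "... inline-script blocking feature. (CVE-2012-1944)", HOST),
    Finding(59394, "Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : firefox vulnerabilities (USN-1463-1)",
            "... (CVE-2012-1937, CVE-2012-1938) ... (CVE-2011-3101) ... (CVE-2012-1944)", HOST),
    Finding(58444, "Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : freetype vulnerabilities (USN1403-1)",
            "... malformed BDF font files ... (CVE-2012-1126) ... malformed TrueType font files ... "
            "possibly execute arbitrary code with user privileges. (CVE-2012-1144).", HOST),
    Finding(58069, "Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : libvorbis vulnerability (USN-1370-1)",
            "It was discovered that libvorbis did not correctly handle certain malformed ogg files.", HOST),
]

if __name__ == "__main__":
    for adv, g in sorted(collapse_by_advisory(SAMPLE_FINDINGS).items()):
        print(f"{adv}: plugins {g['plugins']}, {len(g['cves'])} CVEs")
    for host, s in host_summary(SAMPLE_FINDINGS).items():
        print(f"{host}: {len(s['plugins'])} plugin hits -> {len(s['advisories'])} advisories, "
              f"{len(s['cves'])} distinct CVEs; no CVE in description: {sorted(s['no_cve'])}")
```

On the abridged sample the host line comes out as five plugin hits reducing to four advisories and ten distinct CVEs, with the libvorbis finding flagged because its description names no CVE at all. That last case matters for the qualitative analysis this report is built on: a Critical row with no CVE cannot be cross-referenced to a CVSS vector or a threat feed until someone looks up the advisory. Grouping by base advisory is also what keeps the regression rows (USN-1463-3, USN-1430-2) from being counted as additional exposure when they fix nothing new.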
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin Plugin Name Family Ubuntu 11.04 / 11.10 : mozvoikko, ubufox update (USN-1306-2) 57458 Ubuntu Local Security Checks Severity Total Critical 1 Severity Total Critical 1 Description: USN-1306-1 fixed vulnerabilities in Firefox. This update provides updated Mozvoikko and ubufox packages for use with Firefox 9. Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia Knous, and Rober Longson discovered several memory safety issues which could possibly be exploited to crash Firefox or execute arbitrary code as the user that invoked Firefox. (CVE-2011-3660) Aki Helin discovered a crash in the YARR regular expression library that could be triggered by JavaScript in web content. (CVE-2011-3661) It was discovered that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler. An attacker could potentially exploit this vulnerability to crash Firefox. (CVE-2011-3658) Mario Heiderich discovered it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. A malicious web page could potentially exploit this to trick a user into interacting with a prompt thinking it came from the browser in a context where the user believed scripting was disabled. (CVE-2011-3663) It was discovered that it was possible to crash Firefox when scaling an OGG <video> element to extreme sizes. (CVE-2011-3665). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 57457 Plugin Name Family Ubuntu 11.04 / 11.10 : firefox vulnerabilities (USN-1306-1) Ubuntu Local Security Checks Description: Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia Knous, and Rober Longson discovered several memory safety issues which could possibly be exploited to crash Firefox or execute arbitrary code as the user that invoked Firefox. (CVE-2011-3660) Aki Helin discovered a crash in the YARR regular expression library that could be triggered by JavaScript in web content. (CVE-2011-3661) It was discovered that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler. An attacker could potentially CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 105 exploit this vulnerability to crash Firefox. (CVE-2011-3658) Mario Heiderich discovered it was possible to use SVG animation accessKey events to detect key strokes even when JavaScript was disabled. A malicious web page could potentially exploit this to trick a user into interacting with a prompt thinking it came from the browser in a context where the user believed scripting was disabled. (CVE-2011-3663) It was discovered that it was possible to crash Firefox when scaling an OGG <video> element to extreme sizes. (CVE-2011-3665). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56945 Plugin Name Family Ubuntu 11.04 / 11.10 : mozvoikko, ubufox update (USN-1277-2) Ubuntu Local Security Checks Severity Total Critical 1 Description: USN-1277-1 fixed vulnerabilities in Firefox. This update provides updated Mozvoikko and ubufox packages for use with Firefox 8. 
Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648) Marc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs, which could potentially remotely crash the browser, resulting in a denial of service. (CVE-2011-3650) Jason Orendorff, Boris Zbarsky, Gregg Tavares, Mats Palmgren, Christian Holler, Jesse Ruderman, Simona Marcu, Bob Clary, and William McCloskey discovered multiple memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. An attacker might be able to use these flaws to execute arbitrary code with the privileges of the user invoking Firefox or possibly crash the browser resulting in a denial of service. (CVE-2011-3651) It was discovered that Firefox could be caused to crash under certain conditions, due to an unchecked allocation failure, resulting in a denial of service. It might also be possible to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3652) Aki Helin discovered that Firefox does not properly handle links from SVG mpath elements to non-SVG elements. An attacker could use this vulnerability to crash Firefox, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3654) It was discovered that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. An attacker could possibly use this to gain elevated privileges within the browser for web content. (CVE-2011-3655). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 106 Plugin 56944 Plugin Name Family Ubuntu 11.04 / 11.10 : firefox vulnerabilities (USN-1277-1) Ubuntu Local Security Checks Severity Total Critical 1 Severity Total Critical 1 Description: Yosuke Hasegawa discovered that the Mozilla browser engine mishandled invalid sequences in the Shift-JIS encoding. It may be possible to trigger this crash without the use of debugging APIs, which might allow malicious websites to exploit this vulnerability. An attacker could possibly use this flaw this to steal data or inject malicious scripts into web content. (CVE-2011-3648) Marc Schoenefeld discovered that using Firebug to profile a JavaScript file with many functions would cause Firefox to crash. An attacker might be able to exploit this without using the debugging APIs, which could potentially remotely crash the browser, resulting in a denial of service. (CVE-2011-3650) Jason Orendorff, Boris Zbarsky, Gregg Tavares, Mats Palmgren, Christian Holler, Jesse Ruderman, Simona Marcu, Bob Clary, and William McCloskey discovered multiple memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. An attacker might be able to use these flaws to execute arbitrary code with the privileges of the user invoking Firefox or possibly crash the browser resulting in a denial of service. (CVE-2011-3651) It was discovered that Firefox could be caused to crash under certain conditions, due to an unchecked allocation failure, resulting in a denial of service. It might also be possible to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3652) Aki Helin discovered that Firefox does not properly handle links from SVG mpath elements to non-SVG elements. 
An attacker could use this vulnerability to crash Firefox, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-3654) It was discovered that an internal privilege check failed to respect the NoWaiverWrappers introduced with Firefox 4. An attacker could possibly use this to gain elevated privileges within the browser for web content. (CVE-2011-3655). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56860 Plugin Name Family Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities (USN-1263-1) Ubuntu Local Security Checks Description: Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377) Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389) It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521) It was discovered that the Java scripting engine did not perform CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 107 SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544) It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. 
(CVE-2011-3547) It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548) It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551) It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552) It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553) It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554) It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557) It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558) It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560). 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56387 Plugin Name Family Ubuntu 11.04 : mozvoikko, ubufox, webfav update (USN-1222-2) Ubuntu Local Security Checks Severity Total Critical 1 Description: USN-1222-1 fixed vulnerabilities in Firefox. This update provides updated packages for use with Firefox 7. Benjamin Smedberg, Bob Clary, Jesse Ruderman, Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous discovered multiple memory vulnerabilities in the browser rendering engine. An attacker could use these to possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-2995, CVE-2011-2997) Boris Zbarsky discovered that a frame named 'location' could shadow the window.location object unless a script in a page CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 108 grabbed a reference to the true object before the frame was created. This is in violation of the Same Origin Policy. A malicious website could possibly use this to access another website or the local file system. (CVE-2011-2999) Ian Graham discovered that when multiple Location headers were present, Firefox would use the second one resulting in a possible CRLF injection attack. CRLF injection issues can result in a wide variety of attacks, such as XSS (Cross-Site Scripting) vulnerabilities, browser cache poisoning, and cookie theft. (CVE-2011-3000) Mariusz Mlynski discovered that if the user could be convinced to hold down the enter key, a malicious website could potential pop up a download dialog and the default open action would be selected or lead to the installation of an arbitrary add-on. This would result in potentially malicious content being run with privileges of the user invoking Firefox. (CVE-2011-2372, CVE-2011-3001) Michael Jordon and Ben Hawkes discovered flaws in WebGL. 
If a user were tricked into opening a malicious page, an attacker could cause the browser to crash. (CVE-2011-3002, CVE-2011-3003) It was discovered that Firefox did not properly free memory when processing ogg files. If a user were tricked into opening a malicious page, an attacker could cause the browser to crash. (CVE-2011-3005) David Rees and Aki Helin discovered a problems in the JavaScript engine. An attacker could exploit this to crash the browser or potentially escalate privileges within the browser. (CVE-2011-3232). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 56347 Plugin Name Family Ubuntu 11.04 : Firefox vulnerabilities (USNUbuntu Local Security Checks 1222-1) Severity Total Critical 1 Description: Benjamin Smedberg, Bob Clary, Jesse Ruderman, Bob Clary, Andrew McCreight, Andreas Gal, Gary Kwong, Igor Bukanov, Jason Orendorff, Jesse Ruderman, and Marcia Knous discovered multiple memory vulnerabilities in the browser rendering engine. An attacker could use these to possibly execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2011-2995, CVE-2011-2997) Boris Zbarsky discovered that a frame named 'location' could shadow the window.location object unless a script in a page grabbed a reference to the true object before the frame was created. This is in violation of the Same Origin Policy. A malicious website could possibly use this to access another website or the local file system. (CVE-2011-2999) Ian Graham discovered that when multiple Location headers were present, Firefox would use the second one resulting in a possible CRLF injection attack. CRLF injection issues can result in a wide variety of attacks, such as XSS (Cross-Site Scripting) vulnerabilities, browser cache poisoning, and cookie theft. 
(CVE-2011-3000) Mariusz Mlynski discovered that if the user could be convinced to hold down the enter key, a malicious website could potential pop up a download dialog and the default open action would be selected or lead to the installation of an arbitrary add-on. This would result in CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 109 potentially malicious content being run with privileges of the user invoking Firefox. (CVE-2011-2372, CVE-2011-3001) Michael Jordon and Ben Hawkes discovered flaws in WebGL. If a user were tricked into opening a malicious page, an attacker could cause the browser to crash. (CVE-2011-3002, CVE-2011-3003) It was discovered that Firefox did not properly free memory when processing ogg files. If a user were tricked into opening a malicious page, an attacker could cause the browser to crash. (CVE-2011-3005) David Rees and Aki Helin discovered a problems in the JavaScript engine. An attacker could exploit this to crash the browser or potentially escalate privileges within the browser. (CVE-2011-3232). Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 33850 Plugin Name Family Unsupported Unix Operating System General Severity Total Critical 1 Severity Total Critical 1 Severity Total High 1 Description: According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 23968 Plugin Name Family phpBB < 2.0.22 Multiple Vulnerabilities CGI abuses Description: The version of phpBB installed on the remote host fails to properly block 'bad' redirection targets. In addition, it reportedly contains a non-persistent cross-site scripting flaw involving its private messaging functionality and several other issues. 
At a minimum, a remote attacker can leverage these flaws to launch cross-site scripting attacks against the affected application. Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 6556 Plugin Name Family PHP 5.3.x < 5.3.15 Multiple Vulnerabilities Web Servers Description: PHP versions 5.3.x earlier than 5.3.15 are affected by the following vulnerabilities. - - An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688) - An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365) Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 6530 Plugin Name Family PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow Web Servers Severity Total High 1 Description: PHP versions earlier than 5.4.5 are affected by the following vulnerabilities. - An unspecified overflow vulnerability in the function '_php_stream_scandir' in the file 'main/streams/streams.c' Hosts in Repository 'net_10_31_112': CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 110 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu Plugin 6304 Plugin Name Family PHP 5.3.9 php_register_variable_ex() Code Execution Web Servers Severity Total High 1 Description: PHP version 5.3.9 is reportedly affected by a code execution vulnerability. Specifically, the fix for the hash collision denial of service vulnerability (CVE-2011-4885) itself has introduced a remote code execution vulnerability in the php_register_variable_ex() in the file php_variables.c. A new configuration variable, max_input_vars, was added as part of the fix. If the number of input variables exceeds this value and the variable being processed is an array, code execution can occur. 
Hosts in Repository 'net_10_31_112': 10.31.112.10 - MAC Address: 00:0c:29:43:f9:3b DNS Name: ubuntu CVSS 10.0 to 10.0 Qualitative Risk Analysis with CVSS Scores 111