===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0035
          Multiple vulnerabilities have been identified in Tenable
                           SecurityCenter 5.2.0
                               6 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable SecurityCenter
Operating System:     Linux variants
                      VMware ESX Server
                      Network Appliance
Impact/Access:        Cross-site Scripting     -- Remote with User Interaction
                      Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-82011 CVE-2016-82010 CVE-2016-82009
                      CVE-2016-82008
Member content until: Thursday, May 5 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Tenable
        SecurityCenter 5.2.0. [1]


IMPACT

        The vendor has provided the following information:

        "SecurityCenter 5.2.0 was found vulnerable to three cross-site
        scripting issues. If exploited, a victim could be tricked into
        executing attacker-controlled JavaScript that runs in their own
        context, potentially leading to authentication credential
        disclosure or other attacks. A fourth issue, an authenticated path
        disclosure weakness, has also been addressed.

        CVE-2016-82008 - Reflected XSS. An unauthenticated attacker could
        craft a URL that can be used against an authenticated
        SecurityCenter user. (NN Group N.V.)

        CVE-2016-82009 - Stored XSS. An authenticated attacker with user
        privileges could embed malicious JavaScript that would be stored by
        SecurityCenter, and subsequently rendered by other users loading a
        specific page. (NN Group N.V.)

        CVE-2016-82010 - Reflected XSS. An unauthenticated attacker could
        craft a URL that can be used against an authenticated
        SecurityCenter user. (NN Group N.V.)

        CVE-2016-82011 - System path disclosure weakness (post-auth).
        (NN Group N.V.)

        In addition to these fixes, SecurityCenter now implements a variety
        of HTTP headers and Cookie flags to further enhance security.
        Thanks to both CESG and NN Group N.V. for pointing out methods for
        accomplishing this.

        Note that the CVSSv2 score associated with this advisory reflects
        the most severe issue by the scoring standards, which is the
        reflected XSS." [1]


MITIGATION

        Users should upgrade to version 5.3.1 to rectify these issues. [1]


REFERENCES

        [1] [R1] SecurityCenter 5.2.0 Multiple Vulnerabilities
            http://www.tenable.com/security/tns-2016-07

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================