ASB-2016.0017 - [Appliance][Virtual][Debian] AlienVault OSSIM and USM: Multiple vulnerabilities

Date: 29 February 2016
References: ASB-2015.0009  ASB-2015.0070  ASB-2016.0004  ESB-2016.0309  ASB-2016.0012  ESB-2016.0377  ESB-2016.0391  ESB-2016.0394  ESB-2016.0506  ESB-2016.0514  
ESB-2016.0532  ESB-2016.0535  ESB-2016.0549  ESB-2016.0555.2  ESB-2016.0572  ESB-2016.0579  ESB-2016.0580  ASB-2016.0020  ESB-2016.0596  ESB-2016.0602  ESB-2016.0606  
ASB-2016.0023.2  ESB-2016.0631  ESB-2016.0632  ESB-2016.0671  ESB-2016.0679.2  ESB-2016.0680  ESB-2016.0738  ESB-2016.0759  ESB-2016.0854  ESB-2016.1117  ESB-2016.1807  
ESB-2016.2602  ESB-2016.2702  


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0017
 Multiple vulnerabilities have been identified in AlienVault OSSIM and USM
                             29 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AlienVault OSSIM
                      AlienVault USM
Operating System:     Debian GNU/Linux
                      Network Appliance
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Root Compromise                 -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Provide Misleading Information  -- Existing Account      
                      Access Confidential Data        -- Console/Physical      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2037 CVE-2016-1523 CVE-2016-1522
                      CVE-2016-1521 CVE-2016-1233 CVE-2016-0755
                      CVE-2016-0728 CVE-2016-0723 CVE-2016-0616
                      CVE-2016-0609 CVE-2016-0608 CVE-2016-0606
                      CVE-2016-0600 CVE-2016-0598 CVE-2016-0597
                      CVE-2016-0596 CVE-2016-0546 CVE-2016-0505
                      CVE-2015-8784 CVE-2015-8783 CVE-2015-8782
                      CVE-2015-8781 CVE-2015-8779 CVE-2015-8778
                      CVE-2015-8776 CVE-2015-8767 CVE-2015-8704
                      CVE-2015-8683 CVE-2015-8665 CVE-2015-8631
                      CVE-2015-8630 CVE-2015-8629 CVE-2015-7872
                      CVE-2015-7556 CVE-2015-7547 CVE-2014-0015
                      CVE-2013-4312  
Member content until: Wednesday, March 30 2016
Reference:            ASB-2016.0012
                      ASB-2016.0004
                      ESB-2016.0514
                      ESB-2016.0506
                      ESB-2016.0394
                      ESB-2016.0391
                      ESB-2016.0377
                      ESB-2016.0309
                      ASB-2015.0070
                      ASB-2015.0009

OVERVIEW

        Numerous vulnerabilities have been identified in AlienVault USM and
        OSSIM prior to version 5.2.2. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "AlienVault ID: ENG-102814 Description: Properly account for FDs 
        passed over unix sockets. CVE ID: CVE-2013-4312
        
        AlienVault ID: ENG-102814 Description: Crash on invalid USB device 
        descriptors in visor driver. CVE ID: CVE-2015-7556
        
        AlienVault ID: ENG-102814 Description: Dmitry Vyukov discovered a 
        vulnerability in the keyrings garbage collector allowing a local 
        user to trigger a kernel panic. CVE ID: CVE-2015-7872
        
        AlienVault ID: ENG-102814 Description: SCTP denial of service during
        heartbeat timeout functions. CVE ID: CVE-2015-8767
        
        AlienVault ID: ENG-102814 Description: use-after-free in TIOCGETD 
        ioctl. CVE ID: CVE-2016-0723
        
        AlienVault ID: ENG-102814 Description: join_session_keyring() will 
        reject attempts to change the session keyring of a multithreaded 
        program but gdm is now multithreaded before it gets to the point of
        starting PAM and running pam_keyinit to create the session keyring.
        CVE ID: CVE-2016-0728
        
        AlienVault ID: ENG-102850 Description: apl_42.c in ISC BIND 9.x 
        before 9.9.8-P3 and 9.9.x and 9.10.x before 9.10.3-P3 allows remote
        authenticated users to cause a denial of service (INSIST assertion 
        failure and daemon exit) via a malformed Address Prefix List (APL) 
        record. CVE ID: CVE-2015-8704
        
        AlienVault ID: ENG-102851 Description: Problematic permissions via 
        udev rule not set. CVE ID: CVE-2016-1233
        
        AlienVault ID: ENG-102900 Description: The ConnectionExists function
        in lib/url.c in libcurl before 7.47.0 does not properly re-use 
        NTLM-authenticated proxy connections, which might allow remote 
        attackers to authenticate as other users via a request, a similar 
        issue to CVE-2014-0015. CVE ID: CVE-2016-0755
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        unknown vectors related to Options. CVE ID: CVE-2016-0505
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows local users to affect confidentiality, integrity, and
        availability via unknown vectors related to Client. CVE ID: 
        CVE-2016-0546
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB 
        before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 
        allows remote authenticated users to affect availability via vectors
        related to DML. CVE ID: CVE-2016-0596
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        unknown vectors related to Optimizer. CVE ID: CVE-2016-0597
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        vectors related to DML. CVE ID: CVE-2016-0598
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        unknown vectors related to InnoDB. CVE ID: CVE-2016-0600
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect integrity via 
        unknown vectors related to encryption. CVE ID: CVE-2016-0606
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        vectors related to UDF. CVE ID: CVE-2016-0608
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and 
        MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 
        10.1.10 allows remote authenticated users to affect availability via
        unknown vectors related to privileges. CVE ID: CVE-2016-0609
        
        AlienVault ID: ENG-102904 Description: Unspecified vulnerability in
        Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x 
        before 10.0.23, and 10.1.x before 10.1.10 allows remote 
        authenticated users to affect availability via unknown vectors 
        related to Optimizer. CVE ID: CVE-2016-0616
        
        AlienVault ID: ENG-102951 Description: xdr_nullstring() doesn't 
        check for terminating null character CVE ID: CVE-2015-8629
        
        AlienVault ID: ENG-102951 Description: krb5 doesn't check for null 
        policy when KADM5_POLICY is set in the mask CVE ID: CVE-2015-8630
        
        AlienVault ID: ENG-102951 Description: Memory leak caused by 
        supplying a null principal name in request CVE ID: CVE-2015-8631
        
        AlienVault ID: ENG-102958 Description: Out-of-bounds Read CVE ID: 
        CVE-2015-8665
        
        AlienVault ID: ENG-102958 Description: out-of-bounds read in CIE Lab
        image format CVE ID: CVE-2015-8683
        
        AlienVault ID: ENG-102958 Description: tif_luv.c in libtiff allows 
        attackers to cause a denial of service (out-of-bounds write) via an
        invalid number of samples per pixel in a LogL compressed TIFF image,
        a different vulnerability than CVE-2015-8782. CVE ID: CVE-2015-8781
        
        AlienVault ID: ENG-102958 Description: tif_luv.c in libtiff allows 
        attackers to cause a denial of service (out-of-bounds writes) via a
        crafted TIFF image, a different vulnerability than CVE-2015-8781. 
        CVE ID: CVE-2015-8782
        
        AlienVault ID: ENG-102958 Description: tif_luv.c in libtiff allows 
        attackers to cause a denial of service (out-of-bounds reads) via a 
        crafted TIFF image. CVE ID: CVE-2015-8783
        
        AlienVault ID: ENG-102958 Description: potential out-of-bound write
        in NeXTDecode() CVE ID: CVE-2015-8784
        
        AlienVault ID: ENG-103013 Description: glibc getaddrinfo stack-based
        buffer overflow. CVE ID: CVE-2015-7547
        
        AlienVault ID: ENG-103013 Description: Passing out of range data to
        strftime() causes a segfault. CVE ID: CVE-2015-8776
        
        AlienVault ID: ENG-103013 Description: hcreate((size_t)-1) should 
        fail with ENOMEM. CVE ID: CVE-2015-8778
        
        AlienVault ID: ENG-103013 Description: catopen() Multiple unbounded
        stack allocations CVE ID: CVE-2015-8779
        
        AlienVault ID: ENG-103015 Description: The directrun function in 
        directmachine.cpp in Libgraphite in Graphite 2 1.2.4, as used in 
        Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does
        not validate a certain skip operation, which allows remote attackers
        to execute arbitrary code, obtain sensitive information, or cause a
        denial of service (out-of-bounds read and application crash) via a 
        crafted Graphite smart font. CVE ID: CVE-2016-1521
        
        AlienVault ID: ENG-103015 Description: Code.cpp in Libgraphite in 
        Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox
        ESR 38.x before 38.6.1, does not consider recursive load calls 
        during a size check, which allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly execute 
        arbitrary code via a crafted Graphite smart font. CVE ID: 
        CVE-2016-1522
        
        AlienVault ID: ENG-103015 Description: The SillMap::readFace 
        function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as 
        used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 
        38.6.1, mishandles a return value, which allows remote attackers to
        cause a denial of service (missing initialization, NULL pointer 
        dereference, and application crash) via a crafted Graphite smart 
        font. CVE ID: CVE-2016-1523
        
        AlienVault ID: ENG-103030 Description: out-of-bounds write with cpio
        2.11 CVE ID: CVE-2016-2037" [1]


MITIGATION

        The vendor encourages users to upgrade to the latest version to 
        address the vulnerabilities. [1]


REFERENCES

        [1] Security Advisory - AlienVault v5.2.2 addresses 36 vulnerabilities
            https://www.alienvault.com/forums/discussion/6695/security-advisory-alienvault-v5-2-2-addresses-36-vulnerabilities

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================