Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-2658-1.NASLUbuntu 14.04 LTS : PHP vulnerabilities (USN-2658-1)
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.74 High
EPSS
Percentile
98.1%
Neal Poole and Tomas Hoger discovered that PHP incorrectly handled NULL bytes in file paths. A remote attacker could possibly use this issue to bypass intended restrictions and create or obtain access to sensitive files. (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025, CVE-2015-4026, CVE-2015-4598)
Emmanuel Law discovered that the PHP phar extension incorrectly handled filenames starting with a NULL byte. A remote attacker could use this issue with a crafted tar archive to cause a denial of service. (CVE-2015-4021)
Max Spelsberg discovered that PHP incorrectly handled the LIST command when connecting to remote FTP servers. A malicious FTP server could possibly use this issue to execute arbitrary code. (CVE-2015-4022, CVE-2015-4643)
Shusheng Liu discovered that PHP incorrectly handled certain malformed form data. A remote attacker could use this issue with crafted form data to cause CPU consumption, leading to a denial of service.
(CVE-2015-4024)
Andrea Palazzo discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue with crafted serialized data to possibly execute arbitrary code.
(CVE-2015-4147)
Andrea Palazzo discovered that the PHP Soap client incorrectly validated that the uri property is a string. A remote attacker could use this issue with crafted serialized data to possibly obtain sensitive information. (CVE-2015-4148)
Taoguang Chen discovered that PHP incorrectly validated data types in multiple locations. A remote attacker could possibly use these issues to obtain sensitive information or cause a denial of service.
(CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)
It was discovered that the PHP Fileinfo component incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 15.04. (CVE-2015-4604, CVE-2015-4605)
It was discovered that PHP incorrectly handled table names in php_pgsql_meta_data. A local attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-4644).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2658-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(84563);
script_version("2.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");
script_cve_id(
"CVE-2015-3411",
"CVE-2015-3412",
"CVE-2015-4021",
"CVE-2015-4022",
"CVE-2015-4024",
"CVE-2015-4025",
"CVE-2015-4026",
"CVE-2015-4147",
"CVE-2015-4148",
"CVE-2015-4598",
"CVE-2015-4599",
"CVE-2015-4600",
"CVE-2015-4601",
"CVE-2015-4602",
"CVE-2015-4603",
"CVE-2015-4604",
"CVE-2015-4605",
"CVE-2015-4643",
"CVE-2015-4644"
);
script_bugtraq_id(
73357,
74413,
74700,
74902,
74903,
74904,
75056,
75103,
75233,
75241,
75244,
75246,
75249,
75250,
75251,
75252,
75255,
75291,
75292
);
script_xref(name:"USN", value:"2658-1");
script_name(english:"Ubuntu 14.04 LTS : PHP vulnerabilities (USN-2658-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"Neal Poole and Tomas Hoger discovered that PHP incorrectly handled
NULL bytes in file paths. A remote attacker could possibly use this
issue to bypass intended restrictions and create or obtain access to
sensitive files. (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025,
CVE-2015-4026, CVE-2015-4598)
Emmanuel Law discovered that the PHP phar extension incorrectly
handled filenames starting with a NULL byte. A remote attacker could
use this issue with a crafted tar archive to cause a denial of
service. (CVE-2015-4021)
Max Spelsberg discovered that PHP incorrectly handled the LIST command
when connecting to remote FTP servers. A malicious FTP server could
possibly use this issue to execute arbitrary code. (CVE-2015-4022,
CVE-2015-4643)
Shusheng Liu discovered that PHP incorrectly handled certain malformed
form data. A remote attacker could use this issue with crafted form
data to cause CPU consumption, leading to a denial of service.
(CVE-2015-4024)
Andrea Palazzo discovered that the PHP Soap client incorrectly
validated data types. A remote attacker could use this issue with
crafted serialized data to possibly execute arbitrary code.
(CVE-2015-4147)
Andrea Palazzo discovered that the PHP Soap client incorrectly
validated that the uri property is a string. A remote attacker could
use this issue with crafted serialized data to possibly obtain
sensitive information. (CVE-2015-4148)
Taoguang Chen discovered that PHP incorrectly validated data types in
multiple locations. A remote attacker could possibly use these issues
to obtain sensitive information or cause a denial of service.
(CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602,
CVE-2015-4603)
It was discovered that the PHP Fileinfo component incorrectly handled
certain files. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. This issue only affected
Ubuntu 15.04. (CVE-2015-4604, CVE-2015-4605)
It was discovered that PHP incorrectly handled table names in
php_pgsql_meta_data. A local attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2015-4644).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2658-1");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4603");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2015-4643");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/09");
script_set_attribute(attribute:"patch_publication_date", value:"2015/07/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5filter");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libphp5-embed");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php-pear");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cgi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-cli");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-curl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-dev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-enchant");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-fpm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-gmp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-intl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-mysqlnd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-odbc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-pgsql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-pspell");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-readline");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-recode");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-snmp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sqlite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-sybase");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-tidy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xmlrpc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:php5-xsl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '14.04', 'pkgname': 'libapache2-mod-php5', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'libapache2-mod-php5filter', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'libphp5-embed', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php-pear', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-cgi', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-cli', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-common', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-curl', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-dev', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-enchant', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-fpm', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-gd', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-gmp', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-intl', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-ldap', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-mysql', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-mysqlnd', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-odbc', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-pgsql', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-pspell', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-readline', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-recode', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-snmp', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-sqlite', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-sybase', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-tidy', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-xmlrpc', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'},
{'osver': '14.04', 'pkgname': 'php5-xsl', 'pkgver': '5.5.9+dfsg-1ubuntu4.11'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libapache2-mod-php5 / libapache2-mod-php5filter / libphp5-embed / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | libapache2-mod-php5 | p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5 |
| canonical | ubuntu_linux | libapache2-mod-php5filter | p-cpe:/a:canonical:ubuntu_linux:libapache2-mod-php5filter |
| canonical | ubuntu_linux | libphp5-embed | p-cpe:/a:canonical:ubuntu_linux:libphp5-embed |
| canonical | ubuntu_linux | php-pear | p-cpe:/a:canonical:ubuntu_linux:php-pear |
| canonical | ubuntu_linux | php5 | p-cpe:/a:canonical:ubuntu_linux:php5 |
| canonical | ubuntu_linux | php5-cgi | p-cpe:/a:canonical:ubuntu_linux:php5-cgi |
| canonical | ubuntu_linux | php5-cli | p-cpe:/a:canonical:ubuntu_linux:php5-cli |
| canonical | ubuntu_linux | php5-common | p-cpe:/a:canonical:ubuntu_linux:php5-common |
| canonical | ubuntu_linux | php5-curl | p-cpe:/a:canonical:ubuntu_linux:php5-curl |
| canonical | ubuntu_linux | php5-dev | p-cpe:/a:canonical:ubuntu_linux:php5-dev |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3411
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3412
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4147
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4148
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4598
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4600
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4601
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4602
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4603
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4604
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4605
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644
ubuntu.com/security/notices/USN-2658-1
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.74 High
EPSS
Percentile
98.1%