nessusThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.WEBSPHERE_CVE-2015-1829.NASL
HistorySep 18, 2015 - 12:00 a.m.

IBM HTTP Server 6.0 <= 6.0.2.43 (FP43) / 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.7 (FP7) Named Pipe DoS

2015-09-18 00:00:00
This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
www.tenable.com
16

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

69.8%

The IBM HTTP Server running on the remote host is version 6.0 prior to or equal to 6.0.2.43, 6.1 prior to or equal to 6.1.0.47, 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.7. It is, therefore, affected by a flaw in the Apache Portable Runtime (APR) that is triggered when an APR application is using APR named pipe support on Windows. A local attacker can exploit this to conduct a pipe squatting attack from a local process.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

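# Plugin registration. This branch runs only when `description` is set; it
# records the plugin's metadata and then exits, so the detection logic further
# down is not executed in that mode.
if (description)
{
  script_id(86019);
  script_version("1.3");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2015-1829");
  script_bugtraq_id(75164);

  script_name(english:"IBM HTTP Server 6.0 <= 6.0.2.43 (FP43) / 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.7 (FP7) Named Pipe DoS");
  script_summary(english:"Reads the version number from the SOAP port.");

  # The plugin tracks a single issue (one CVE, one BID), so the synopsis names
  # that issue instead of claiming "multiple vulnerabilities".
  script_set_attribute(attribute:"synopsis", value:
"The remote IBM HTTP Server is affected by a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM HTTP Server running on the remote host is version 6.0 prior to
or equal to 6.0.2.43, 6.1 prior to or equal to 6.1.0.47, 7.0 prior to
7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.7. It is,
therefore, affected by a flaw in the Apache Portable Runtime (APR)
that is triggered when an APR application is using APR named pipe
support on Windows. A local attacker can exploit this to conduct a
pipe squatting attack from a local process.");
  # CVE-2015-1829 / PI39833
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21959081");
  script_set_attribute(attribute:"solution", value:
"Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 11 (8.0.0.11) /
8.5 Fix Pack 7 (8.5.5.7) or later. Alternatively, apply the Interim
Fixes as recommended in the vendor advisory.

In the case of the 6.0 branch, apply IBM 6.0 Fix Pack 43 (6.0.2.43)
and then apply Interim Fix PI39833.

In the case of the 6.1 branch, apply IBM 6.1 Fix Pack 47 (6.1.0.47)
and then apply Interim Fixes PI39833.");
  # NOTE(review): the base vector rates the issue as network-reachable (AV:N),
  # while the description above speaks of a local attacker on Windows. When
  # prioritising findings, read the score together with the description and
  # the vendor advisory rather than relying on the vector alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/09/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/18");

  # Flagged as "potential": the check below compares a reported version string
  # only, so it cannot tell whether the interim fix has already been applied.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:http_server");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  # Relies on the WebSphere detection plugin for the version KB entries, and
  # on Settings/ParanoidReport being present in the KB.
  script_dependencies("websphere_detect.nasl");
  script_require_ports("Services/www", 8880, 8881);
  script_require_keys("www/WebSphere", "Settings/ParanoidReport");

  exit(0);
}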

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# This is a version-only check that cannot confirm whether the interim fix is
# installed, so it refuses to run unless the scan is in paranoid mode.
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

port = get_http_port(default:8880, embedded:0);

# Version and its source are read from the KB for this port (presumably
# written by websphere_detect.nasl); the plugin stops if either is missing.
kb_base = "www/WebSphere/" + port;
version = get_kb_item_or_exit(kb_base + "/version");
source  = get_kb_item_or_exit(kb_base + "/source");

app_name = "IBM WebSphere Application Server";

# A bare "N" or "N.N" version lacks the fix-pack components needed for the
# comparisons below, so bail out instead of guessing.
if (version =~ "^[0-9]+(\.[0-9]+)?$")
{
  audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);
}

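# Per-branch remediation data. Each value stays FALSE until a branch below
# matches; a version that matches no branch (or a 6.x version above the listed
# fix pack) leaves everything FALSE and is later audited as not vulnerable.
fix  = FALSE; # Fixed version for compare
min  = FALSE; # Min version for branch
pck  = FALSE; # Fix pack name (tacked onto fix in report)
itr  = "PI39833"; # Required interim fixes
vuln = FALSE; # Flag for branches requiring <= checks

# 8.5, 8.0 and 7.0: a fix pack contains the fix, so the later test is a
# strict "version < fix" within the branch.
if (version =~ "^8\.5\.")
{
  fix = '8.5.5.7';
  min = '8.5.0.0';
  pck = " (Fix Pack 7)";
}
else if (version =~ "^8\.0\.")
{
  fix = '8.0.0.11';
  min = '8.0.0.0';
  pck = " (Fix Pack 11)";
}
else if (version =~ "^7\.0\.")
{
  fix = '7.0.0.39';
  min = '7.0.0.0';
  # The availability date is static report text.
  pck = " (Fix Pack 39) Available 2015/11/02";
}

# V6.1.0.0 through 6.1.0.47 (without PI39833)
# The listed fix pack itself is still affected until the interim fix is
# applied on top, hence the "<=" comparison and the vuln flag.
else if (version =~ "^6\.1\.")
{
  if (ver_compare(ver:version, fix:'6.1.0.47', strict:FALSE) <= 0)
  {
    fix = '6.1.0.47';
    min = '6.1.0.0';
    # Names PI39833 so the report agrees with itr, the branch comment above
    # and the plugin's solution text; the previous text named PI45596.
    pck = " (Fix Pack 47) plus PI39833";
    vuln = TRUE;
  }
}

# V6.0.0.0 through 6.0.2.43 (without PI39833)
# Same "<=" handling as the 6.1 branch.
else if (version =~ "^6\.0\.")
{
  if (ver_compare(ver:version, fix:'6.0.2.43', strict:FALSE) <= 0)
  {
    fix = '6.0.2.43';
    min = '6.0.0.0';
    pck = " (Fix Pack 43) plus PI39833";
    vuln = TRUE;
  }
}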

# Decide whether the reported version falls in an affected range, then either
# report the finding or audit the port as not vulnerable.

# Range test for branches fixed by a fix pack: min <= version < fix. The
# comparisons run only once a branch has supplied both bounds.
in_range = FALSE;
if (fix && min)
{
  if (ver_compare(ver:version, fix:fix, strict:FALSE) <  0 &&
      ver_compare(ver:version, fix:min, strict:FALSE) >= 0)
    in_range = TRUE;
}

# `vuln` covers the 6.x branches, where the listed fix pack level itself is
# still flagged.
if (!in_range && !vuln)
  audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);
else
{
  if (report_verbosity <= 0)
    security_warning(port);
  else
  {
    # The finding rests on the version string alone; the report lists the
    # interim fix so the reader can check for it on the host.
    report =
      '\n  Version source    : ' + source  +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + pck +
      '\n  Interim fixes     : ' + itr +
      '\n';
    security_warning(port:port, extra:report);
  }
  exit(0);
}
Vendor | Product | Version | CPE
ibm | websphere_application_server | | cpe:/a:ibm:websphere_application_server
ibm | http_server | | cpe:/a:ibm:http_server

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

69.8%
