[4eyes] FW: [COE #75896] [UCSB-OIT #1011097] Potentially Critical Vulnerabilities Found On 128.111.28.110

Matthew Turk mturk at cs.ucsb.edu
Thu May 25 12:11:52 PDT 2017


Please check your machine to see if it's 128.111.28.110. If this is yours, please see the issue below reported by IT - your version of PHP needs to be updated ASAP. (And let CoE Support and me know.)

Thanks,
	Matthew

-----Original Message-----
From: Scott Kasai via CoE Support [mailto:help at engineering.ucsb.edu] 
Sent: Thursday, May 25, 2017 10:47 AM
Cc: mturk at cs.ucsb.edu; holl at cs.ucsb.edu
Subject: [COE #75896] [UCSB-OIT #1011097] Potentially Critical Vulnerabilities Found On 128.111.28.110 

The following reply has been made regarding CoE Support ticket #75896:

Hi Matt and Tobias,

OIT is reporting that ilab-110.cs.ucsb.edu has some vulnerabilities with the PHP on this server that need to be addressed.

The current version of PHP they have detected is no longer supported, and they advise that it needs to be updated to a supported version.

OIT has requested that this be remedied and that you reply to them within 5 days of this notification, or risk having the machine cut off from the network to mitigate the risk to the campus.

For further information, please read below...

On Thu May 25 10:24:26 2017, security at ucsb.edu wrote:
> Greetings:
>
> Our vulnerability scanner has found a potentially vulnerable host on 
> your network. You should consider taking the recommended actions 
> mentioned in this report in order to reduce the chances of this host 
> being abused by an attacker. If you believe any part of this report to 
> be incorrect, please let us know so that we can work to improve our 
> reporting accuracy.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Here is information about potential vulnerabilities that were found:
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP: 128.111.28.110
> FQDN: ilab-110.cs.ucsb.edu
> Scanned From: on-campus address
> Scan Start: Tue May 23 08:05:52 2017 -0700 (PDT)
> Scan End: Tue May 23 08:08:00 2017 -0700 (PDT)
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Plugin Name: PHP Unsupported Version Detection (58987)
>
> Synopsis:
>
> The remote host contains an unsupported version of a web application 
> scripting language.
>
> Description:
>
> According to its version, the installation of PHP on the remote host 
> is no longer supported.
>
> Lack of support implies that no new security patches for the product 
> will be released by the vendor. As a result, it is likely to contain 
> security vulnerabilities.
>
> See Also:
>
> http://php.net/eol.php
> https://wiki.php.net/rfc/releaseprocess
>
> Solution:
>
> Upgrade to a version of PHP that is currently supported.
>
> Risk Factor: Critical
> CVSS Base Score: 10.0
>
>
> Plugin Information:
>
>
> Plugin Output:
>
> Port: 80 / tcp / www
> None
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Plugin Name: PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy) (92554)
>
> Synopsis:
>
> The version of PHP running on the remote web server is affected by 
> multiple vulnerabilities.
>
> Description:
>
> According to its banner, the version of PHP running on the remote web 
> server is 5.5.x prior to 5.5.38. It is, therefore, affected by 
> multiple vulnerabilities :
>
> - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to 
> a failure to properly resolve namespace conflicts in accordance with 
> RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set 
> based on untrusted user data in the 'Proxy' header of HTTP requests. 
> The HTTP_PROXY environment variable is used by some web client 
> libraries to specify a remote proxy server. An unauthenticated, remote 
> attacker can exploit this, via a crafted 'Proxy' header in an HTTP 
> request, to redirect an application's internal HTTP traffic to an 
> arbitrary proxy server where it may be observed or manipulated.
> (CVE-2016-5385)
>
> - An overflow condition exists in the php_bz2iop_read() function 
> within file ext/bz2/bz2.c due to improper handling of error 
> conditions. An unauthenticated, remote attacker can exploit this, via 
> a crafted request, to execute arbitrary code. (CVE-2016-5399)
>
> - A flaw exists in the GD Graphics Library (libgd), specifically in 
> the gdImageScaleTwoPass() function within file gd_interpolation.c, due 
> to improper validation of user-supplied input. An unauthenticated, 
> remote attacker can exploit this to cause a denial of service 
> condition. (CVE-2016-6207)
>
> - An integer overflow condition exists in the virtual_file_ex() 
> function within file Zend/zend_virtual_cwd.c due to improper 
> validation of user-supplied input. An unauthenticated, remote attacker 
> can exploit this to cause a denial of service condition or the 
> execution of arbitrary code. (CVE-2016-6289)
>
> - A use-after-free error exists within the file ext/session/session.c 
> when handling 'var_hash' destruction. An unauthenticated, remote 
> attacker can exploit this to dereference already freed memory, resulting 
> in the execution of arbitrary code.
> (CVE-2016-6290)
>
> - An out-of-bounds read error exists in the
> exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. 
> An unauthenticated, remote attacker can exploit this to cause a denial 
> of service condition or disclose memory contents. (CVE-2016-6291)
>
> - A NULL pointer dereference flaw exists in the
> exif_process_user_comment() function within file ext/exif/exif.c. An 
> unauthenticated, remote attacker can exploit this to cause a denial of 
> service condition.
> (CVE-2016-6292)
>
> - Multiple out-of-bounds read errors exist in the
> locale_accept_from_http() function within file 
> ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker 
> can exploit these to cause a denial of service condition or disclose 
> memory contents.
> (CVE-2016-6293, CVE-2016-6294)
>
> - A use-after-free error exists within file ext/snmp/snmp.c when 
> handling garbage collection during deserialization of user-supplied 
> input. An unauthenticated, remote attacker can exploit this to 
> dereference already freed memory, resulting in the execution of 
> arbitrary code. (CVE-2016-6295)
>
> - A heap-based buffer overflow condition exists in the
> simplestring_addn() function within file simplestring.c due to 
> improper validation of user-supplied input. An unauthenticated, remote 
> attacker can exploit this to cause a denial of service condition or 
> the execution of arbitrary code. (CVE-2016-6296)
>
> - An integer overflow condition exists in the
> php_stream_zip_opener() function within file ext/zip/zip_stream.c due 
> to improper validation of user-supplied input when handling zip 
> streams. An unauthenticated, remote attacker can exploit this to cause 
> a denial of service condition or the execution of arbitrary code. 
> (CVE-2016-6297)
>
> - An out-of-bounds read error exists in the GD Graphics Library 
> (libgd), specifically in the gdImageScaleBilinearPalette() function 
> within file gd_interpolation.c, when handling transparent color. An 
> unauthenticated, remote attacker can exploit this to cause a denial of 
> service condition or disclose memory contents. (VulnDB 141674)
>
> - A heap-based buffer overflow condition exists in the
> mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to 
> improper validation of user-supplied input. An unauthenticated, remote 
> attacker can exploit this to cause a denial of service condition or 
> the execution of arbitrary code.
> (VulnDB 141953)
>
> - A NULL write flaw exists in the GD Graphics Library (libgd) in the 
> gdImageColorTransparent() function due to improper handling of 
> negative transparent colors. A remote attacker can exploit this to 
> disclose memory contents. (VulnDB 142104)
>
> - An overflow condition exists in the php_url_parse_ex() function due 
> to improper validation of user-supplied input. A remote attacker can 
> exploit this to cause a buffer overflow, resulting in a denial of 
> service condition. (VulnDB 142133)
>
> See Also:
>
> http://php.net/ChangeLog-5.php#5.5.38
> https://httpoxy.org
>
> Solution:
>
> Upgrade to PHP version 5.5.38 or later.
>
> Risk Factor: Critical
> CVSS Base Score: 10.0
> CVSS Temporal Score: 7.8
>
> References:
>
> edb-id: http://www.exploit-db.com/exploits/40155
> cert: http://www.kb.cert.org/vuls/id/797896
> bid: http://www.securityfocus.com/bid/91821
> bid: http://www.securityfocus.com/bid/92051
> bid: http://www.securityfocus.com/bid/92073
> bid: http://www.securityfocus.com/bid/92074
> bid: http://www.securityfocus.com/bid/92078
> bid: http://www.securityfocus.com/bid/92094
> bid: http://www.securityfocus.com/bid/92095
> bid: http://www.securityfocus.com/bid/92097
> bid: http://www.securityfocus.com/bid/92099
> osvdb: 141667
> osvdb: 141674
> osvdb: 141675
> osvdb: 141942
> osvdb: 141943
> osvdb: 141944
> osvdb: 141945
> osvdb: 141946
> osvdb: 141953
> osvdb: 141954
> osvdb: 141957
> osvdb: 141958
> osvdb: 142018
> osvdb: 142104
> osvdb: 142133
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5385
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5399
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6207
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6289
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6290
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6291
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6292
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6293
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6294
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6295
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6296
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6297
>
> Plugin Information:
>
>
> Plugin Output:
>
> Port: 80 / tcp / www
> None
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Plugin Name: PHP 5.5.x < 5.5.37 Multiple Vulnerabilities (91897)
>
> Synopsis:
>
> The version of PHP running on the remote web server is affected by 
> multiple vulnerabilities.
>
> Description:
>
> According to its banner, the version of PHP running on the remote web 
> server is 5.5.x prior to 5.5.37. It is, therefore, affected by 
> multiple vulnerabilities :
>
> - A denial of service vulnerability exists in the GD graphics library 
> in the gdImageFillToBorder() function within file gd.c when handling 
> crafted images that have an overly large negative coordinate. An 
> unauthenticated, remote attacker can exploit this, via a crafted 
> image, to crash processes linked against the library.
> (CVE-2015-8874)
>
> - An integer overflow condition exists in the
> _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c due to improper 
> validation of user-supplied input. An unauthenticated, remote attacker 
> can exploit this to cause a denial of service condition or the 
> execution of arbitrary code. (CVE-2016-5766)
>
> - An integer overflow condition exists in the
> gdImagePaletteToTrueColor() function within file ext/gd/libgd/gd.c due 
> to improper validation of user-supplied input. An unauthenticated, 
> remote attacker can exploit this to cause a denial of service 
> condition or the execution of arbitrary code. (CVE-2016-5767)
>
> - A double-free error exists in the
> _php_mb_regex_ereg_replace_exec() function within file 
> ext/mbstring/php_mbregex.c when handling a failed callback execution. 
> An unauthenticated, remote attacker can exploit this to execute 
> arbitrary code.
> (CVE-2016-5768)
>
> - An integer overflow condition exists within file ext/mcrypt/mcrypt.c 
> due to improper validation of user-supplied input when handling data 
> values. An unauthenticated, remote attacker can exploit this to cause 
> a denial of service condition or the execution of arbitrary code. 
> (CVE-2016-5769)
>
> - An integer overflow condition exists within file 
> ext/spl/spl_directory.c, triggered by an int/size_t type confusion 
> error, that allows an unauthenticated, remote attacker to have an 
> unspecified impact.
> (CVE-2016-5770)
>
> - A use-after-free error exists in the garbage collection algorithm 
> within file ext/spl/spl_array.c. An unauthenticated, remote attacker 
> can exploit this to dereference already freed memory, resulting in the 
> execution of arbitrary code. (CVE-2016-5771)
>
> - A double-free error exists in the php_wddx_process_data() function 
> within file ext/wddx/wddx.c when handling specially crafted XML 
> content. An unauthenticated, remote attacker can exploit this to 
> execute arbitrary code.
> (CVE-2016-5772)
>
> - A use-after-free error exists in the garbage collection algorithm 
> within file ext/zip/php_zip.c. An unauthenticated, remote attacker can 
> exploit this to dereference already freed memory, resulting in the 
> execution of arbitrary code. (CVE-2016-5773)
>
> - An integer overflow condition exists in the json_decode() and
> json_utf8_to_utf16() functions within file 
> ext/standard/php_smart_str.h due to improper validation of 
> user-supplied input. An unauthenticated, remote attacker can exploit 
> this to cause a denial of service condition or the execution of 
> arbitrary code.
> (VulnDB 140378)
>
> - An out-of-bounds read error exists in the pass2_no_dither() function 
> within file ext/gd/libgd/gd_topal.c that allows an unauthenticated, 
> remote attacker to cause a denial of service condition or disclose 
> memory contents. (VulnDB 140379)
>
> - An integer overflow condition exists within file 
> ext/standard/string.c when handling string lengths due to improper 
> validation of user-supplied input. An unauthenticated, remote attacker 
> can exploit this to have an unspecified impact.
> (VulnDB 140380)
>
> - A NULL pointer dereference flaw exists in the
> _gdScaleVert() function within file
> ext/gd/libgd/gd_interpolation.c that is triggered when handling 
> _gdContributionsCalc return values. An unauthenticated, remote 
> attacker can exploit this to cause a denial of service condition. 
> (VulnDB 140382)
>
> - An integer overflow condition exists in the nl2br() function within 
> file ext/standard/string.c when handling new_length values due to 
> improper validation of user-supplied input. An unauthenticated, remote 
> attacker can exploit this to have an unspecified impact.
> (VulnDB 140385)
>
> - An integer overflow condition exists in multiple functions within 
> file ext/standard/string.c when handling string values due to improper 
> validation of user-supplied input. An unauthenticated, remote attacker 
> can exploit this to have an unspecified impact.
> (VulnDB 140386)
>
> Note that Nessus has not tested for these issues but has instead 
> relied only on the application's self-reported version number.
>
> See Also:
>
> http://php.net/ChangeLog-5.php#5.5.37
>
> Solution:
>
> Upgrade to PHP version 5.5.37 or later.
>
> Risk Factor: Critical
> CVSS Base Score: 10.0
> CVSS Temporal Score: 7.8
>
> References:
>
> bid: http://www.securityfocus.com/bid/90714
> bid: http://www.securityfocus.com/bid/91393
> bid: http://www.securityfocus.com/bid/91395
> bid: http://www.securityfocus.com/bid/91396
> bid: http://www.securityfocus.com/bid/91397
> bid: http://www.securityfocus.com/bid/91398
> bid: http://www.securityfocus.com/bid/91399
> bid: http://www.securityfocus.com/bid/91401
> bid: http://www.securityfocus.com/bid/91403
> osvdb: 125857
> osvdb: 140377
> osvdb: 140378
> osvdb: 140379
> osvdb: 140380
> osvdb: 140381
> osvdb: 140382
> osvdb: 140383
> osvdb: 140384
> osvdb: 140385
> osvdb: 140386
> osvdb: 140387
> osvdb: 140388
> osvdb: 140390
> osvdb: 140391
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8874
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5766
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5767
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5768
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5769
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5770
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5771
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5772
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5773
>
> Plugin Information:
>
>
> Plugin Output:
>
> Port: 80 / tcp / www
> None
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>


--

Scott Kasai
User Support Specialist
Engineering Computing Infrastructure
University of California, Santa Barbara
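Editor's note on the httpoxy finding (CVE-2016-5385) above. The report describes the mechanism in one sentence: the CGI rules turn every request header into an HTTP_<NAME> environment variable, so a client-supplied "Proxy" header becomes HTTP_PROXY, which outbound HTTP client libraries read to pick a proxy. The following Python model is an added example, not code from the report or from the PHP project; the request headers and the proxy address (from the 203.0.113.0/24 documentation range) are constructed for illustration. It shows the header-to-environment mapping, the resulting redirection of an application's internal HTTP call, and the two independent fixes: stripping the header at the web server (the mitigation httpoxy.org recommends) and having the client library ignore HTTP_PROXY when it is running under CGI (the approach Go's net/http took).

```python
"""httpoxy (CVE-2016-5385) modelled end to end: request header -> CGI
environment -> proxy choice of an outbound HTTP client in the same process.
All headers and addresses below are constructed for this example."""
from typing import Dict, Optional

# Constructed attacker request: normal except for the extra 'Proxy' header.
ATTACK_HEADERS: Dict[str, str] = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://203.0.113.7:8080",   # attacker-chosen proxy (constructed)
}

# Constructed benign request for comparison.
BENIGN_HEADERS: Dict[str, str] = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.47.0",
}


def cgi_meta_variables(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """RFC 3875 section 4.1.18: each request header is exposed to the script as
    HTTP_<NAME>, upper-cased with '-' turned into '_'. Nothing reserves the
    namespace, so a 'Proxy' header lands on HTTP_PROXY, the variable many HTTP
    client libraries consult to find an outbound proxy."""
    env = {"REQUEST_METHOD": method}      # always present under CGI/FastCGI
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_variables_hardened(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Server-side fix: drop the 'Proxy' request header before the CGI mapping
    runs, so HTTP_PROXY can never be set from the request. (For Apache with
    mod_headers this is 'RequestHeader unset Proxy early', per httpoxy.org.)"""
    filtered = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_meta_variables(filtered, method)


def outbound_proxy(env: Dict[str, str], cgi_aware: bool) -> Optional[str]:
    """Model of a client library's proxy selection.
    cgi_aware=False: pre-fix behaviour, HTTP_PROXY is trusted unconditionally.
    cgi_aware=True: client-side fix, HTTP_PROXY is ignored whenever
    REQUEST_METHOD is set, because under CGI that variable may have come
    from the remote client rather than from the administrator."""
    if cgi_aware and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def internal_request_goes_via(headers: Dict[str, str],
                              strip_proxy_header: bool = False,
                              cgi_aware_client: bool = False) -> Optional[str]:
    """Where the application's internal HTTP call is actually sent: None means
    a direct connection, otherwise the proxy URL the attacker chose."""
    build = cgi_meta_variables_hardened if strip_proxy_header else cgi_meta_variables
    return outbound_proxy(build(headers), cgi_aware_client)


if __name__ == "__main__":
    print("vulnerable  :", internal_request_goes_via(ATTACK_HEADERS))
    print("server fixed:", internal_request_goes_via(ATTACK_HEADERS, strip_proxy_header=True))
    print("client fixed:", internal_request_goes_via(ATTACK_HEADERS, cgi_aware_client=True))
    print("benign      :", internal_request_goes_via(BENIGN_HEADERS))
```

Either fix alone closes the hole, and the server-side one covers every language and library behind that web server at once, which is why it is the one to apply on a host you only manage at the Apache level. Upgrading PHP to 5.5.38 or later closes the PHP CGI/FastCGI path specifically, as the report says.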
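Editor's note on how the findings were produced. The report states that Nessus did not test for any of these issues and relied only on the version the server advertises. The Python below is an added example, not the scanner's code, and the X-Powered-By banners in it are constructed (the host's real banner is not in the report). It reproduces the decision the three plugins make from the banner alone, and flags the case that needs checking by hand: a distribution build such as a hypothetical "PHP/5.5.9-1ubuntu4.21" is flagged as older than 5.5.37 even if the distribution backported the listed CVE fixes under the old version string, so the package changelog, not the banner, is what settles whether the finding is real. The supported-branch set is as of the scan date (May 2017), when php.net was still issuing security fixes for 5.6, 7.0 and 7.1 and the 5.5 branch had been end-of-life since July 2016.

```python
"""Banner-only PHP version triage, reproducing the logic of the three Nessus
plugins in the report (58987, 91897, 92554). Banner strings are constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions named by the report's two version-compare plugins.
FIXED_IN: Dict[str, Version] = {
    "PHP 5.5.x < 5.5.37 Multiple Vulnerabilities (91897)": (5, 5, 37),
    "PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy) (92554)": (5, 5, 38),
}

# Branches still receiving security fixes from php.net on the scan date
# (May 2017). 5.5 reached end of life in July 2016, which is what plugin
# 58987 ("PHP Unsupported Version Detection") is reporting.
SUPPORTED_BRANCHES_MAY_2017 = {(5, 6), (7, 0), (7, 1)}

BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)(\S*)")


class Banner(NamedTuple):
    version: Version
    suffix: str          # e.g. '-1ubuntu4.21': a distribution build


def parse_php_banner(x_powered_by: str) -> Optional[Banner]:
    """Parse 'PHP/5.5.9-1ubuntu4.21' into ((5, 5, 9), '-1ubuntu4.21').
    Returns None when no PHP version is advertised at all (for instance with
    expose_php = Off, which hides the banner but fixes nothing)."""
    m = BANNER_RE.search(x_powered_by)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups()[:3])
    return Banner((major, minor, patch), m.group(4))


def triage(x_powered_by: str) -> Dict[str, object]:
    """Return the plugin names that would fire for this banner, whether the
    branch is unsupported, and a 'verify_by_hand' flag. The scanner compares
    version numbers only; a distribution package can carry backported fixes
    under an old version string, so a distro suffix means: check the package
    changelog for the listed CVEs before treating the finding as confirmed
    (or as resolved)."""
    banner = parse_php_banner(x_powered_by)
    if banner is None:
        # Nothing advertised: the scanner stays silent, which is not evidence.
        return {"findings": [], "unsupported": False, "verify_by_hand": True}
    findings: List[str] = [
        name for name, fixed in FIXED_IN.items()
        if banner.version[:2] == fixed[:2] and banner.version < fixed
    ]
    return {
        "findings": findings,
        "unsupported": banner.version[:2] not in SUPPORTED_BRANCHES_MAY_2017,
        "verify_by_hand": bool(banner.suffix),
    }


if __name__ == "__main__":
    for sample in ("PHP/5.5.9-1ubuntu4.21", "PHP/5.5.38", "PHP/7.1.5"):
        print(sample, "->", triage(sample))
```

Note what the second sample shows: a banner of exactly 5.5.38 clears both version-compare plugins but still trips the unsupported-version check, so on this host the only remedy that satisfies all three findings is moving to a branch that was still supported, not patching within 5.5.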





More information about the Ilab-users mailing list