Daily threat assessment 26JAN2016 (nginx and RoR vulns)

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
mikeshinn
Atomicorp Staff - Site Admin


This report is a daily analysis of all published vulnerabilities in any product, weaknesses in technologies, Internet-wide exploits, and current Internet threats associated with the platforms and products our customers use. It also states whether any action is required to protect their assets from these vulnerabilities, weaknesses and exploits, depending on the Atomicorp product they are using.

Please see this forum post for an explanation of the categories used in this report.

Note: CVEs are sometimes created after a vulnerability is published (sometimes far after it has been made public). When CVEs are referenced, it is because a CVE was created today, not because an issue was resolved today, and it is included here for reference.

ASL users

Summary: Two vulnerabilities may affect some ASL users.

1) If you are using nginx and are using the resolver directive, see notes below.
2) If you are using Ruby on Rails, all users should upgrade. See notes below for patches and workarounds.

Already protect against/Known Method/No update required

WordPress Booking Calendar Contact Form Plugin <=1.1.23 - SQL vulnerabilities
Gongwalker API Manager 1.1 - Blind SQL Injection
CVE-2016-1926 (when the Greenbone Assistant is protected by the ASL WAF)
CVE-2015-8379
osCommerce 2.3.3.4 - (geo_zones.php zID param) SQL Injection Vulnerability

Not already protected against/New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

CVE-2016-0742, CVE-2016-0746, CVE-2016-0747: nginx DNS resolver DoS vulnerabilities. The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive is used in a configuration file. A patch is available from the vendor, and the problems are fixed in nginx 1.9.10 and 1.8.1.

CVE-2015-7577 Ruby on Rails (3.1.0 and newer) - Nested attributes rejection proc bypass in Active Record. (update and monkey patch available from vendor) https://groups.google.com/forum/#!msg/r ... gZtYdbFQAJ
CVE-2015-7576 Ruby on Rails (all versions) - Timing attack vulnerability in basic authentication in Action Controller. (update and monkey patch available from vendor) https://groups.google.com/forum/#!msg/r ... 7wNGxbFQAJ
CVE-2016-0751 Ruby on Rails (all versions) - Possible Object Leak and Denial of Service attack in Action Pack. (update and patches available from vendor) https://groups.google.com/forum/#!msg/r ... oI9XxbFQAJ
CVE-2016-0752 Ruby on Rails (all versions) - Possible Remote Code injection and Information Leak Vulnerability in Action View (updates available from vendor) https://groups.google.com/forum/#!msg/r ... B9_LhbFQAJ
CVE-2016-0753 Ruby on Rails 4.1.0 and newer - Possible Input Validation Circumvention in Active Model (updates available from vendor) https://groups.google.com/forum/#!msg/r ... YETcxbFQAJ
CVE-2015-7581 Ruby on Rails >= 4.0.0 and < 5.0.0.beta1 - Object leak vulnerability for wildcard controller routes in Action Pack (updates available from vendor) https://groups.google.com/forum/#!msg/r ... PnFelbFQAJ

Potential Vulnerability/Solution

None.

Rules only users

Summary: Three vulnerabilities for rules only users:

1) Ruby on Rails users should upgrade, or install appropriate patches/workarounds from vendor.
2) Linux kernel level vulnerability in wireless subsystem.
3) nginx DoS vulnerabilities: install update from vendor or reconfigure nginx.

Already protect against/Known Method/No update required

WordPress Booking Calendar Contact Form Plugin <=1.1.23 - SQL vulnerabilities
Gongwalker API Manager 1.1 - Blind SQL Injection
CVE-2015-8379
osCommerce 2.3.3.4 - (geo_zones.php zID param) SQL Injection Vulnerability

Not already protected against/New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

ModSecurity cannot protect against these system-level vulnerabilities:

CVE-2016-0742, CVE-2016-0746, CVE-2016-0747: nginx DNS resolver DoS vulnerabilities. The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive is used in a configuration file. A patch is available from the vendor, and the problems are fixed in nginx 1.9.10 and 1.8.1.

CVE-2015-7577 Ruby on Rails (3.1.0 and newer) - Nested attributes rejection proc bypass in Active Record. (update and monkey patch available from vendor) https://groups.google.com/forum/#!msg/r ... gZtYdbFQAJ
CVE-2015-7576 Ruby on Rails (all versions) - Timing attack vulnerability in basic authentication in Action Controller. (update and monkey patch available from vendor) https://groups.google.com/forum/#!msg/r ... 7wNGxbFQAJ
CVE-2016-0751 Ruby on Rails (all versions) - Possible Object Leak and Denial of Service attack in Action Pack. (update and patches available from vendor) https://groups.google.com/forum/#!msg/r ... oI9XxbFQAJ
CVE-2016-0752 Ruby on Rails (all versions) - Possible Remote Code injection and Information Leak Vulnerability in Action View (updates available from vendor) https://groups.google.com/forum/#!msg/r ... B9_LhbFQAJ
CVE-2016-0753 Ruby on Rails 4.1.0 and newer - Possible Input Validation Circumvention in Active Model (updates available from vendor) https://groups.google.com/forum/#!msg/r ... YETcxbFQAJ
CVE-2015-7581 Ruby on Rails >= 4.0.0 and < 5.0.0.beta1 - Object leak vulnerability for wildcard controller routes in Action Pack (updates available from vendor) https://groups.google.com/forum/#!msg/r ... PnFelbFQAJ
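
For the nginx entries (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747) in both the ASL and rules-only sections, the two conditions stated in this report (version 0.6.18 - 1.9.9, and a "resolver" directive in use) can be checked as below. This is an added example, not part of the original post or an Atomicorp tool; the function names and sample configuration are constructed, and it assumes 1.8.x releases from 1.8.1 onward carry the fix.

```shell
#!/bin/sh
# Added example: triage a host for the nginx resolver CVEs in this report.

# "1.9.10" -> 1009010, so versions compare as integers.
ver_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Extract "1.9.9" from the `nginx -v` banner "nginx version: nginx/1.9.9".
banner_to_version() {
    echo "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Exit 0 if the version lies in the affected range 0.6.18 - 1.9.9.
# Assumption: on the 1.8 stable branch, 1.8.1 and later carry the fix.
nginx_version_affected() {
    v=$(ver_to_int "$1")
    if [ "$v" -lt "$(ver_to_int 0.6.18)" ] || [ "$v" -ge "$(ver_to_int 1.9.10)" ]; then
        return 1
    fi
    case "$1" in
        1.8.*) if [ "$v" -ge "$(ver_to_int 1.8.1)" ]; then return 1; fi ;;
    esac
    return 0
}

# Exit 0 if the config on stdin has an active "resolver" directive.
# Comments are stripped first; "resolver_timeout" alone does not count.
config_uses_resolver() {
    sed 's/#.*//' | grep -Eq '(^|[;{}[:space:]])resolver[[:space:]]'
}

# triage BANNER < config  -> prints not-affected | resolver-unused | exposed
triage() {
    ver=$(banner_to_version "$1")
    if ! nginx_version_affected "$ver"; then echo "not-affected"; return 0; fi
    if config_uses_resolver; then echo "exposed"; else echo "resolver-unused"; fi
}

# Constructed sample config, for demonstration only.
SAMPLE_CONF='http {
    # resolver 192.0.2.53;
    resolver_timeout 5s;
    server { location / { resolver 192.0.2.53 valid=30s; proxy_pass http://$backend; } }
}'

printf '%s\n' "$SAMPLE_CONF" | triage "nginx version: nginx/1.9.9"
```

On a real host, pass the output of `nginx -v 2>&1` as the banner and feed the full configuration on stdin (`nginx -T` where the build supports it, otherwise the concatenated configuration files). A distribution package that backports the vendor patch without changing the version number will still be reported by the version check.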


Potential Vulnerability/Solution

CVE-2016-1926 - If the Greenbone Assistant is protected by a proxy running the rules, the vulnerability is addressed.