Security

We handle security issues quickly and transparently

If you identify a security problem in our product or with one of our services, please report to this email address and provide as many details as you have to reproduce the problem.

security@greenbone.net

We will immediately start our procedure for handling security issues and keep you informed.

We have the option to receive encrypted emails:

PGP Key: greenbone-security-team-public-key.txt

Before use, verify key via direct contact:

52DC 066D D194 C025 E6CD 9402 AA03 FB4F E784 0F07

In case you detect a security bug in our product, we kindly ask you to act in the sense of a Responsible Disclosure and give us time to fix the problem and to prepare security updates for all users. Of course we like to give credit to you in the respective advisories.

In fact we ask for the same procedure of Responsible Disclosure, as we practice ourselves in case we find security bugs in other products.

Greenbone Security Advisories

DoS attack via GET/POST

GBSA2016-02

Summary

All GSM models except for GSM 25 and GSM 25V with Greenbone OS 3.1 are subject to a DoS attack via the web user interface.

Given the attacker has access to a GSM web interface, a special GET or POST request can be sent that will cause invalidation of all user session tokens.

Affected

All GSM models except GSM 25 and GSM 25V.

Greenbone OS 3.1.1 up to 3.1.25.

Severity

CVSS: AV:A/AC:L/Au:N/C:N/I:N/A:P (3.3 – Low)

Resolution

Upgrade at least to Greenbone OS 3.1.26.

History

2016-01-26: Problem identified by Rene Behring.
2016-01-28: Problem solved and solution prepared.
2016-02-02: Solution published as new Patch Level release for GOS 3.1.

Download this advisory as CVRF.
(you can use Farol to review the CVRF)

Cross site scripting

GBSA2016-01

Summary

All GSM models except for GSM 25 and GSM 25V with Greenbone OS 3.1 are subject to a cross site scripting vulnerability in the web user interface.

Given the attacker has access to a session token of the browser session, a cross site scripting can be executed via a command of the charts module.

Affected

All GSM models except GSM 25 and GSM 25V.

Greenbone OS 3.1.1 up to 3.1.23.

Severity

CVSS: AV:A/AC:M/Au:M/C:P/I:N/A:N (1.9 – Low)

Resolution

Upgrade at least to Greenbone OS 3.1.24.

History

2016-01-07: Problem identified by Sebastian Neef (Internetwache.org).
2016-01-08: Problem solved and solution prepared.
2016-01-09: Solution published as new Patch Level release for GOS 3.1.
2016-01-20: Added assigned CVE-2016-1926.

Download this advisory as CVRF.
(you can use Farol to review the CVRF)

Baseboard control via BMC factory settings

GBSA2015-01

Summary

The models GSM 600 and GSM 650 have a factory-settings of the BMC (Baseboard Management Controller) which were not pre-configured at time of shipping. It is possible to use a pre-configured account to access the hardware administration via network. Apart from reading the hardware profile, it is also possible to shut down or reboot the device.

Affected

Hardware models GSM 600 and GSM 650 with

Greenbone OS 3.0.1 up to 3.0.36.

Greenbone OS 3.1.1 up to 3.1.18.

Severity

CVSS: AV:A/AC:L/Au:S/C:P/I:P/A:C (6.7 – Medium)

Resolution

Upgrade at least to Greenbone OS 3.0.37 or Greenbone OS 3.1.18.

Workaround: Re-configure BMC manually regarding network channel and user accounts.

History

2015-09-22: Problem identified by Greenbone staff.
2015-09-23: Problem solved and solution published as new Patch Level release for GOS 3.1 and GOS 3.0.

Download this advisory as CVRF.

SQL-Injection

GBSA2014-02

Summary

A software bug in OpenVAS Manager allows remote attackers to inject SQL code that reads data from the database.

Greenbone OS is affected by this vulnerability. A successful attack is possible if the attacker controls a user account for the web interface or for OMP. The attacker will gain read access to the database.

Greenbone OS is affected in case the user account has permission to manage schedule objects. This is by default the case for roles “User” and “Admin”.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-33.

Greenbone OS 3.0.1 up to 3.0.28.

Severity

CVSS: AV:N/AC:L/Au:S/C:C/I:N/A:N (6.8 – Medium)

Resolution

Upgrade at least to Greenbone OS 2.2.0-34 or Greenbone OS 3.0.29.

Temporary workaround: Disable non-trustworthy user accounts.

References

History

2014-11-28: Problem identified by Greenbone staff (12:50), solved (15:50), solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0 (18:40).

Download this advisory as CVRF.

DHCP Code Injection via Bash-bug "Shellshock"

GBSA2014-01

Summary

A software bug in the shell “Bash” allows remote attackers to inject arbitrary code. This bug is also referred to as “Shellshock”.

Greenbone OS is affected by this vulnerability regarding the DHCP client functionality. A successful attack is possible if the attacker can compromise the DHCP server of the internal network or can inject his own DHCP service into the internal network. The attacker will gain root privileges.

Greenbone OS is only affected in this scenario in case DHCP is configured for Greenbone OS. When using a static IP Address this attack vector does not work.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-31 when DHCP is enabled.

Greenbone OS 3.0.1 up to 3.0.25 when DHCP is enabled.

Resolution

Upgrade at least to Greenbone OS 2.2.0-32 or Greenbone OS 3.0.26.

Temporary workaround: Disable DHCP and use static IP address instead.

References

  • CVE-2014-6271

History

2014-09-24: General Bash problem report received and verified.
2014-09-25: Attack vector analysis for Greenbone OS and solution test.
2014-09-26: Solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0.

Download this advisory as CVRF.

German / Deutsch

Zusammenfassung

Ein Software-Fehler im Shell-Programm “Bash” erlaubt entfernten Angreifern beliebigen Code auszuführen. Dieser Fehler ist auch bekannt als “Shellshock”.

Greenbone OS ist von diesem Fehler betroffen bezüglich der DHCP Client Funktion. Ein erfolgreicher Angriff ist möglich sofern der Angreifer den DHCP-Server des internen Netzwerkes übernehmen oder einen eigenen DHCP-Dienst in das interne Netzwerk einschleusen konnte. Der Angreifer kann dabei root-Rechte erlangen.

Greenbone OS ist nur dann in diesem Szenario betroffen, falls DHCP konfiguriert wurde. Bei Verwendung einer statischen IP-Adresse besteht diese Angriffsmöglichkeit nicht.

Betroffen

Greenbone OS 2.2.0-1 bis 2.2.0-31 sofern DHCP eingeschaltet ist.

Greenbone OS 3.0.1 bis 3.0.25 sofern DHCP eingeschaltet ist.

Beseitigung

Upgrade auf mindesten Greenbone OS 2.2.0-32 bzw. Greenbone OS 3.0.26.

Temporäre Umgehung: DHCP deaktivieren und stattdessen eine statische IP verwenden.

Referenzen

  • CVE-2014-6271

Geschichte

2014-09-24: Allgemeiner Problembericht zu Bash erhalten und verifiziert.
2014-09-25: Analyse des Angriffsvektors für Greenbone OS und Test von Lösungen.
2014-09-26: Lösung veröffentlicht als Patch Level für GOS 2.2.0 und GOS 3.0.

OMP Authentication Bypass

GBSA2013-01

Summary

A software bug in the server module “OpenVAS Manager” allowed to bypass the OMP authentication procedure. The attack vector is remotely available in case public OMP is enabled. In case of successful attack, the attacker gains partial rights to execute OMP commands. The bypass authentication is, however, incomplete and several OMP commands will fail to execute properly.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-19 when public OMP is enabled.

Resolution

Upgrade at least to Greenbone OS 2.2.0-20.

Temporary workaround: Disable public OMP.

References

History

2013-11-07: Problem report received and verified.
2013-11-08: Resolution implemented, confirmed and made available.
2013-11-14: Received CVE assignment.
2013-11-15: OpenVAS Security Advisory OVSA20131108 released.

Download this advisory as CVRF.

German / Deutsch

Zusammenfassung

Ein Software-Fehler im Server-Modul “OpenVAS Manager” ermöglichte die OMP Authentifzierungs-Prozedur zu umgehen. Der Angriffsvektor ist aus der Ferne nutzbar wenn der GSM “Public OMP” eingeschaltet hat. Im Falle eines erfolgreichen Angriffs erhält der Angreifer partielle Rechte OMP Kommandos auszuführen. Diese Umgehung der Authentifizierung ist allerdings unvollständig, so dass einige OMP Kommandos bei der Ausführung einen Fehler melden oder unvollständig ablaufen.

Betroffen

Greenbone OS 2.2.0-1 bis 2.2.0-19 sofern “Public OMP” eingeschaltet ist.

Beseitigung

Upgrade auf mindesten Greenbone OS 2.2.0-20.

Temporäre Umgehung: Public OMP deaktivieren.

Referenzen

Geschichte

2013-11-07: Problem-Bericht erhalten und verifiziert.
2013-11-08: Lösung implementiert, bestätigt und bereitgestellt sowie Problem und Lösung veröffentlicht.
2013-11-14: Zuteilung einer CVE erfolgt.
2013-11-15: OpenVAS Sicherheitsmeldung OVSA20131108 freigegeben.