• Greenbone Cloud Service TRIAL
  • Greenbone Enterprise TRIAL
  • Buy Here
  • Contact
  • Blog
  • Deutsch Deutsch German de
  • English English English en
Greenbone
  • Products
    • Hardware Appliances
      • Greenbone Enterprise 6500
      • Greenbone Enterprise 5400
      • Greenbone Enterprise 650
      • Greenbone Enterprise 600
      • Greenbone Enterprise 450
      • Greenbone Enterprise 400
      • Greenbone Enterprise 150
      • Greenbone Enterprise 35
    • Virtual Appliances
      • Greenbone Enterprise EXA
      • Greenbone Enterprise PETA
      • Greenbone Enterprise TERA
      • Greenbone Enterprise DECA
      • Greenbone Enterprise CENO
      • Greenbone Enterprise 25V
    • Greenbone Cloud Service
    • Technology
      • Feed Comparison
      • Product Comparison
      • Roadmap & Lifecycle
  • Cyber Resilience
    • Vulnerability Management
    • The Vulnerability Timeline
    • Cyber Defense Security
  • Customer Services
    • Technical Support
    • Self-Learning Courses
    • Documents
  • About Greenbone
    • Contact
    • Careers
    • Media Contact
  • Search
  • Menu Menu

We handle security issues quickly and transparently

If you identify a security problem in our product or with one of our services, please report to this e-mail address and provide as many details as you have to reproduce the problem.

security@greenbone.net

Email

We will immediately start our procedure for handling security issues and keep you informed.

We have the option to receive encrypted emails:

PGP key: greenbone-security-team-public-key

Before use, verify key via direct contact:

60DF 863C 7526 ABDA 1FB5  CB87 AF94 94DA 4F56 EBAF

In case you detect a security bug in our product, we kindly ask you to act in the sense of the Responsible Disclosure and give us time to fix the problem and to prepare security updates for all users. Of course we would like to give credit to you in the respective advisories.

This corresponds to the procedure of the Responsible Disclosure and the way we act ourselves in case we find security bugs in other products.

Greenbone Security Advisories

GBSA-2016-02: DoS attack via GET/POST

Summary

All appliance models except for Greenbone Enterprise 25 and Greenbone Enterprise 25V with Greenbone OS 3.1 are subject to a DoS attack via the web interface.

Given the attacker has access to a web interface, a special GET or POST request can be sent that will cause the invalidation of all user session tokens.

Affected

All appliance models except Greenbone Enterprise 25 and Greenbone Enterprise 25V.

Greenbone OS 3.1.1 up to 3.1.25.

Severity

CVSS: AV:A/AC:L/Au:N/C:N/I:N/A:P (3.3 – Low)

Resolution

Upgrade at least to Greenbone OS 3.1.26.

History

2016-01-26: problem identified by Rene Behring.
2016-01-28: problem solved and solution prepared.
2016-02-02: solution published as new Patch Level release for GOS 3.1.

Download this advisory as CVRF

GBSA-2016-01: Cross-Site-Scripting

Summary

All appliance models except for Greenbone Enterprise 25 and Greenbone Enterprise 25V with Greenbone OS 3.1 are subject to a cross site scripting vulnerability in the web user interface.

Given the attacker has access to a session token of the browser session, a cross site scripting can be executed via a command of the charts module.

Affected

All appliance models except Greenbone Enterprise 25 and Greenbone Enterprise 25V.

Greenbone OS 3.1.1 up to 3.1.23.

Severity

CVSS: AV:A/AC:M/Au:M/C:P/I:N/A:N (1.9 – Low)

Resolution

Upgrade at least to Greenbone OS 3.1.24.

History

2016-01-07: problem identified by Sebastian Neef (Internetwache.org).
2016-01-08: problem solved and solution prepared.
2016-01-09: solution published as new Patch Level release for GOS 3.1.
2016-01-20: added assigned CVE-2016-1926.

Download this advisory as CVRF

GBSA-2015-01: Baseboard control via BMC factory settings

Summary

The models Greenbone Enterprise 600 and Greenbone Enterprise 650 have factory settings of the BMC (Baseboard Management Controller) which were not pre-configured at time of shipping. It is possible to use a pre-configured account to access the hardware administration via network. Apart from reading the hardware profile, it is also possible to shut down or reboot the device.

Affected

Hardware models Greenbone Enterprise 600 and Greenbone Enterprise 650 with

  • Greenbone OS 3.0.1 up to 3.0.36
  • Greenbone OS 3.1.1 up to 3.1.18

Severity

CVSS: AV:A/AC:L/Au:S/C:P/I:P/A:C (6.7 – Medium)

Resolution

Upgrade at least to Greenbone OS 3.0.37 or Greenbone OS 3.1.18.

Temporary workaround: re-configure BMC manually regarding network channel and user accounts.

History

2015-09-22: problem identified by Greenbone staff.
2015-09-23: problem solved and solution published as new Patch Level release for GOS 3.1 and GOS 3.0.

Download this advisory as CVRF

GBSA-2014-02: SQL injection

Summary

A software bug in the server module “OpenVAS Manager” allows remote attackers to inject SQL code that reads data from the database.

Greenbone OS is affected by this vulnerability. A successful attack is possible if the attacker controls a user account for the web interface or for OMP. The attacker will gain read access to the database.

Greenbone OS is affected in case the user account has permission to manage schedule objects. This is by default the case for roles “User” and “Admin”.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-33.

Greenbone OS 3.0.1 up to 3.0.28.

Severity

CVSS: AV:N/AC:L/Au:S/C:C/I:N/A:N (6.8 – Medium)

Resolution

Upgrade at least to Greenbone OS 2.2.0-34 or Greenbone OS 3.0.29.

Temporary workaround: disable non-trustworthy user accounts.

References

  • CVE-2014-9220
  • OpenVAS Security Advisory

History

2014-11-28: problem identified by Greenbone staff (12:50), problem solved (15:50), solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0 (18:40).

Download this advisory as CVRF

GBSA-2014-01: DHCP code injection via Bash bug "Shellshock"

Summary

A software bug in the shell “Bash” allows remote attackers to inject arbitrary code. This bug is also referred to as “Shellshock”.

Greenbone OS is affected by this vulnerability regarding the DHCP client functionality. A successful attack is possible if the attacker can compromise the DHCP server of the internal network or can inject his own DHCP service into the internal network. The attacker will gain root privileges.

Greenbone OS is only affected in this scenario in case DHCP is configured for Greenbone OS. When using a static IP address, this attack vector does not work.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-31 if DHCP is enabled.

Greenbone OS 3.0.1 up to 3.0.25 if DHCP is enabled.

Resolution

Upgrade at least to Greenbone OS 2.2.0-32 or Greenbone OS 3.0.26.

Temporary workaround: disable DHCP and use static IP address instead.

References

  • CVE-2014-6271

History

2014-09-24: general Bash problem report received and verified.
2014-09-25: attack vector analysis for Greenbone OS and solution test.
2014-09-26: solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0.

Download this advisory as CVRF

GBSA-2013-01: OMP authentication bypass

Summary

A software bug in the server module “OpenVAS Manager” allowed bypassing the OMP authentication procedure. The attack vector is remotely available in case public OMP is enabled. In case of successful attack, the attacker gains partial rights to execute OMP commands. The bypass authentication is, however, incomplete and several OMP commands will fail to execute properly.

Affected

Greenbone OS 2.2.0-1 up to 2.2.0-19 if public OMP is enabled.

Resolution

Upgrade at least to Greenbone OS 2.2.0-20.

Temporary workaround: disable public OMP.

References

  • CVE-2013-6765
  • OpenVAS Security Advisory

History

2013-11-07: problem report received and verified.
2013-11-08: resolution implemented, confirmed and made available.
2013-11-14: received CVE assignment.
2013-11-15: OpenVAS Security Advisory OVSA20131108 released.

Download this advisory as CVRF

In a hurry?

We’re here for you!

+49-541-760278-0

Products & Solutions

  • Hardware Appliances
  • Virtual Appliances
  • Greenbone Cloud Service
  • Open Source Vulnerability Management
  • Buy Here
ISO9001EN

Service & Support

  • Customer Services
  • FAQ
  • Documents
  • Warranty
  • Test Here
ISO27001EN

About us

  • About Greenbone
  • Blog
  • License information
  • Privacy Statement
  • Terms & Conditions

Contact with us

  • Contact
  • Product Request
  • Careers
  • Partners
  • Security Response Team
  • Imprint

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2023
  • LinkedIn
  • Mail
Scroll to top

This site is only using technically necessary cookies. By continuing to browse the site, you are agreeing to use this cookies.

Accept CookiesPrivacy policy

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Datenschutzerklärung
Einstellungen akzeptierenVerberge nur die Benachrichtigung
  • Deutsch
  • English