Security Response Team
We handle security issues quickly and transparently
We will immediately start our procedure for handling security issues and keep you informed.
We have the option to receive encrypted emails:
PGP Key: greenbone-security-team-public-key
Before use, verify key via direct contact:
60DF 863C 7526 ABDA 1FB5 CB87 AF94 94DA 4F56 EBAF
If you detect a security bug in our product, we kindly ask you to follow Responsible Disclosure and give us time to fix the problem and to prepare security updates for all users. Of course, we are happy to give you credit in the respective advisories.
We ask for the same Responsible Disclosure procedure that we practice ourselves when we find security bugs in other products.
Greenbone Security Advisories
GBSA-2016-02: DoS attack via GET/POST
Summary
All GSM models except for GSM 25 and GSM 25V with Greenbone OS 3.1 are subject to a DoS attack via the web user interface.
An attacker with access to a GSM web interface can send a special GET or POST request that invalidates all user session tokens.
Affected
All GSM models except GSM 25 and GSM 25V.
Greenbone OS 3.1.1 up to 3.1.25.
Severity
CVSS: AV:A/AC:L/Au:N/C:N/I:N/A:P (3.3 – Low)
Resolution
Upgrade at least to Greenbone OS 3.1.26.
History
2016-01-26: Problem identified by Rene Behring.
2016-01-28: Problem solved and solution prepared.
2016-02-02: Solution published as new Patch Level release for GOS 3.1.
Download this advisory as CVRF.
(you can use Farol to review the CVRF)
GBSA-2016-01: Cross site scripting
Summary
All GSM models except for GSM 25 and GSM 25V with Greenbone OS 3.1 are subject to a cross-site scripting vulnerability in the web user interface.
Given the attacker has access to a session token of the browser session, a cross-site scripting attack can be executed via a command of the charts module.
Affected
All GSM models except GSM 25 and GSM 25V.
Greenbone OS 3.1.1 up to 3.1.23.
Severity
CVSS: AV:A/AC:M/Au:M/C:P/I:N/A:N (1.9 – Low)
Resolution
Upgrade at least to Greenbone OS 3.1.24.
History
2016-01-07: Problem identified by Sebastian Neef (Internetwache.org).
2016-01-08: Problem solved and solution prepared.
2016-01-09: Solution published as new Patch Level release for GOS 3.1.
2016-01-20: Added assigned CVE-2016-1926.
Download this advisory as CVRF.
(you can use Farol to review the CVRF)
GBSA-2015-01: Baseboard control via BMC factory settings
Summary
The models GSM 600 and GSM 650 have BMC (Baseboard Management Controller) factory settings that were not pre-configured at the time of shipping. It is possible to use a pre-configured account to access the hardware administration via the network. Apart from reading the hardware profile, it is also possible to shut down or reboot the device.
Affected
Hardware models GSM 600 and GSM 650 with
Greenbone OS 3.0.1 up to 3.0.36.
Greenbone OS 3.1.1 up to 3.1.18.
Severity
CVSS: AV:A/AC:L/Au:S/C:P/I:P/A:C (6.7 – Medium)
Resolution
Upgrade at least to Greenbone OS 3.0.37 or Greenbone OS 3.1.18.
Workaround: Manually re-configure the BMC's network channel and user accounts.
History
2015-09-22: Problem identified by Greenbone staff.
2015-09-23: Problem solved and solution published as new Patch Level release for GOS 3.1 and GOS 3.0.
GBSA-2014-02: SQL-Injection
Summary
A software bug in OpenVAS Manager allows remote attackers to inject SQL code that reads data from the database.
Greenbone OS is affected by this vulnerability. A successful attack is possible if the attacker controls a user account for the web interface or for OMP. The attacker will gain read access to the database.
Greenbone OS is affected in case the user account has permission to manage schedule objects. This is by default the case for roles “User” and “Admin”.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-33.
Greenbone OS 3.0.1 up to 3.0.28.
Severity
CVSS: AV:N/AC:L/Au:S/C:C/I:N/A:N (6.8 – Medium)
Resolution
Upgrade at least to Greenbone OS 2.2.0-34 or Greenbone OS 3.0.29.
Temporary workaround: Disable non-trustworthy user accounts.
References
- CVE-2014-9220
- OpenVAS Security Advisory OVSA20141128
History
2014-11-28: Problem identified by Greenbone staff (12:50), solved (15:50), solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0 (18:40).
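The Severity lines in these advisories are CVSS version 2 vector strings. The following Python code is an added example, not part of the original advisories or of Greenbone's software: it recomputes the base score from a vector with the weights and base equation of the public CVSS v2 specification, so the published scores can be cross-checked. The function names and the Low/Medium/High bands (the NVD convention for CVSS v2) are assumptions of this example.

```python
# Added example: CVSS v2 base score recomputed from a vector string.
from decimal import Decimal, ROUND_HALF_UP

CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {  # metric weights from the CVSS v2 specification
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
}
# Vectors and published scores exactly as stated in the advisories on this page.
PAGE_VECTORS = {
    "GBSA-2016-02": ("AV:A/AC:L/Au:N/C:N/I:N/A:P", 3.3),
    "GBSA-2016-01": ("AV:A/AC:M/Au:M/C:P/I:N/A:N", 1.9),
    "GBSA-2015-01": ("AV:A/AC:L/Au:S/C:P/I:P/A:C", 6.7),
    "GBSA-2014-02": ("AV:N/AC:L/Au:S/C:C/I:N/A:N", 6.8),
}

def parse_vector(vector):
    """Map each of the six base metrics to its weight; reject malformed input."""
    metrics = {}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r} in {vector!r}")
        metrics[name] = WEIGHTS[name][value]
    if len(metrics) != len(WEIGHTS):
        raise ValueError(f"missing metrics in {vector!r}")
    return metrics

def base_score(vector):
    """Base equation: impact and exploitability sub-scores, rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), ROUND_HALF_UP))

def severity(score):
    """Low/Medium/High bands as used by NVD for CVSS v2 (assumption of this example)."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

def mismatches():
    """Advisories whose recomputed score differs from the published one."""
    return {a: base_score(v) for a, (v, s) in PAGE_VECTORS.items() if base_score(v) != s}

if __name__ == "__main__":
    for adv, (vec, published) in PAGE_VECTORS.items():
        print(f"{adv}: {vec} -> {base_score(vec)} ({severity(base_score(vec))}), published {published}")
```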
GBSA-2014-01: DHCP Code Injection via Bash-bug "Shellshock"
Summary
A software bug in the shell “Bash” allows remote attackers to inject arbitrary code. This bug is also referred to as “Shellshock”.
Greenbone OS is affected by this vulnerability regarding the DHCP client functionality. A successful attack is possible if the attacker can compromise the DHCP server of the internal network or can inject their own DHCP service into the internal network. The attacker will gain root privileges.
Greenbone OS is only affected in this scenario if DHCP is configured for Greenbone OS. When a static IP address is used, this attack vector does not work.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-31 when DHCP is enabled.
Greenbone OS 3.0.1 up to 3.0.25 when DHCP is enabled.
Resolution
Upgrade at least to Greenbone OS 2.2.0-32 or Greenbone OS 3.0.26.
Temporary workaround: Disable DHCP and use static IP address instead.
References
- CVE-2014-6271
History
2014-09-24: General Bash problem report received and verified.
2014-09-25: Attack vector analysis for Greenbone OS and solution test.
2014-09-26: Solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0.
Download this advisory as CVRF.
German / Deutsch
Summary
A software bug in the shell program “Bash” allows remote attackers to execute arbitrary code. This bug is also known as “Shellshock”.
Greenbone OS is affected by this bug with regard to the DHCP client function. A successful attack is possible if the attacker was able to take over the DHCP server of the internal network or to inject their own DHCP service into the internal network. The attacker can gain root privileges in the process.
Greenbone OS is only affected in this scenario if DHCP has been configured. When a static IP address is used, this attack possibility does not exist.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-31 if DHCP is enabled.
Greenbone OS 3.0.1 up to 3.0.25 if DHCP is enabled.
Resolution
Upgrade at least to Greenbone OS 2.2.0-32 or Greenbone OS 3.0.26.
Temporary workaround: Disable DHCP and use a static IP instead.
References
- CVE-2014-6271
History
2014-09-24: General problem report on Bash received and verified.
2014-09-25: Analysis of the attack vector for Greenbone OS and testing of solutions.
2014-09-26: Solution published as Patch Level for GOS 2.2.0 and GOS 3.0.
GBSA-2013-01: OMP Authentication Bypass
Summary
A software bug in the server module “OpenVAS Manager” allowed attackers to bypass the OMP authentication procedure. The attack vector is remotely available if public OMP is enabled. In case of a successful attack, the attacker gains partial rights to execute OMP commands. The authentication bypass is, however, incomplete and several OMP commands will fail to execute properly.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-19 when public OMP is enabled.
Resolution
Upgrade at least to Greenbone OS 2.2.0-20.
Temporary workaround: Disable public OMP.
References
- CVE-2013-6765
- OpenVAS Security Advisory OVSA20131108
History
2013-11-07: Problem report received and verified.
2013-11-08: Resolution implemented, confirmed and made available.
2013-11-14: Received CVE assignment.
2013-11-15: OpenVAS Security Advisory OVSA20131108 released.
Download this advisory as CVRF.
German / Deutsch
Summary
A software bug in the server module “OpenVAS Manager” made it possible to bypass the OMP authentication procedure. The attack vector can be used remotely if the GSM has “Public OMP” enabled. In case of a successful attack, the attacker gains partial rights to execute OMP commands. This authentication bypass is incomplete, however, so that some OMP commands report an error during execution or run incompletely.
Affected
Greenbone OS 2.2.0-1 up to 2.2.0-19 if “Public OMP” is enabled.
Resolution
Upgrade at least to Greenbone OS 2.2.0-20.
Temporary workaround: Disable Public OMP.
References
- CVE-2013-6765
- OpenVAS Security Advisory OVSA20131108
History
2013-11-07: Problem report received and verified.
2013-11-08: Solution implemented, confirmed and made available; problem and solution published.
2013-11-14: CVE assigned.
2013-11-15: OpenVAS Security Advisory OVSA20131108 released.