DebianDLA-1875-1: FusionDirectoryのセキュリティ更新プログラム

critical Nessus プラグイン ID 127484

Language:

概要

リモートのDebianホストにセキュリティ更新プログラムがありません。

説明

PHPに書き込まれたLDAP Webフロントエンド (当初はGOsa²から派生 2.6.x）であるFusionDirectoryでは、理論的にFusionDirectoryで管理されているLDAPデータベースへの認証されていないアクセスが、発生する可能性のある脆弱性が見つかりました。LDAPクエリの結果のステータス（「成功」）チェックが十分に厳密ではありませんでした。ログイン接続の試行中に返されたデータのどこかに「Success」という単語を含む結果として得られる出力が、「LDAP success」をFusionDirectoryに返し、不要なアクセス権を付与する可能性がありました。

Debian 8「Jessie」では、この問題はバージョン1.0.8.2-5+deb8u2で修正されています。

お使いのfusiondirectoryパッケージをアップグレードすることを推奨します。

注: Tenable Network Securityは、前述の記述ブロックをDLAセキュリティアドバイザリから直接抽出しています。Tenableでは、新たな問題を持ち込まずに、できる限り自動的に整理して書式設定するようにしています。

ソリューション

影響を受けるパッケージをアップグレードしてください。

参考資料

https://lists.debian.org/debian-lts-announce/2019/08/msg00008.html

https://packages.debian.org/source/jessie/fusiondirectory

プラグインの詳細

深刻度: Critical

ID: 127484

ファイル名: debian_DLA-1875.nasl

バージョン: 1.6

タイプ: local

エージェント: unix

ファミリー: Debian Local Security Checks

公開日: 2019/8/12

更新日: 2024/5/7

サポートされているセンサー: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

リスク情報

VPR

リスクファクター: Medium

スコア: 5.9

CVSS v2

リスクファクター: High

基本値: 7.5

現状値: 5.5

ベクトル: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS スコアのソース: CVE-2019-11187

CVSS v3

リスクファクター: Critical

基本値: 9.8

現状値: 8.5

ベクトル: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

現状ベクトル: CVSS:3.0/E:U/RL:O/RC:C

脆弱性情報

CPE: p-cpe:/a:debian:debian_linux:fusiondirectory, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-addressbook, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-alias, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-alias-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-apache2, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-apache2-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-argonaut, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-argonaut-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-asterisk, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-asterisk-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-autofs, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-autofs-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-cyrus, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-cyrus-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dashboard, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dashboard-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-uw-imap, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-weblink, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-weblink-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-webservice, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-webservice-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-smarty3-acl-render, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-database-connector, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-debconf, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-debconf-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-desktop-management, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-desktop-management-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-developers, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dhcp, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dhcp-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dns, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dns-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dovecot, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dovecot-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dsa, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-dsa-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fai, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fai-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fax, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fax-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-freeradius, p-cpe:/a:debian:debian_linux:fusiondirectory-theme-oxygen, p-cpe:/a:debian:debian_linux:fusiondirectory-webservice-shell, cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-freeradius-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fusioninventory, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-fusioninventory-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-game, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-gpg, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-gpg-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ipmi, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ipmi-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-kolab, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-kolab-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ldapdump, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ldapmanager, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-mail, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-mail-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-nagios, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-nagios-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-netgroups, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-netgroups-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-openstack-compute, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-openstack-compute-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-opsi, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-opsi-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-puppet, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-puppet-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-pureftpd, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-pureftpd-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-quota, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-quota-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-repository, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-repository-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-rsyslog, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-samba, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-samba-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sogo, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sogo-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-squid, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-squid-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ssh, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-ssh-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sudo, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sudo-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-supann, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-supann-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sympa, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-sympa-schema, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-systems, p-cpe:/a:debian:debian_linux:fusiondirectory-plugin-systems-schema

必要な KB アイテム: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

エクスプロイトの容易さ: No known exploits are available

パッチ公開日: 2019/8/10

脆弱性公開日: 2019/8/15

参照情報

CVE: CVE-2019-11187