TrustKeeper Scan Engine Update – August 27, 2014

Summary

The latest update to the TrustKeeper Scan Engine is now available. This week's highlights include coverage for 16 new vulnerabilities and added protocol fingerprinting support for GeoVision Remote Playback Log and WebCam Command.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Drupal

• Drupal Large Number of XML Elements Denial of Service (CVE-2014-5266)
• Drupal XML Large Nested Entities DoS (CVE-2014-5265)

FreeBSD

• FreeBSD nullfs Filesystem Access Restriction Bypass (FreeBSD-SA-13:13.nullfs) (CVE-2013-5710)

OpenSSL

• OpenSSL DTLS Double Free Denial of Service (CVE-2014-3505)
• OpenSSL DTLS Handshake Anonymous CypherSuite Denial of Service (CVE-2014-3510)
• OpenSSL DTLS Handshake Large Length Denial of Service (CVE-2014-3506)
• OpenSSL Elliptic Curve Point Format Client Denial of Service (CVE-2014-3509)
• OpenSSL Pretty Print Null Byte Information Disclosure (CVE-2014-3508)
• OpenSSL SRP Ciphersuite Client Denial of Service (CVE-2014-5139)
• OpenSSL SRP Library Denial of Service (CVE-2014-3512)
• OpenSSL Zero Length DTLS Fragment Denial of Service (CVE-2014-3507)

PHP

• PHP DNS Record Parser Denial of Service (CVE-2014-3597)
• PHP Fileinfo Component Denial of Service (CVE-2014-3587)
• PHP GD Library Null Byte Injection Vulnerability (CVE-2014-5120)

WordPress

• WordPress Large Number of XML Elements Denial of Service (CVE-2014-5266)
• WordPress XML Large Nested Entities DoS (CVE-2014-5265)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.