[Openvas-announce] Security Releases for OpenVAS-5 and OpenVAS-6

Michael Wiegand michael.wiegand at greenbone.net
Fri Nov 8 16:48:36 CET 2013


Hello,

The OpenVAS developers have just released a number of important security
releases for the Open Vulnerability Assessment System release series 5
and 6 (OpenVAS-5 and OpenVAS-6).

The releases are:
- OpenVAS Manager 4.0.4
- OpenVAS Manager 3.0.7
- OpenVAS Administrator 1.3.2
- OpenVAS Administrator 1.2.2

We highly recommend to update your OpenVAS installation to the
versions listed above immediately.

For OpenVAS Manager, this is a security release addressing a serious
security bug and it is highly recommended to update any installation of
OpenVAS Manager 3.0 and 4.0 with the corresponding release.

A software bug in OpenVAS Manager allowed an attacker to bypass the OMP
authentication procedure. The attack vector was remotely available in
case OpenVAS Manager was listening on a public network interface. In
case of successful attack, the attacker gained partial rights to execute
OMP commands.  The bypass authentication was, however, incomplete and
several OMP commands failed to execute properly.

For OpenVAS Administrator, this is a security release addressing a very
serious security bug and it is highly recommended to update any
installation of OpenVAS Administrator 1.2 and 1.3 with the corresponding
release.

A software bug in OpenVAS Administrator allowed an attacker to bypass
the OAP authentication procedure. The attack vector was remotely
available in case OpenVAS Administrator was listening on a public
network interface. In case of successful attack, the attacker was able
to create and modify users and could use the gained privileges to take
control over an OpenVAS installation if the Scanner and/or Manager
instances controlled by this Administrator instance were also listening
on public network interfaces.

The source tarballs for the releases along with checksums and signatures
are available for download from the OpenVAS website at
http://www.openvas.org/.

Regards,


Michael Wiegand

-- 
Michael Wiegand |  Greenbone Networks GmbH  |  http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner



More information about the Openvas-announce mailing list