TrustKeeper Scan Engine Update - December 12, 2013

It's that time again for another TrustKeeper Scan Engine Update and you didn't even need to put it on your Amazon Wish-list. This release contains mostly Ruby-based vulnerabilities with a couple more Cisco ASA/IOS vulnerabilities for a total of 18 new vulnerability checks.

As always, this release contains improvements to existing tests and their associate evidence to help aid in vulnerability remediation activities.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Cisco

• Cisco ASA Certificate Processing Denial of Service Vulnerability (CSCuh19462) (CVE-2013-3458)
• Cisco ASA Next-Generation Firewall Fragmented Traffic Denial of Service Vulnerability (CSCue88387) (CVE-2013-3382)
• Cisco IOS GET VPN Encryption Policy Bypass Vulnerability (CSCui07698) (CVE-2013-3436)
• OSPF LSA Manipulation Vulnerability in Multiple Cisco Products (cisco-sa-20130801-lsaospf) (CVE-2013-0149)

Nokia

• Nokia IPSO Voyager Readfile.TCL Arbitrary File Read

Ruby

• Ruby Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)
• Ruby Heap Overflow in Floating Point Parsing (CVE-2013-4164)
• Ruby Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
• Ruby Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)

Ruby on Rails

• Ruby on Rails Active Record and JSON SQL Filter Bypass (CVE-2013-0155)
• Ruby on Rails Active Record SQL Injection (CVE-2012-6496)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.