Vulnerabilities > CVE-2003-0777 - Remote vulnerability in Multiple Sane Package
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
saned in sane-backends 1.0.7 and earlier, when debug messages are enabled, does not properly handle dropped connections, which can prevent strings from being null terminated and cause a denial of service (segmentation fault).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 13 |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SA_2003_046.NASL description The remote host is missing the patch for the advisory SuSE-SA:2003:046 (sane). The sane (Scanner Access Now Easy) package provides access to scanners either locally or remotely over the network. Several bugs in sane were fixed to avoid remote denial-of-service attacks. These attacks can even be executed if the remote attacker is not allowed to access the sane server by not listing the attackers IP in the file sane.conf. Per default saned only accepts local requests. As a temporary workaround saned can be started via xinetd or inetd in conjunction with tcpwrapper to restrict remote access. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command last seen 2020-06-01 modified 2020-06-02 plugin id 13814 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13814 title SuSE-SA:2003:046: sane code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SuSE-SA:2003:046 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(13814); script_version ("1.12"); script_cve_id("CVE-2003-0773", "CVE-2003-0774", "CVE-2003-0775", "CVE-2003-0776", "CVE-2003-0777", "CVE-2003-0778"); name["english"] = "SuSE-SA:2003:046: sane"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SuSE-SA:2003:046 (sane). The sane (Scanner Access Now Easy) package provides access to scanners either locally or remotely over the network. Several bugs in sane were fixed to avoid remote denial-of-service attacks. These attacks can even be executed if the remote attacker is not allowed to access the sane server by not listing the attackers IP in the file sane.conf. Per default saned only accepts local requests. As a temporary workaround saned can be started via xinetd or inetd in conjunction with tcpwrapper to restrict remote access. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update." ); script_set_attribute(attribute:"solution", value: "http://www.suse.de/security/2003_046_sane.html" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25"); script_cvs_date("Date: 2019/10/25 13:36:27"); script_end_attributes(); summary["english"] = "Check for the version of the sane package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"sane-1.0.5-295", release:"SUSE7.3") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"sane-1.0.7-217", release:"SUSE8.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"sane-1.0.8-143", release:"SUSE8.1") ) { security_hole(0); exit(0); } if (rpm_exists(rpm:"sane-", release:"SUSE7.3") || rpm_exists(rpm:"sane-", release:"SUSE8.0") || rpm_exists(rpm:"sane-", release:"SUSE8.1") ) { set_kb_item(name:"CVE-2003-0773", value:TRUE); set_kb_item(name:"CVE-2003-0774", value:TRUE); set_kb_item(name:"CVE-2003-0775", value:TRUE); set_kb_item(name:"CVE-2003-0776", value:TRUE); set_kb_item(name:"CVE-2003-0777", value:TRUE); set_kb_item(name:"CVE-2003-0778", value:TRUE); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-379.NASL description Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 15216 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15216 title Debian DSA-379-1 : sane-backends - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-379. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15216); script_version("1.21"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0773", "CVE-2003-0774", "CVE-2003-0775", "CVE-2003-0776", "CVE-2003-0777", "CVE-2003-0778"); script_bugtraq_id(8593, 8594, 8595, 8596, 8597, 8600); script_xref(name:"DSA", value:"379"); script_name(english:"Debian DSA-379-1 : sane-backends - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf. You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try 'telnet localhost 6566' on the server that may run saned. If you get 'connection refused' saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2003-0773 : saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf). - CAN-2003-0774 : saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory 'after' the wire buffer is read which will be followed by a segmentation fault. - CAN-2003-0775 : If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel. - CAN-2003-0776 : saned doesn't check the validity of the RPC numbers it gets before getting the parameters. - CAN-2003-0777 : If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur. - CAN-2003-0778 : It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this cannot easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit)." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-379" ); script_set_attribute( attribute:"solution", value: "Upgrade the libsane packages. For the stable distribution (woody) this problem has been fixed in version 1.0.7-4." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:sane-backends"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/09/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libsane", reference:"1.0.7-4")) flag++; if (deb_check(release:"3.0", prefix:"libsane-dev", reference:"1.0.7-4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-099.NASL description Several vulnerabilities were discovered in the saned daemon, a part of the sane package, which allows for a scanner to be used remotely. The IP address of the remote host is only checked after the first communication occurs, which causes the saned.conf restrictions to be ignored for the first connection. As well, a connection that is dropped early can cause Denial of Service issues due to a number of differing factors. Finally, a lack of error checking can cause various other unfavourable actions. The provided packages have been patched to correct the issues. sane, as distributed in Mandrake Linux 9.1 and higher, have versions where the fixes were applied upstream. last seen 2020-06-01 modified 2020-06-02 plugin id 14081 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14081 title Mandrake Linux Security Advisory : sane (MDKSA-2003:099) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:099. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14081); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2003-0773", "CVE-2003-0774", "CVE-2003-0775", "CVE-2003-0776", "CVE-2003-0777", "CVE-2003-0778"); script_xref(name:"MDKSA", value:"2003:099"); script_name(english:"Mandrake Linux Security Advisory : sane (MDKSA-2003:099)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in the saned daemon, a part of the sane package, which allows for a scanner to be used remotely. The IP address of the remote host is only checked after the first communication occurs, which causes the saned.conf restrictions to be ignored for the first connection. As well, a connection that is dropped early can cause Denial of Service issues due to a number of differing factors. Finally, a lack of error checking can cause various other unfavourable actions. The provided packages have been patched to correct the issues. sane, as distributed in Mandrake Linux 9.1 and higher, have versions where the fixes were applied upstream." ); script_set_attribute( attribute:"solution", value: "Update the affected libsane1, libsane1-devel and / or sane-backends packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsane1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsane1-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sane-backends"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/10/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libsane1-1.0.9-3.3.90mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libsane1-devel-1.0.9-3.3.90mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sane-backends-1.0.9-3.3.90mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-285.NASL description Updated SANE packages that resolve a number of vulnerabilities with the saned daemon are now available. SANE is a package for using document scanners. Sane includes a daemon program (called saned) that enables a single machine connected to a scanner to be used remotely. This program contains several vulnerabilities. NOTE: Although the SANE packages include this program, it is not used by default under Red Hat Enterprise Linux. The IP address of the remote host is only checked after the first communication occurs, causing saned.conf restrictions to be ineffective for the first communication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0773 to this issue. A connection that is dropped early causes one of several problems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0774, CVE-2003-0775, and CVE-2003-0777 to these issues. Lack of error checking can cause various other unfavorable consequences. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0776 and CVE-2003-0778 to these issues. Users of SANE (particularly those that use saned for remote scanner access) should upgrade to these errata packages, which contain a backported security patch to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 12423 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12423 title RHEL 2.1 : sane-backends (RHSA-2003:285) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:285. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12423); script_version ("1.26"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0773", "CVE-2003-0774", "CVE-2003-0775", "CVE-2003-0776", "CVE-2003-0777", "CVE-2003-0778"); script_xref(name:"RHSA", value:"2003:285"); script_name(english:"RHEL 2.1 : sane-backends (RHSA-2003:285)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated SANE packages that resolve a number of vulnerabilities with the saned daemon are now available. SANE is a package for using document scanners. Sane includes a daemon program (called saned) that enables a single machine connected to a scanner to be used remotely. This program contains several vulnerabilities. NOTE: Although the SANE packages include this program, it is not used by default under Red Hat Enterprise Linux. The IP address of the remote host is only checked after the first communication occurs, causing saned.conf restrictions to be ineffective for the first communication. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0773 to this issue. A connection that is dropped early causes one of several problems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0774, CVE-2003-0775, and CVE-2003-0777 to these issues. Lack of error checking can cause various other unfavorable consequences. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0776 and CVE-2003-0778 to these issues. Users of SANE (particularly those that use saned for remote scanner access) should upgrade to these errata packages, which contain a backported security patch to resolve these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0773" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0774" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0775" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0776" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0777" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0778" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:285" ); script_set_attribute( attribute:"solution", value: "Update the affected sane-backends and / or sane-backends-devel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sane-backends"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sane-backends-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/22"); script_set_attribute(attribute:"patch_publication_date", value:"2003/10/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:285"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sane-backends-1.0.5-4.3")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sane-backends-devel-1.0.5-4.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sane-backends / sane-backends-devel"); } }
Redhat
| advisories |
|
References
- ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-005.0/CSSA-2004-005.0.txt
- http://www.debian.org/security/2003/dsa-379
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:099
- http://www.novell.com/linux/security/advisories/2003_046_sane.html
- http://www.redhat.com/support/errata/RHSA-2003-278.html
- http://www.redhat.com/support/errata/RHSA-2003-285.html
- http://www.securityfocus.com/bid/8593
- http://www.securityfocus.com/bid/8597