Vulnerabilities > CVE-2007-5191 - Unchecked Return Value vulnerability in multiple products

mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs.

Vulnerable Configurations

Part	Description	Count
Application	Kernel Kernel Util Linux - Kernel Util Linux 2.2 Kernel Util Linux 2.5 Kernel Util Linux 2.7.1 Kernel Util Linux 2.8 Kernel Util Linux 2.9I Kernel Util Linux 2.9V Kernel Util Linux 2.10F Kernel Util Linux 2.10M Kernel Util Linux 2.10S Kernel Util Linux 2.11B Kernel Util Linux 2.11F Kernel Util Linux 2.11M Kernel Util Linux 2.11N Kernel Util Linux 2.11O Kernel Util Linux 2.11Q Kernel Util Linux 2.11R Kernel Util Linux 2.11T Kernel Util Linux 2.11U Kernel Util Linux 2.11V Kernel Util Linux 2.11W Kernel Util Linux 2.11X Kernel Util Linux 2.11Y Kernel Util Linux 2.12 Kernel Util Linux 2.12A Kernel Util Linux 2.12B Kernel Util Linux 2.12D Kernel Util Linux 2.12H Kernel Util Linux 2.12I Kernel Util Linux 2.12J Kernel Util Linux 2.12K Kernel Util Linux 2.12L Kernel Util Linux 2.12M Kernel Util Linux 2.12O Kernel Util Linux 2.12P Kernel Util Linux 2.12Q Kernel Util Linux 2.12R Kernel Util Linux 2.13 Kernel Util Linux 2.13.0.1 Kernel Util Linux 2.13.1 Kernel Util Linux 2.13.1.1	47
Application	Loop-Aes-Utils_Project Loop AES Utils Project Loop AES Utils -	1
OS	Fedoraproject Fedoraproject Fedora 7	1
OS	Canonical Canonical Ubuntu Linux 7.04 Canonical Ubuntu Linux 6.10 Canonical Ubuntu Linux 6.06	3
OS	Debian Debian Debian Linux 3.1	1

Common Weakness Enumeration (CWE)

CWE-252 - Unchecked Return Value

Nessus

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2007-0969.NASL
description	From Red Hat Security Advisory 2007:0969 : Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	67589
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67589
title	Oracle Linux 3 / 4 : util-linux (ELSA-2007-0969)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0969 and # Oracle Linux Security Advisory ELSA-2007-0969 respectively. # include("compat.inc"); if (description) { script_id(67589); script_version("1.7"); script_cvs_date("Date: 2019/10/25 13:36:07"); script_cve_id("CVE-2007-5191"); script_xref(name:"RHSA", value:"2007:0969"); script_name(english:"Oracle Linux 3 / 4 : util-linux (ELSA-2007-0969)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2007:0969 : Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2007-December/000424.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2007-November/000396.html" ); script_set_attribute( attribute:"solution", value:"Update the affected util-linux packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:losetup"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mount"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| !pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(3\|4)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL3", cpu:"i386", reference:"losetup-2.11y-31.24")) flag++; if (rpm_check(release:"EL3", cpu:"x86_64", reference:"losetup-2.11y-31.24")) flag++; if (rpm_check(release:"EL3", cpu:"i386", reference:"mount-2.11y-31.24")) flag++; if (rpm_check(release:"EL3", cpu:"x86_64", reference:"mount-2.11y-31.24")) flag++; if (rpm_check(release:"EL3", cpu:"i386", reference:"util-linux-2.11y-31.24")) flag++; if (rpm_check(release:"EL3", cpu:"x86_64", reference:"util-linux-2.11y-31.24")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"util-linux-2.12a-17.el4_6.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "losetup / mount / util-linux"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2007-2462.NASL
description	- Mon Oct 8 2007 Karel Zak <kzak at redhat.com> 2.13-0.54.1 - fix #320131 - CVE-2007-5191 util-linux (u)mount doesn
last seen	2020-06-01
modified	2020-06-02
plugin id	27773
published	2007-11-06
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27773
title	Fedora 7 : util-linux-2.13-0.54.1.fc7 (2007-2462)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-2462. # include("compat.inc"); if (description) { script_id(27773); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:25"); script_cve_id("CVE-2007-5191"); script_xref(name:"FEDORA", value:"2007-2462"); script_name(english:"Fedora 7 : util-linux-2.13-0.54.1.fc7 (2007-2462)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Mon Oct 8 2007 Karel Zak <kzak at redhat.com> 2.13-0.54.1 - fix #320131 - CVE-2007-5191 util-linux (u)mount doesn't drop privileges properly when calling helpers [F7] - Wed Aug 8 2007 Karel Zak <kzak at redhat.com> 2.13-0.54 - backport mount relatime patch - Thu Aug 2 2007 Karel Zak <kzak at redhat.com> 2.13-0.53 - fix #236848 - mount/fstab.c:lock_mtab() should open with proper permissions - fix #238918 - blockdev --getsize does not work properly on devices with more than 2^31 sectors - Mon Jul 9 2007 Karel Zak <kzak at redhat.com> 2.13-0.52 - fix #245578 - login's PAM configuration inits the keyring at an inconvenient time - fix #231532 - 'pamconsole' not documented in mount(8) - fix #243930 - translation files exist, but are not being used - fix #228731 - sfdisk doesn't support DM-MP device (add default heads and sectors) - fix #231192 - ipcs is not printing correct values on pLinux - fix #245912 - mount doesn't write the 'loop=...' option in /etc/mtab when mounting a loop device - fix #213253 - 'cal -3' generates improperly formatted output Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=320041" ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-October/004114.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1430300c" ); script_set_attribute( attribute:"solution", value:"Update the affected util-linux and / or util-linux-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:util-linux"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:util-linux-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC7", reference:"util-linux-2.13-0.54.1.fc7")) flag++; if (rpm_check(release:"FC7", reference:"util-linux-debuginfo-2.13-0.54.1.fc7")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "util-linux / util-linux-debuginfo"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2007-722.NASL
description	- Mon Oct 8 2007 Karel Zak <kzak at redhat.com> 2.13-0.49 - fix #320141 - CVE-2007-5191 util-linux (u)mount doesn
last seen	2020-06-01
modified	2020-06-02
plugin id	27059
published	2007-10-16
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27059
title	Fedora Core 6 : util-linux-2.13-0.49.fc6 (2007-722)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-722. # include("compat.inc"); if (description) { script_id(27059); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:26"); script_xref(name:"FEDORA", value:"2007-722"); script_name(english:"Fedora Core 6 : util-linux-2.13-0.49.fc6 (2007-722)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Mon Oct 8 2007 Karel Zak <kzak at redhat.com> 2.13-0.49 - fix #320141 - CVE-2007-5191 util-linux (u)mount doesn't drop privileges properly when calling helpers [FC6] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-October/004186.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4e279a29" ); script_set_attribute( attribute:"solution", value:"Update the affected util-linux and / or util-linux-debuginfo packages." ); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:util-linux"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:util-linux-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^6([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC6", reference:"util-linux-2.13-0.49.fc6")) flag++; if (rpm_check(release:"FC6", reference:"util-linux-debuginfo-2.13-0.49.fc6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "util-linux / util-linux-debuginfo"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2007-0969.NASL
description	Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	28242
published	2007-11-16
reporter	This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/28242
title	RHEL 3 / 4 / 5 : util-linux (RHSA-2007:0969)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0969. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(28242); script_version ("1.24"); script_cvs_date("Date: 2019/10/25 13:36:12"); script_cve_id("CVE-2007-5191"); script_xref(name:"RHSA", value:"2007:0969"); script_name(english:"RHEL 3 / 4 / 5 : util-linux (RHSA-2007:0969)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-5191" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2007:0969" ); script_set_attribute( attribute:"solution", value:"Update the affected losetup, mount and / or util-linux packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:losetup"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mount"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(3\|4\|5)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x / 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2007:0969"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"losetup-2.11y-31.24")) flag++; if (rpm_check(release:"RHEL3", reference:"mount-2.11y-31.24")) flag++; if (rpm_check(release:"RHEL3", reference:"util-linux-2.11y-31.24")) flag++; if (rpm_check(release:"RHEL4", reference:"util-linux-2.12a-17.el4_6.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"util-linux-2.13-0.45.el5_1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"util-linux-2.13-0.45.el5_1.1")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"util-linux-2.13-0.45.el5_1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "losetup / mount / util-linux"); } }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1449.NASL
description	It was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, didn
last seen	2020-06-01
modified	2020-06-02
plugin id	29858
published	2008-01-07
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29858
title	Debian DSA-1449-1 : loop-aes-utils - programming error
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1449. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(29858); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2007-5191"); script_xref(name:"DSA", value:"1449"); script_name(english:"Debian DSA-1449-1 : loop-aes-utils - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that loop-aes-utils, tools for mounting and manipulating filesystems, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1449" ); script_set_attribute( attribute:"solution", value: "Upgrade the loop-aes-utils package. For the old stable distribution (sarge), this problem has been fixed in version 2.12p-4sarge2. For the stable distribution (etch), this problem has been fixed in version 2.12r-15+etch1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:loop-aes-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"loop-aes-utils", reference:"2.12p-4sarge2")) flag++; if (deb_check(release:"4.0", prefix:"loop-aes-utils", reference:"2.12r-15+etch1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200710-18.NASL
description	The remote host is affected by the vulnerability described in GLSA-200710-18 (util-linux: Local privilege escalation) Ludwig Nussel discovered that the check_special_mountprog() and check_special_umountprog() functions call setuid() and setgid() in the wrong order and do not check the return values, which can lead to privileges being dropped improperly. Impact : A local attacker may be able to exploit this vulnerability by using mount helpers such as the mount.nfs program to gain root privileges and run arbitrary commands. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	27516
published	2007-10-19
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27516
title	GLSA-200710-18 : util-linux: Local privilege escalation
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200710-18. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(27516); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2007-5191"); script_xref(name:"GLSA", value:"200710-18"); script_name(english:"GLSA-200710-18 : util-linux: Local privilege escalation"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200710-18 (util-linux: Local privilege escalation) Ludwig Nussel discovered that the check_special_mountprog() and check_special_umountprog() functions call setuid() and setgid() in the wrong order and do not check the return values, which can lead to privileges being dropped improperly. Impact : A local attacker may be able to exploit this vulnerability by using mount helpers such as the mount.nfs program to gain root privileges and run arbitrary commands. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200710-18" ); script_set_attribute( attribute:"solution", value: "All util-linux users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sys-apps/util-linux-2.12r-r8'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"sys-apps/util-linux", unaffected:make_list("ge 2.12r-r8"), vulnerable:make_list("lt 2.12r-r8"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "util-linux"); }

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2007-198.NASL
description	The mount and umount programs in util-linux called the setuid() and setgid() functions in the wrong order and did not check the return values, which could allow attackers to grain privileges via helper applications such as mount.nfs. Updated packages have been patched to fix this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	27071
published	2007-10-17
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27071
title	Mandrake Linux Security Advisory : util-linux (MDKSA-2007:198)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2007:198. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(27071); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:49"); script_cve_id("CVE-2007-5191"); script_xref(name:"MDKSA", value:"2007:198"); script_name(english:"Mandrake Linux Security Advisory : util-linux (MDKSA-2007:198)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The mount and umount programs in util-linux called the setuid() and setgid() functions in the wrong order and did not check the return values, which could allow attackers to grain privileges via helper applications such as mount.nfs. Updated packages have been patched to fix this issue." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:losetup"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mount"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:util-linux"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:util-linux-ng"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64\|i[3-6]86\|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.0", reference:"losetup-2.12r-8.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"mount-2.12r-8.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"util-linux-2.12r-8.3mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"losetup-2.12r-12.2mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"mount-2.12r-12.2mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", reference:"util-linux-2.12r-12.2mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"util-linux-ng-2.13-3.1mdv2008.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-533-1.NASL
description	Ludwig Nussel discovered that mount and umount did not properly drop privileges when using helper programs. Local attackers may be able to bypass security restrictions and gain root privileges using programs such as mount.nfs or mount.cifs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	28139
published	2007-11-10
reporter	Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/28139
title	Ubuntu 6.06 LTS / 6.10 / 7.04 : util-linux vulnerability (USN-533-1)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-533-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(28139); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2007-5191"); script_xref(name:"USN", value:"533-1"); script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 : util-linux vulnerability (USN-533-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Ludwig Nussel discovered that mount and umount did not properly drop privileges when using helper programs. Local attackers may be able to bypass security restrictions and gain root privileges using programs such as mount.nfs or mount.cifs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/533-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bsdutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mount"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:util-linux"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:util-linux-locales"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(6\.06\|6\.10\|7\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"bsdutils", pkgver:"2.12r-4ubuntu6.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"mount", pkgver:"2.12r-4ubuntu6.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"util-linux", pkgver:"2.12r-4ubuntu6.1")) flag++; if (ubuntu_check(osver:"6.06", pkgname:"util-linux-locales", pkgver:"2.12r-4ubuntu6.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"bsdutils", pkgver:"2.12r-11ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"mount", pkgver:"2.12r-11ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"util-linux", pkgver:"2.12r-11ubuntu2.1")) flag++; if (ubuntu_check(osver:"6.10", pkgname:"util-linux-locales", pkgver:"2.12r-11ubuntu2.1")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"bsdutils", pkgver:"2.12r-17ubuntu2.1")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"mount", pkgver:"2.12r-17ubuntu2.1")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"util-linux", pkgver:"2.12r-17ubuntu2.1")) flag++; if (ubuntu_check(osver:"7.04", pkgname:"util-linux-locales", pkgver:"2.12r-17ubuntu2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bsdutils / mount / util-linux / util-linux-locales"); }

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20071115_UTIL_LINUX_ON_SL5_X.NASL
description	A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191)
last seen	2020-06-01
modified	2020-06-02
plugin id	60311
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60311
title	Scientific Linux Security Update : util-linux on SL5.x, SL4.x, SL3.x i386/x86_64
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60311); script_version("1.4"); script_cvs_date("Date: 2019/10/25 13:36:17"); script_cve_id("CVE-2007-5191"); script_name(english:"Scientific Linux Security Update : util-linux on SL5.x, SL4.x, SL3.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0711&L=scientific-linux-errata&T=0&P=3126 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?34adae88" ); script_set_attribute( attribute:"solution", value:"Update the affected losetup, mount and / or util-linux packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL3", reference:"losetup-2.11y-31.24")) flag++; if (rpm_check(release:"SL3", reference:"mount-2.11y-31.24")) flag++; if (rpm_check(release:"SL3", reference:"util-linux-2.11y-31.24")) flag++; if (rpm_check(release:"SL4", reference:"util-linux-2.12a-17.1")) flag++; if (rpm_check(release:"SL5", reference:"util-linux-2.13-0.45.el5.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1450.NASL
description	It was discovered that util-linux, miscellaneous system utilities, didn
last seen	2020-06-01
modified	2020-06-02
plugin id	29859
published	2008-01-07
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29859
title	Debian DSA-1450-1 : util-linux - programming error
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1450. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(29859); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2007-5191"); script_xref(name:"DSA", value:"1450"); script_name(english:"Debian DSA-1450-1 : util-linux - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that util-linux, miscellaneous system utilities, didn't drop privileged user and group permissions in the correct order in the mount and umount commands. This could potentially allow a local user to gain additional privileges." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1450" ); script_set_attribute( attribute:"solution", value: "Upgrade the util-linux package. For the old stable distribution (sarge), this problem has been fixed in version 2.12p-4sarge2. For the stable distribution (etch), this problem has been fixed in version 2.12r-19etch1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"bsdutils", reference:"2.12p-4sarge2")) flag++; if (deb_check(release:"3.1", prefix:"mount", reference:"2.12p-4sarge2")) flag++; if (deb_check(release:"3.1", prefix:"util-linux", reference:"2.12p-4sarge2")) flag++; if (deb_check(release:"3.1", prefix:"util-linux-locales", reference:"2.12p-4sarge2")) flag++; if (deb_check(release:"4.0", prefix:"bsdutils", reference:"2.12r-19etch1")) flag++; if (deb_check(release:"4.0", prefix:"mount", reference:"2.12r-19etch1")) flag++; if (deb_check(release:"4.0", prefix:"util-linux", reference:"2.12r-19etch1")) flag++; if (deb_check(release:"4.0", prefix:"util-linux-locales", reference:"2.12r-19etch1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	VMware ESX Local Security Checks
NASL id	VMWARE_VMSA-2008-0001.NASL
description	I Service Console package security updates a. OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. b. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. c. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. d. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. e. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	40372
published	2009-07-27
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/40372
title	VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2008-0001. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(40372); script_version("1.29"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id("CVE-2007-3108", "CVE-2007-4572", "CVE-2007-5116", "CVE-2007-5135", "CVE-2007-5191", "CVE-2007-5360", "CVE-2007-5398"); script_bugtraq_id(21663, 25163, 25831, 26350, 26454, 26455, 26701, 27497, 27686, 29003, 29076, 29404); script_xref(name:"VMSA", value:"2008-0001"); script_name(english:"VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "I Service Console package security updates a. OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. b. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. c. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. d. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. e. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2008/000004.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119, 189, 264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2008-01-07"); flag = 0; if (esx_check(ver:"ESX 2.5.5", patch:"14")) flag++; if (esx_check(ver:"ESX 2.5.5", patch:"3")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1002962")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1002963")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1002964")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1002968")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1002972")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1003176")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1002969")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1002970")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1002971")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1002975")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1002976")) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200712402-SG", patch_updates : make_list("ESX350-201008410-SG", "ESX350-201012408-SG", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200712403-SG", patch_updates : make_list("ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200712404-SG", patch_updates : make_list("ESX350-201008412-SG", "ESX350-Update05a") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2007-0969.NASL
description	Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	36400
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/36400
title	CentOS 3 / 4 : util-linux (CESA-2007:0969)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0969 and # CentOS Errata and Security Advisory 2007:0969 respectively. # include("compat.inc"); if (description) { script_id(36400); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2007-5191"); script_xref(name:"RHSA", value:"2007:0969"); script_name(english:"CentOS 3 / 4 : util-linux (CESA-2007:0969)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated util-linux packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. A flaw was discovered in the way that the mount and umount utilities used the setuid and setgid functions, which could lead to privileges being dropped improperly. A local user could use this flaw to run mount helper applications such as, mount.nfs, with additional privileges (CVE-2007-5191). Users are advised to update to these erratum packages which contain a backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2007-November/014434.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a5e7afbf" ); # https://lists.centos.org/pipermail/centos-announce/2007-November/014435.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?64290772" ); # https://lists.centos.org/pipermail/centos-announce/2007-November/014436.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e7964e5a" ); # https://lists.centos.org/pipermail/centos-announce/2007-November/014445.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?72566657" ); script_set_attribute( attribute:"solution", value:"Update the affected util-linux packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:losetup"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mount"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(3\|4)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"losetup-2.11y-31.24")) flag++; if (rpm_check(release:"CentOS-3", reference:"mount-2.11y-31.24")) flag++; if (rpm_check(release:"CentOS-3", reference:"util-linux-2.11y-31.24")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"util-linux-2.12a-17.c4.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "losetup / mount / util-linux"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_UTIL-LINUX-4552.NASL
description	Insufficient length checks when reading the passphrase for encrypted paritions in the mount program could cause a buffer overflow that could potentially be exploited to gain root privileges. When executing helper program
last seen	2020-06-01
modified	2020-06-02
plugin id	27514
published	2007-10-18
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27514
title	openSUSE 10 Security Update : util-linux (util-linux-4552)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update util-linux-4552. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27514); script_version ("1.11"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-5191"); script_name(english:"openSUSE 10 Security Update : util-linux (util-linux-4552)"); script_summary(english:"Check for the util-linux-4552 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Insufficient length checks when reading the passphrase for encrypted paritions in the mount program could cause a buffer overflow that could potentially be exploited to gain root privileges. When executing helper program 'mount' didn't check the return value of setuid(). Therefore helper program could potenially run as root (CVE-2007-5191)." ); script_set_attribute( attribute:"solution", value:"Update the affected util-linux package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:util-linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"util-linux-2.12r+2.13rc2+git20070725-24.2") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "util-linux"); }

Oval

accepted

2013-04-29T04:01:38.804-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10101

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	320041
title	CVE-2007-5191 util-linux (u)mount doesn't drop privileges properly when calling helpers

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025
comment util-linux is earlier than 0:2.12a-17.el4_6.1
oval oval:com.redhat.rhsa:tst:20070969001
comment util-linux is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20070235002

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005
comment util-linux is earlier than 0:2.13-0.45.el5_1.1
oval oval:com.redhat.rhsa:tst:20070969004
comment util-linux is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhba:tst:20090070002

rhsa

id	RHSA-2007:0969
released	2007-11-15
severity	Moderate
title	RHSA-2007:0969: util-linux security update (Moderate)

rpms

losetup-0:2.11y-31.24
mount-0:2.11y-31.24
util-linux-0:2.11y-31.24
util-linux-0:2.12a-17.el4_6.1
util-linux-0:2.13-0.45.el5_1.1
util-linux-debuginfo-0:2.11y-31.24
util-linux-debuginfo-0:2.12a-17.el4_6.1
util-linux-debuginfo-0:2.13-0.45.el5_1.1

Statements

contributor	Mark J Cox
lastmodified	2009-06-01
organization	Red Hat
statement	Updates are available to address this issue: https://rhn.redhat.com/errata/RHSA-2007-0969.html

Summary