Vulnerabilities > CVE-2010-0015 - Credentials Management vulnerability in GNU Glibc 2.10.2/2.7

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
gnu
CWE-255
nessus

Summary

nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.

Vulnerable Configurations

Part Description Count
Application
Gnu
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-112.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id48185
    published2010-07-30
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/48185
    titleMandriva Linux Security Advisory : glibc (MDVSA-2010:112)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:112. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(48185);
      script_version("1.11");
      script_cvs_date("Date: 2019/08/02 13:32:53");
    
      script_cve_id("CVE-2009-4880", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
      script_bugtraq_id(36443, 37885, 40063);
      script_xref(name:"MDVSA", value:"2010:112");
    
      script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:112)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities was discovered and fixed in glibc :
    
    Multiple integer overflows in the strfmon implementation in the GNU C
    Library (aka glibc or libc6) 2.10.1 and earlier allow
    context-dependent attackers to cause a denial of service (memory
    consumption or application crash) via a crafted format string, as
    demonstrated by a crafted first argument to the money_format function
    in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).
    
    nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
    and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
    passwd.adjunct.byname map to entries in the passwd map, which allows
    remote attackers to obtain the encrypted passwords of NIS accounts by
    calling the getpwnam function (CVE-2010-0015).
    
    The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
    glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
    mount.cifs, does not properly handle newline characters in mountpoint
    names, which allows local users to cause a denial of service (mtab
    corruption), or possibly modify mount options and gain privileges, via
    a crafted mount request (CVE-2010-0296).
    
    Integer signedness error in the elf_get_dynamic_info function in
    elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
    2.0.1 through 2.11.1, when the --verify option is used, allows
    user-assisted remote attackers to execute arbitrary code via a crafted
    ELF program with a negative value for a certain d_tag structure member
    in the ELF header (CVE-2010-0830).
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-devel-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-pdf-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-i18ndata-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-profile-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-static-devel-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-utils-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"nscd-2.10.1-6.5mnb2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1396-1.NASL
    descriptionIt was discovered that the GNU C Library did not properly handle integer overflows in the timezone handling code. An attacker could use this to possibly execute arbitrary code by convincing an application to load a maliciously constructed tzfile. (CVE-2009-5029) It was discovered that the GNU C Library did not properly handle passwd.adjunct.byname map entries in the Network Information Service (NIS) code in the name service caching daemon (nscd). An attacker could use this to obtain the encrypted passwords of NIS accounts. This issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015) Chris Evans reported that the GNU C Library did not properly calculate the amount of memory to allocate in the fnmatch() code. An attacker could use this to cause a denial of service or possibly execute arbitrary code via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1071) Tomas Hoger reported that an additional integer overflow was possible in the GNU C Library fnmatch() code. An attacker could use this to cause a denial of service via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1659) Dan Rosenberg discovered that the addmntent() function in the GNU C Library did not report an error status for failed attempts to write to the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab, possibly causing a denial of service or otherwise manipulate mount options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089) Harald van Dijk discovered that the locale program included with the GNU C library did not properly quote its output. This could allow a local attacker to possibly execute arbitrary code using a crafted localization string that was evaluated in a shell script. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1095) It was discovered that the GNU C library loader expanded the $ORIGIN dynamic string token when RPATH is composed entirely of this token. This could allow an attacker to gain privilege via a setuid program that had this RPATH value. (CVE-2011-1658) It was discovered that the GNU C library implementation of memcpy optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3) contained a possible integer overflow. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702) John Zimmerman discovered that the Remote Procedure Call (RPC) implementation in the GNU C Library did not properly handle large numbers of connections. This could allow a remote attacker to cause a denial of service. (CVE-2011-4609) It was discovered that the GNU C Library vfprintf() implementation contained a possible integer overflow in the format string protection code offered by FORTIFY_SOURCE. An attacker could use this flaw in conjunction with a format string vulnerability to bypass the format string protection and possibly execute arbitrary code. (CVE-2012-0864). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id58318
    published2012-03-12
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58318
    titleUbuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : eglibc, glibc vulnerabilities (USN-1396-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1396-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58318);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/19 12:54:27");
    
      script_cve_id("CVE-2009-5029", "CVE-2010-0015", "CVE-2011-1071", "CVE-2011-1089", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659", "CVE-2011-2702", "CVE-2011-4609", "CVE-2012-0864");
      script_bugtraq_id(37885, 46563, 46740, 47370, 50898, 51439, 52201);
      script_xref(name:"USN", value:"1396-1");
    
      script_name(english:"Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : eglibc, glibc vulnerabilities (USN-1396-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the GNU C Library did not properly handle
    integer overflows in the timezone handling code. An attacker could use
    this to possibly execute arbitrary code by convincing an application
    to load a maliciously constructed tzfile. (CVE-2009-5029)
    
    It was discovered that the GNU C Library did not properly handle
    passwd.adjunct.byname map entries in the Network Information Service
    (NIS) code in the name service caching daemon (nscd). An attacker
    could use this to obtain the encrypted passwords of NIS accounts. This
    issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015)
    
    Chris Evans reported that the GNU C Library did not properly calculate
    the amount of memory to allocate in the fnmatch() code. An attacker
    could use this to cause a denial of service or possibly execute
    arbitrary code via a maliciously crafted UTF-8 string. This issue only
    affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10.
    (CVE-2011-1071)
    
    Tomas Hoger reported that an additional integer overflow was possible
    in the GNU C Library fnmatch() code. An attacker could use this to
    cause a denial of service via a maliciously crafted UTF-8 string. This
    issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10
    and Ubuntu 11.04. (CVE-2011-1659)
    
    Dan Rosenberg discovered that the addmntent() function in the GNU C
    Library did not report an error status for failed attempts to write to
    the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab,
    possibly causing a denial of service or otherwise manipulate mount
    options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS,
    Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089)
    
    Harald van Dijk discovered that the locale program included with the
    GNU C library did not properly quote its output. This could allow a
    local attacker to possibly execute arbitrary code using a crafted
    localization string that was evaluated in a shell script. This issue
    only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10.
    (CVE-2011-1095)
    
    It was discovered that the GNU C library loader expanded the $ORIGIN
    dynamic string token when RPATH is composed entirely of this token.
    This could allow an attacker to gain privilege via a setuid program
    that had this RPATH value. (CVE-2011-1658)
    
    It was discovered that the GNU C library implementation of memcpy
    optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3)
    contained a possible integer overflow. An attacker could use this to
    cause a denial of service or possibly execute arbitrary code. This
    issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702)
    
    John Zimmerman discovered that the Remote Procedure Call (RPC)
    implementation in the GNU C Library did not properly handle large
    numbers of connections. This could allow a remote attacker to cause a
    denial of service. (CVE-2011-4609)
    
    It was discovered that the GNU C Library vfprintf() implementation
    contained a possible integer overflow in the format string protection
    code offered by FORTIFY_SOURCE. An attacker could use this flaw in
    conjunction with a format string vulnerability to bypass the format
    string protection and possibly execute arbitrary code. (CVE-2012-0864).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1396-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libc-bin and / or libc6 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/03/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(8\.04|10\.04|10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 10.04 / 10.10 / 11.04 / 11.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"8.04", pkgname:"libc6", pkgver:"2.7-10ubuntu8.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"libc-bin", pkgver:"2.11.1-0ubuntu7.10")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"libc6", pkgver:"2.11.1-0ubuntu7.10")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"libc-bin", pkgver:"2.12.1-0ubuntu10.4")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"libc6", pkgver:"2.12.1-0ubuntu10.4")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"libc6", pkgver:"2.13-0ubuntu13.1")) flag++;
    if (ubuntu_check(osver:"11.10", pkgname:"libc6", pkgver:"2.13-20ubuntu5.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libc-bin / libc6");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GLIBC-7201.NASL
    descriptionSeveral security issues were fixed : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50377
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50377
    titleSuSE 10 Security Update : glibc (ZYPP Patch Number 7201)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50377);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:40");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"SuSE 10 Security Update : glibc (ZYPP Patch Number 7201)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security issues were fixed :
    
      - Decoding of the $ORIGIN special value in various LD_
        environment variables allowed local attackers to execute
        code in context of e.g. setuid root programs, elevating
        privileges. This issue does not affect SUSE as an
        assertion triggers before the respective code is
        executed. The bug was fixed nevertheless.
        (CVE-2010-3847)
    
      - The LD_AUDIT environment was not pruned during setuid
        root execution and could load shared libraries from
        standard system library paths. This could be used by
        local attackers to inject code into setuid root programs
        and so elevated privileges. (CVE-2010-3856)
    
      - Integer overflow causing arbitrary code execution in
        ld.so --verify mode could be induced by a specially
        crafted binary. (CVE-2010-0830)
    
      - The addmntent() function would not escape the newline
        character properly, allowing the user to insert
        arbitrary newlines to the /etc/mtab; if the addmntent()
        is run by a setuid mount binary that does not do extra
        input checking, this would allow custom entries to be
        inserted in /etc/mtab. (CVE-2010-0296)
    
      - The strfmon() function contains an integer overflow
        vulnerability in width specifiers handling that could be
        triggered by an attacker that can control the format
        string passed to strfmon(). (CVE-2008-1391)
    
      - Some setups (mainly Solaris-based legacy setups) include
        shadow information (password hashes) as so-called
        'adjunct passwd' table, mangling it with the rest of
        passwd columns instead of keeping it in the shadow
        table. Normally, Solaris will disclose this information
        only to clients bound to a priviledged port, but when
        nscd is deployed on the client, getpwnam() would
        disclose the password hashes to all users. New mode
        'adjunct as shadow' can now be enabled in
        /etc/default/nss that will move the password hashes from
        the world-readable passwd table to emulated shadow table
        (that is not cached by nscd). (CVE-2010-0015)
    
    Some invalid behavior, crashes and memory leaks were fixed :
    
      - nscd in the paranoia mode would crash on the periodic
        restart in case one of the databases was disabled in the
        nscd configuration.
    
      - When closing a widechar stdio stream, memory would
        sometimes be leaked.
    
      - memcpy() on power6 would errorneously use a 64-bit
        instruction within 32-bit code in certain corner cases.
    
      - jrand48() returns numbers in the wrong range on 64-bit
        systems: Instead of [-231, +231), the value was always
        positive and sometimes higher than the supposed upper
        bound.
    
      - Roughly every 300 days of uptime, the times() function
        would report an error for 4096 seconds, a side-effect of
        how system calls are implemented on i386. glibc was
        changed to never report an error and crash an
        application that would trigger EFAULT by kernel (because
        of invalid pointer passed to the times() syscall)
        before.
    
      - getifaddrs() would report infiniband interfaces with
        corrupted ifa_name structure field.
    
      - getgroups(-1) normally handles the invalid array size
        gracefully by setting EINVAL. However, a crash would be
        triggered in case the code was compiled using
        '-DFORTIFYSOURCE=2 -O2'.
    
      - Pthread cleanup handlers would not always be invoked on
        thread cancellation (e.g. in RPC code, but also in other
        parts of glibc that may hang outside of a syscall) -
        glibc is now compiled with
    
        -fasynchronous-unwind-tables. Some other minor issues
        were fixed :
    
      - There was a problem with sprof<->dlopen() interaction
        due to a missing flag in the internal dlopen() wrapper.
    
      - On x86_64, backtrace of a static destructor would stop
        in the _fini() glibc pseudo-routine, making it difficult
        to find out what originally triggered the program
        termination. The routine now has unwind information
        attached.
    
      - glibc-locale now better coexists with sap-locale on
        upgrades by regenerating the locale/gconv indexes
        properly."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7201.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-profile-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-profile-32bit-2.4-31.77.76.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-101025.NASL
    descriptionThis update of glibc fixes various bugs and security issues : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50912
    published2010-12-02
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50912
    titleSuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50912);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:39");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of glibc fixes various bugs and security issues :
    
      - Decoding of the $ORIGIN special value in various LD_
        environment variables allowed local attackers to execute
        code in context of e.g. setuid root programs, elevating
        privileges. This issue does not affect SUSE as an
        assertion triggers before the respective code is
        executed. The bug was fixed nevertheless.
        (CVE-2010-3847)
    
      - The LD_AUDIT environment was not pruned during setuid
        root execution and could load shared libraries from
        standard system library paths. This could be used by
        local attackers to inject code into setuid root programs
        and so elevated privileges. (CVE-2010-3856)
    
      - Integer overflow causing arbitrary code execution in
        ld.so --verify mode could be induced by a specially
        crafted binary. (CVE-2010-0830)
    
      - The addmntent() function would not escape the newline
        character properly, allowing the user to insert
        arbitrary newlines to the /etc/mtab; if the addmntent()
        is run by a setuid mount binary that does not do extra
        input checking, this would allow custom entries to be
        inserted in /etc/mtab. (CVE-2010-0296)
    
      - The strfmon() function contains an integer overflow
        vulnerability in width specifiers handling that could be
        triggered by an attacker that can control the format
        string passed to strfmon(). (CVE-2008-1391)
    
      - Some setups (mainly Solaris-based legacy setups) include
        shadow information (password hashes) as so-called
        'adjunct passwd' table, mangling it with the rest of
        passwd columns instead of keeping it in the shadow
        table. Normally, Solaris will disclose this information
        only to clients bound to a priviledged port, but when
        nscd is deployed on the client, getpwnam() would
        disclose the password hashes to all users. New mode
        'adjunct as shadow' can now be enabled in
        /etc/default/nss that will move the password hashes from
        the world-readable passwd table to emulated shadow table
        (that is not cached by nscd). (CVE-2010-0015)
    
    Some invalid behaviour, crashes and memory leaks were fixed :
    
      - statfs64() would not function properly on IA64 in ia32el
        emulation mode.
    
      - memcpy() and memset() on power6 would erroneously use a
        64-bit instruction within 32-bit code in certain corner
        cases.
    
      - nscd would not load /etc/host.conf properly before
        performing host resolution - most importantly, multi on
        in /etc/host.conf would be ignored when nscd was used,
        breaking e.g. resolving records in /etc/hosts where
        single name would point at multiple addresses
    
      - Removed mapping from lowercase sharp s to uppercase
        sharp S; uppercase S is not a standardly used letter and
        causes problems for ISO encodings.
    
    Some other minor issues were fixed :
    
      - glibc-locale now better coexists with sap-locale on
        upgrades by regenerating the locale/gconv indexes
        properly.
    
      - Ports 623 and 664 may not be allocated by RPC code
        automatically anymore since that may clash with ports
        used on some IPMI network cards.
    
      - On x86_64, backtrace of a static destructor would stop
        in the _fini() glibc pseudo-routine, making it difficult
        to find out what originally triggered the program
        termination. The routine now has unwind information
        attached."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=445636"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=534828"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=541773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=615556"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Apply SAT patch number 3392 / 3393 as appropriate."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-html-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-info-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-profile-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-html-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-info-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-profile-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-111.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391 (CVE-2009-4881). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90 The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id46849
    published2010-06-09
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46849
    titleMandriva Linux Security Advisory : glibc (MDVSA-2010:111)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:111. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(46849);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:53");
    
      script_cve_id("CVE-2009-4880", "CVE-2009-4881", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
      script_bugtraq_id(36443, 37885, 40063);
      script_xref(name:"MDVSA", value:"2010:111");
    
      script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:111)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities was discovered and fixed in glibc :
    
    Multiple integer overflows in the strfmon implementation in the GNU C
    Library (aka glibc or libc6) 2.10.1 and earlier allow
    context-dependent attackers to cause a denial of service (memory
    consumption or application crash) via a crafted format string, as
    demonstrated by a crafted first argument to the money_format function
    in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).
    
    Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
    the strfmon implementation in the GNU C Library (aka glibc or libc6)
    before 2.10.1 allows context-dependent attackers to cause a denial of
    service (application crash) via a crafted format string, as
    demonstrated by the %99999999999999999999n string, a related issue to
    CVE-2008-1391 (CVE-2009-4881).
    
    nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
    and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
    passwd.adjunct.byname map to entries in the passwd map, which allows
    remote attackers to obtain the encrypted passwords of NIS accounts by
    calling the getpwnam function (CVE-2010-0015).
    
    The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
    glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
    mount.cifs, does not properly handle newline characters in mountpoint
    names, which allows local users to cause a denial of service (mtab
    corruption), or possibly modify mount options and gain privileges, via
    a crafted mount request (CVE-2010-0296).
    
    Integer signedness error in the elf_get_dynamic_info function in
    elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
    2.0.1 through 2.11.1, when the --verify option is used, allows
    user-assisted remote attackers to execute arbitrary code via a crafted
    ELF program with a negative value for a certain d_tag structure member
    in the ELF header (CVE-2010-0830).
    
    Packages for 2008.0 and 2009.0 are provided as of the Extended
    Maintenance Program. Please visit this link to learn more:
    http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4
    90
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-pdf-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-i18ndata-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-profile-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-static-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-utils-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"nscd-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"glibc-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-devel-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-pdf-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-i18ndata-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-profile-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-static-devel-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-utils-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"nscd-2.8-1.20080520.5.5mnb2")) flag++;
    
    if (rpm_check(release:"MDK2009.1", reference:"glibc-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-devel-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-pdf-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-i18ndata-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-profile-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-static-devel-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-utils-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"nscd-2.9-0.20081113.5.1mnb2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-110516.NASL
    descriptionThis update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id55441
    published2011-06-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55441
    titleSuSE 11.1 Security Update : glibc (SAT Patch Number 4572)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55441);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2010-0015", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095");
    
      script_name(english:"SuSE 11.1 Security Update : glibc (SAT Patch Number 4572)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following security issues found in glibc :
    
      - Specially crafted input to the fnmatch function could
        cause an integer overflow. (CVE-2011-1071)
    
      - The output of the 'locale' command was not properly
        quoted. (CVE-2011-1095)
    
      - Unprivileged users could read the NIS shadow database.
        (CVE-2010-0015)
    
      - Don't search the current directory if $ORIGIN is in
        RPATH of libraries called by setuid binaries.
        (CVE-2011-0536) The update also includes fixes for
        non-security bugs. Please refer to the package changelog
        for details."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625591"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625835"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=645303"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=647965"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=649634"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=659090"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=664541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=666179"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=673111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=677787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=678031"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=685405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=687510"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-0536.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1071.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1095.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 4572.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-i18ndata-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-locale-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"nscd-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-i18ndata-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"nscd-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-html-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-i18ndata-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-info-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-locale-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"glibc-profile-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i586", reference:"nscd-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i686", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"i686", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-html-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-i18ndata-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-info-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-locale-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-profile-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-profile-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"nscd-2.11.1-0.30.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1973.NASL
    descriptionChristoph Pleger has discovered that the GNU C Library (aka glibc) and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
    last seen2020-06-01
    modified2020-06-02
    plugin id44838
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44838
    titleDebian DSA-1973-1 : glibc, eglibc - information disclosure
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1973. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44838);
      script_version("1.9");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2010-0015");
      script_xref(name:"DSA", value:"1973");
    
      script_name(english:"Debian DSA-1973-1 : glibc, eglibc - information disclosure");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Christoph Pleger has discovered that the GNU C Library (aka glibc) and
    its derivatives add information from the passwd.adjunct.byname map to
    entries in the passwd map, which allows local users to obtain the
    encrypted passwords of NIS accounts by calling the getpwnam function."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2010/dsa-1973"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the glibc or eglibc package.
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 2.3.6.ds1-13etch10 of the glibc package.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 2.7-18lenny2 of the glibc package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:eglibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:glibc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/01/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"glibc-doc", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-amd64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dbg", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev-amd64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev-i386", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev-ppc64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev-s390x", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-dev-sparc64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-i386", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-i686", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-pic", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-ppc64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-prof", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-s390x", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-sparc64", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-sparcv9", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-sparcv9b", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6-xen", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6.1", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6.1-dbg", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6.1-dev", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6.1-pic", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"libc6.1-prof", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"locales", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"locales-all", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"4.0", prefix:"nscd", reference:"2.3.6.ds1-13etch10")) flag++;
    if (deb_check(release:"5.0", prefix:"glibc-doc", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"glibc-source", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-amd64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dbg", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-amd64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-i386", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-mips64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-mipsn32", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-ppc64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-s390x", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-dev-sparc64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-i386", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-i686", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-mips64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-mipsn32", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-pic", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-ppc64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-prof", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-s390x", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-sparc64", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-sparcv9b", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6-xen", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1-alphaev67", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1-dbg", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1-dev", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1-pic", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"libc6.1-prof", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"locales", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"locales-all", reference:"2.7-18lenny2")) flag++;
    if (deb_check(release:"5.0", prefix:"nscd", reference:"2.7-18lenny2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_GLIBC-101026.NASL
    descriptionThis update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50367
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50367
    titleopenSUSE Security Update : glibc (openSUSE-SU-2010:0914-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update glibc-3399.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50367);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"openSUSE Security Update : glibc (openSUSE-SU-2010:0914-1)");
      script_summary(english:"Check for the glibc-3399 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of glibc fixes various bugs and security issues :
    
    CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_
    environment variables allowed local attackers to execute code in
    context of e.g. setuid root programs, elevating privileges. This issue
    does not affect SUSE as an assertion triggers before the respective
    code is executed. The bug was fixed nevertheless.
    
    CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid
    root execution and could load shared libraries from standard system
    library paths. This could be used by local attackers to inject code
    into setuid root programs and so elevated privileges.
    
    CVE-2010-0830: Integer overflow causing arbitrary code execution in
    ld.so
    
    --verify mode could be induced by a specially crafted binary.
    
    CVE-2010-0296: The addmntent() function would not escape the newline
    character properly, allowing the user to insert arbitrary newlines to
    the /etc/mtab; if the addmntent() is run by a setuid mount binary that
    does not do extra input checking, this would allow custom entries to
    be inserted in /etc/mtab.
    
    CVE-2008-1391: The strfmon() function contains an integer overflow
    vulnerability in width specifiers handling that could be triggered by
    an attacker that can control the format string passed to strfmon().
    
    CVE-2010-0015: Some setups (mainly Solaris-based legacy setups)
    include shadow information (password hashes) as so-called 'adjunct
    passwd' table, mangling it with the rest of passwd columns instead of
    keeping it in the shadow table. Normally, Solaris will disclose this
    information only to clients bound to a priviledged port, but when nscd
    is deployed on the client, getpwnam() would disclose the password
    hashes to all users. New mode 'adjunct as shadow' can now be enabled
    in /etc/default/nss that will move the password hashes from the
    world-readable passwd table to emulated shadow table (that is not
    cached by nscd).
    
    Some invalid behaviour, crashes and memory leaks were fixed :
    
      - statfs64() would not function properly on IA64 in ia32el
        emulation mode.
    
      - memcpy() and memset() on power6 would erroneously use a
        64-bit instruction within 32-bit code in certain corner
        cases.
    
      - nscd would not load /etc/host.conf properly before
        performing host resolution - most importantly, `multi
        on` in /etc/host.conf would be ignored when nscd was
        used, breaking e.g. resolving records in /etc/hosts
        where single name would point at multiple addresses
    
      - Removed mapping from lowercase sharp s to uppercase
        sharp S; uppercase S is not a standardly used letter and
        causes problems for ISO encodings.
    
    Some other minor issues were fixed :
    
      - glibc-locale now better coexists with sap-locale on
        upgrades by regenerating the locale/gconv indexes
        properly.
    
      - Ports 623 and 664 may not be allocated by RPC code
        automatically anymore since that may clash with ports
        used on some IPMI network cards.
    
      - On x86_64, backtrace of a static destructor would stop
        in the _fini() glibc pseudo-routine, making it difficult
        to find out what originally triggered the program
        termination. The routine now has unwind information
        attached."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=445636"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=534828"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=537315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=538067"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=541773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=615556"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-10/msg00041.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-devel-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-html-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-i18ndata-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-info-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-locale-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-obsolete-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"glibc-profile-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"nscd-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"glibc-32bit-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"glibc-devel-32bit-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"glibc-locale-32bit-2.9-2.13.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"glibc-profile-32bit-2.9-2.13.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-110517.NASL
    descriptionThis update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id57106
    published2011-12-13
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57106
    titleSuSE 11.1 Security Update : glibc (SAT Patch Number 4572)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57106);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2010-0015", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095");
    
      script_name(english:"SuSE 11.1 Security Update : glibc (SAT Patch Number 4572)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following security issues found in glibc :
    
      - Specially crafted input to the fnmatch function could
        cause an integer overflow. (CVE-2011-1071)
    
      - The output of the 'locale' command was not properly
        quoted. (CVE-2011-1095)
    
      - Unprivileged users could read the NIS shadow database.
        (CVE-2010-0015)
    
      - Don't search the current directory if $ORIGIN is in
        RPATH of libraries called by setuid binaries.
        (CVE-2011-0536) The update also includes fixes for
        non-security bugs. Please refer to the package changelog
        for details."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625591"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=625835"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=645303"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=647965"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=649634"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=659090"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=664541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=666179"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=673111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=677787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=678031"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=685405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=687510"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-0536.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1071.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1095.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 4572.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/05/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1");
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-devel-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-devel-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-html-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-i18ndata-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-info-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-locale-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-locale-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-profile-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-profile-32bit-2.11.1-0.30.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"nscd-2.11.1-0.30.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");