Vulnerabilities > CVE-2011-0536
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 | |
| OS | 1 |
Exploit-Db
| description | GNU C library dynamic linker $ORIGIN expansion Vulnerability. CVE-2010-3847,CVE-2010-3847,CVE-2011-0536. Local exploit for linux platform |
| id | EDB-ID:15274 |
| last seen | 2016-02-01 |
| modified | 2010-10-18 |
| published | 2010-10-18 |
| reporter | Tavis Ormandy |
| source | https://www.exploit-db.com/download/15274/ |
| title | GNU C library dynamic linker - $ORIGIN expansion Vulnerability |
Nessus
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0001.NASL description a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update. last seen 2020-06-01 modified 2020-06-02 plugin id 51422 published 2011-01-06 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51422 title VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2011-0001. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(51422); script_version("1.27"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id("CVE-2010-0211", "CVE-2010-0212", "CVE-2010-2956", "CVE-2010-3847", "CVE-2010-3856", "CVE-2011-0536"); script_bugtraq_id(41770, 43019, 44154, 44347); script_xref(name:"VMSA", value:"2011-0001"); script_name(english:"VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2011/000150.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2011-01-04"); flag = 0; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201101404-SG", patch_updates : make_list("ESX400-201305402-SG", "ESX400-Update03", "ESX400-Update04") ) ) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201101405-SG", patch_updates : make_list("ESX400-201110408-SG", "ESX400-Update03", "ESX400-Update04") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201101226-SG", patch_updates : make_list("ESX40-TO-ESX41UPDATE01", "ESX410-201107406-SG", "ESX410-201208104-SG", "ESX410-Update01", "ESX410-Update02", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201104404-SG", patch_updates : make_list("ESX410-Update02", "ESX410-Update03") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_GLIBC-7575.NASL description The following bugs have been fixed : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the last seen 2020-06-01 modified 2020-06-02 plugin id 55442 published 2011-06-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55442 title SuSE 10 Security Update : glibc (ZYPP Patch Number 7575) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(55442); script_version ("1.6"); script_cvs_date("Date: 2019/10/25 13:36:43"); script_cve_id("CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095"); script_name(english:"SuSE 10 Security Update : glibc (ZYPP Patch Number 7575)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "The following bugs have been fixed : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the 'locale' command was not properly quoted. (CVE-2011-1095) - Don't search the current directory if $ORIGIN is in RPATH of libraries called by setuid binaries. (CVE-2011-0536) - The update also includes fixes for non-security bugs. Please refer to the package changelog for details." ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-0536.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1071.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-1095.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7575."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-devel-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-html-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-i18ndata-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-info-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-locale-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"glibc-profile-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, reference:"nscd-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.84.1")) flag++; if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-profile-32bit-2.4-31.77.84.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else exit(0, "The host is not affected.");NASL family Scientific Linux Local Security Checks NASL id SL_20110404_GLIBC_ON_SL5_X.NASL description The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 61008 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61008 title Scientific Linux Security Update : glibc on SL5.x,SL6.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(61008); script_version("1.6"); script_cvs_date("Date: 2019/10/25 13:36:19"); script_cve_id("CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095"); script_name(english:"Scientific Linux Security Update : glibc on SL5.x,SL6.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) All users should upgrade to these updated packages, which contain backported patches to correct these issues." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1104&L=scientific-linux-errata&T=0&P=583 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?500923b0" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL5", reference:"glibc-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL5", reference:"glibc-common-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL5", reference:"glibc-devel-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL5", reference:"glibc-headers-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL5", reference:"glibc-utils-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL5", reference:"nscd-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"SL6", reference:"glibc-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"glibc-common-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"glibc-devel-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"glibc-headers-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"glibc-static-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"glibc-utils-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"SL6", reference:"nscd-2.12-1.7.el6_0.5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Misc. NASL id VMWARE_ESXI_5_0_BUILD_515841_REMOTE.NASL description The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities : - A security bypass vulnerability exists in the e1000 driver in the Linux kernel due to improper handling of Ethernet frames that exceed the MTU. An unauthenticated, remote attacker can exploit this, via trailing payload data, to bypass packet filters. (CVE-2009-4536) - An error exists in the file misc/mntent_r.c that could allow a local attacker to cause denial of service conditions. (CVE-2010-0296) - An error exists related to glibc, the dynamic linker and last seen 2020-06-01 modified 2020-06-02 plugin id 70880 published 2013-11-13 reporter This script is (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/70880 title ESXi 5.0 < Build 515841 Multiple Vulnerabilities (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(70880); script_version("1.10"); script_cvs_date("Date: 2019/11/27"); script_cve_id( "CVE-2009-4536", "CVE-2010-0296", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659" ); script_bugtraq_id(37519, 46563, 47370); script_xref(name:"EDB-ID", value:"15274"); script_xref(name:"VMSA", value:"2011-0009"); script_xref(name:"VMSA", value:"2011-0012"); script_name(english:"ESXi 5.0 < Build 515841 Multiple Vulnerabilities (remote check)"); script_summary(english:"Checks the ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities : - A security bypass vulnerability exists in the e1000 driver in the Linux kernel due to improper handling of Ethernet frames that exceed the MTU. An unauthenticated, remote attacker can exploit this, via trailing payload data, to bypass packet filters. (CVE-2009-4536) - An error exists in the file misc/mntent_r.c that could allow a local attacker to cause denial of service conditions. (CVE-2010-0296) - An error exists related to glibc, the dynamic linker and '$ORIGIN' substitution that could allow privilege escalation. (CVE-2011-0536) - An error exists in the function 'fnmatch' in the file posix/fnmatch.c that could allow arbitrary code execution. (CVE-2011-1071) - An error exists in the file locale/programs/locale.c related to localization environment variables that could allow privilege escalation. (CVE-2011-1095) - An error exists related to glibc, the dynamic linker and 'RPATH' that could allow privilege escalation. (CVE-2011-1658) - An error exists in the function 'fnmatch' related to UTF-8 string handling that could allow privilege escalation. (CVE-2011-1659)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2011-0012.html"); script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2011-0009.html"); # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007671 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c402a9a2"); # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007673 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?635686b4"); # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007680 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fce8c282"); script_set_attribute(attribute:"solution", value: "Apply patches ESXi500-201112401-SG and ESXi500-201112403-SG."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-0296"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(189); script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/22"); script_set_attribute(attribute:"patch_publication_date", value:"2011/12/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is (C) 2013-2019 Tenable Network Security, Inc."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi"); if ("VMware ESXi 5.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.0"); match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel); if (isnull(match)) exit(1, 'Failed to extract the ESXi build number.'); build = int(match[1]); fixed_build = 515841; if (build < fixed_build) { if (report_verbosity > 0) { report = '\n ESXi version : ' + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fixed_build + '\n'; security_hole(port:0, extra:report); } else security_hole(0); } else exit(0, "The host has "+ver+" build "+build+" and thus is not affected.");NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-0413.NASL description From Red Hat Security Advisory 2011:0413 : Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 68245 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68245 title Oracle Linux 6 : glibc (ELSA-2011-0413) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:0413 and # Oracle Linux Security Advisory ELSA-2011-0413 respectively. # include("compat.inc"); if (description) { script_id(68245); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:09"); script_cve_id("CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659"); script_bugtraq_id(46563, 64465); script_xref(name:"RHSA", value:"2011:0413"); script_name(english:"Oracle Linux 6 : glibc (ELSA-2011-0413)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2011:0413 : Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) All users should upgrade to these updated packages, which contain backported patches to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2011-April/002054.html" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/07"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"glibc-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"glibc-common-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"glibc-devel-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"glibc-headers-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"glibc-static-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"glibc-utils-2.12-1.7.el6_0.5")) flag++; if (rpm_check(release:"EL6", reference:"nscd-2.12-1.7.el6_0.5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc"); }NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0010.NASL description a. Service Console update for DHCP The DHCP client daemon, dhclient, does not properly sanatize certain options in DHCP server replies. An attacker could send a specially crafted DHCP server reply, that is saved on the client system and evaluated by a process that assumes the option is trusted. This could lead to arbitrary code execution with the privileges of the evaluating process. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0997 to this issue. b. Service Console update for glibc This patch updates the glibc package for ESX service console to glibc-2.5-58.7602.vmw. This fixes multiple security issues in glibc, glibc-common and nscd including possible local privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2010-0296, CVE-2011-0536, CVE-2011-1095, CVE-2011-1071, CVE-2011-1658 and CVE-2011-1659 to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 55747 published 2011-08-01 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/55747 title VMSA-2011-0010 : VMware ESX third-party updates for Service Console packages glibc and dhcp code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2011-0010. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(55747); script_version("1.39"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id("CVE-2010-0296", "CVE-2011-0536", "CVE-2011-0997", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659"); script_bugtraq_id(44154, 46563, 47176, 47370); script_xref(name:"VMSA", value:"2011-0010"); script_name(english:"VMSA-2011-0010 : VMware ESX third-party updates for Service Console packages glibc and dhcp"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. Service Console update for DHCP The DHCP client daemon, dhclient, does not properly sanatize certain options in DHCP server replies. An attacker could send a specially crafted DHCP server reply, that is saved on the client system and evaluated by a process that assumes the option is trusted. This could lead to arbitrary code execution with the privileges of the evaluating process. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0997 to this issue. b. Service Console update for glibc This patch updates the glibc package for ESX service console to glibc-2.5-58.7602.vmw. This fixes multiple security issues in glibc, glibc-common and nscd including possible local privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2010-0296, CVE-2011-0536, CVE-2011-1095, CVE-2011-1071, CVE-2011-1658 and CVE-2011-1659 to these issues." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000163.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1"); script_set_attribute(attribute:"patch_publication_date", value:"2011/07/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2011-07-28"); flag = 0; if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201203405-SG")) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201110406-SG", patch_updates : make_list("ESX400-Update04") ) ) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-201110408-SG", patch_updates : make_list("ESX400-Update04") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201107405-SG", patch_updates : make_list("ESX410-Update02", "ESX410-Update03") ) ) flag++; if ( esx_check( ver : "ESX 4.1", patch : "ESX410-201107406-SG", patch_updates : make_list("ESX410-201208104-SG", "ESX410-Update02", "ESX410-Update03") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-0412.NASL description From Red Hat Security Advisory 2011:0412 : Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 68244 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68244 title Oracle Linux 5 : glibc (ELSA-2011-0412) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2011:0412 and # Oracle Linux Security Advisory ELSA-2011-0412 respectively. # include("compat.inc"); if (description) { script_id(68244); script_version("1.11"); script_cvs_date("Date: 2019/10/25 13:36:09"); script_cve_id("CVE-2010-0296", "CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659"); script_bugtraq_id(46563, 46740, 64465); script_xref(name:"RHSA", value:"2011:0412"); script_name(english:"Oracle Linux 5 : glibc (ELSA-2011-0412)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2011:0412 : Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) All users should upgrade to these updated packages, which contain backported patches to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2011-April/002053.html" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL5", reference:"glibc-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"EL5", reference:"glibc-common-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"EL5", reference:"glibc-devel-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"EL5", reference:"glibc-headers-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"EL5", reference:"glibc-utils-2.5-58.el5_6.2")) flag++; if (rpm_check(release:"EL5", reference:"nscd-2.5-58.el5_6.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-utils / etc"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-2.NASL description USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the last seen 2020-06-01 modified 2020-06-02 plugin id 51501 published 2011-01-12 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51501 title Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : eglibc, glibc vulnerability (USN-1009-2) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1009-2. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(51501); script_version("1.15"); script_cvs_date("Date: 2019/09/19 12:54:26"); script_cve_id("CVE-2010-3847", "CVE-2010-3856", "CVE-2011-0536"); script_bugtraq_id(44154, 44347); script_xref(name:"USN", value:"1009-2"); script_name(english:"Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : eglibc, glibc vulnerability (USN-1009-2)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the 'man' program was installed setuid, a local attacker could exploit this to gain 'man' user privileges, potentially leading to further privilege escalations. Default Ubuntu installations were not affected. Tavis Ormandy discovered multiple flaws in the GNU C Library's handling of the LD_AUDIT environment variable when running a privileged binary. A local attacker could exploit this to gain root privileges. (CVE-2010-3847, CVE-2010-3856). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1009-2/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eglibc-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:glibc-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:glibc-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-dev-bin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-dev-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-i686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-pic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-prof"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/07"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(8\.04|9\.10|10\.04|10\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 9.10 / 10.04 / 10.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"8.04", pkgname:"glibc-doc", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"glibc-source", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-amd64", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-dbg", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-dev", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-dev-amd64", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-dev-i386", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-i386", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-i686", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-pic", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-prof", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"libc6-xen", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"nscd", pkgver:"2.7-10ubuntu8")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"eglibc-source", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"glibc-doc", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc-bin", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc-dev-bin", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-amd64", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-dbg", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-dev", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-dev-amd64", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-dev-i386", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-i386", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-i686", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-pic", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-prof", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"libc6-xen", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"nscd", pkgver:"2.10.1-0ubuntu19")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"eglibc-source", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"glibc-doc", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc-bin", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc-dev-bin", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-amd64", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-dbg", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-dev", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-dev-amd64", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-dev-i386", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-i386", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-i686", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-pic", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-prof", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"libc6-xen", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"nscd", pkgver:"2.11.1-0ubuntu7.7")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"eglibc-source", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"glibc-doc", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc-bin", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc-dev-bin", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-amd64", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-dbg", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-dev", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-dev-amd64", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-dev-i386", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-i386", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-pic", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-prof", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"libc6-xen", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"nscd", pkgver:"2.12.1-0ubuntu10.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eglibc-source / glibc-doc / glibc-source / libc-bin / libc-dev-bin / etc"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0412.NASL description Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53291 published 2011-04-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53291 title RHEL 5 : glibc (RHSA-2011:0412) NASL family SuSE Local Security Checks NASL id SUSE_11_GLIBC-110516.NASL description This update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the last seen 2020-06-01 modified 2020-06-02 plugin id 55441 published 2011-06-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55441 title SuSE 11.1 Security Update : glibc (SAT Patch Number 4572) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-0412.NASL description Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53430 published 2011-04-15 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53430 title CentOS 5 : glibc (CESA-2011:0412) NASL family SuSE Local Security Checks NASL id SUSE_GLIBC-7574.NASL description This update contains the following fixes : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the last seen 2020-06-01 modified 2020-06-02 plugin id 57201 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57201 title SuSE 10 Security Update : glibc (ZYPP Patch Number 7574) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0012.NASL description a. ESX third-party update for Service Console kernel This update takes the console OS kernel package to kernel-2.6.18-238.9.1 which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues. b. ESX third-party update for Service Console krb5 RPMs This patch updates the krb5-libs and krb5-workstation RPMs of the console OS to version 1.6.1-55.el5_6.1, which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282 to these issues. c. ESXi and ESX update to third-party component glibc The glibc third-party library is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071, CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues. d. ESX update to third-party drivers mptsas, mpt2sas, and mptspi The mptsas, mpt2sas, and mptspi drivers are updated which addresses multiple security issues in the mpt2sas driver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56508 published 2011-10-14 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56508 title VMSA-2011-0012 : VMware ESXi and ESX updates to third-party libraries and ESX Service Console NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201312-01.NASL description The remote host is affected by the vulnerability described in GLSA-201312-01 (GNU C Library: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GNU C Library. Please review the CVE identifiers referenced below for details. Impact : A local attacker could trigger vulnerabilities in dynamic library loader, making it possible to load attacker-controlled shared objects during execution of setuid/setgid programs to escalate privileges. A context-dependent attacker could trigger various vulnerabilities in GNU C Library, including a buffer overflow, leading to execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 71167 published 2013-12-03 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71167 title GLSA-201312-01 : GNU C Library: Multiple vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-1.NASL description Tavis Ormandy discovered multiple flaws in the GNU C Library last seen 2020-06-01 modified 2020-06-02 plugin id 50318 published 2010-10-24 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50318 title Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS / 10.10 : glibc, eglibc vulnerabilities (USN-1009-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0413.NASL description Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53292 published 2011-04-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53292 title RHEL 6 : glibc (RHSA-2011:0413) NASL family Misc. NASL id VMWARE_VMSA-2011-0010_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries : - DHCP - glibc last seen 2020-06-01 modified 2020-06-02 plugin id 89679 published 2016-03-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89679 title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0010) (remote check) NASL family Misc. NASL id VMWARE_VMSA-2011-0012_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries : - Kernel - krb5 - glibc - mtp2sas - mptsas - mptspi last seen 2020-06-01 modified 2020-06-02 plugin id 89680 published 2016-03-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89680 title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check) NASL family SuSE Local Security Checks NASL id SUSE_11_GLIBC-110517.NASL description This update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the last seen 2020-06-01 modified 2020-06-02 plugin id 57106 published 2011-12-13 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57106 title SuSE 11.1 Security Update : glibc (SAT Patch Number 4572) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2011-178.NASL description Multiple vulnerabilities was discovered and fixed in glibc : Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has in (a) RPATH or (b) RUNPATH. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847 (CVE-2011-0536). The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a stack extension attack, a related issue to CVE-2010-2898, as originally reported for use of this library by Google Chrome (CVE-2011-1071). The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089). locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function (CVE-2011-1095). Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659). crypt_blowfish before 1.1, as used in glibc on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56953 published 2011-11-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56953 title Mandriva Linux Security Advisory : glibc (MDVSA-2011:178) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0023.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Switch to use malloc when the input line is too long [Orabug 19951108] - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, - Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Fix return code when starting an already started nscd daemon (#979413). - Fix getnameinfo for many PTR record queries (#1020486). - Return EINVAL error for negative sizees to getgroups (#995207). - Fix integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420). - Revert incomplete fix for bug #758193. - Fix _nl_find_msg malloc failure case, and callers (#957089). - Test on init_fct, not result->__init_fct, after demangling (#816647). - Don last seen 2020-06-01 modified 2020-06-02 plugin id 81118 published 2015-02-02 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81118 title OracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST) NASL family SuSE Local Security Checks NASL id SUSE9_12775.NASL description This update contains the following fixes : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the last seen 2020-06-01 modified 2020-06-02 plugin id 55440 published 2011-06-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55440 title SuSE9 Security Update : glibc (YOU Patch Number 12775)
Oval
| accepted | 2011-12-05T04:00:11.149-05:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| definition_extensions |
| ||||
| description | Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847. | ||||
| family | unix | ||||
| id | oval:org.mitre.oval:def:13086 | ||||
| status | accepted | ||||
| submitted | 2011-09-06T16:14:19.000-05:00 | ||||
| title | VMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp | ||||
| version | 6 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- https://launchpad.net/bugs/701783
- http://secunia.com/advisories/43989
- http://openwall.com/lists/oss-security/2011/02/01/3
- http://openwall.com/lists/oss-security/2011/02/03/2
- http://lists.debian.org/debian-security-announce/2011/msg00005.html
- https://bugzilla.redhat.com/show_bug.cgi?id=667974
- http://www.vupen.com/english/advisories/2011/0863
- http://www.redhat.com/support/errata/RHSA-2011-0413.html
- http://www.ubuntu.com/usn/USN-1009-2
- http://securitytracker.com/id?1025289
- http://www.redhat.com/support/errata/RHSA-2011-0412.html
- http://secunia.com/advisories/43830
- http://secunia.com/advisories/46397
- http://www.vmware.com/security/advisories/VMSA-2011-0012.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13086
- http://www.securityfocus.com/archive/1/520102/100/0/threaded
- http://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=96611391ad8823ba58405325d78cefeae5cdf699