Vulnerabilities > CVE-2011-1071 - Resource Management Errors vulnerability in GNU Glibc

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
gnu
CWE-399
nessus
exploit available

Summary

The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.

Vulnerable Configurations

Part Description Count
Application
Gnu
100

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionGNU glibc < 2.12.2 - 'fnmatch()' Function Stack Corruption Vulnerability. CVE-2011-1071. Dos exploits for multiple platform
idEDB-ID:17120
last seen2016-02-02
modified2011-02-25
published2011-02-25
reporterSimon Berry-Byrne
sourcehttps://www.exploit-db.com/download/17120/
titleGNU glibc < 2.12.2 - 'fnmatch' Function Stack Corruption Vulnerability

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_GLIBC-7575.NASL
    descriptionThe following bugs have been fixed : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id55442
    published2011-06-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55442
    titleSuSE 10 Security Update : glibc (ZYPP Patch Number 7575)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55442);
      script_version ("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:43");
    
      script_cve_id("CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095");
    
      script_name(english:"SuSE 10 Security Update : glibc (ZYPP Patch Number 7575)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The following bugs have been fixed :
    
      - Specially crafted input to the fnmatch function could
        cause an integer overflow. (CVE-2011-1071)
    
      - The output of the 'locale' command was not properly
        quoted. (CVE-2011-1095)
    
      - Don't search the current directory if $ORIGIN is in
        RPATH of libraries called by setuid binaries.
        (CVE-2011-0536)
    
      - The update also includes fixes for non-security bugs.
        Please refer to the package changelog for details."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-0536.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1071.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2011-1095.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7575.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-devel-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-html-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-i18ndata-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-info-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-locale-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-profile-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"nscd-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.84.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-profile-32bit-2.4-31.77.84.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20110404_GLIBC_ON_SL5_X.NASL
    descriptionThe glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id61008
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61008
    titleScientific Linux Security Update : glibc on SL5.x,SL6.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61008);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:19");
    
      script_cve_id("CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095");
    
      script_name(english:"Scientific Linux Security Update : glibc on SL5.x,SL6.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The glibc packages contain the standard C libraries used by multiple
    programs on the system. These packages contain the standard C and the
    standard math libraries. Without these two libraries, a Linux system
    cannot function properly.
    
    The fix for CVE-2010-3847 introduced a regression in the way the
    dynamic loader expanded the $ORIGIN dynamic string token specified in
    the RPATH and RUNPATH entries in the ELF library header. A local
    attacker could use this flaw to escalate their privileges via a setuid
    or setgid program using such a library. (CVE-2011-0536)
    
    It was discovered that the glibc fnmatch() function did not properly
    restrict the use of alloca(). If the function was called on
    sufficiently large inputs, it could cause an application using
    fnmatch() to crash or, possibly, execute arbitrary code with the
    privileges of the application. (CVE-2011-1071)
    
    It was discovered that the locale command did not produce properly
    escaped output as required by the POSIX specification. If an attacker
    were able to set the locale environment variables in the environment
    of a script that performed shell evaluation on the output of the
    locale command, and that script were run with different privileges
    than the attacker's, it could execute arbitrary code with the
    privileges of the script. (CVE-2011-1095)
    
    All users should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1104&L=scientific-linux-errata&T=0&P=583
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?500923b0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL5", reference:"glibc-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"SL5", reference:"glibc-common-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"SL5", reference:"glibc-devel-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"SL5", reference:"glibc-headers-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"SL5", reference:"glibc-utils-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"SL5", reference:"nscd-2.5-58.el5_6.2")) flag++;
    
    if (rpm_check(release:"SL6", reference:"glibc-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"glibc-common-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"glibc-devel-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"glibc-headers-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"glibc-static-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"glibc-utils-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"SL6", reference:"nscd-2.12-1.7.el6_0.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idVMWARE_ESXI_5_0_BUILD_515841_REMOTE.NASL
    descriptionThe remote VMware ESXi 5.0 host is affected by the following security vulnerabilities : - A security bypass vulnerability exists in the e1000 driver in the Linux kernel due to improper handling of Ethernet frames that exceed the MTU. An unauthenticated, remote attacker can exploit this, via trailing payload data, to bypass packet filters. (CVE-2009-4536) - An error exists in the file misc/mntent_r.c that could allow a local attacker to cause denial of service conditions. (CVE-2010-0296) - An error exists related to glibc, the dynamic linker and
    last seen2020-06-01
    modified2020-06-02
    plugin id70880
    published2013-11-13
    reporterThis script is (C) 2013-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70880
    titleESXi 5.0 < Build 515841 Multiple Vulnerabilities (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70880);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id(
        "CVE-2009-4536",
        "CVE-2010-0296",
        "CVE-2011-0536",
        "CVE-2011-1071",
        "CVE-2011-1095",
        "CVE-2011-1658",
        "CVE-2011-1659"
      );
      script_bugtraq_id(37519, 46563, 47370);
      script_xref(name:"EDB-ID", value:"15274");
      script_xref(name:"VMSA", value:"2011-0009");
      script_xref(name:"VMSA", value:"2011-0012");
    
      script_name(english:"ESXi 5.0 < Build 515841 Multiple Vulnerabilities (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 5.0 host is affected by multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESXi 5.0 host is affected by the following security
    vulnerabilities :
    
      - A security bypass vulnerability exists in the e1000
        driver in the Linux kernel due to improper handling of
        Ethernet frames that exceed the MTU. An unauthenticated,
        remote attacker can exploit this, via trailing payload
        data, to bypass packet filters. (CVE-2009-4536)
    
      - An error exists in the file misc/mntent_r.c that could
        allow a local attacker to cause denial of service
        conditions. (CVE-2010-0296)
    
      - An error exists related to glibc, the dynamic linker
        and '$ORIGIN' substitution that could allow privilege
        escalation. (CVE-2011-0536)
    
      - An error exists in the function 'fnmatch' in the file
        posix/fnmatch.c that could allow arbitrary code
        execution. (CVE-2011-1071)
    
      - An error exists in the file locale/programs/locale.c
        related to localization environment variables that
        could allow privilege escalation. (CVE-2011-1095)
    
      - An error exists related to glibc, the dynamic linker
        and 'RPATH' that could allow privilege escalation.
        (CVE-2011-1658)
    
      - An error exists in the function 'fnmatch' related to
        UTF-8 string handling that could allow privilege
        escalation. (CVE-2011-1659)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2011-0012.html");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2011-0009.html");
      # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007671
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c402a9a2");
      # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007673
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?635686b4");
      # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2007680
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fce8c282");
      script_set_attribute(attribute:"solution", value:
    "Apply patches ESXi500-201112401-SG and ESXi500-201112403-SG.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-0296");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is (C) 2013-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 5.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.0");
    
    match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) exit(1, 'Failed to extract the ESXi build number.');
    
    build = int(match[1]);
    fixed_build = 515841;
    
    if (build < fixed_build)
    {
      if (report_verbosity > 0)
      {
        report = '\n  ESXi version    : ' + ver +
                 '\n  Installed build : ' + build +
                 '\n  Fixed build     : ' + fixed_build +
                 '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else exit(0, "The host has "+ver+" build "+build+" and thus is not affected.");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0413.NASL
    descriptionFrom Red Hat Security Advisory 2011:0413 : Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id68245
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68245
    titleOracle Linux 6 : glibc (ELSA-2011-0413)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2011:0413 and 
    # Oracle Linux Security Advisory ELSA-2011-0413 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68245);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659");
      script_bugtraq_id(46563, 64465);
      script_xref(name:"RHSA", value:"2011:0413");
    
      script_name(english:"Oracle Linux 6 : glibc (ELSA-2011-0413)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2011:0413 :
    
    Updated glibc packages that fix three security issues are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The glibc packages contain the standard C libraries used by multiple
    programs on the system. These packages contain the standard C and the
    standard math libraries. Without these two libraries, a Linux system
    cannot function properly.
    
    The fix for CVE-2010-3847 introduced a regression in the way the
    dynamic loader expanded the $ORIGIN dynamic string token specified in
    the RPATH and RUNPATH entries in the ELF library header. A local
    attacker could use this flaw to escalate their privileges via a setuid
    or setgid program using such a library. (CVE-2011-0536)
    
    It was discovered that the glibc fnmatch() function did not properly
    restrict the use of alloca(). If the function was called on
    sufficiently large inputs, it could cause an application using
    fnmatch() to crash or, possibly, execute arbitrary code with the
    privileges of the application. (CVE-2011-1071)
    
    It was discovered that the locale command did not produce properly
    escaped output as required by the POSIX specification. If an attacker
    were able to set the locale environment variables in the environment
    of a script that performed shell evaluation on the output of the
    locale command, and that script were run with different privileges
    than the attacker's, it could execute arbitrary code with the
    privileges of the script. (CVE-2011-1095)
    
    All users should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-April/002054.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"glibc-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"glibc-common-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"glibc-devel-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"glibc-headers-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"glibc-static-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"glibc-utils-2.12-1.7.el6_0.5")) flag++;
    if (rpm_check(release:"EL6", reference:"nscd-2.12-1.7.el6_0.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1396-1.NASL
    descriptionIt was discovered that the GNU C Library did not properly handle integer overflows in the timezone handling code. An attacker could use this to possibly execute arbitrary code by convincing an application to load a maliciously constructed tzfile. (CVE-2009-5029) It was discovered that the GNU C Library did not properly handle passwd.adjunct.byname map entries in the Network Information Service (NIS) code in the name service caching daemon (nscd). An attacker could use this to obtain the encrypted passwords of NIS accounts. This issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015) Chris Evans reported that the GNU C Library did not properly calculate the amount of memory to allocate in the fnmatch() code. An attacker could use this to cause a denial of service or possibly execute arbitrary code via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1071) Tomas Hoger reported that an additional integer overflow was possible in the GNU C Library fnmatch() code. An attacker could use this to cause a denial of service via a maliciously crafted UTF-8 string. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1659) Dan Rosenberg discovered that the addmntent() function in the GNU C Library did not report an error status for failed attempts to write to the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab, possibly causing a denial of service or otherwise manipulate mount options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089) Harald van Dijk discovered that the locale program included with the GNU C library did not properly quote its output. This could allow a local attacker to possibly execute arbitrary code using a crafted localization string that was evaluated in a shell script. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2011-1095) It was discovered that the GNU C library loader expanded the $ORIGIN dynamic string token when RPATH is composed entirely of this token. This could allow an attacker to gain privilege via a setuid program that had this RPATH value. (CVE-2011-1658) It was discovered that the GNU C library implementation of memcpy optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3) contained a possible integer overflow. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702) John Zimmerman discovered that the Remote Procedure Call (RPC) implementation in the GNU C Library did not properly handle large numbers of connections. This could allow a remote attacker to cause a denial of service. (CVE-2011-4609) It was discovered that the GNU C Library vfprintf() implementation contained a possible integer overflow in the format string protection code offered by FORTIFY_SOURCE. An attacker could use this flaw in conjunction with a format string vulnerability to bypass the format string protection and possibly execute arbitrary code. (CVE-2012-0864). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id58318
    published2012-03-12
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58318
    titleUbuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : eglibc, glibc vulnerabilities (USN-1396-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-1396-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58318);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/19 12:54:27");
    
      script_cve_id("CVE-2009-5029", "CVE-2010-0015", "CVE-2011-1071", "CVE-2011-1089", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659", "CVE-2011-2702", "CVE-2011-4609", "CVE-2012-0864");
      script_bugtraq_id(37885, 46563, 46740, 47370, 50898, 51439, 52201);
      script_xref(name:"USN", value:"1396-1");
    
      script_name(english:"Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : eglibc, glibc vulnerabilities (USN-1396-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the GNU C Library did not properly handle
    integer overflows in the timezone handling code. An attacker could use
    this to possibly execute arbitrary code by convincing an application
    to load a maliciously constructed tzfile. (CVE-2009-5029)
    
    It was discovered that the GNU C Library did not properly handle
    passwd.adjunct.byname map entries in the Network Information Service
    (NIS) code in the name service caching daemon (nscd). An attacker
    could use this to obtain the encrypted passwords of NIS accounts. This
    issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015)
    
    Chris Evans reported that the GNU C Library did not properly calculate
    the amount of memory to allocate in the fnmatch() code. An attacker
    could use this to cause a denial of service or possibly execute
    arbitrary code via a maliciously crafted UTF-8 string. This issue only
    affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10.
    (CVE-2011-1071)
    
    Tomas Hoger reported that an additional integer overflow was possible
    in the GNU C Library fnmatch() code. An attacker could use this to
    cause a denial of service via a maliciously crafted UTF-8 string. This
    issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10
    and Ubuntu 11.04. (CVE-2011-1659)
    
    Dan Rosenberg discovered that the addmntent() function in the GNU C
    Library did not report an error status for failed attempts to write to
    the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab,
    possibly causing a denial of service or otherwise manipulate mount
    options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS,
    Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089)
    
    Harald van Dijk discovered that the locale program included with the
    GNU C library did not properly quote its output. This could allow a
    local attacker to possibly execute arbitrary code using a crafted
    localization string that was evaluated in a shell script. This issue
    only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 10.10.
    (CVE-2011-1095)
    
    It was discovered that the GNU C library loader expanded the $ORIGIN
    dynamic string token when RPATH is composed entirely of this token.
    This could allow an attacker to gain privilege via a setuid program
    that had this RPATH value. (CVE-2011-1658)
    
    It was discovered that the GNU C library implementation of memcpy
    optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3)
    contained a possible integer overflow. An attacker could use this to
    cause a denial of service or possibly execute arbitrary code. This
    issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702)
    
    John Zimmerman discovered that the Remote Procedure Call (RPC)
    implementation in the GNU C Library did not properly handle large
    numbers of connections. This could allow a remote attacker to cause a
    denial of service. (CVE-2011-4609)
    
    It was discovered that the GNU C Library vfprintf() implementation
    contained a possible integer overflow in the format string protection
    code offered by FORTIFY_SOURCE. An attacker could use this flaw in
    conjunction with a format string vulnerability to bypass the format
    string protection and possibly execute arbitrary code. (CVE-2012-0864).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/1396-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libc-bin and / or libc6 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc-bin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/03/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(8\.04|10\.04|10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 10.04 / 10.10 / 11.04 / 11.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"8.04", pkgname:"libc6", pkgver:"2.7-10ubuntu8.1")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"libc-bin", pkgver:"2.11.1-0ubuntu7.10")) flag++;
    if (ubuntu_check(osver:"10.04", pkgname:"libc6", pkgver:"2.11.1-0ubuntu7.10")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"libc-bin", pkgver:"2.12.1-0ubuntu10.4")) flag++;
    if (ubuntu_check(osver:"10.10", pkgname:"libc6", pkgver:"2.12.1-0ubuntu10.4")) flag++;
    if (ubuntu_check(osver:"11.04", pkgname:"libc6", pkgver:"2.13-0ubuntu13.1")) flag++;
    if (ubuntu_check(osver:"11.10", pkgname:"libc6", pkgver:"2.13-20ubuntu5.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libc-bin / libc6");
    }
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2011-0010.NASL
    descriptiona. Service Console update for DHCP The DHCP client daemon, dhclient, does not properly sanatize certain options in DHCP server replies. An attacker could send a specially crafted DHCP server reply, that is saved on the client system and evaluated by a process that assumes the option is trusted. This could lead to arbitrary code execution with the privileges of the evaluating process. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0997 to this issue. b. Service Console update for glibc This patch updates the glibc package for ESX service console to glibc-2.5-58.7602.vmw. This fixes multiple security issues in glibc, glibc-common and nscd including possible local privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2010-0296, CVE-2011-0536, CVE-2011-1095, CVE-2011-1071, CVE-2011-1658 and CVE-2011-1659 to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id55747
    published2011-08-01
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55747
    titleVMSA-2011-0010 : VMware ESX third-party updates for Service Console packages glibc and dhcp
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2011-0010. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55747);
      script_version("1.39");
      script_cvs_date("Date: 2019/09/24 15:02:54");
    
      script_cve_id("CVE-2010-0296", "CVE-2011-0536", "CVE-2011-0997", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659");
      script_bugtraq_id(44154, 46563, 47176, 47370);
      script_xref(name:"VMSA", value:"2011-0010");
    
      script_name(english:"VMSA-2011-0010 : VMware ESX third-party updates for Service Console packages glibc and dhcp");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESX host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. Service Console update for DHCP
    
        The DHCP client daemon, dhclient, does not properly sanatize
        certain options in DHCP server replies. An attacker could send a
        specially crafted DHCP server reply, that is saved on
        the client system and evaluated by a process that assumes the
        option is trusted. This could lead to arbitrary code execution
        with the privileges of the evaluating process.
    
        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CVE-2011-0997 to this issue.
    
    b. Service Console update for glibc
    
        This patch updates the glibc package for ESX service console to
        glibc-2.5-58.7602.vmw. This fixes multiple security issues in
        glibc, glibc-common and nscd including possible local privilege
        escalation.
     
        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the identifiers CVE-2010-0296, CVE-2011-0536,
        CVE-2011-1095, CVE-2011-1071, CVE-2011-1658 and CVE-2011-1659 to
        these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2012/000163.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2011-07-28");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201203405-SG")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201110406-SG",
        patch_updates : make_list("ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201110408-SG",
        patch_updates : make_list("ESX400-Update04")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201107405-SG",
        patch_updates : make_list("ESX410-Update02", "ESX410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201107406-SG",
        patch_updates : make_list("ESX410-201208104-SG", "ESX410-Update02", "ESX410-Update03")
      )
    ) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0412.NASL
    descriptionFrom Red Hat Security Advisory 2011:0412 : Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id68244
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68244
    titleOracle Linux 5 : glibc (ELSA-2011-0412)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2011:0412 and 
    # Oracle Linux Security Advisory ELSA-2011-0412 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68244);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2010-0296", "CVE-2010-3847", "CVE-2011-0536", "CVE-2011-1071", "CVE-2011-1095", "CVE-2011-1658", "CVE-2011-1659");
      script_bugtraq_id(46563, 46740, 64465);
      script_xref(name:"RHSA", value:"2011:0412");
    
      script_name(english:"Oracle Linux 5 : glibc (ELSA-2011-0412)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2011:0412 :
    
    Updated glibc packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having
    important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The glibc packages contain the standard C libraries used by multiple
    programs on the system. These packages contain the standard C and the
    standard math libraries. Without these two libraries, a Linux system
    cannot function properly.
    
    The fix for CVE-2010-3847 introduced a regression in the way the
    dynamic loader expanded the $ORIGIN dynamic string token specified in
    the RPATH and RUNPATH entries in the ELF library header. A local
    attacker could use this flaw to escalate their privileges via a setuid
    or setgid program using such a library. (CVE-2011-0536)
    
    It was discovered that the glibc addmntent() function did not sanitize
    its input properly. A local attacker could possibly use this flaw to
    inject malformed lines into /etc/mtab via certain setuid mount
    helpers, if the attacker were allowed to mount to an arbitrary
    directory under their control. (CVE-2010-0296)
    
    It was discovered that the glibc fnmatch() function did not properly
    restrict the use of alloca(). If the function was called on
    sufficiently large inputs, it could cause an application using
    fnmatch() to crash or, possibly, execute arbitrary code with the
    privileges of the application. (CVE-2011-1071)
    
    It was discovered that the locale command did not produce properly
    escaped output as required by the POSIX specification. If an attacker
    were able to set the locale environment variables in the environment
    of a script that performed shell evaluation on the output of the
    locale command, and that script were run with different privileges
    than the attacker's, it could execute arbitrary code with the
    privileges of the script. (CVE-2011-1095)
    
    All users should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-April/002053.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "$ORIGIN" Expansion Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL5", reference:"glibc-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"EL5", reference:"glibc-common-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"EL5", reference:"glibc-devel-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"EL5", reference:"glibc-headers-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"EL5", reference:"glibc-utils-2.5-58.el5_6.2")) flag++;
    if (rpm_check(release:"EL5", reference:"nscd-2.5-58.el5_6.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-utils / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120213_GLIBC_ON_SL4_X.NASL
    descriptionThe glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) It was discovered that the glibc addmntent() function, used by various mount helper utilities, did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into the mtab (mounted file systems table) file via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-03-18
    modified2012-08-01
    plugin id61243
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61243
    titleScientific Linux Security Update : glibc on SL4.x i386/x86_64 (20120213)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61243);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0296", "CVE-2010-0830", "CVE-2011-1071", "CVE-2011-1089", "CVE-2011-1095", "CVE-2011-4609");
    
      script_name(english:"Scientific Linux Security Update : glibc on SL4.x i386/x86_64 (20120213)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The glibc packages contain the standard C libraries used by multiple
    programs on the system. These packages contain the standard C and the
    standard math libraries. Without these two libraries, a Linux system
    cannot function properly.
    
    An integer overflow flaw, leading to a heap-based buffer overflow, was
    found in the way the glibc library read timezone files. If a
    carefully-crafted timezone file was loaded by an application linked
    against glibc, it could cause the application to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running the application. (CVE-2009-5029)
    
    A flaw was found in the way the ldd utility identified dynamically
    linked libraries. If an attacker could trick a user into running ldd
    on a malicious binary, it could result in arbitrary code execution
    with the privileges of the user running ldd. (CVE-2009-5064)
    
    It was discovered that the glibc addmntent() function, used by various
    mount helper utilities, did not sanitize its input properly. A local
    attacker could possibly use this flaw to inject malformed lines into
    the mtab (mounted file systems table) file via certain setuid mount
    helpers, if the attacker were allowed to mount to an arbitrary
    directory under their control. (CVE-2010-0296)
    
    An integer overflow flaw, leading to a heap-based buffer overflow, was
    found in the way the glibc library loaded ELF (Executable and Linking
    Format) files. If a carefully-crafted ELF file was loaded by an
    application linked against glibc, it could cause the application to
    crash or, potentially, execute arbitrary code with the privileges of
    the user running the application. (CVE-2010-0830)
    
    It was discovered that the glibc fnmatch() function did not properly
    restrict the use of alloca(). If the function was called on
    sufficiently large inputs, it could cause an application using
    fnmatch() to crash or, possibly, execute arbitrary code with the
    privileges of the application. (CVE-2011-1071)
    
    It was found that the glibc addmntent() function, used by various
    mount helper utilities, did not handle certain errors correctly when
    updating the mtab (mounted file systems table) file. If such utilities
    had the setuid bit set, a local attacker could use this flaw to
    corrupt the mtab file. (CVE-2011-1089)
    
    It was discovered that the locale command did not produce properly
    escaped output as required by the POSIX specification. If an attacker
    were able to set the locale environment variables in the environment
    of a script that performed shell evaluation on the output of the
    locale command, and that script were run with different privileges
    than the attacker's, it could execute arbitrary code with the
    privileges of the script. (CVE-2011-1095)
    
    An integer overflow flaw was found in the glibc fnmatch() function. If
    an attacker supplied a long UTF-8 string to an application linked
    against glibc, it could cause the application to crash.
    (CVE-2011-1659)
    
    A denial of service flaw was found in the remote procedure call (RPC)
    implementation in glibc. A remote attacker able to open a large number
    of connections to an RPC service that is using the RPC implementation
    from glibc, could use this flaw to make that service use an excessive
    amount of CPU time. (CVE-2011-4609)
    
    This update also fixes the following bug :
    
      - When using an nscd package that is a different version
        than the glibc package, the nscd service could fail to
        start. This update makes the nscd package require a
        specific glibc version to prevent this problem.
    
    Users should upgrade to these updated packages, which resolve these
    issues."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1202&L=scientific-linux-errata&T=0&P=2559
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c13b3468"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nptl-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nscd");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 4.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL4", reference:"glibc-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-common-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-debuginfo-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-debuginfo-common-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-headers-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-profile-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"glibc-utils-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"nptl-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"SL4", reference:"nscd-2.3.4-2.57")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2012-0125.NASL
    descriptionUpdated glibc packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) It was discovered that the glibc addmntent() function, used by various mount helper utilities, did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into the mtab (mounted file systems table) file via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id57923
    published2012-02-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57923
    titleCentOS 4 : glibc (CESA-2012:0125)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2012:0125 and 
    # CentOS Errata and Security Advisory 2012:0125 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57923);
      script_version("1.14");
      script_cvs_date("Date: 2020/01/07");
    
      script_cve_id("CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0296", "CVE-2010-0830", "CVE-2011-1071", "CVE-2011-1089", "CVE-2011-1095", "CVE-2011-1659", "CVE-2011-4609");
      script_bugtraq_id(40063, 46563, 46740, 47370, 50898, 51439);
      script_xref(name:"RHSA", value:"2012:0125");
    
      script_name(english:"CentOS 4 : glibc (CESA-2012:0125)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated glibc packages that fix multiple security issues and one bug
    are now available for Red Hat Enterprise Linux 4.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The glibc packages contain the standard C libraries used by multiple
    programs on the system. These packages contain the standard C and the
    standard math libraries. Without these two libraries, a Linux system
    cannot function properly.
    
    An integer overflow flaw, leading to a heap-based buffer overflow, was
    found in the way the glibc library read timezone files. If a
    carefully-crafted timezone file was loaded by an application linked
    against glibc, it could cause the application to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running the application. (CVE-2009-5029)
    
    A flaw was found in the way the ldd utility identified dynamically
    linked libraries. If an attacker could trick a user into running ldd
    on a malicious binary, it could result in arbitrary code execution
    with the privileges of the user running ldd. (CVE-2009-5064)
    
    It was discovered that the glibc addmntent() function, used by various
    mount helper utilities, did not sanitize its input properly. A local
    attacker could possibly use this flaw to inject malformed lines into
    the mtab (mounted file systems table) file via certain setuid mount
    helpers, if the attacker were allowed to mount to an arbitrary
    directory under their control. (CVE-2010-0296)
    
    An integer overflow flaw, leading to a heap-based buffer overflow, was
    found in the way the glibc library loaded ELF (Executable and Linking
    Format) files. If a carefully-crafted ELF file was loaded by an
    application linked against glibc, it could cause the application to
    crash or, potentially, execute arbitrary code with the privileges of
    the user running the application. (CVE-2010-0830)
    
    It was discovered that the glibc fnmatch() function did not properly
    restrict the use of alloca(). If the function was called on
    sufficiently large inputs, it could cause an application using
    fnmatch() to crash or, possibly, execute arbitrary code with the
    privileges of the application. (CVE-2011-1071)
    
    It was found that the glibc addmntent() function, used by various
    mount helper utilities, did not handle certain errors correctly when
    updating the mtab (mounted file systems table) file. If such utilities
    had the setuid bit set, a local attacker could use this flaw to
    corrupt the mtab file. (CVE-2011-1089)
    
    It was discovered that the locale command did not produce properly
    escaped output as required by the POSIX specification. If an attacker
    were able to set the locale environment variables in the environment
    of a script that performed shell evaluation on the output of the
    locale command, and that script were run with different privileges
    than the attacker's, it could execute arbitrary code with the
    privileges of the script. (CVE-2011-1095)
    
    An integer overflow flaw was found in the glibc fnmatch() function. If
    an attacker supplied a long UTF-8 string to an application linked
    against glibc, it could cause the application to crash.
    (CVE-2011-1659)
    
    A denial of service flaw was found in the remote procedure call (RPC)
    implementation in glibc. A remote attacker able to open a large number
    of connections to an RPC service that is using the RPC implementation
    from glibc, could use this flaw to make that service use an excessive
    amount of CPU time. (CVE-2011-4609)
    
    Red Hat would like to thank the Ubuntu Security Team for reporting
    CVE-2010-0830, and Dan Rosenberg for reporting CVE-2011-1089. The
    Ubuntu Security Team acknowledges Dan Rosenberg as the original
    reporter of CVE-2010-0830.
    
    This update also fixes the following bug :
    
    * When using an nscd package that is a different version than the
    glibc package, the nscd service could fail to start. This update makes
    the nscd package require a specific glibc version to prevent this
    problem. (BZ#657009)
    
    Users should upgrade to these updated packages, which resolve these
    issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2012-February/018427.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?04137bde"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-0296");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nptl-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-common-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-common-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-headers-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-headers-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-profile-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-profile-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"glibc-utils-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"glibc-utils-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"nptl-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"nptl-devel-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"nscd-2.3.4-2.57")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"nscd-2.3.4-2.57")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-profile / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0412.NASL
    descriptionUpdated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id53291
    published2011-04-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53291
    titleRHEL 5 : glibc (RHSA-2011:0412)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-110516.NASL
    descriptionThis update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id55441
    published2011-06-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55441
    titleSuSE 11.1 Security Update : glibc (SAT Patch Number 4572)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-0125.NASL
    descriptionFrom Red Hat Security Advisory 2012:0125 : Updated glibc packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) It was discovered that the glibc addmntent() function, used by various mount helper utilities, did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into the mtab (mounted file systems table) file via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id68455
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68455
    titleOracle Linux 4 : glibc (ELSA-2012-0125)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2011-0412.NASL
    descriptionUpdated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id53430
    published2011-04-15
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53430
    titleCentOS 5 : glibc (CESA-2011:0412)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GLIBC-7574.NASL
    descriptionThis update contains the following fixes : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id57201
    published2011-12-13
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57201
    titleSuSE 10 Security Update : glibc (ZYPP Patch Number 7574)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2011-0012.NASL
    descriptiona. ESX third-party update for Service Console kernel This update takes the console OS kernel package to kernel-2.6.18-238.9.1 which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798, CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015, CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086, CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477, CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158, CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243, CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251, CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710, CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues. b. ESX third-party update for Service Console krb5 RPMs This patch updates the krb5-libs and krb5-workstation RPMs of the console OS to version 1.6.1-55.el5_6.1, which resolves multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282 to these issues. c. ESXi and ESX update to third-party component glibc The glibc third-party library is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071, CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues. d. ESX update to third-party drivers mptsas, mpt2sas, and mptspi The mptsas, mpt2sas, and mptspi drivers are updated which addresses multiple security issues in the mpt2sas driver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id56508
    published2011-10-14
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/56508
    titleVMSA-2011-0012 : VMware ESXi and ESX updates to third-party libraries and ESX Service Console
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL09408132.NASL
    descriptionInteger overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.
    last seen2020-06-01
    modified2020-06-02
    plugin id93030
    published2016-08-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93030
    titleF5 Networks BIG-IP : glibc vulnerability (SOL09408132)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-0125.NASL
    descriptionUpdated glibc packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd. (CVE-2009-5064) It was discovered that the glibc addmntent() function, used by various mount helper utilities, did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into the mtab (mounted file systems table) file via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library loaded ELF (Executable and Linking Format) files. If a carefully-crafted ELF file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2010-0830) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file. (CVE-2011-1089) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-04-16
    modified2012-02-14
    plugin id57928
    published2012-02-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57928
    titleRHEL 4 : glibc (RHSA-2012:0125)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201312-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201312-01 (GNU C Library: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GNU C Library. Please review the CVE identifiers referenced below for details. Impact : A local attacker could trigger vulnerabilities in dynamic library loader, making it possible to load attacker-controlled shared objects during execution of setuid/setgid programs to escalate privileges. A context-dependent attacker could trigger various vulnerabilities in GNU C Library, including a buffer overflow, leading to execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id71167
    published2013-12-03
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/71167
    titleGLSA-201312-01 : GNU C Library: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2011-179.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089). Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659). crypt_blowfish before 1.1, as used in glibc on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id61938
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61938
    titleMandriva Linux Security Advisory : glibc (MDVSA-2011:179)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL15885.NASL
    descriptionThe GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id79606
    published2014-11-28
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79606
    titleF5 Networks BIG-IP : GNU C Library vulnerability (SOL15885)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0413.NASL
    descriptionUpdated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id53292
    published2011-04-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53292
    titleRHEL 6 : glibc (RHSA-2011:0413)
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2011-0010_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries : - DHCP - glibc
    last seen2020-06-01
    modified2020-06-02
    plugin id89679
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89679
    titleVMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0010) (remote check)
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2011-0012_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries : - Kernel - krb5 - glibc - mtp2sas - mptsas - mptspi
    last seen2020-06-01
    modified2020-06-02
    plugin id89680
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89680
    titleVMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-110517.NASL
    descriptionThis update fixes the following security issues found in glibc : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id57106
    published2011-12-13
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57106
    titleSuSE 11.1 Security Update : glibc (SAT Patch Number 4572)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2011-178.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has in (a) RPATH or (b) RUNPATH. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847 (CVE-2011-0536). The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a stack extension attack, a related issue to CVE-2010-2898, as originally reported for use of this library by Google Chrome (CVE-2011-1071). The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089). locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function (CVE-2011-1095). Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659). crypt_blowfish before 1.1, as used in glibc on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id56953
    published2011-11-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56953
    titleMandriva Linux Security Advisory : glibc (MDVSA-2011:178)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0023.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Switch to use malloc when the input line is too long [Orabug 19951108] - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, - Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Fix return code when starting an already started nscd daemon (#979413). - Fix getnameinfo for many PTR record queries (#1020486). - Return EINVAL error for negative sizees to getgroups (#995207). - Fix integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420). - Revert incomplete fix for bug #758193. - Fix _nl_find_msg malloc failure case, and callers (#957089). - Test on init_fct, not result->__init_fct, after demangling (#816647). - Don
    last seen2020-06-01
    modified2020-06-02
    plugin id81118
    published2015-02-02
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81118
    titleOracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12775.NASL
    descriptionThis update contains the following fixes : - Specially crafted input to the fnmatch function could cause an integer overflow. (CVE-2011-1071) - The output of the
    last seen2020-06-01
    modified2020-06-02
    plugin id55440
    published2011-06-28
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55440
    titleSuSE9 Security Update : glibc (YOU Patch Number 12775)

Oval

accepted2011-12-05T04:00:09.114-05:00
classvulnerability
contributors
nameAslesha Nargolkar
organizationHewlett-Packard
definition_extensions
commentVMware ESX Server 4.1 is installed
ovaloval:org.mitre.oval:def:13012
descriptionThe GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.
familyunix
idoval:org.mitre.oval:def:12853
statusaccepted
submitted2011-09-06T16:14:19.000-05:00
titleVMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp
version6

Redhat

advisories
  • rhsa
    idRHSA-2011:0412
  • rhsa
    idRHSA-2011:0413
rpms
  • glibc-0:2.5-58.el5_6.2
  • glibc-common-0:2.5-58.el5_6.2
  • glibc-debuginfo-0:2.5-58.el5_6.2
  • glibc-debuginfo-common-0:2.5-58.el5_6.2
  • glibc-devel-0:2.5-58.el5_6.2
  • glibc-headers-0:2.5-58.el5_6.2
  • glibc-utils-0:2.5-58.el5_6.2
  • nscd-0:2.5-58.el5_6.2
  • glibc-0:2.12-1.7.el6_0.5
  • glibc-common-0:2.12-1.7.el6_0.5
  • glibc-debuginfo-0:2.12-1.7.el6_0.5
  • glibc-devel-0:2.12-1.7.el6_0.5
  • glibc-headers-0:2.12-1.7.el6_0.5
  • glibc-static-0:2.12-1.7.el6_0.5
  • glibc-utils-0:2.12-1.7.el6_0.5
  • nscd-0:2.12-1.7.el6_0.5
  • glibc-0:2.3.4-2.57
  • glibc-common-0:2.3.4-2.57
  • glibc-debuginfo-0:2.3.4-2.57
  • glibc-debuginfo-common-0:2.3.4-2.57
  • glibc-devel-0:2.3.4-2.57
  • glibc-headers-0:2.3.4-2.57
  • glibc-profile-0:2.3.4-2.57
  • glibc-utils-0:2.3.4-2.57
  • nptl-devel-0:2.3.4-2.57
  • nscd-0:2.3.4-2.57