Vulnerabilities > CVE-2011-1749 - Improper Input Validation vulnerability in Linux-Nfs Nfs-Utils

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2012:0310. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58064);
  script_version ("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/15");

  script_cve_id("CVE-2011-1749");
  script_bugtraq_id(47532);
  script_xref(name:"RHSA", value:"2012:0310");

  script_name(english:"RHEL 5 : nfs-utils (RHSA-2012:0310)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An updated nfs-utils package that fixes one security issue, various
bugs, and adds one enhancement is now available for Red Hat Enterprise
Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The nfs-utils package provides a daemon for the kernel Network File
System (NFS) server, and related tools such as the mount.nfs,
umount.nfs, and showmount programs.

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1749)

This update also fixes the following bugs :

* The nfs service failed to start if the NFSv1, NFSv2, and NFSv4
support was disabled (the MOUNTD_NFS_V1='no', MOUNTD_NFS_V2='no'
MOUNTD_NFS_V3='no' lines in /etc/sysconfig/nfs were uncommented)
because the mountd daemon failed to handle the settings correctly.
With this update, the underlying code has been modified and the nfs
service starts successfully in the described scenario. (BZ#529588)

* When a user's Kerberos ticket expired, the 'sh rpc.gssd' messages
flooded the /var/log/messages file. With this update, the excessive
logging has been suppressed. (BZ#593097)

* The crash simulation (SM_SIMU_CRASH) of the rpc.statd service had a
vulnerability that could be detected by ISS (Internet Security
Scanner). As a result, the rpc.statd service terminated unexpectedly
with the following error after an ISS scan :

rpc.statd[xxxx]: recv_rply: can't decode RPC message! rpc.statd[xxxx]:
*** SIMULATING CRASH! *** rpc.statd[xxxx]: unable to register (statd,
1, udp).

However, the rpc.statd service ignored SM_SIMU_CRASH. This update
removes the simulation crash support from the service and the problem
no longer occurs. (BZ#600497)

* The nfs-utils init scripts returned incorrect status codes in the
following cases: if the rpcgssd and rpcsvcgssd daemon were not
configured, were provided an unknown argument, their function call
failed, if a program was no longer running and a
/var/lock/subsys/$SERVICE file existed, if starting a service under an
unprivileged user, if a program was no longer running and its pid file
still existed in the /var/run/ directory. With this update, the
correct codes are returned in these scenarios. (BZ#710020)

* The 'nfsstat -m' command did not display NFSv4 mounts. With this
update, the underlying code has been modified and the command returns
the list of all mounts, including any NFSv4 mounts, as expected.
(BZ#712438)

* Previously, the nfs manual pages described the fsc mount option;
however, this option is not supported. This update removes the option
description from the manual pages. (BZ#715523)

* The nfs-utils preinstall scriptlet failed to change the default
group ID for the nfsnobody user to 65534. This update modifies the
preinstall scriptlet and the default group ID is changed to 65534
after nfs-utils upgrade as expected. (BZ#729603)

* The mount.nfs command with the '-o retry' option did not try to
mount for the time specified in the 'retry=X' configuration option.
This occurred due to incorrect error handling by the command. With
this update, the underlying code has been fixed and the '-o retry'
option works as expected. (BZ#736677)

In addition, this update adds the following enhancement :

* The noresvport option, which allows NFS clients to use insecure
ports (ports above 1023), has been added to the NFS server
configuration options. (BZ#513094)

All nfs-utils users are advised to upgrade to this updated package,
which resolves these issues and adds this enhancement. After
installing this update, the nfs service will be restarted
automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2012:0310"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-1749"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils and / or nfs-utils-debuginfo packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nfs-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nfs-utils-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2012:0310";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"nfs-utils-1.0.9-60.el5")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"nfs-utils-1.0.9-60.el5")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"nfs-utils-1.0.9-60.el5")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"nfs-utils-debuginfo-1.0.9-60.el5")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"nfs-utils-debuginfo-1.0.9-60.el5")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"nfs-utils-debuginfo-1.0.9-60.el5")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nfs-utils / nfs-utils-debuginfo");
  }
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2012:0310 and 
# Oracle Linux Security Advisory ELSA-2012-0310 respectively.
#

include("compat.inc");

if (description)
{
  script_id(68481);
  script_version("1.10");
  script_cvs_date("Date: 2019/09/30 10:58:17");

  script_cve_id("CVE-2011-1749");
  script_bugtraq_id(47532);
  script_xref(name:"RHSA", value:"2012:0310");

  script_name(english:"Oracle Linux 5 : nfs-utils (ELSA-2012-0310)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2012:0310 :

An updated nfs-utils package that fixes one security issue, various
bugs, and adds one enhancement is now available for Red Hat Enterprise
Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The nfs-utils package provides a daemon for the kernel Network File
System (NFS) server, and related tools such as the mount.nfs,
umount.nfs, and showmount programs.

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1749)

This update also fixes the following bugs :

* The nfs service failed to start if the NFSv1, NFSv2, and NFSv4
support was disabled (the MOUNTD_NFS_V1='no', MOUNTD_NFS_V2='no'
MOUNTD_NFS_V3='no' lines in /etc/sysconfig/nfs were uncommented)
because the mountd daemon failed to handle the settings correctly.
With this update, the underlying code has been modified and the nfs
service starts successfully in the described scenario. (BZ#529588)

* When a user's Kerberos ticket expired, the 'sh rpc.gssd' messages
flooded the /var/log/messages file. With this update, the excessive
logging has been suppressed. (BZ#593097)

* The crash simulation (SM_SIMU_CRASH) of the rpc.statd service had a
vulnerability that could be detected by ISS (Internet Security
Scanner). As a result, the rpc.statd service terminated unexpectedly
with the following error after an ISS scan :

rpc.statd[xxxx]: recv_rply: can't decode RPC message! rpc.statd[xxxx]:
*** SIMULATING CRASH! *** rpc.statd[xxxx]: unable to register (statd,
1, udp).

However, the rpc.statd service ignored SM_SIMU_CRASH. This update
removes the simulation crash support from the service and the problem
no longer occurs. (BZ#600497)

* The nfs-utils init scripts returned incorrect status codes in the
following cases: if the rpcgssd and rpcsvcgssd daemon were not
configured, were provided an unknown argument, their function call
failed, if a program was no longer running and a
/var/lock/subsys/$SERVICE file existed, if starting a service under an
unprivileged user, if a program was no longer running and its pid file
still existed in the /var/run/ directory. With this update, the
correct codes are returned in these scenarios. (BZ#710020)

* The 'nfsstat -m' command did not display NFSv4 mounts. With this
update, the underlying code has been modified and the command returns
the list of all mounts, including any NFSv4 mounts, as expected.
(BZ#712438)

* Previously, the nfs manual pages described the fsc mount option;
however, this option is not supported. This update removes the option
description from the manual pages. (BZ#715523)

* The nfs-utils preinstall scriptlet failed to change the default
group ID for the nfsnobody user to 65534. This update modifies the
preinstall scriptlet and the default group ID is changed to 65534
after nfs-utils upgrade as expected. (BZ#729603)

* The mount.nfs command with the '-o retry' option did not try to
mount for the time specified in the 'retry=X' configuration option.
This occurred due to incorrect error handling by the command. With
this update, the underlying code has been fixed and the '-o retry'
option works as expected. (BZ#736677)

In addition, this update adds the following enhancement :

* The noresvport option, which allows NFS clients to use insecure
ports (ports above 1023), has been added to the NFS server
configuration options. (BZ#513094)

All nfs-utils users are advised to upgrade to this updated package,
which resolves these issues and adds this enhancement. After
installing this update, the nfs service will be restarted
automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2012-March/002661.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nfs-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL5", reference:"nfs-utils-1.0.9-60.0.1.el5")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nfs-utils");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2012:0168. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(79283);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/24 15:35:35");

  script_cve_id("CVE-2006-1168", "CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-4008", "CVE-2011-0216", "CVE-2011-1083", "CVE-2011-1089", "CVE-2011-1526", "CVE-2011-2716", "CVE-2011-2834", "CVE-2011-3638", "CVE-2011-3905", "CVE-2011-3919", "CVE-2011-4086", "CVE-2011-4109", "CVE-2011-4127", "CVE-2011-4347", "CVE-2011-4576", "CVE-2011-4619", "CVE-2012-0028", "CVE-2012-0029", "CVE-2012-0207");
  script_bugtraq_id(51281, 51343, 51642);
  script_xref(name:"RHSA", value:"2012:0168");

  script_name(english:"RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An updated rhev-hypervisor5 package that fixes several security issues
and various bugs is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The rhev-hypervisor5 package provides a Red Hat Enterprise
Virtualization Hypervisor ISO disk image. The Red Hat Enterprise
Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine
(KVM) hypervisor. It includes everything necessary to run and manage
virtual machines: A subset of the Red Hat Enterprise Linux operating
environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available
for the Intel 64 and AMD64 architectures with virtualization
extensions.

A heap overflow flaw was found in the way QEMU-KVM emulated the e1000
network interface card. A privileged guest user in a virtual machine
whose network interface is configured to use the e1000 emulated driver
could use this flaw to crash the host or, possibly, escalate their
privileges on the host. (CVE-2012-0029)

A divide-by-zero flaw was found in the Linux kernel's
igmp_heard_query() function. An attacker able to send certain IGMP
(Internet Group Management Protocol) packets to a target system could
use this flaw to cause a denial of service. (CVE-2012-0207)

A double free flaw was discovered in the policy checking code in
OpenSSL. A remote attacker could use this flaw to crash an application
that uses OpenSSL by providing an X.509 certificate that has specially
crafted policy extension data. (CVE-2011-4109)

An information leak flaw was found in the SSL 3.0 protocol
implementation in OpenSSL. Incorrect initialization of SSL record
padding bytes could cause an SSL client or server to send a limited
amount of possibly sensitive data to its SSL peer via the encrypted
connection. (CVE-2011-4576)

It was discovered that OpenSSL did not limit the number of TLS/SSL
handshake restarts required to support Server Gated Cryptography. A
remote attacker could use this flaw to make a TLS/SSL server using
OpenSSL consume an excessive amount of CPU by continuously restarting
the handshake. (CVE-2011-4619)

Red Hat would like to thank Nicolae Mogoreanu for reporting
CVE-2012-0029, and Simon McVittie for reporting CVE-2012-0207.

This updated package provides updated components that include fixes
for various security issues. These issues have no security impact on
Red Hat Enterprise Virtualization Hypervisor itself, however. The
security fixes included in this update address the following CVE
numbers :

CVE-2006-1168 and CVE-2011-2716 (busybox issues)

CVE-2009-5029, CVE-2009-5064, CVE-2010-0830 and CVE-2011-1089 (glibc
issues)

CVE-2011-1083, CVE-2011-3638, CVE-2011-4086, CVE-2011-4127 and
CVE-2012-0028 (kernel issues)

CVE-2011-1526 (krb5 issue)

CVE-2011-4347 (kvm issue)

CVE-2010-4008, CVE-2011-0216, CVE-2011-2834, CVE-2011-3905,
CVE-2011-3919 and CVE-2011-1944 (libxml2 issues)

CVE-2011-1749 (nfs-utils issue)

CVE-2011-4108 (openssl issue)

CVE-2011-0010 (sudo issue)

CVE-2011-1675 and CVE-2011-1677 (util-linux issues)

CVE-2010-0424 (vixie-cron issue)

This updated rhev-hypervisor5 package fixes various bugs.
Documentation of these changes will be available shortly in the
Technical Notes document :

https://docs.redhat.com/docs/en-US/
Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes
/ index.html

Users of Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package, which fixes these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4109"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-4619"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-0029"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-0207"
  );
  # https://docs.redhat.com/docs/en-US/
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/documentation/en-US/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2012:0168"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected rhev-hypervisor5 and / or rhev-hypervisor5-tools
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor5-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/17");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2012:0168";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL5", reference:"rhev-hypervisor5-5.8-20120202.0.el5")) flag++;
  if (rpm_check(release:"RHEL5", reference:"rhev-hypervisor5-tools-5.8-20120202.0.el5")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rhev-hypervisor5 / rhev-hypervisor5-tools");
  }
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update nfs-client-4831.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(75978);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:42");

  script_cve_id("CVE-2011-1749", "CVE-2011-2500");

  script_name(english:"openSUSE Security Update : nfs-client (openSUSE-SU-2011:0747-1)");
  script_summary(english:"Check for the nfs-client-4831 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update fixes the following security issues :

When using wildcards in /etc/exports an attacker could gain
unauthorized access to an nfs exported filesystem by creating a DNS
record that resolves to the attacker's IP as well as to a trusted IP
(CVE-2011-2500).

mount.nfs could corrupt /etc/mtab (CVE-2011-1749)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=689799"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=693189"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=701702"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-07/msg00006.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-07/msg00008.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-client packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nfs-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nfs-client-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nfs-kernel-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.4", reference:"nfs-client-1.2.3-11.16.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"nfs-client-debuginfo-1.2.3-11.16.1") ) flag++;
if ( rpm_check(release:"SUSE11.4", reference:"nfs-kernel-server-1.2.3-11.16.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nfs-client / nfs-kernel-server / nfs-client-debuginfo");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2011:1534. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(57015);
  script_version ("1.19");
  script_cvs_date("Date: 2019/10/25 13:36:16");

  script_cve_id("CVE-2011-1749", "CVE-2011-2500");
  script_bugtraq_id(47532, 48465);
  script_xref(name:"RHSA", value:"2011:1534");

  script_name(english:"RHEL 6 : nfs-utils (RHSA-2011:1534)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated nfs-utils packages that fix two security issues, various bugs,
and add one enhancement are now available for Red Hat Enterprise Linux
6.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The nfs-utils packages provide a daemon for the kernel Network File
System (NFS) server, and related tools such as the mount.nfs,
umount.nfs, and showmount programs.

A flaw was found in the way nfs-utils performed IP based
authentication of mount requests. In configurations where a directory
was exported to a group of systems using a DNS wildcard or NIS
(Network Information Service) netgroup, an attacker could possibly
gain access to other directories exported to a specific host or
subnet, bypassing intended access restrictions. (CVE-2011-2500)

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1749)

This update also fixes several bugs and adds an enhancement.
Documentation for these bug fixes and the enhancement will be
available shortly from the Technical Notes document, linked to in the
References section.

Users of nfs-utils are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues and add this
enhancement. After installing this update, the nfs service will be
restarted automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-1749"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2011-2500"
  );
  # https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?056c0c27"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2011:1534"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils and / or nfs-utils-debuginfo packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nfs-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nfs-utils-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2011:1534";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"nfs-utils-1.2.3-15.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"nfs-utils-1.2.3-15.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"nfs-utils-1.2.3-15.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"nfs-utils-debuginfo-1.2.3-15.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"nfs-utils-debuginfo-1.2.3-15.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"nfs-utils-debuginfo-1.2.3-15.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nfs-utils / nfs-utils-debuginfo");
  }
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(61193);
  script_version("1.6");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2011-1749", "CVE-2011-2500");

  script_name(english:"Scientific Linux Security Update : nfs-utils on SL6.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The nfs-utils packages provide a daemon for the kernel Network File
System (NFS) server, and related tools such as the mount.nfs,
umount.nfs, and showmount programs.

A flaw was found in the way nfs-utils performed IP based
authentication of mount requests. In configurations where a directory
was exported to a group of systems using a DNS wildcard or NIS
(Network Information Service) netgroup, an attacker could possibly
gain access to other directories exported to a specific host or
subnet, bypassing intended access restrictions. (CVE-2011-2500)

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1749)

This update also fixes several bugs and adds an enhancement.

Users of nfs-utils are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues and add this
enhancement. After installing this update, the nfs service will be
restarted automatically."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1112&L=scientific-linux-errata&T=0&P=1916
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0470fa08"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils and / or nfs-utils-debuginfo packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL6", reference:"nfs-utils-1.2.3-15.el6")) flag++;
if (rpm_check(release:"SL6", reference:"nfs-utils-debuginfo-1.2.3-15.el6")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2011:186. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(57146);
  script_version("1.11");
  script_cvs_date("Date: 2019/08/02 13:32:54");

  script_cve_id("CVE-2011-1749");
  script_bugtraq_id(47532);
  script_xref(name:"MDVSA", value:"2011:186");

  script_name(english:"Mandriva Linux Security Advisory : nfs-utils (MDVSA-2011:186)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A vulnerability has been discovered and corrected in nfs-utils :

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file
(CVE-2011-1749).

The updated packages have been patched to correct this issue."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils and / or nfs-utils-clients packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils-clients");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2010.1", reference:"nfs-utils-1.2.2-5.1mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"nfs-utils-clients-1.2.2-5.1mdv2010.2", yank:"mdv")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(61269);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2011-1749");

  script_name(english:"Scientific Linux Security Update : nfs-utils on SL5.x i386/x86_64 (20120221)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The nfs-utils package provides a daemon for the kernel Network File
System (NFS) server, and related tools such as the mount.nfs,
umount.nfs, and showmount programs.

It was found that the mount.nfs tool did not handle certain errors
correctly when updating the mtab (mounted file systems table) file. A
local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1749)

This update also fixes the following bugs :

  - The nfs service failed to start if the NFSv1, NFSv2, and
    NFSv4 support was disabled (the MOUNTD_NFS_V1='no',
    MOUNTD_NFS_V2='no' MOUNTD_NFS_V3='no' lines in
    /etc/sysconfig/nfs were uncommented) because the mountd
    daemon failed to handle the settings correctly. With
    this update, the underlying code has been modified and
    the nfs service starts successfully in the described
    scenario.

  - When a user's Kerberos ticket expired, the 'sh rpc.gssd'
    messages flooded the /var/log/messages file. With this
    update, the excessive logging has been suppressed.

  - The crash simulation (SM_SIMU_CRASH) of the rpc.statd
    service had a vulnerability that could be detected by
    ISS (Internet Security Scanner). As a result, the
    rpc.statd service terminated unexpectedly with the
    following error after an ISS scan :

    rpc.statd[xxxx]: recv_rply: can't decode RPC message!
    rpc.statd[xxxx]: *** SIMULATING CRASH! ***
    rpc.statd[xxxx]: unable to register (statd, 1, udp).

However, the rpc.statd service ignored SM_SIMU_CRASH. This update
removes the simulation crash support from the service and the problem
no longer occurs.

  - The nfs-utils init scripts returned incorrect status
    codes in the following cases: if the rpcgssd and
    rpcsvcgssd daemon were not configured, were provided an
    unknown argument, their function call failed, if a
    program was no longer running and a
    /var/lock/subsys/$SERVICE file existed, if starting a
    service under an unprivileged user, if a program was no
    longer running and its pid file still existed in the
    /var/run/ directory. With this update, the correct codes
    are returned in these scenarios.

  - The 'nfsstat -m' command did not display NFSv4 mounts.
    With this update, the underlying code has been modified
    and the command returns the list of all mounts,
    including any NFSv4 mounts, as expected.

  - Previously, the nfs manual pages described the fsc mount
    option; however, this option is not supported. This
    update removes the option description from the manual
    pages.

  - The nfs-utils preinstall scriptlet failed to change the
    default group ID for the nfsnobody user to 65534. This
    update modifies the preinstall scriptlet and the default
    group ID is changed to 65534 after nfs-utils upgrade as
    expected.

  - The mount.nfs command with the '-o retry' option did not
    try to mount for the time specified in the 'retry=X'
    configuration option. This occurred due to incorrect
    error handling by the command. With this update, the
    underlying code has been fixed and the '-o retry' option
    works as expected.

In addition, this update adds the following enhancement :

  - The noresvport option, which allows NFS clients to use
    insecure ports (ports above 1023), has been added to the
    NFS server configuration options.

All nfs-utils users are advised to upgrade to this updated package,
which resolves these issues and adds this enhancement. After
installing this update, the nfs service will be restarted
automatically."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1203&L=scientific-linux-errata&T=0&P=3542
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4438eef8"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected nfs-utils and / or nfs-utils-debuginfo packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nfs-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nfs-utils-debuginfo");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 5.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL5", reference:"nfs-utils-1.0.9-60.el5")) flag++;
if (rpm_check(release:"SL5", reference:"nfs-utils-debuginfo-1.0.9-60.el5")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nfs-utils / nfs-utils-debuginfo");
}