Vulnerabilities > CVE-2011-3152 - Cryptographic Issues vulnerability in Canonical Ubuntu Linux and Update-Manager
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 5 | |
| Application | 5 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1284-2.NASL description USN-1284-1 fixed vulnerabilities in Update Manager. One of the fixes introduced a regression for Kubuntu users attempting to upgrade to a newer Ubuntu release. This update fixes the problem. We apologize for the inconvenience. David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 57997 published 2012-02-17 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57997 title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : update-manager regression (USN-1284-2) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1284-2. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(57997); script_version("1.8"); script_cvs_date("Date: 2019/09/19 12:54:27"); script_cve_id("CVE-2011-3152", "CVE-2011-3154"); script_xref(name:"USN", value:"1284-2"); script_name(english:"Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : update-manager regression (USN-1284-2)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "USN-1284-1 fixed vulnerabilities in Update Manager. One of the fixes introduced a regression for Kubuntu users attempting to upgrade to a newer Ubuntu release. This update fixes the problem. We apologize for the inconvenience. David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1284-2/" ); script_set_attribute( attribute:"solution", value:"Update the affected update-manager-core package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:update-manager-core"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/17"); script_set_attribute(attribute:"patch_publication_date", value:"2012/02/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(8\.04|10\.04|10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 10.04 / 10.10 / 11.04 / 11.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"8.04", pkgname:"update-manager-core", pkgver:"1:0.87.33")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"update-manager-core", pkgver:"1:0.134.11.2")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"update-manager-core", pkgver:"1:0.142.23.2")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"update-manager-core", pkgver:"1:0.150.5.2")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"update-manager-core", pkgver:"1:0.152.25.8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "update-manager-core"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1284-1.NASL description David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56971 published 2011-11-29 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56971 title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : update-manager vulnerabilities (USN-1284-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-1284-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(56971); script_version("1.9"); script_cvs_date("Date: 2019/09/19 12:54:27"); script_cve_id("CVE-2011-3152", "CVE-2011-3154"); script_xref(name:"USN", value:"1284-1"); script_name(english:"Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : update-manager vulnerabilities (USN-1284-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/1284-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected auto-upgrade-tester, update-manager and / or update-notifier packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:auto-upgrade-tester"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:update-manager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:update-notifier"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/17"); script_set_attribute(attribute:"patch_publication_date", value:"2011/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(8\.04|10\.04|10\.10|11\.04|11\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 10.04 / 10.10 / 11.04 / 11.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"8.04", pkgname:"update-manager", pkgver:"1:0.87.31.1")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"auto-upgrade-tester", pkgver:"1:0.134.11.1")) flag++; if (ubuntu_check(osver:"10.04", pkgname:"update-notifier", pkgver:"0.99.3ubuntu0.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"update-manager", pkgver:"1:0.142.23.1")) flag++; if (ubuntu_check(osver:"10.10", pkgname:"update-notifier", pkgver:"0.105ubuntu1.1")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"update-manager", pkgver:"1:0.150.5.1")) flag++; if (ubuntu_check(osver:"11.04", pkgname:"update-notifier", pkgver:"0.111ubuntu2.1")) flag++; if (ubuntu_check(osver:"11.10", pkgname:"update-manager", pkgver:"1:0.152.25.5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "auto-upgrade-tester / update-manager / update-notifier"); }
Seebug
| bulletinFamily | exploit |
| description | CVE ID:CVE-2011-3152 Ubuntu是一款基于linux内核的发行版本。 David Black发现更新管理器(Update Manager)在校验GPG签名之前不正确提取下载的升级tarball,如果远程攻击者可执行中间人攻击,此缺陷可导致用于替换任意文件 Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu Ubuntu Linux 11.10 i386 Ubuntu Ubuntu Linux 11.10 amd64 Ubuntu Ubuntu Linux 11.04 powerpc Ubuntu Ubuntu Linux 11.04 i386 Ubuntu Ubuntu Linux 11.04 ARM Ubuntu Ubuntu Linux 11.04 amd64 Ubuntu Ubuntu Linux 10.10 powerpc Ubuntu Ubuntu Linux 10.10 i386 Ubuntu Ubuntu Linux 10.10 ARM Ubuntu Ubuntu Linux 10.10 amd64 Ubuntu Ubuntu Linux 10.04 sparc Ubuntu Ubuntu Linux 10.04 powerpc Ubuntu Ubuntu Linux 10.04 i386 Ubuntu Ubuntu Linux 10.04 ARM Ubuntu Ubuntu Linux 10.04 amd64 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://www.ubuntu.com/usn/usn-1284-1 |
| id | SSV:24266 |
| last seen | 2017-11-19 |
| modified | 2011-11-29 |
| published | 2011-11-29 |
| reporter | Root |
| title | Ubuntu升级管理器GPG签名校验安全绕过漏洞 |
References
- http://secunia.com/advisories/47024
- http://www.osvdb.org/77642
- http://www.securityfocus.com/bid/50833
- http://www.ubuntu.com/usn/USN-1284-1
- https://bugs.launchpad.net/ubuntu/%2Bsource/update-manager/%2Bbug/881548
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71494
- http://secunia.com/advisories/47024
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71494
- https://bugs.launchpad.net/ubuntu/%2Bsource/update-manager/%2Bbug/881548
- http://www.ubuntu.com/usn/USN-1284-1
- http://www.securityfocus.com/bid/50833
- http://www.osvdb.org/77642