Vulnerabilities > CVE-2014-9471
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.
Vulnerable Configurations
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-179.NASL description Updated coreutils packages fix security vulnerability : Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code (CVE-2014-9471). last seen 2020-06-01 modified 2020-06-02 plugin id 82454 published 2015-03-31 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82454 title Mandriva Linux Security Advisory : coreutils (MDVSA-2015:179) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2015:179. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(82454); script_version("1.3"); script_cvs_date("Date: 2019/08/02 13:32:57"); script_cve_id("CVE-2014-9471"); script_xref(name:"MDVSA", value:"2015:179"); script_name(english:"Mandriva Linux Security Advisory : coreutils (MDVSA-2015:179)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated coreutils packages fix security vulnerability : Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code (CVE-2014-9471)." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2015-0029.html" ); script_set_attribute( attribute:"solution", value:"Update the affected coreutils and / or coreutils-doc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:2"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"coreutils-8.15-3.2.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"coreutils-doc-8.15-3.2.mbs1")) flag++; if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"coreutils-8.21-8.1.mbs2")) flag++; if (rpm_check(release:"MDK-MBS2", reference:"coreutils-doc-8.21-8.1.mbs2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-22.NASL description The remote host is affected by the vulnerability described in GLSA-201612-22 (Coreutils: Arbitrary code execution) A memory corruption flaw in GNU Coreutils’ parse_datetime function was reported. Applications using parse_datetime(), such as touch or date, may accepted untrusted input. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95638 published 2016-12-08 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/95638 title GLSA-201612-22 : Coreutils: Arbitrary code execution code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201612-22. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(95638); script_version("$Revision: 2.1 $"); script_cvs_date("$Date: 2016/12/08 20:42:13 $"); script_cve_id("CVE-2014-9471"); script_xref(name:"GLSA", value:"201612-22"); script_name(english:"GLSA-201612-22 : Coreutils: Arbitrary code execution"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201612-22 (Coreutils: Arbitrary code execution) A memory corruption flaw in GNU Coreutils’ parse_datetime function was reported. Applications using parse_datetime(), such as touch or date, may accepted untrusted input. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201612-22" ); script_set_attribute( attribute:"solution", value: "All Coreutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sys-apps/coreutils-8.23'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:coreutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"sys-apps/coreutils", unaffected:make_list("ge 8.23"), vulnerable:make_list("lt 8.23"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Coreutils"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2473-1.NASL description It was discovered that the distcheck rule in dist-check.mk in GNU coreutils allows local users to gain privileges via a symlink attack on a directory tree under /tmp. This issue only affected Ubuntu 10.04 LTS. (CVE-2009-4135) Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code. (CVE-2014-9471). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 80552 published 2015-01-15 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80552 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : coreutils vulnerabilities (USN-2473-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2473-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(80552); script_version("1.9"); script_cvs_date("Date: 2019/09/19 12:54:31"); script_cve_id("CVE-2009-4135", "CVE-2014-9471"); script_bugtraq_id(37256, 71268); script_xref(name:"USN", value:"2473-1"); script_name(english:"Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : coreutils vulnerabilities (USN-2473-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "It was discovered that the distcheck rule in dist-check.mk in GNU coreutils allows local users to gain privileges via a symlink attack on a directory tree under /tmp. This issue only affected Ubuntu 10.04 LTS. (CVE-2009-4135) Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code. (CVE-2014-9471). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2473-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected coreutils package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(59); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:coreutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/11"); script_set_attribute(attribute:"patch_publication_date", value:"2015/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(10\.04|12\.04|14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 12.04 / 14.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"10.04", pkgname:"coreutils", pkgver:"7.4-2ubuntu3.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"coreutils", pkgver:"8.13-3ubuntu3.3")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"coreutils", pkgver:"8.21-1ubuntu5.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "coreutils"); }NASL family SuSE Local Security Checks NASL id SUSE_11_COREUTILS-150416.NASL description Coreutils was updated to fix one security issue and one non-security bug. The following vulnerability was fixed : - Commands such as date, touch or using parse_datetime() could, when accepting untrusted input, allow an attacker to crash the application or, potentially, execute arbitrary code. (bnc#911832, CVE-2014-9471) The following non-security bug was fixed : - df(1) executed against a bind mounted path which resided on a different file system could issue many unnecessary stat calls, causing unwanted performance issues. (bnc#919809) last seen 2020-06-01 modified 2020-06-02 plugin id 83133 published 2015-04-29 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83133 title SuSE 11.3 Security Update : coreutils (SAT Patch Number 10620)
References
- http://advisories.mageia.org/MGASA-2015-0029.html
- http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
- http://secunia.com/advisories/62226
- http://ubuntu.com/usn/usn-2473-1
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:179
- http://www.openwall.com/lists/oss-security/2014/11/25/1
- http://www.openwall.com/lists/oss-security/2014/11/25/4
- http://www.openwall.com/lists/oss-security/2015/01/03/11
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766147
- https://security.gentoo.org/glsa/201612-22