Vulnerabilities > CVE-2015-1463 - Code vulnerability in multiple products

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-233-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83888);
  script_version("2.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-9328", "CVE-2015-1461", "CVE-2015-1462", "CVE-2015-1463", "CVE-2015-2170", "CVE-2015-2221", "CVE-2015-2222", "CVE-2015-2668");
  script_bugtraq_id(72372, 72641, 72652, 72654, 74443, 74472);

  script_name(english:"Debian DLA-233-1 : clamav security and upstream version update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Upstream published version 0.98.7. This update updates sqeeze-lts to
the latest upstream release in line with the approach used for other
Debian releases.

The changes are not strictly required for operation, but users of the
previous version in Squeeze may not be able to make use of all current
virus signatures and might get warnings.

The bug fixes that are part of this release include security fixes
related to packed or crypted files (CVE-2014-9328, CVE-2015-1461,
CVE-2015-1462, CVE-2015-1463, CVE-2015-2170, CVE-2015-2221,
CVE-2015-2222, and CVE-2015-2668) and several fixes to the embedded
libmspack library, including a potential infinite loop in the Quantum
decoder (CVE-2014-9556).

If you use clamav, we strongly recommend that you upgrade to this
version.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/05/msg00017.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/clamav"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-daemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-freshclam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-milter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-testfiles");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libclamav-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libclamav6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"clamav", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-base", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-daemon", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-dbg", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-docs", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-freshclam", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-milter", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"clamav-testfiles", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"libclamav-dev", reference:"0.98.7+dfsg-0+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"libclamav6", reference:"0.98.7+dfsg-0+deb6u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2015-1461.
#

include("compat.inc");

if (description)
{
  script_id(81115);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-9328", "CVE-2015-1461", "CVE-2015-1462", "CVE-2015-1463");
  script_xref(name:"FEDORA", value:"2015-1461");

  script_name(english:"Fedora 21 : clamav-0.98.6-1.fc21 (2015-1461)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"ClamAV 0.98.6 =============

ClamAV 0.98.6 is a bug fix release correcting the following :

  - library shared object revisions.

    - installation issues on some Mac OS X and FreeBSD
      platforms.

    - includes a patch from Sebastian Andrzej Siewior making
      ClamAV pid files compatible with systemd.

    - Fix a heap out of bounds condition with crafted Yoda's
      crypter files. This issue was discovered by Felix
      Groebert of the Google Security Team.

    - Fix a heap out of bounds condition with crafted mew
      packer files. This issue was discovered by Felix
      Groebert of the Google Security Team.

    - Fix a heap out of bounds condition with crafted upx
      packer files. This issue was discovered by Kevin
      Szkudlapski of Quarkslab.

    - Fix a heap out of bounds condition with crafted upack
      packer files. This issue was discovered by Sebastian
      Andrzej Siewior. CVE-2014-9328.

    - Compensate a crash due to incorrect compiler
      optimization when handling crafted petite packer
      files. This issue was discovered by Sebastian Andrzej
      Siewior.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1187050"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148958.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?710c5df4"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected clamav package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC21", reference:"clamav-0.98.6-1.fc21")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201512-08.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(87708);
  script_version("$Revision: 2.1 $");
  script_cvs_date("$Date: 2016/01/04 15:04:10 $");

  script_cve_id("CVE-2014-9328", "CVE-2015-1461", "CVE-2015-1462", "CVE-2015-1463", "CVE-2015-2170", "CVE-2015-2221", "CVE-2015-2222", "CVE-2015-2668");
  script_xref(name:"GLSA", value:"201512-08");

  script_name(english:"GLSA-201512-08 : ClamAV: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201512-08
(ClamAV: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ClamAV. Please review
      the CVE identifiers referenced below for details.
  
Impact :

    A remote attacker could cause ClamAV to scan a specially crafted file,
      possibly resulting in a Denial of Service condition or other unspecified
      impact.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201512-08"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All ClamAV users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=app-antivirus/clamav-0.98.7'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"app-antivirus/clamav", unaffected:make_list("ge 0.98.7"), vulnerable:make_list("lt 0.98.7"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ClamAV");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81147);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id(
    "CVE-2014-9328",
    "CVE-2015-1461",
    "CVE-2015-1462",
    "CVE-2015-1463"
  );
  script_bugtraq_id(
    72372,
    72641,
    72652,
    72654
  );

  script_name(english:"ClamAV < 0.98.6 Multiple Vulnerabilities");
  script_summary(english:"Checks the response to a clamd VERSION command.");

  script_set_attribute(attribute:"synopsis", value:
"The antivirus service running on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version, the ClamAV clamd antivirus daemon on the
remote host is prior to 0.98.6. It is, therefore, affected by the
following vulnerabilities :

  - An out-of-bounds access flaw exists in the unupack()
    function that is triggered when parsing a specially
    crafted Upack packer file. A remote attacker can exploit
    this to crash the application, resulting in a denial of
    service condition. (CVE-2014-9328)

  - An out-of-bounds access flaw exists that is triggered
    when parsing maliciously crafted Yoda Crypter and MEW
    packer files. A remote attacker can exploit this to
    crash the application, resulting in a denial of service
    condition. (CVE-2015-1461)
 
  - An out-of-bounds access flaw exists that is triggered
    when parsing a specially crafted UPX packer file. A
    remote attacker can exploit this to crash the
    application, resulting in a denial of service condition.
    (CVE-2015-1462)

  - A signedness flaw exists in the petite_inflate2x_1to9()
    function in 'libclamav/petite.c' that allows a remote
    attacker with a specially crafted petite packer file
    to cause a denial of service. (CVE-2015-1463)

  - An integer overflow condition exists in upx.c due to
    improper validation of user-supplied input when scanning
    EXE files. An attacker can exploit this to cause a
    heap-based buffer overflow, resulting in a denial of
    service condition or the execution of arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://blog.clamav.net/2015/01/clamav-0986-has-been-released.html");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2015/q1/344");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.clamav.net/show_bug.cgi?id=11213");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ClamAV 0.98.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1462");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/03");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("clamav_detect.nasl");
  script_require_keys("Antivirus/ClamAV/version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("Antivirus/ClamAV/version");
port = get_service(svc:"clamd", default:3310, exit_on_fail:TRUE);

# nb: banner checks of open source software are prone to false-
#     positives so only run the check if reporting is paranoid.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Check the version number.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# Affected :
# 0.x < 0.98.6
# 0.98.6beta\d
# 0.98.6rc\d
if (
  (ver[0] == 0 && ver[1] < 98) ||
  (ver[0] == 0 && ver[1] == 98 && ver[2] < 6) ||
  version =~ "^0\.98\.6-(beta|rc)\d($|[^0-9])"
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 0.98.6' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "ClamAV", port, version);