Vulnerabilities > CVE-2015-8982 - Integer Overflow or Wraparound vulnerability in GNU Glibc

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
gnu
CWE-190
nessus

Summary

Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Gnu
112

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3239-1.NASL
    descriptionIt was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982) It was discovered that an integer overflow existed in the _IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983) It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984) Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service. (CVE-2016-1234) Florian Weimer discovered a NULL pointer dereference in the DNS resolver of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2015-5180) Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706) Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429) Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5417) Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts. An attacker could use this to cause a denial of service. (CVE-2016-6323). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97856
    published2017-03-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97856
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc vulnerabilities (USN-3239-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3239-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97856);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/22");
    
      script_cve_id("CVE-2015-5180", "CVE-2015-8982", "CVE-2015-8983", "CVE-2015-8984", "CVE-2016-1234", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-5417", "CVE-2016-6323");
      script_xref(name:"USN", value:"3239-1");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc vulnerabilities (USN-3239-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "It was discovered that the GNU C Library incorrectly handled the
    strxfrm() function. An attacker could use this issue to cause a denial
    of service or possibly execute arbitrary code. This issue only
    affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)
    
    It was discovered that an integer overflow existed in the
    _IO_wstr_overflow() function of the GNU C Library. An attacker could
    use this to cause a denial of service or possibly execute arbitrary
    code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
    (CVE-2015-8983)
    
    It was discovered that the fnmatch() function in the GNU C Library did
    not properly handle certain malformed patterns. An attacker could use
    this to cause a denial of service. This issue only affected Ubuntu
    12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)
    
    Alexander Cherepanov discovered a stack-based buffer overflow in the
    glob implementation of the GNU C Library. An attacker could use this
    to specially craft a directory layout and cause a denial of service.
    (CVE-2016-1234)
    
    Florian Weimer discovered a NULL pointer dereference in the DNS
    resolver of the GNU C Library. An attacker could use this to cause a
    denial of service. (CVE-2015-5180)
    
    Michael Petlan discovered an unbounded stack allocation in the
    getaddrinfo() function of the GNU C Library. An attacker could use
    this to cause a denial of service. (CVE-2016-3706)
    
    Aldy Hernandez discovered an unbounded stack allocation in the sunrpc
    implementation in the GNU C Library. An attacker could use this to
    cause a denial of service. (CVE-2016-4429)
    
    Tim Ruehsen discovered that the getaddrinfo() implementation in the
    GNU C Library did not properly track memory allocations. An attacker
    could use this to cause a denial of service. This issue only affected
    Ubuntu 16.04 LTS. (CVE-2016-5417)
    
    Andreas Schwab discovered that the GNU C Library on ARM 32-bit
    platforms did not properly set up execution contexts. An attacker
    could use this to cause a denial of service. (CVE-2016-6323).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3239-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected libc6 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"libc6", pkgver:"2.15-0ubuntu10.16")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libc6", pkgver:"2.19-0ubuntu6.10")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libc6", pkgver:"2.23-0ubuntu6")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libc6");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1721.NASL
    descriptionAccording to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.(CVE-2016-4429) - Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.(CVE-2015-8982) - The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.(CVE-2014-4043) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-07-22
    plugin id126849
    published2019-07-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126849
    titleEulerOS 2.0 SP2 : glibc (EulerOS-SA-2019-1721)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126849);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2014-4043",
        "CVE-2015-8982",
        "CVE-2016-4429"
      );
      script_bugtraq_id(
        68006
      );
    
      script_name(english:"EulerOS 2.0 SP2 : glibc (EulerOS-SA-2019-1721)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the glibc packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - Stack-based buffer overflow in the clntudp_call
        function in sunrpc/clnt_udp.c in the GNU C Library (aka
        glibc or libc6) allows remote servers to cause a denial
        of service (crash) or possibly unspecified other impact
        via a flood of crafted ICMP and UDP
        packets.(CVE-2016-4429)
    
      - Integer overflow in the strxfrm function in the GNU C
        Library (aka glibc or libc6) before 2.21 allows
        context-dependent attackers to cause a denial of
        service (crash) or possibly execute arbitrary code via
        a long string, which triggers a stack-based buffer
        overflow.(CVE-2015-8982)
    
      - The posix_spawn_file_actions_addopen function in glibc
        before 2.20 does not copy its path argument in
        accordance with the POSIX specification, which allows
        context-dependent attackers to trigger use-after-free
        vulnerabilities.(CVE-2014-4043)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1721
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?218f5dca");
      script_set_attribute(attribute:"solution", value:
    "Update the affected glibc packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4429");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["glibc-2.17-111.h35",
            "glibc-common-2.17-111.h35",
            "glibc-devel-2.17-111.h35",
            "glibc-headers-2.17-111.h35",
            "glibc-static-2.17-111.h35",
            "glibc-utils-2.17-111.h35",
            "nscd-2.17-111.h35"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2030.NASL
    descriptionAccording to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.(CVE-2016-4429) - Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.(CVE-2015-8982) - The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.(CVE-2014-4043) - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180) - A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code.(CVE-2018-11237) - In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.(CVE-2019-9169) - The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.(CVE-2016-10228) - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-24
    plugin id129223
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129223
    titleEulerOS 2.0 SP3 : glibc (EulerOS-SA-2019-2030)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129223);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2014-4043",
        "CVE-2015-5180",
        "CVE-2015-8982",
        "CVE-2016-10228",
        "CVE-2016-4429",
        "CVE-2017-12132",
        "CVE-2018-11237",
        "CVE-2019-9169"
      );
      script_bugtraq_id(
        68006
      );
    
      script_name(english:"EulerOS 2.0 SP3 : glibc (EulerOS-SA-2019-2030)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the glibc packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - Stack-based buffer overflow in the clntudp_call
        function in sunrpc/clnt_udp.c in the GNU C Library (aka
        glibc or libc6) allows remote servers to cause a denial
        of service (crash) or possibly unspecified other impact
        via a flood of crafted ICMP and UDP
        packets.(CVE-2016-4429)
    
      - Integer overflow in the strxfrm function in the GNU C
        Library (aka glibc or libc6) before 2.21 allows
        context-dependent attackers to cause a denial of
        service (crash) or possibly execute arbitrary code via
        a long string, which triggers a stack-based buffer
        overflow.(CVE-2015-8982)
    
      - The posix_spawn_file_actions_addopen function in glibc
        before 2.20 does not copy its path argument in
        accordance with the POSIX specification, which allows
        context-dependent attackers to trigger use-after-free
        vulnerabilities.(CVE-2014-4043)
    
      - res_query in libresolv in glibc before 2.25 allows
        remote attackers to cause a denial of service (NULL
        pointer dereference and process crash).(CVE-2015-5180)
    
      - A buffer overflow has been discovered in the GNU C
        Library (aka glibc or libc6) in the
        __mempcpy_avx512_no_vzeroupper function when particular
        conditions are met. An attacker could use this
        vulnerability to cause a denial of service or
        potentially execute code.(CVE-2018-11237)
    
      - In the GNU C Library (aka glibc or libc6) through 2.29,
        proceed_next_node in posix/regexec.c has a heap-based
        buffer over-read via an attempted case-insensitive
        regular-expression match.(CVE-2019-9169)
    
      - The iconv program in the GNU C Library (aka glibc or
        libc6) 2.25 and earlier, when invoked with the -c
        option, enters an infinite loop when processing invalid
        multi-byte input sequences, leading to a denial of
        service.(CVE-2016-10228)
    
      - The DNS stub resolver in the GNU C Library (aka glibc
        or libc6) before version 2.26, when EDNS support is
        enabled, will solicit large UDP responses from name
        servers, potentially simplifying off-path DNS spoofing
        attacks due to IP fragmentation.(CVE-2017-12132)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2030
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7ebae79a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected glibc packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9169");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["glibc-2.17-196.h27",
            "glibc-common-2.17-196.h27",
            "glibc-devel-2.17-196.h27",
            "glibc-headers-2.17-196.h27",
            "glibc-static-2.17-196.h27",
            "glibc-utils-2.17-196.h27",
            "nscd-2.17-196.h27"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3239-3.NASL
    descriptionUSN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2016-3706 introduced a regression that in some circumstances prevented IPv6 addresses from resolving. This update reverts the change in Ubuntu 12.04 LTS. We apologize for the error. It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982) It was discovered that an integer overflow existed in the _IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983) It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984) Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service. (CVE-2016-1234) Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706) Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429) Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5417) Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts. An attacker could use this to cause a denial of service. (CVE-2016-6323). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97936
    published2017-03-24
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97936
    titleUbuntu 12.04 LTS : eglibc regression (USN-3239-3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3239-3. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97936);
      script_version("3.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/22");
    
      script_cve_id("CVE-2015-8982", "CVE-2015-8983", "CVE-2015-8984", "CVE-2016-1234", "CVE-2016-3706", "CVE-2016-4429", "CVE-2016-5417", "CVE-2016-6323");
      script_xref(name:"USN", value:"3239-3");
    
      script_name(english:"Ubuntu 12.04 LTS : eglibc regression (USN-3239-3)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately,
    the fix for CVE-2016-3706 introduced a regression that in some
    circumstances prevented IPv6 addresses from resolving. This update
    reverts the change in Ubuntu 12.04 LTS. We apologize for the error.
    
    It was discovered that the GNU C Library incorrectly handled the
    strxfrm() function. An attacker could use this issue to cause a denial
    of service or possibly execute arbitrary code. This issue only
    affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)
    
    It was discovered that an integer overflow existed in the
    _IO_wstr_overflow() function of the GNU C Library. An
    attacker could use this to cause a denial of service or
    possibly execute arbitrary code. This issue only affected
    Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983)
    
    It was discovered that the fnmatch() function in the GNU C
    Library did not properly handle certain malformed patterns.
    An attacker could use this to cause a denial of service.
    This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
    LTS. (CVE-2015-8984)
    
    Alexander Cherepanov discovered a stack-based buffer
    overflow in the glob implementation of the GNU C Library. An
    attacker could use this to specially craft a directory
    layout and cause a denial of service. (CVE-2016-1234)
    
    Michael Petlan discovered an unbounded stack allocation in
    the getaddrinfo() function of the GNU C Library. An attacker
    could use this to cause a denial of service. (CVE-2016-3706)
    
    Aldy Hernandez discovered an unbounded stack allocation in
    the sunrpc implementation in the GNU C Library. An attacker
    could use this to cause a denial of service. (CVE-2016-4429)
    
    Tim Ruehsen discovered that the getaddrinfo() implementation
    in the GNU C Library did not properly track memory
    allocations. An attacker could use this to cause a denial of
    service. This issue only affected Ubuntu 16.04 LTS.
    (CVE-2016-5417)
    
    Andreas Schwab discovered that the GNU C Library on ARM
    32-bit platforms did not properly set up execution contexts.
    An attacker could use this to cause a denial of service.
    (CVE-2016-6323).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3239-3/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected libc6 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"libc6", pkgver:"2.15-0ubuntu10.18")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libc6");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1667.NASL
    descriptionAccording to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the
    last seen2020-05-06
    modified2019-06-27
    plugin id126294
    published2019-06-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126294
    titleEulerOS 2.0 SP5 : glibc (EulerOS-SA-2019-1667)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3239-2.NASL
    descriptionUSN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2015-5180 introduced an internal ABI change within the resolver library. This update reverts the change. We apologize for the inconvenience. Please note that long-running services that were restarted to compensate for the USN-3239-1 update may need to be restarted again. It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982) It was discovered that an integer overflow existed in the _IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983) It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984) Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service. (CVE-2016-1234) Florian Weimer discovered a NULL pointer dereference in the DNS resolver of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2015-5180) Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706) Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429) Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5417) Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts. An attacker could use this to cause a denial of service. (CVE-2016-6323). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97887
    published2017-03-22
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97887
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc regression (USN-3239-2)